Merge pull request #7137 from lpy4105/issue/1785/ssl-test-script-fail
compat.sh: Skip static ECDH cases if unsupported in openssl
diff --git a/ChangeLog.d/add-uri-san.txt b/ChangeLog.d/add-uri-san.txt
new file mode 100644
index 0000000..5184e8f
--- /dev/null
+++ b/ChangeLog.d/add-uri-san.txt
@@ -0,0 +1,3 @@
+Features
+ * Add parsing of uniformResourceIdentifier subtype for subjectAltName
+ extension in x509 certificates.
diff --git a/ChangeLog.d/add_interruptible_sign_hash b/ChangeLog.d/add_interruptible_sign_hash
new file mode 100644
index 0000000..3d93303
--- /dev/null
+++ b/ChangeLog.d/add_interruptible_sign_hash
@@ -0,0 +1,5 @@
+Features
+ * Add an interruptible version of sign and verify hash to the PSA interface,
+ backed by internal library support for ECDSA signing and verification.
+
+
diff --git a/ChangeLog.d/empty-retval-description.txt b/ChangeLog.d/empty-retval-description.txt
new file mode 100644
index 0000000..491adf5
--- /dev/null
+++ b/ChangeLog.d/empty-retval-description.txt
@@ -0,0 +1,3 @@
+Bugfix
+ * Silence warnings from clang -Wdocumentation about empty \retval
+ descriptions, which started appearing with Clang 15. Fixes #6960.
diff --git a/ChangeLog.d/fix-iar-warnings.txt b/ChangeLog.d/fix-iar-warnings.txt
index 244e863..8a30132 100644
--- a/ChangeLog.d/fix-iar-warnings.txt
+++ b/ChangeLog.d/fix-iar-warnings.txt
@@ -1,2 +1,2 @@
Bugfix
- * Fix IAR compiler warnings. Contributed by Glenn Strauss in #3835.
+ * Fix IAR compiler warnings. Fixes #6924.
diff --git a/ChangeLog.d/fix-oid-to-string-bugs.txt b/ChangeLog.d/fix-oid-to-string-bugs.txt
new file mode 100644
index 0000000..799f444
--- /dev/null
+++ b/ChangeLog.d/fix-oid-to-string-bugs.txt
@@ -0,0 +1,6 @@
+Bugfix
+ * Fix bug in conversion from OID to string in
+ mbedtls_oid_get_numeric_string(). OIDs such as 2.40.0.25 are now printed
+ correctly.
+ * Reject OIDs with overlong-encoded subidentifiers when converting
+ OID-to-string.
diff --git a/ChangeLog.d/mpi-window-perf b/ChangeLog.d/mpi-window-perf
new file mode 100644
index 0000000..0f75d6a
--- /dev/null
+++ b/ChangeLog.d/mpi-window-perf
@@ -0,0 +1,7 @@
+Changes
+ * Changed the default MBEDTLS_ECP_WINDOW_SIZE from 6 to 2.
+ As tested in issue 6790, the correlation between this define and
+ RSA decryption performance has changed lately due to security fixes.
+ To fix the performance degradation when using default values the
+ window was reduced from 6 to 2, a value that gives the best or close
+ to best results when tested on Cortex-M4 and Intel i7.
diff --git a/ChangeLog.d/san_rfc822Name.txt b/ChangeLog.d/san_rfc822Name.txt
new file mode 100644
index 0000000..9720e52
--- /dev/null
+++ b/ChangeLog.d/san_rfc822Name.txt
@@ -0,0 +1,3 @@
+Features
+ * Add parsing of rfc822Name subtype for subjectAltName
+ extension in x509 certificates.
diff --git a/README.md b/README.md
index 7b45a1f..f4bf4e1 100644
--- a/README.md
+++ b/README.md
@@ -264,6 +264,7 @@
- `int` and `size_t` must be at least 32 bits wide.
- The types `uint8_t`, `uint16_t`, `uint32_t` and their signed equivalents must be available.
- Mixed-endian platforms are not supported.
+- SIZE_MAX must be at least as big as INT_MAX and UINT_MAX.
PSA cryptography API
--------------------
diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
new file mode 100644
index 0000000..eee59c4
--- /dev/null
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -0,0 +1,481 @@
+PSA migration strategy for hashes and ciphers
+=============================================
+
+## Introduction
+
+This document discusses a migration strategy for code that is not subject to `MBEDTLS_USE_PSA_CRYPTO`, is currently using legacy cryptography APIs, and should transition to PSA, without a major version change.
+
+### Relationship with the main strategy document
+
+This is complementary to the main [strategy document](strategy.html) and is intended as a refinement. However, at this stage, there may be contradictions between the strategy proposed here and some of the earlier strategy.
+
+A difference between the original strategy and the current one is that in this work, we are not treating PSA as a black box. We can change experimental features, and we can call internal interfaces.
+
+## Requirements
+
+### User stories
+
+#### Backward compatibility user story
+
+As a developer of an application that uses Mbed TLS's interfaces (including legacy crypto),
+I want Mbed TLS to preserve backward compatibility,
+so that my code keeps working in new minor versions of Mbed TLS.
+
+#### Interface design user story
+
+As a developer of library code that uses Mbed TLS to perform cryptographic operations,
+I want to know which functions to call and which feature macros to check,
+so that my code works in all Mbed TLS configurations.
+
+Note: this is the same problem we face in X.509 and TLS.
+
+#### Hardware accelerator vendor user stories
+
+As a vendor of a platform with hardware acceleration for some crypto,
+I want to build Mbed TLS in a way that uses my hardware wherever relevant,
+so that my customers maximally benefit from my hardware.
+
+As a vendor of a platform with hardware acceleration for some crypto,
+I want to build Mbed TLS without software that replicates what my hardware does,
+to minimize the code size.
+
+#### Maintainer user stories
+
+As a maintainer of Mbed TLS,
+I want to have clear rules for when to use which interface,
+to avoid bugs in “unusual” configurations.
+
+As a maintainer of Mbed TLS,
+I want to avoid duplicating code,
+because this is inefficient and error-prone.
+
+### Use PSA more
+
+In the long term, all code using cryptography should use PSA interfaces, to benefit from PSA drivers, allow eliminating legacy interfaces (less code size, less maintenance). However, this can't be done without breaking [backward compatibility](#backward-compatibility).
+
+The goal of this work is to arrange for more non-PSA interfaces to use PSA interfaces under the hood, without breaking code in the cases where this doesn't work. Using PSA interfaces has two benefits:
+
+* Where a PSA driver is available, it likely has better performance, and sometimes better security, than the built-in software implementation.
+* In many scenarios, where a PSA driver is available, this allows removing the software implementation altogether.
+* We may be able to get rid of some redundancies, for example the duplication between the implementations of HMAC in `md.c` and in `psa_crypto_mac.c`, and HKDF in `hkdf.c` and `psa_crypto.c`.
+
+### Correct dependencies
+
+Traditionally, to determine whether a cryptographic mechanism was available, you had to check whether the corresponding Mbed TLS module or submodule was present: `MBEDTLS_SHA256_C` for SHA256, `MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC` for AES-CBC, etc. In code that uses the PSA interfaces, this needs to change to `PSA_WANT_xxx` symbols.
+
+### Backward compatibility
+
+All documented behavior must be preserved, except for interfaces currently described as experimental or unstable. Those interfaces can change, but we should minimize disruption by providing a transition path for reasonable use cases.
+
+#### Changeable configuration options
+
+The following configuration options are described as experimental, and are likely to change at least marginally:
+
+* `MBEDTLS_PSA_CRYPTO_CLIENT`: “This interface is experimental and may change or be removed without notice.” In practice we don't want to remove this, but we may constrain how it's used.
+* `MBEDTLS_PSA_CRYPTO_DRIVERS`: “This interface is experimental. We intend to maintain backward compatibility with application code that relies on drivers, but the driver interfaces may change without notice.” In practice, this may mean constraints not only on how to write drivers, but also on how to integrate drivers into code that is platform code more than application code.
+* `MBEDTLS_PSA_CRYPTO_CONFIG`: “This feature is still experimental and is not ready for production since it is not completed.” We may want to change this, for example, to automatically enable more mechanisms (although this wouldn't be considered a backward compatibility break anyway, since we don't promise that you will not get a feature if you don't enable its `PSA_WANT_xxx`).
+
+### Non-goals
+
+It is not a goal at this stage to make more code directly call `psa_xxx` functions. Rather, the goal is to make more code call PSA drivers where available. How dispatch is done is secondary.
+
+## Problem analysis
+
+### Scope analysis
+
+#### Limitations of `MBEDTLS_USE_PSA_CRYPTO`
+
+The option `MBEDTLS_USE_PSA_CRYPTO` causes parts of the library to call the PSA API instead of legacy APIs for cryptographic calculations. `MBEDTLS_USE_PSA_CRYPTO` only applies to `pk.h`, X.509 and TLS. When this option is enabled, applications must call `psa_crypto_init()` before calling any of the functions in these modules.
+
+In this work, we want two things:
+
+* Make non-covered modules call PSA, but only [when this will actually work](#why-psa-is-not-always-possible). This effectively brings those modules to a partial use-PSA behavior (benefiting from PSA accelerators when they're usable) regardless of whether the option is enabled.
+* Call PSA when a covered module calls a non-covered module which calls another module, for example X.509 calling pk for PSS verification which calls RSA which calculates a hash ([see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497)). This effectively extends the option to modules that aren't directly covered.
+
+#### Classification of callers
+
+We can classify code that implements or uses cryptographic mechanisms into several groups:
+
+* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
+* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
+* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
+* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding TLS 1.3).
+* Code that always uses PSA for crypto: TLS 1.3, LMS.
+
+For the purposes of this work, three domains emerge:
+
+* **Legacy domain**: does not interact with PSA. Implementations of hashes, of cipher primitives, of arithmetic.
+* **Mixed domain**: does not currently use PSA, but should [when possible](#why-psa-is-not-always-possible). This consists of the constructed cryptographic primitives (except LMS), as well as pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is disabled.
+* **PSA domain**: includes pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is enabled. Also TLS 1.3, LMS.
+
+#### Non-use-PSA modules
+
+The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption:
+
+* CCM (block cipher in ECB mode; interdependent with cipher)
+* cipher (cipher and AEAD algorithms)
+* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
+* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
+* entropy (hashes via low-level)
+* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
+* ECJPAKE (hashes via md; `md.h` exposed through API)
+* GCM (block cipher in ECB mode; interdependent with cipher)
+* md (hashes and HMAC)
+* NIST\_KW (AES-ECB; interdependent with cipher)
+* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
+* PEM (AES and DES in CBC mode without padding; MD5 hash via low-level)
+* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; hashes via md; `cipher.h` exposed through API)
+* PKCS5 (cipher, generically, selected from ASN.1; HMAC via `md.h`; `md.h` exposed through API)
+* RSA (hash via md for PSS and OAEP; `md.h` exposed through API)
+
+### Difficulties
+
+#### Why PSA is not always possible
+
+Here are some reasons why calling `psa_xxx()` to perform a hash or cipher calculation might not be desirable in some circumstances, explaining why the application would arrange to call the legacy software implementation instead.
+
+* `MBEDTLS_PSA_CRYPTO_C` is disabled.
+* There is a PSA driver which has not been initialized (this happens in `psa_crypto_init()`).
+* For ciphers, the keystore is not initialized yet, and Mbed TLS uses a custom implementation of PSA ITS where the file system is not accessible yet (because something else needs to happen first, and the application takes care that it happens before it calls `psa_crypto_init()`). A possible workaround may be to dispatch to the internal functions that are called after the keystore lookup, rather than to the PSA API functions (but this is incompatible with `MBEDTLS_PSA_CRYPTO_CLIENT`).
+* The requested mechanism is enabled in the legacy interface but not in the PSA interface. This was not really intended, but is possible, for example, if you enable `MBEDTLS_MD5_C` for PEM decoding with PBKDF1 but don't want `PSA_ALG_WANT_MD5` because it isn't supported for `PSA_ALG_RSA_PSS` and `PSA_ALG_DETERMINISTIC_ECDSA`.
+* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the client has not yet activated the connection to the server (this happens in `psa_crypto_init()`).
+* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, but the operation is part of the implementation of an encrypted communication with the crypto service, or the local implementation is faster because it avoids a costly remote procedure call.
+
+#### Indirect knowledge
+
+Consider for example the code in `rsa.c` to perform an RSA-PSS signature. It needs to calculate a hash. If `mbedtls_rsa_rsassa_pss_sign()` is called directly by application code, it is supposed to call the built-in implementation: calling a PSA accelerator would be a behavior change, acceptable only if this does not add a risk of failure or performance degradation ([PSA is impossible or undesirable in some circumstances](#why-psa-is-not-always-possible)). Note that this holds regardless of the state of `MBEDTLS_USE_PSA_CRYPTO`, since `rsa.h` is outside the scope of `MBEDTLS_USE_PSA_CRYPTO`. On the other hand, if `mbedtls_rsa_rsassa_pss_sign()` is called from X.509 code, it should use PSA to calculate hashes. It doesn't, currently, which is [bug \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
+
+Generally speaking, modules in the mixed domain:
+
+* must call PSA if called by a module in the PSA domain;
+* must not call PSA (or must have a fallback) if their caller is not in the PSA domain and the PSA call is not guaranteed to work.
+
+#### Non-support guarantees: requirements
+
+Generally speaking, just because some feature is not enabled in `mbedtls_config.h` or `psa_config.h` doesn't guarantee that it won't be enabled in the build. We can enable additional features through `build_info.h`.
+
+If `PSA_WANT_xxx` is disabled, this should guarantee that attempting xxx through the PSA API will fail. This is generally guaranteed by the test suite `test_suite_psa_crypto_not_supported` with automatically enumerated test cases, so it would be inconvenient to carve out an exception.
+
+### Technical requirements
+
+Based on the preceding analysis, the core of the problem is: for code in the mixed domain (see [“Classification of callers”](#classification-of-callers)), how do we handle a cryptographic mechanism? This has several related subproblems:
+
+* How the mechanism is encoded (e.g. `mbedtls_md_type_t` vs `const *mbedtls_md_info_t` vs `psa_algorithm_t` for hashes).
+* How to decide whether a specific algorithm or key type is supported (eventually based on `MBEDTLS_xxx_C` vs `PSA_WANT_xxx`).
+* How to obtain metadata about algorithms (e.g. hash/MAC/tag size, key size).
+* How to perform the operation (context type, which functions to call).
+
+We need a way to decide this based on the available information:
+
+* Who's the ultimate caller — see [indirect knowledge](#indirect-knowledge) — which is not actually available.
+* Some parameter indicating which algorithm to use.
+* The available cryptographic implementations, based on preprocessor symbols (`MBEDTLS_xxx_C`, `PSA_WANT_xxx`, `MBEDTLS_PSA_ACCEL_xxx`, etc.).
+* Possibly additional runtime state (for example, we might check whether `psa_crypto_init` has been called).
+
+And we need to take care of the [the cases where PSA is not possible](#why-psa-is-not-always-possible): either make sure the current behavior is preserved, or (where allowed by backward compatibility) document a behavior change and, preferably, a workaround.
+
+### Working through an example: RSA-PSS
+
+Let us work through the example of RSA-PSS which calculates a hash, as in [see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
+
+RSA is in the [mixed domain](#classification-of-callers). So:
+
+* When called from `psa_sign_hash` and other PSA functions, it must call the PSA hash accelerator if there is one.
+* When called from user code, it must call the built-in hash implementation if PSA is not available (regardless of whether this is because `MBEDTLS_PSA_CRYPTO_C` is disabled, or because `PSA_WANT_ALG_xxx` is disabled for this hash, or because there is an accelerator driver which has not been initialized yet).
+
+RSA knows which hash algorithm to use based on a parameter of type `mbedtls_md_type_t`. (More generally, all mixed-domain modules that take an algorithm specification as a parameter take it via a numerical type, except HMAC\_DRBG and HKDF which take a `const mbedtls_md_info_t*` instead, and CMAC which takes a `const mbedtls_cipher_info_t *`.)
+
+#### Double encoding solution
+
+A natural solution is to double up the encoding of hashes in `mbedtls_md_type_t`. Pass `MBEDTLS_MD_SHA256` and `md` will dispatch to the legacy code, pass a new constant `MBEDTLS_MD_SHA256_USE_PSA` and `md` will dispatch through PSA.
+
+This maximally preserves backward compatibility, but then no non-PSA code benefits from PSA accelerators, and there's little potential for removing the software implementation.
+
+#### Availability of hashes in RSA-PSS
+
+Here we try to answer the question: As a caller of RSA-PSS via `rsa.h`, how do I know whether it can use a certain hash?
+
+* For a caller in the legacy domain: if e.g. `MBEDTLS_SHA256_C` is enabled, then I want RSA-PSS to support SHA-256. I don't care about negative support. So `MBEDTLS_SHA256_C` must imply support for RSA-PSS-SHA-256. It must work at all times, regardless of the state of PSA (e.g. drivers not initialized).
+* For a caller in the PSA domain: if e.g. `PSA_WANT_ALG_SHA_256` is enabled, then I want RSA-PSS to support SHA-256, provided that `psa_crypto_init()` has been called. In some limited cases, such as `test_suite_psa_crypto_not_supported` when PSA implements RSA-PSS in software, we care about negative support: if `PSA_WANT_ALG_SHA_256` is disabled then `psa_verify_hash` must reject `PSA_WANT_ALG_SHA_256`. This can be done at the level of PSA before it calls the RSA module, though, so it doesn't have any implication on the RSA module. As far as `rsa.c` is concerned, what matters is that `PSA_WANT_ALG_SHA_256` implies that SHA-256 is supported after `psa_crypto_init()` has been called.
+* For a caller in the mixed domain: requirements depend on the caller. Whatever solution RSA has to determine the availability of algorithms will apply to its caller as well.
+
+Conclusion so far: RSA must be able to do SHA-256 if either `MBEDTLS_SHA256_C` or `PSA_WANT_ALG_SHA_256` is enabled. If only `PSA_WANT_ALG_SHA_256` and not `MBEDTLS_SHA256_C` is enabled (which implies that PSA's SHA-256 comes from an accelerator driver), then SHA-256 only needs to work if `psa_crypto_init()` has been called.
+
+#### More in-depth discussion of compile-time availability determination
+
+The following combinations of compile-time support are possible:
+
+* `MBEDTLS_PSA_CRYPTO_CLIENT`. Then calling PSA may or may not be desirable for performance. There are plausible use cases where only the server has access to an accelerator so it's best to call the server, and plausible use cases where calling the server has overhead that negates the savings from using acceleration, if there are savings at all. In any case, calling PSA only works if the connection to the server has been established, meaning `psa_crypto_init` has been called successfully. In the rest of this case enumeration, assume `MBEDTLS_PSA_CRYPTO_CLIENT` is disabled.
+* No PSA accelerator. Then just call `mbedtls_sha256`, it's all there is, and it doesn't matter (from an API perspective) exactly what call chain leads to it.
+* PSA accelerator, no software implementation. Then we might as well call the accelerator, unless it's important that the call fails. At the time of writing, I can't think of a case where we would want to guarantee that if `MBEDTLS_xxx_C` is not enabled, but xxx is enabled through PSA, then a request to use algorithm xxx through some legacy interface must fail.
+* Both PSA acceleration and the built-in implementation. In this case, we would prefer PSA for the acceleration, but we can only do this if the accelerator driver is working. For hashes, it's enough to assume the driver is initialized; we've [considered requiring hash drivers to work without initialization](https://github.com/Mbed-TLS/mbedtls/pull/6470). For ciphers, this is more complicated because the cipher functions require the keystore, and plausibly a cipher accelerator might want entropy (for side channel countermeasures) which might not be available at boot time.
+
+Note that it's a bit tricky to determine which algorithms are available. In the case where there is a PSA accelerator but no software implementation, we don't want the preprocessor symbols to indicate that the algorithm is available through the legacy domain, only through the PSA domain. What does this mean for the interfaces in the mixed domain? They can't guarantee the availability of the algorithm, but they must try if requested.
+
+### Designing an interface for hashes
+
+In this section, we specify a hash metadata and calculation for the [mixed domain](#classification-of-callers), i.e. code that can be called both from legacy code and from PSA code.
+
+#### Availability of hashes
+
+Generalizing the analysis in [“Availability of hashes in RSA-PSS”](#availability-of-hashes-in-RSA-PSS):
+
+A hash is available through the mixed-domain interface iff either of the following conditions is true:
+
+* A legacy hash interface is available and the hash algorithm is implemented in software.
+* PSA crypto is enabled and the hash algorithm is implemented via PSA.
+
+We could go further and make PSA accelerators available to legacy callers that call any legacy hash interface, e.g. `md.h` or `shaX.h`. There is little point in doing this, however: callers should just use the mixed-domain interface.
+
+#### Implications between legacy availability and PSA availability
+
+* When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, all legacy mechanisms are automatically enabled through PSA. Users can manually enable PSA mechanisms that are available through accelerators but not through legacy, but this is not officially supported (users are not supposed to manually define PSA configuration symbols when `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled).
+* When `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled, there is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator.
+
+It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows saving code size when an accelerator is present.
+
+There is no strong reason to allow mechanisms available through legacy but not PSA when `MBEDTLS_PSA_CRYPTO_C` is enabled. This would only save at best a very small amount of code size in the PSA dispatch code. This may be more desirable when `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled (having a mechanism available only locally and not in the crypto service), but we do not have an explicit request for this and it would be entirely reasonable to forbid it.
+
+In this analysis, we have not found a compelling reason to require all legacy mechanisms to also be available through PSA. However, this can simplify both the implementation and the use of dispatch code thanks to some simplifying properties:
+
+* Mixed-domain code can call PSA code if it knows that `psa_crypto_init()` has been called, without having to inspect the specifics of algorithm support.
+* Mixed-domain code can assume that PSA buffer calculations work correctly for all algorithms that it supports.
+
+#### Shape of the mixed-domain hash interface
+
+We now need to create an abstraction for mixed-domain hash calculation. (We could not create an abstraction, but that would require every piece of mixed-domain code to replicate the logic here. We went that route in Mbed TLS 3.3, but it made it effectively impossible to get something that works correctly.)
+
+Requirements: given a hash algorithm,
+
+* Obtain some metadata about it (size, block size).
+* Calculate the hash.
+* Set up a multipart operation to calculate the hash. The operation must support update, finish, reset, abort, clone.
+
+The existing interface in `md.h` is close to what we want, but not perfect. What's wrong with it?
+
+* It has an extra step of converting from `mbedtls_md_type_t` to `const mbedtls_md_info_t *`.
+* It includes extra fluff such as names and HMAC. This costs code size.
+* The md module has some legacy baggage dating from when it was more open, which we don't care about anymore. This may cost code size.
+
+These problems are easily solvable.
+
+* `mbedtls_md_info_t` can become a very thin type. We can't remove the extra function call from the source code of callers, but we can make it a very thin abstraction that compilers can often optimize.
+* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
+* We can optimize `md.c` without making API changes to `md.h`.
+
+## Specification
+
+### MD light
+
+https://github.com/Mbed-TLS/mbedtls/pull/6474 implements part of this specification, but it's based on Mbed TLS 3.2, so it needs to be rewritten for 3.3.
+
+#### Definition of MD light
+
+MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
+
+The following things enable MD light automatically in `build_info.h`:
+
+* A [mixed-domain](#classification-of-callers) module that needs to calculate hashes is enabled.
+* `MBEDTLS_MD_C` is enabled.
+
+MD light includes the following types:
+
+* `mbedtls_md_type_t`
+* `mbedtls_md_info_t`
+* `mbedtls_md_context_t`
+
+MD light includes the following functions:
+
+* `mbedtls_md_info_from_type`
+* `mbedtls_md_init`
+* `mbedtls_md_free`
+* `mbedtls_md_setup` — but `hmac` must be 0 if `MBEDTLS_MD_C` is disabled.
+* `mbedtls_md_clone`
+* `mbedtls_md_get_size`
+* `mbedtls_md_get_type`
+* `mbedtls_md_starts`
+* `mbedtls_md_update`
+* `mbedtls_md_finish`
+* `mbedtls_md`
+
+Unlike the full MD, MD light does not support null pointers as `mbedtls_md_context_t *`. At least some functions still need to support null pointers as `const mbedtls_md_info_t *` because this arises when you try to use an unsupported algorithm (`mbedtls_md_info_from_type` returns `NULL`).
+
+#### MD algorithm support macros
+
+For each hash algorithm, `md.h` defines a macro `MBEDTLS_MD_CAN_xxx` whenever the corresponding hash is available through MD light. These macros are only defined when `MBEDTLS_MD_LIGHT` is enabled. Per “[Availability of hashes](#availability-of-hashes)”, `MBEDTLS_MD_CAN_xxx` is enabled if:
+
+* the corresponding `MBEDTLS_xxx_C` is defined; or
+* one of `MBEDTLS_PSA_CRYPTO_C` or `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the corresponding `PSA_WANT_ALG_xxx` is enabled.
+
+Note that some algorithms have different spellings in legacy and PSA. Since MD is a legacy interface, we'll use the legacy names. Thus, for example:
+
+```
+#if defined(MBEDTLS_MD_LIGHT)
+#if defined(MBEDTLS_SHA256_C) || \
+ ((defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)) && \
+ PSA_WANT_ALG_SHA_256)
+#define MBEDTLS_MD_CAN_SHA256
+#endif
+#endif
+```
+
+#### MD light internal support macros
+
+* If at least one hash has a PSA driver, define `MBEDTLS_MD_SOME_PSA`.
+* If at least one hash has a legacy implementation, defined `MBEDTLS_MD_SOME_LEGACY`.
+
+#### Support for PSA in the MD context
+
+An MD context needs to contain either a legacy module's context (or a pointer to one, as is the case now), or a PSA context (or a pointer to one).
+
+I am inclined to remove the pointer indirection, but this means that an MD context would always be as large as the largest supported hash context. So for the time being, this specification keeps a pointer. For uniformity, PSA will also have a pointer (we may simplify this later).
+
+```
+enum {
+ MBEDTLS_MD_ENGINE_LEGACY,
+ MBEDTLS_MD_ENGINE_PSA,
+} mbedtls_md_engine_t; // private type
+
+typedef struct mbedtls_md_context_t {
+ const mbedtls_md_type_t type;
+ const mbedtls_md_engine_t engine;
+ union {
+#if defined(MBEDTLS_MD_SOME_LEGACY)
+ void *legacy; // used if engine == LEGACY
+#endif
+#if defined(MBEDTLS_MD_SOME_PSA)
+ psa_hash_operation_t *psa; // used if engine == PSA
+#endif
+ } digest;
+#if defined(MBEDTLS_MD_C)
+ void *hmac_ctx;
+#endif
+} mbedtls_md_context_t;
+```
+
+All fields are private.
+
+The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
+
+#### Inclusion of MD info structures
+
+MD light needs to support hashes that are only enabled through PSA. Therefore the `mbedtls_md_info_t` structures must be included based on `MBEDTLS_MD_CAN_xxx` instead of just the legacy module.
+
+The same criterion applies in `mbedtls_md_info_from_type`.
+
+#### Conversion to PSA encoding
+
+The implementation needs to convert from a legacy type encoding to a PSA encoding.
+
+```
+static inline psa_algorithm_t psa_alg_of_md_info(
+ const mbedtls_md_info_t *md_info );
+```
+
+#### Determination of PSA support at runtime
+
+```
+int psa_can_do_hash(psa_algorithm_t hash_alg);
+```
+
+The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
+
+As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
+
+Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
+
+#### Support for PSA dispatch in hash operations
+
+Each function that performs some hash operation or context management needs to know whether to dispatch via PSA or legacy.
+
+If given an established context, use its `engine` field.
+
+If given an algorithm as an `mbedtls_md_type_t type` (possibly being the `type` field of a `const mbedtls_md_info_t *`):
+
+* If there is a PSA accelerator for this hash and `psa_can_do_hash(alg)`, call the corresponding PSA function, and if applicable set the engine to `MBEDTLS_MD_ENGINE_PSA`. (Skip this is `MBEDTLS_MD_SOME_PSA` is not defined.)
+* Otherwise dispatch to the legacy module based on the type as currently done. (Skip this is `MBEDTLS_MD_SOME_LEGACY` is not defined.)
+* If no dispatch is possible, return `MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE`.
+
+Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress. Document this.
+
+#### Error code conversion
+
+After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code. This function is currently defined in `hash_info.c`.
+
+### Migration to MD light
+
+#### Migration of modules that used to call MD and now do the legacy-or-PSA dance
+
+Get rid of the case where `MBEDTLS_MD_C` is undefined. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of modules that used to call a low-level hash module and now do the legacy-or-PSA dance
+
+Switch to calling MD (light) unconditionally. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of modules that call a low-level hash module
+
+Switch to calling MD (light). Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of use-PSA mixed code
+
+Instead of calling `hash_info.h` functions to obtain metadata, get it from `md.h`.
+
+Optionally, code that currently tests on `MBEDTLS_USE_PSA_CRYPTO` just to determine whether to call MD or PSA to calculate hashes can switch to just having the MD variant.
+
+#### Remove `legacy_or_psa.h`
+
+It's no longer used.
+
+### Support all legacy algorithms in PSA
+
+As discussed in [“Implications between legacy availability and PSA availability”](#implications-between-legacy-availability-and-psa-availability), we require the following property:
+
+> If an algorithm has a legacy implementation, it is also available through PSA.
+
+When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, this is already the case. When is enabled, we will now make it so as well. Change `include/mbedtls/config_psa.h` accordingly.
+
+### MD light optimizations
+
+This section is not necessary to implement MD light, but will cut down its code size.
+
+#### Split names out of MD light
+
+Remove hash names from `mbedtls_md_info_t`. Use a simple switch-case or a separate list to implement `mbedtls_md_info_from_string` and `mbedtls_md_get_name`.
+
+#### Remove metadata from the info structure
+
+In `mbedtls_md_get_size` and in modules that want a hash's block size, instead of looking up hash metadata in the info structure, call the PSA macros.
+
+#### Optimize type conversions
+
+To allow optimizing conversions between `mbedtls_md_type_t` and `psa_algorithm_t`, renumber the `mbedtls_md_type_t` enum so that the values are the 8 lower bits of the PSA encoding.
+
+With this optimization,
+```
+static inline psa_algorithm_t psa_alg_of_md_info(
+ const mbedtls_md_info_t *md_info )
+{
+ if( md_info == NULL )
+ return( PSA_ALG_NONE );
+ return( PSA_ALG_CATEGORY_HASH | md_info->type );
+}
+```
+
+Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
+
+#### Get rid of the hash_info module
+
+The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used.
+
+#### Unify HMAC with PSA
+
+PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
+
+### Improving support for `MBEDTLS_PSA_CRYPTO_CLIENT`
+
+So far, MD light only dispatches to PSA if an algorithm is available via `MBEDTLS_PSA_CRYPTO_C`, not if it's available via `MBEDTLS_PSA_CRYPTO_CLIENT`. This is acceptable because `MBEDTLS_USE_PSA_CRYPTO` requires `MBEDTLS_PSA_CRYPTO_C`, hence mixed-domain code never invokes PSA.
+
+The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a little extra work. Here is an overview of the task breakdown, which should be fleshed up after we've done the first [migration](#migration-to-md-light):
+
+* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
+* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile
index 0c744da..c33c7e3 100644
--- a/doxygen/mbedtls.doxyfile
+++ b/doxygen/mbedtls.doxyfile
@@ -27,3 +27,18 @@
DOT_GRAPH_MAX_NODES = 200
MAX_DOT_GRAPH_DEPTH = 1000
DOT_TRANSPARENT = YES
+
+# We mostly use \retval declarations to document which error codes a function
+# can return. The reader can follow the hyperlink to the definition of the
+# constant to get the generic documentation of that error code. If we don't
+# have anything to say about the specific error code for the specific
+# function, we can leave the description part of the \retval command blank.
+# This is perfectly valid as far as Doxygen is concerned. However, with
+# Clang >=15, the -Wdocumentation option emits a warning for empty
+# descriptions.
+# https://github.com/Mbed-TLS/mbedtls/issues/6960
+# https://github.com/llvm/llvm-project/issues/60315
+# As a workaround, you can write something like
+# \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+# This avoids writing redundant text and keeps Clang happy.
+ALIASES += emptydescription=""
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index e8fb2de..b1d4b88 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -63,7 +63,7 @@
#if !defined(MBEDTLS_MPI_WINDOW_SIZE)
/*
- * Maximum window size used for modular exponentiation. Default: 6
+ * Maximum window size used for modular exponentiation. Default: 2
* Minimum value: 1. Maximum value: 6.
*
* Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
@@ -71,7 +71,7 @@
*
* Reduction in size, reduces speed.
*/
-#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */
#endif /* !MBEDTLS_MPI_WINDOW_SIZE */
#if !defined(MBEDTLS_MPI_MAX_SIZE)
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 9847a68..c5d9701 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -222,6 +222,134 @@
void *p_rng_blind);
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note The deterministic version implemented in
+ * mbedtls_ecdsa_sign_det_restartable() is usually
+ * preferred.
+ *
+ * \note This function is like \c mbedtls_ecdsa_sign() but
+ * it can return early and restart according to the
+ * limit set with \c mbedtls_ecp_set_max_ops() to
+ * reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note This function is like \c
+ * mbedtls_ecdsa_sign_det_ext() but it can return
+ * early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
/**
* \brief This function verifies the ECDSA signature of a
* previously-hashed message.
@@ -257,6 +385,51 @@
const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
const mbedtls_mpi *s);
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/**
+ * \brief This function verifies the ECDSA signature of a
+ * previously-hashed message, in a restartable manner
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.4, step 3.
+ *
+ * \see ecp.h
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param buf The hashed content that was signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param Q The public key to use for verification. This must be
+ * initialized and setup.
+ * \param r The first integer of the signature.
+ * This must be initialized.
+ * \param s The second integer of the signature.
+ * This must be initialized.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
/**
* \brief This function computes the ECDSA signature and writes it
* to a buffer, serialized as defined in <em>RFC-4492:
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 18b37a9..b6144d9 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -141,6 +141,15 @@
MBEDTLS_ECP_TYPE_MONTGOMERY, /* y^2 = x^3 + a x^2 + x */
} mbedtls_ecp_curve_type;
+/*
+ * Curve modulus types
+ */
+typedef enum {
+ MBEDTLS_ECP_MOD_NONE = 0,
+ MBEDTLS_ECP_MOD_COORDINATE,
+ MBEDTLS_ECP_MOD_SCALAR
+} mbedtls_ecp_modulus_type;
+
/**
* Curve information, for use by other modules.
*
@@ -419,11 +428,22 @@
}
mbedtls_ecp_keypair;
-/*
- * Point formats, from RFC 4492's enum ECPointFormat
+/**
+ * The uncompressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
*/
-#define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format. */
-#define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format. */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED 0
+/**
+ * The compressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ *
+ * \warning While this format is supported for all concerned curves for
+ * writing, when it comes to parsing, it is not supported for all
+ * curves. Specifically, parsing compressed points on
+ * MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
+ * supported.
+ */
+#define MBEDTLS_ECP_PF_COMPRESSED 1
/*
* Some other constants from RFC 4492
@@ -461,6 +481,12 @@
* only enabled for specific sides and key exchanges
* (currently only for clients and ECDHE-ECDSA).
*
+ * \warning Using the PSA interruptible interfaces with keys in local
+ * storage and no accelerator driver will also call this
+ * function to set the values specified via those interfaces,
+ * overwriting values previously set. Care should be taken if
+ * mixing these two interfaces.
+ *
* \param max_ops Maximum number of basic operations done in a row.
* Default: 0 (unlimited).
* Lower (non-zero) values mean ECC functions will block for
@@ -752,6 +778,9 @@
* belongs to the given group, see mbedtls_ecp_check_pubkey()
* for that.
*
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
* \param grp The group to which the point should belong.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h
index 9ae51c9..b874995 100644
--- a/include/mbedtls/mbedtls_config.h
+++ b/include/mbedtls/mbedtls_config.h
@@ -3559,7 +3559,7 @@
* comment in the specific module. */
/* MPI / BIGNUM options */
-//#define MBEDTLS_MPI_WINDOW_SIZE 6 /**< Maximum window size used. */
+//#define MBEDTLS_MPI_WINDOW_SIZE 2 /**< Maximum window size used. */
//#define MBEDTLS_MPI_MAX_SIZE 1024 /**< Maximum number of bytes for usable MPIs. */
/* CTR_DRBG options */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index fdc1355..0e4ee38 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -846,6 +846,9 @@
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
* specific key type, check the result with mbedtls_pk_can_do().
*
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
* \note The key is also checked for correctness.
*
* \return 0 if successful, or a specific PK or PEM error code
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 5ddd5a3..126eac4 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -136,21 +136,11 @@
mbedtls_pkcs7_signer_info;
/**
- * Structure holding attached data as part of PKCS7 signed data format
- */
-typedef struct mbedtls_pkcs7_data {
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid);
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data);
-}
-mbedtls_pkcs7_data;
-
-/**
* Structure holding the signed data section
*/
typedef struct mbedtls_pkcs7_signed_data {
int MBEDTLS_PRIVATE(version);
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers);
- struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content);
int MBEDTLS_PRIVATE(no_of_certs);
mbedtls_x509_crt MBEDTLS_PRIVATE(certs);
int MBEDTLS_PRIVATE(no_of_crls);
@@ -165,7 +155,6 @@
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid);
mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
}
mbedtls_pkcs7;
@@ -178,7 +167,7 @@
void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7);
/**
- * \brief Parse a single DER formatted pkcs7 content.
+ * \brief Parse a single DER formatted pkcs7 detached signature.
*
* \param pkcs7 The pkcs7 structure to be filled by parser for the output.
* \param buf The buffer holding only the DER encoded pkcs7.
@@ -188,6 +177,7 @@
* \note This function makes an internal copy of the PKCS7 buffer
* \p buf. In particular, \p buf may be destroyed or reused
* after this call returns.
+ * \note Signatures with internal data are not supported.
*
* \return The \c mbedtls_pkcs7_type of \p buf, if successful.
* \return A negative error code on failure.
@@ -207,7 +197,8 @@
* matches.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself.
+ * PKCS7 structure itself, and does not check that the
+ * certificate is signed by a trusted certification authority.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -228,15 +219,15 @@
* \brief Verification of PKCS7 signature against a caller-supplied
* certificate.
*
- * For each signer in the PKCS structure, this function computes
- * a signature over the supplied hash, using the supplied
- * certificate and the same digest algorithm as specified by the
- * signer. It then compares this signature against the
- * signer's signature; verification succeeds if any comparison
- * matches.
+ * For each signer in the PKCS structure, this function
+ * validates a signature over the supplied hash, using the
+ * supplied certificate and the same digest algorithm as
+ * specified by the signer. Verification succeeds if any
+ * signature is good.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself.
+ * PKCS7 structure itself, and does not check that the
+ * certificate is signed by a trusted certification authority.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -244,7 +235,7 @@
* \param hashlen Length of the hash.
*
* \note This function is different from mbedtls_pkcs7_signed_data_verify()
- * in a way that it directly receives the hash of the data.
+ * in that it is directly passed the hash of the data.
*
* \return 0 if the signature verifies, or a negative error code on failure.
*/
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index aa1cd08..bd1947e 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -294,7 +294,7 @@
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
- mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
+ mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only rfc822Name, dnsName and uniformResourceIdentifier are currently supported */
}
san; /**< A union of the supported SAN types */
}
@@ -385,8 +385,9 @@
* \param san The target structure to populate with the parsed presentation
* of the subject alternative name encoded in \p san_raw.
*
- * \note Only "dnsName" and "otherName" of type hardware_module_name
- * as defined in RFC 4180 is supported.
+ * \note Supported GeneralName types, as defined in RFC 5280:
+ * "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
*
* \note This function should be called on a single raw data of
* subject alternative name. For example, after successful
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 187e60a..036282f 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -76,7 +76,7 @@
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2b9b2a2..8dd89fa 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -88,16 +88,16 @@
* initialization may have security implications, for example due to improper
* seeding of the random number generator.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
*/
psa_status_t psa_crypto_init(void);
@@ -368,14 +368,14 @@
* On failure, equivalent to a
* freshly-initialized structure.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -486,7 +486,7 @@
* identifier defined in \p attributes.
* \c 0 on failure.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_HANDLE
* \p source_key is invalid.
* \retval #PSA_ERROR_ALREADY_EXISTS
@@ -502,14 +502,14 @@
* The source key does not have the #PSA_KEY_USAGE_COPY usage flag, or
* the source key is not exportable and its lifetime does not
* allow copying it to the target's lifetime.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -631,14 +631,14 @@
* the key data is not correctly formatted, or
* the size in \p attributes is nonzero and does not match the size
* of the key data.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -718,22 +718,22 @@
* \param[out] data_length On success, the number of bytes
* that make up the key data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* The key does not have the #PSA_KEY_USAGE_EXPORT flag.
- * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p data buffer is too small. You can determine a
* sufficient buffer size by calling
* #PSA_EXPORT_KEY_OUTPUT_SIZE(\c type, \c bits)
* where \c type is the key type
* and \c bits is the key size in bits.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -793,22 +793,22 @@
* \param[out] data_length On success, the number of bytes
* that make up the key data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key is neither a public key nor a key pair.
- * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p data buffer is too small. You can determine a
* sufficient buffer size by calling
* #PSA_EXPORT_KEY_OUTPUT_SIZE(#PSA_KEY_TYPE_PUBLIC_KEY_OF_KEY_PAIR(\c type), \c bits)
* where \c type is the key type
* and \c bits is the key size in bits.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -846,13 +846,13 @@
* Success.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a hash algorithm.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p hash_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -884,10 +884,10 @@
* \p alg is not supported or is not a hash algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p input_length or \p hash_length do not match the hash size for \p alg
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -977,10 +977,10 @@
* \p alg is not a supported hash algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p alg is not a hash algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1003,10 +1003,10 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1049,10 +1049,10 @@
* The size of the \p hash buffer is too small. You can determine a
* sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
* where \c alg is the hash algorithm that is calculated.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1090,10 +1090,10 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The hash of the message was calculated successfully, but it
* differs from the expected hash.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1120,10 +1120,10 @@
*
* \param[in,out] operation Initialized hash operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -1146,11 +1146,11 @@
* \param[in,out] target_operation The operation object to set up.
* It must be initialized but not active.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The \p source_operation state is not valid (it must be active), or
* the \p target_operation state is not valid (it must be inactive), or
@@ -1190,18 +1190,18 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p mac_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_STORAGE_FAILURE
* The key could not be retrieved from storage.
* \retval #PSA_ERROR_BAD_STATE
@@ -1233,16 +1233,16 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The MAC of the message was calculated successfully, but it
* differs from the expected value.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_STORAGE_FAILURE
* The key could not be retrieved from storage.
* \retval #PSA_ERROR_BAD_STATE
@@ -1338,16 +1338,16 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_STORAGE_FAILURE
* The key could not be retrieved from storage.
* \retval #PSA_ERROR_BAD_STATE
@@ -1400,16 +1400,16 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \c key is not compatible with \c alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \c alg is not supported or is not a MAC algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_STORAGE_FAILURE
* The key could not be retrieved from storage.
* \retval #PSA_ERROR_BAD_STATE
@@ -1437,11 +1437,11 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1485,11 +1485,11 @@
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p mac buffer is too small. You can determine a
* sufficient buffer size by calling PSA_MAC_LENGTH().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active mac sign
* operation), or the library has not been previously initialized
@@ -1528,11 +1528,11 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The MAC of the message was calculated successfully, but it
* differs from the expected MAC.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active mac verify
* operation), or the library has not been previously initialized
@@ -1560,10 +1560,10 @@
*
* \param[in,out] operation Initialized MAC operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -1599,18 +1599,18 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -1646,18 +1646,18 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -1753,17 +1753,17 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1816,17 +1816,17 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not a cipher algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1859,11 +1859,11 @@
* Success.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p iv buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, with no IV set),
* or the library has not been previously initialized
@@ -1900,11 +1900,11 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size of \p iv is not acceptable for the chosen algorithm,
* or the chosen algorithm does not use an IV.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active cipher
* encrypt operation, with no IV set), or the library has not been
@@ -1941,11 +1941,11 @@
* Success.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, with an IV set
* if required for the algorithm), or the library has not been
@@ -1993,11 +1993,11 @@
* padding, and the ciphertext does not contain valid padding.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, with an IV set
* if required for the algorithm), or the library has not been
@@ -2026,10 +2026,10 @@
*
* \param[in,out] operation Initialized cipher operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2082,23 +2082,23 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p ciphertext_size is too small.
* #PSA_AEAD_ENCRYPT_OUTPUT_SIZE(\c key_type, \p alg,
* \p plaintext_length) or
* #PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(\p plaintext_length) can be used to
* determine the required buffer size.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2153,25 +2153,25 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The ciphertext is not authentic.
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p plaintext_size is too small.
* #PSA_AEAD_DECRYPT_OUTPUT_SIZE(\c key_type, \p alg,
* \p ciphertext_length) or
* #PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(\p ciphertext_length) can be used
* to determine the required buffer size.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2280,16 +2280,16 @@
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or
* the library has not been previously initialized by psa_crypto_init().
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_STORAGE_FAILURE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2344,17 +2344,17 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p key is not compatible with \p alg.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported or is not an AEAD algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or the
* library has not been previously initialized by psa_crypto_init().
@@ -2388,11 +2388,11 @@
* Success.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p nonce buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active aead encrypt
* operation, with no nonce set), or the library has not been
@@ -2428,11 +2428,11 @@
* Success.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size of \p nonce is not acceptable for the chosen algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, with no nonce
* set), or the library has not been previously initialized
@@ -2473,10 +2473,10 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* At least one of the lengths is not acceptable for the chosen
* algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, and
* psa_aead_update_ad() and psa_aead_update() must not have been
@@ -2520,11 +2520,11 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The total input length overflows the additional data length that
* was previously specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, have a nonce
* set, have lengths set if required by the algorithm, and
@@ -2605,11 +2605,11 @@
* specified with psa_aead_set_lengths(), or
* the total input length overflows the plaintext length that
* was previously specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, have a nonce
* set, and have lengths set if required by the algorithm), or the
@@ -2691,11 +2691,11 @@
* the total length of input to psa_aead_update() so far is
* less than the plaintext length that was previously
* specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active encryption
* operation with a nonce set), or the library has not been previously
@@ -2774,11 +2774,11 @@
* the total length of input to psa_aead_update() so far is
* less than the plaintext length that was previously
* specified with psa_aead_set_lengths().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active decryption
* operation with a nonce set), or the library has not been previously
@@ -2809,10 +2809,10 @@
*
* \param[in,out] operation Initialized AEAD operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2858,8 +2858,8 @@
* \param[out] signature_length On success, the number of bytes that make up
* the returned signature value.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
* or it does not permit the requested algorithm.
@@ -2869,16 +2869,16 @@
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2914,23 +2914,23 @@
* \param[out] signature Buffer containing the signature to verify.
* \param[in] signature_length Size of the \p signature buffer in bytes.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* The key does not have the #PSA_KEY_USAGE_SIGN_MESSAGE flag,
* or it does not permit the requested algorithm.
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed signature
* is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -2967,23 +2967,23 @@
* \param[out] signature_length On success, the number of bytes
* that make up the returned signature value.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p signature buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3023,18 +3023,18 @@
*
* \retval #PSA_SUCCESS
* The signature is valid.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed
* signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3076,23 +3076,23 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3136,24 +3136,24 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_INVALID_PADDING
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3263,11 +3263,11 @@
* \c alg is not a key derivation algorithm.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \c alg is not supported or is not a key derivation algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive), or
* the library has not been previously initialized by psa_crypto_init().
@@ -3287,10 +3287,10 @@
* \param[in] operation The operation to query.
* \param[out] capacity On success, the capacity of the operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or
* the library has not been previously initialized by psa_crypto_init().
@@ -3311,14 +3311,14 @@
* It must be less or equal to the operation's
* current capacity.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p capacity is larger than the operation's current capacity.
* In this case, the operation object remains valid and its capacity
* remains unchanged.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active), or the
* library has not been previously initialized by psa_crypto_init().
@@ -3367,11 +3367,11 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step is not compatible with the operation's algorithm, or
* \c step does not allow direct inputs.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid for this input \p step, or
* the library has not been previously initialized by psa_crypto_init().
@@ -3410,11 +3410,11 @@
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step is not compatible with the operation's algorithm, or
* \c step does not allow numeric inputs.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid for this input \p step, or
* the library has not been previously initialized by psa_crypto_init().
@@ -3468,7 +3468,7 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* The key allows neither #PSA_KEY_USAGE_DERIVE nor
* #PSA_KEY_USAGE_VERIFY_DERIVATION, or it doesn't allow this
@@ -3477,11 +3477,11 @@
* \c step is not compatible with the operation's algorithm, or
* \c step does not allow key inputs of the given type
* or does not allow key inputs at all.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid for this input \p step, or
* the library has not been previously initialized by psa_crypto_init().
@@ -3536,8 +3536,8 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \c private_key is not compatible with \c alg,
* or \p peer_key is not valid for \c alg or not compatible with
@@ -3545,11 +3545,11 @@
* from a key agreement.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \c alg is not supported or is not a key derivation algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid for this key agreement \p step,
* or the library has not been previously initialized by psa_crypto_init().
@@ -3580,7 +3580,7 @@
* \param[out] output Buffer where the output will be written.
* \param output_length Number of bytes to output.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* One of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_DERIVE.
@@ -3591,11 +3591,11 @@
* The operation's capacity is set to 0, thus
* subsequent calls to this function will not
* succeed, even with a smaller output buffer.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active and completed
* all required input steps), or the library has not been previously
@@ -3738,14 +3738,14 @@
* #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a
* key; or one of the inputs was a key whose policy didn't allow
* #PSA_KEY_USAGE_DERIVE.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active and completed
* all required input steps), or the library has not been previously
@@ -3786,7 +3786,7 @@
* \param output_length Length of the expected output; this is also the
* number of bytes that will be read.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The output was read successfully, but it differs from the expected
* output.
@@ -3799,11 +3799,11 @@
* the operation's capacity is set to 0, thus
* subsequent calls to this function will not
* succeed, even with a smaller expected output.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active and completed
* all required input steps), or the library has not been previously
@@ -3845,7 +3845,7 @@
* computed by a previous call to
* psa_key_derivation_output_key().
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The output was read successfully, but if differs from the expected
* output.
@@ -3863,11 +3863,11 @@
* the operation's capacity is set to 0, thus
* subsequent calls to this function will not
* succeed, even with a smaller expected output.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active and completed
* all required input steps), or the library has not been previously
@@ -3893,10 +3893,10 @@
*
* \param[in,out] operation The operation to abort.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3934,8 +3934,8 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p alg is not a key agreement algorithm, or
* \p private_key is not compatible with \p alg,
@@ -3945,11 +3945,11 @@
* \p output_size is too small
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -3981,13 +3981,13 @@
* \param[out] output Output buffer for the generated data.
* \param output_size Number of bytes to generate and output.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -4024,17 +4024,17 @@
* \retval #PSA_ERROR_ALREADY_EXISTS
* This is an attempt to create a persistent key, and there is
* already a persistent key with the given identifier.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -4045,6 +4045,628 @@
/**@}*/
+/** \defgroup interruptible_hash Interruptible sign/verify hash
+ * @{
+ */
+
+/** The type of the state data structure for interruptible hash
+ * signing operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation =
+ * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_sign_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * operation = psa_sign_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
+
+/** The type of the state data structure for interruptible hash
+ * verification operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation =
+ * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_verify_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * operation = psa_verify_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
+
+/**
+ * \brief Set the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note The time taken to execute a single op is
+ * implementation specific and depends on
+ * software, hardware, the algorithm, key type and
+ * curve chosen. Even within a single operation,
+ * successive ops can take differing amounts of
+ * time. The only guarantee is that lower values
+ * for \p max_ops means functions will block for a
+ * lesser maximum amount of time. The functions
+ * \c psa_sign_interruptible_get_num_ops() and
+ * \c psa_verify_interruptible_get_num_ops() are
+ * provided to help with tuning this value.
+ *
+ * \note This value defaults to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
+ * means the whole operation will be done in one
+ * go, regardless of the number of ops required.
+ *
+ * \note If more ops are needed to complete a
+ * computation, #PSA_OPERATION_INCOMPLETE will be
+ * returned by the function performing the
+ * computation. It is then the caller's
+ * responsibility to either call again with the
+ * same operation context until it returns 0 or an
+ * error code; or to call the relevant abort
+ * function if the answer is no longer required.
+ *
+ * \note The interpretation of \p max_ops is also
+ * implementation defined. On a hard real time
+ * system, this can indicate a hard deadline, as a
+ * real-time system needs a guarantee of not
+ * spending more than X time, however care must be
+ * taken in such an implementation to avoid the
+ * situation whereby calls just return, not being
+ * able to do any actual work within the allotted
+ * time. On a non-real-time system, the
+ * implementation can be more relaxed, but again
+ * whether this number should be interpreted as as
+ * hard or soft limit or even whether a less than
+ * or equals as regards to ops executed in a
+ * single call is implementation defined.
+ *
+ * \note For keys in local storage when no accelerator
+ * driver applies, please see also the
+ * documentation for \c mbedtls_ecp_set_max_ops(),
+ * which is the internal implementation in these
+ * cases.
+ *
+ * \warning With implementations that interpret this number
+ * as a hard limit, setting this number too small
+ * may result in an infinite loop, whereby each
+ * call results in immediate return with no ops
+ * done (as there is not enough time to execute
+ * any), and thus no result will ever be achieved.
+ *
+ * \note This only applies to functions whose
+ * documentation mentions they may return
+ * #PSA_OPERATION_INCOMPLETE.
+ *
+ * \param max_ops The maximum number of ops to be executed in a
+ * single call. This can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is the least amount of work done per call.
+ */
+void psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call. This will return the last
+ * value set by
+ * \c psa_interruptible_set_max_ops() or
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
+ * that function has never been called.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \return Maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ */
+uint32_t psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling
+ * \c psa_sign_hash_interruptible_abort() on
+ * the operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling \c
+ * psa_verify_hash_interruptible_abort() on the
+ * operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c
+ * psa_verify_hash_interruptible_operation_t to
+ * use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a
+ * private key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_complete() is equivalent to
+ * \c psa_sign_hash() but
+ * \c psa_sign_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call \c psa_sign_hash_complete()
+ * repeatedly on the same context after a
+ * successful call to this function until \c
+ * psa_sign_hash_complete() either returns 0 or an
+ * error. \c psa_sign_hash_complete() will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
+ * not permit the requested algorithm.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation has previously been started on this context, and is
+ * still in progress.
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * signing a hash or short message with a private
+ * key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_start() is equivalent to
+ * \c psa_sign_hash() but this function can return
+ * early and resume according to the limit set with
+ * \c psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_sign_hash_start() called with it
+ * first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
+ * key_bits, \c alg) where \c key_type and \c
+ * key_bits are the type and bit-size
+ * respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_sign_hash_start().
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_sign_hash_start() with this operation object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function is the only function that clears
+ * the number of ops completed as part of the
+ * operation. Please ensure you copy this value via
+ * \c psa_sign_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the \p operation structure
+ * itself. Once aborted, the operation object can
+ * be reused for another operation by calling \c
+ * psa_sign_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized. In
+ * particular, calling \c psa_sign_hash_abort()
+ * after the operation has already been terminated
+ * by a call to \c psa_sign_hash_abort() or
+ * psa_sign_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized sign hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short
+ * message, in an interruptible manner.
+ *
+ * \see \c psa_verify_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_complete() is equivalent to
+ * \c psa_verify_hash() but \c
+ * psa_verify_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function.
+ *
+ * \note Users should call \c psa_verify_hash_complete()
+ * repeatedly on the same operation object after a
+ * successful call to this function until \c
+ * psa_verify_hash_complete() either returns 0 or
+ * an error. \c psa_verify_hash_complete() will
+ * return #PSA_OPERATION_INCOMPLETE if there is
+ * more work to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - please call \c
+ * psa_verify_hash_complete() with the same context to complete the
+ * operation.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * Another operation has already been started on this context, and is
+ * still in progress.
+ *
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
+ * not permit the requested algorithm.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * reading and verifying a hash or short message
+ * signed with a private key, in an interruptible
+ * manner.
+ *
+ * \see \c psa_verify_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_start() is equivalent to
+ * \c psa_verify_hash() but this function can
+ * return early and resume according to the limit
+ * set with \c psa_interruptible_set_max_ops() to
+ * reduce the maximum time spent in a function
+ * call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_verify_hash_start() called with it
+ * first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_verify_hash_start().
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_verify_hash_start() on this object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at
+ * any point. It is not bound by the usual interface
+ * stability promises.
+ *
+ * \note This function is the only function that clears the
+ * number of ops completed as part of the operation.
+ * Please ensure you copy this value via
+ * \c psa_verify_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the operation structure
+ * itself. Once aborted, the operation object can be
+ * reused for another operation by calling \c
+ * psa_verify_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized.
+ * In particular, calling \c psa_verify_hash_abort()
+ * after the operation has already been terminated by
+ * a call to \c psa_verify_hash_abort() or
+ * psa_verify_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized verify hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+
+/**@}*/
+
#ifdef __cplusplus
}
#endif
diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index b7f0b11..9f23551 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -107,4 +107,78 @@
#define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
+#include "mbedtls/ecdsa.h"
+
+/* Context structure for the Mbed TLS interruptible sign hash implementation. */
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ size_t MBEDTLS_PRIVATE(coordinate_bytes);
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+} mbedtls_psa_sign_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 }
+#else
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+/* Context structure for the Mbed TLS interruptible verify hash
+ * implementation.*/
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+ mbedtls_mpi MBEDTLS_PRIVATE(r);
+ mbedtls_mpi MBEDTLS_PRIVATE(s);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+
+} mbedtls_psa_verify_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \
+ { 0 } }
+#else
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+
+
#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h
index 97e6584..3544f96 100644
--- a/include/psa/crypto_compat.h
+++ b/include/psa/crypto_compat.h
@@ -105,11 +105,11 @@
* permission to access it. Note that this specification does not
* define any way to create such a key, but it may be possible
* through implementation-specific means.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -149,8 +149,8 @@
* \p handle was a valid handle or \c 0. It is now closed.
* \retval #PSA_ERROR_INVALID_HANDLE
* \p handle is not a valid handle nor \c 0.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h
index bcd000e..1b95814 100644
--- a/include/psa/crypto_driver_contexts_composites.h
+++ b/include/psa/crypto_driver_contexts_composites.h
@@ -114,5 +114,15 @@
#endif
} psa_driver_aead_context_t;
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_sign_hash_interruptible_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_verify_hash_interruptible_context_t;
+
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
/* End of automatically generated file. */
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index bd1b5af..582d942 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -189,12 +189,12 @@
* or the specified slot number is not valid.
* \retval #PSA_ERROR_NOT_PERMITTED
* The caller is not authorized to register the specified key slot.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -491,10 +491,10 @@
* according to \p type as described above.
* \param data_length Size of the \p data buffer in bytes.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
psa_key_type_t type,
@@ -521,8 +521,8 @@
* \param[out] data_length On success, the number of bytes
* that make up the key domain parameters data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
*/
psa_status_t psa_get_key_domain_parameters(
const psa_key_attributes_t *attributes,
@@ -1352,8 +1352,8 @@
* compatible with the PAKE algorithm, or the hash algorithm in
* \p cipher_suite is not supported or not compatible with the PAKE
* algorithm and primitive.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid, or
* the library has not been previously initialized by psa_crypto_init().
@@ -1397,11 +1397,11 @@
* \retval #PSA_ERROR_NOT_SUPPORTED
* The key type or key size of \p password is not supported with the
* \p operation's cipher suite.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must have been set up.), or
* the library has not been previously initialized by psa_crypto_init().
@@ -1439,9 +1439,9 @@
* suite.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The value of \p user_id is not supported by the implementation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid, or
* the library has not been previously initialized by psa_crypto_init().
@@ -1480,9 +1480,9 @@
* suite.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The algorithm doesn't associate a second identity with the session.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* Calling psa_pake_set_peer() is invalid with the \p operation's
* algorithm, the operation state is not valid, or the library has not
@@ -1524,8 +1524,8 @@
* The \p role is not a valid PAKE role in the \p operation’s algorithm.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The \p role for this algorithm is not supported or is not valid.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid, or
* the library has not been previously initialized by psa_crypto_init().
@@ -1575,13 +1575,13 @@
* \p step is not compatible with the operation's algorithm.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p step is not supported with the operation's algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, and fully set
* up, and this call must conform to the algorithm's requirements
@@ -1631,12 +1631,12 @@
* \p step p is not supported with the \p operation's algorithm, or the
* \p input is not supported for the \p operation's algorithm, cipher
* suite or \p step.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active, and fully set
* up, and this call must conform to the algorithm's requirements
@@ -1691,12 +1691,12 @@
* \retval #PSA_ERROR_NOT_SUPPORTED
* Input from a PAKE is not supported by the algorithm in the \p output
* key derivation operation.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The PAKE operation state is not valid (it must be active, but beyond
* that validity is specific to the algorithm), or
@@ -1728,8 +1728,8 @@
*
* \retval #PSA_SUCCESS
* Success.
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
index a052789..9ae631f 100644
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@@ -385,8 +385,8 @@
* \param[in] direction Indicates whether the operation is an encrypt
* or decrypt
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
*/
typedef psa_status_t (*psa_drv_se_cipher_setup_t)(psa_drv_se_context_t *drv_context,
void *op_context,
@@ -407,7 +407,7 @@
* \param[in] p_iv A buffer containing the initialization vector
* \param[in] iv_length The size (in bytes) of the `p_iv` buffer
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_cipher_set_iv_t)(void *op_context,
const uint8_t *p_iv,
@@ -429,7 +429,7 @@
* \param[out] p_output_length After completion, will contain the number
* of bytes placed in the `p_output` buffer
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_cipher_update_t)(void *op_context,
const uint8_t *p_input,
@@ -450,7 +450,7 @@
* \param[out] p_output_length After completion, will contain the number of
* bytes placed in the `p_output` buffer
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_cipher_finish_t)(void *op_context,
uint8_t *p_output,
@@ -485,8 +485,8 @@
* \param[in] output_size The allocated size in bytes of the `p_output`
* buffer
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
*/
typedef psa_status_t (*psa_drv_se_cipher_ecb_t)(psa_drv_se_context_t *drv_context,
psa_key_slot_number_t key_slot,
@@ -554,7 +554,7 @@
* \param[out] p_signature_length On success, the number of bytes
* that make up the returned signature value
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_asymmetric_sign_t)(psa_drv_se_context_t *drv_context,
psa_key_slot_number_t key_slot,
@@ -618,7 +618,7 @@
* \param[out] p_output_length On success, the number of bytes that make up
* the returned output
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_asymmetric_encrypt_t)(psa_drv_se_context_t *drv_context,
psa_key_slot_number_t key_slot,
@@ -658,7 +658,7 @@
* \param[out] p_output_length On success, the number of bytes
* that make up the returned output
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_asymmetric_decrypt_t)(psa_drv_se_context_t *drv_context,
psa_key_slot_number_t key_slot,
@@ -904,8 +904,8 @@
* Success.
* The core will record \c *key_slot as the key slot where the key
* is stored and will update the persistent data in storage.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
*/
typedef psa_status_t (*psa_drv_se_allocate_key_t)(
psa_drv_se_context_t *drv_context,
@@ -1043,13 +1043,13 @@
* \param[out] p_data_length On success, the number of bytes
* that make up the key data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * \retval #PSA_ERROR_NOT_PERMITTED
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
typedef psa_status_t (*psa_drv_se_export_key_t)(psa_drv_se_context_t *drv_context,
psa_key_slot_number_t key,
@@ -1196,7 +1196,7 @@
* \param[in] source_key The key to be used as the source material for
* the key derivation
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_key_derivation_setup_t)(psa_drv_se_context_t *drv_context,
void *op_context,
@@ -1216,7 +1216,7 @@
* \param[in] p_collateral A buffer containing the collateral data
* \param[in] collateral_size The size in bytes of the collateral
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_key_derivation_collateral_t)(void *op_context,
uint32_t collateral_id,
@@ -1231,7 +1231,7 @@
* \param[in] dest_key The slot where the generated key material
* should be placed
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_key_derivation_derive_t)(void *op_context,
psa_key_slot_number_t dest_key);
@@ -1245,7 +1245,7 @@
* \param[out] p_output_length Upon success, contains the number of bytes of
* key material placed in `p_output`
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
typedef psa_status_t (*psa_drv_se_key_derivation_export_t)(void *op_context,
uint8_t *p_output,
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 7a6caa2..934bc17 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -491,6 +491,66 @@
return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits);
}
+/**
+ * \brief The context for PSA interruptible hash signing.
+ */
+struct psa_sign_hash_interruptible_operation_s {
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+
+static inline struct psa_sign_hash_interruptible_operation_s
+psa_sign_hash_interruptible_operation_init(void)
+{
+ const struct psa_sign_hash_interruptible_operation_s v =
+ PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
+/**
+ * \brief The context for PSA interruptible hash verification.
+ */
+struct psa_verify_hash_interruptible_operation_s {
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+
+static inline struct psa_verify_hash_interruptible_operation_s
+psa_verify_hash_interruptible_operation_init(void)
+{
+ const struct psa_verify_hash_interruptible_operation_s v =
+ PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
#ifdef __cplusplus
}
#endif
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index ee95745..39acd96 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -335,6 +335,13 @@
*/
#define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
+/** The function that returns this status is defined as interruptible and
+ * still has work to do, thus the user should call the function again with the
+ * same operation context until it either returns #PSA_SUCCESS or any other
+ * error. This is not an error per se, more a notification of status.
+ */
+#define PSA_OPERATION_INCOMPLETE ((psa_status_t)-248)
+
/* *INDENT-ON* */
/**@}*/
@@ -2739,4 +2746,18 @@
/**@}*/
+/**@}*/
+
+/** \defgroup interruptible Interruptible operations
+ * @{
+ */
+
+/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine
+ * the maximum number of ops allowed to be executed by an interruptible
+ * function in a single call.
+ */
+#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX
+
+/**@}*/
+
#endif /* PSA_CRYPTO_VALUES_H */
diff --git a/library/bignum.c b/library/bignum.c
index 41b3a26..d3a1b00 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1656,6 +1656,7 @@
size_t window_bitsize;
size_t i, j, nblimbs;
size_t bufsize, nbits;
+ size_t exponent_bits_in_window = 0;
mbedtls_mpi_uint ei, mm, state;
mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
int neg;
@@ -1829,7 +1830,6 @@
nblimbs = E->n;
bufsize = 0;
nbits = 0;
- size_t exponent_bits_in_window = 0;
state = 0;
while (1) {
diff --git a/library/ctr_drbg.c b/library/ctr_drbg.c
index 13fa6d4..acc4208 100644
--- a/library/ctr_drbg.c
+++ b/library/ctr_drbg.c
@@ -98,14 +98,13 @@
if (len > MBEDTLS_CTR_DRBG_MAX_SEED_INPUT) {
return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
}
-#if SIZE_MAX > INT_MAX
+
/* This shouldn't be an issue because
* MBEDTLS_CTR_DRBG_MAX_SEED_INPUT < INT_MAX in any sensible
* configuration, but make sure anyway. */
if (len > INT_MAX) {
return MBEDTLS_ERR_CTR_DRBG_INPUT_TOO_BIG;
}
-#endif
/* For backward compatibility with Mbed TLS <= 2.19, store the
* entropy nonce length in a field that already exists, but isn't
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3ddb82b..eb3c303 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -239,13 +239,13 @@
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
* Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
*/
-static int ecdsa_sign_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret, key_tries, sign_tries;
int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
@@ -394,8 +394,8 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
/* Use the same RNG for both blinding and ephemeral key generation */
- return ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- f_rng, p_rng, f_rng, p_rng, NULL);
+ return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ f_rng, p_rng, f_rng, p_rng, NULL);
}
#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
@@ -406,13 +406,13 @@
* note: The f_rng_blind parameter must not be NULL.
*
*/
-static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_hmac_drbg_context rng_ctx;
@@ -462,9 +462,9 @@
ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng);
#else
- ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- mbedtls_hmac_drbg_random, p_rng,
- f_rng_blind, p_rng_blind, rs_ctx);
+ ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng,
+ f_rng_blind, p_rng_blind, rs_ctx);
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
cleanup:
@@ -487,8 +487,8 @@
size_t),
void *p_rng_blind)
{
- return ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
- f_rng_blind, p_rng_blind, NULL);
+ return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+ f_rng_blind, p_rng_blind, NULL);
}
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@@ -497,11 +497,12 @@
* Verify ECDSA signature of hashed message (SEC1 4.1.4)
* Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
*/
-static int ecdsa_verify_restartable(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *r, const mbedtls_mpi *s,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi e, s_inv, u1, u2;
@@ -610,7 +611,7 @@
const mbedtls_mpi *r,
const mbedtls_mpi *s)
{
- return ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
+ return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
}
#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
@@ -665,9 +666,9 @@
mbedtls_mpi_init(&s);
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, md_alg, f_rng,
- p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, md_alg, f_rng,
+ p_rng, rs_ctx));
#else
(void) md_alg;
@@ -678,9 +679,9 @@
hash, hlen, f_rng, p_rng));
#else
/* Use the same RNG for both blinding and ephemeral key generation */
- MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, f_rng, p_rng, f_rng,
- p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng, f_rng,
+ p_rng, rs_ctx));
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@@ -760,8 +761,8 @@
goto cleanup;
}
#else
- if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen,
- &ctx->Q, &r, &s, rs_ctx)) != 0) {
+ if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s, rs_ctx)) != 0) {
goto cleanup;
}
#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 7987c3f..b352e76 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4570,6 +4570,8 @@
/* Forward declarations */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
static int ecp_mod_p192(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
#endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
static int ecp_mod_p224(mbedtls_mpi *);
@@ -4582,6 +4584,8 @@
#endif
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
static int ecp_mod_p521(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
#endif
#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
@@ -4884,10 +4888,12 @@
}
#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
-#define A(i) N->p + (i) * WIDTH
-#define ADD(i) add64(p, A(i), &c)
+#define A(i) Np + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
#define NEXT p += WIDTH; carry64(p, &c)
#define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
+#define RESET last_carry[0] = c; c = 0; p = Np
+#define ADD_LAST add64(p, last_carry, &c)
/*
* Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
@@ -4895,28 +4901,51 @@
static int ecp_mod_p192(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_uint c = 0;
- mbedtls_mpi_uint *p, *end;
-
- /* Make sure we have enough blocks so that A(5) is legal */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
-
- p = N->p;
- end = p + N->n;
-
- ADD(3); ADD(5); NEXT; // A0 += A3 + A5
- ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
- ADD(4); ADD(5); LAST; // A2 += A4 + A5
+ size_t expected_width = 2 * ((192 + biL - 1) / biL);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
cleanup:
return ret;
}
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
+{
+ mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
+ mbedtls_mpi_uint *p, *end;
+
+ if (Nn != 2*((192 + biL - 1)/biL)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ p = Np;
+ end = p + Nn;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); // A2 += A4 + A5
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+
+ LAST; // A2 += carry
+
+ return 0;
+}
+
#undef WIDTH
#undef A
#undef ADD
#undef NEXT
#undef LAST
+#undef RESET
+#undef ADD_LAST
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
@@ -5162,11 +5191,6 @@
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-/*
- * Here we have an actual Mersenne prime, so things are more straightforward.
- * However, chunks are aligned on a 'weird' boundary (521 bits).
- */
-
/* Size of p521 in terms of mbedtls_mpi_uint */
#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
@@ -5174,48 +5198,81 @@
#define P521_MASK 0x01FF
/*
- * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
- * Write N as A1 + 2^521 A0, return A0 + A1
+ * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
*/
static int ecp_mod_p521(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi M;
- mbedtls_mpi_uint Mp[P521_WIDTH + 1];
- /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
- * we need to hold bits 513 to 1056, which is 34 limbs, that is
- * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
-
- if (N->n < P521_WIDTH) {
- return 0;
- }
-
- /* M = A1 */
- M.s = 1;
- M.n = N->n - (P521_WIDTH - 1);
- if (M.n > P521_WIDTH + 1) {
- M.n = P521_WIDTH + 1;
- }
- M.p = Mp;
- memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
-
- /* N = A0 */
- N->p[P521_WIDTH - 1] &= P521_MASK;
- for (i = P521_WIDTH; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N = A0 + A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
-
+ size_t expected_width = 2 * P521_WIDTH;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
cleanup:
return ret;
}
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ mbedtls_mpi_uint carry = 0;
+
+ if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Step 1: Reduction to P521_WIDTH limbs */
+ /* Helper references for bottom part of X */
+ mbedtls_mpi_uint *X0 = X;
+ size_t X0_limbs = P521_WIDTH;
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint *X1 = X + X0_limbs;
+ size_t X1_limbs = X_limbs - X0_limbs;
+ /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
+ * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
+ * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
+ * The high order limb of the result will be held in carry and the rest
+ * in X0 (that is the result will be represented as
+ * 2^P521_WIDTH carry + X0).
+ *
+ * Also, note that the resulting carry is either 0 or 1:
+ * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
+ * therefore
+ * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
+ * which in turn is less than 2 * 2^(512 + biL).
+ */
+ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
+ carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
+ /* Set X to X0 (by clearing the top part). */
+ memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
+
+ /* Step 2: Reduction modulo P521
+ *
+ * At this point X is reduced to P521_WIDTH limbs. What remains is to add
+ * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
+
+ /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
+ * Also, recall that carry is either 0 or 1. */
+ mbedtls_mpi_uint addend = carry << (biL - 9);
+ /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
+ addend += (X[P521_WIDTH - 1] >> 9);
+ X[P521_WIDTH - 1] &= P521_MASK;
+
+ /* Resuse the top part of X (already zeroed) as a helper array for
+ * carrying out the addition. */
+ mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
+ addend_arr[0] = addend;
+ (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
+ /* Both addends were less than P521 therefore X < 2 * P521. (This also means
+ * that the result fit in P521_WIDTH limbs and there won't be any carry.) */
+
+ /* Clear the reused part of X. */
+ addend_arr[0] = 0;
+
+ return 0;
+}
+
#undef P521_WIDTH
#undef P521_MASK
+
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECP_NIST_OPTIM */
@@ -5477,6 +5534,188 @@
}
#endif /* MBEDTLS_ECP_DP_SECP256K1_ENABLED */
-#endif /* !MBEDTLS_ECP_ALT */
+#if defined(MBEDTLS_TEST_HOOKS)
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_curve_type ctype)
+{
+ mbedtls_mpi_uint *p = NULL;
+ size_t p_limbs;
+ if (!(ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE || \
+ ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_SCALAR)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ switch (id) {
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp192r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp224r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP384R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP521R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp521r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp521r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp521r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP256R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP256R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP256r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP256r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP384R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP384R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP384r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP384r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_BP512R1_ENABLED)
+ case MBEDTLS_ECP_DP_BP512R1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) brainpoolP512r1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(brainpoolP512r1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE25519:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) curve25519_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve25519_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve25519_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP192K1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp192k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp192k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp192k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP224K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP224K1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp224k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp224k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp224k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED)
+ case MBEDTLS_ECP_DP_SECP256K1:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) secp256k1_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_p));
+ } else {
+ p = (mbedtls_mpi_uint *) secp256k1_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(secp256k1_n));
+ }
+ break;
+#endif
+
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case MBEDTLS_ECP_DP_CURVE448:
+ if (ctype == (mbedtls_ecp_curve_type) MBEDTLS_ECP_MOD_COORDINATE) {
+ p = (mbedtls_mpi_uint *) curve448_p;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_p));
+ } else {
+ p = (mbedtls_mpi_uint *) curve448_n;
+ p_limbs = CHARS_TO_LIMBS(sizeof(curve448_n));
+ }
+ break;
+#endif
+
+ default:
+ case MBEDTLS_ECP_DP_NONE:
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ if (mbedtls_mpi_mod_modulus_setup(N, p, p_limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY)) {
+ return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+ }
+ return 0;
+}
+#endif /* MBEDTLS_TEST_HOOKS */
+#endif /* !MBEDTLS_ECP_ALT */
#endif /* MBEDTLS_ECP_C */
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h
index 18815be..aba7cca 100644
--- a/library/ecp_invasive.h
+++ b/library/ecp_invasive.h
@@ -28,6 +28,7 @@
#include "common.h"
#include "mbedtls/bignum.h"
+#include "bignum_mod.h"
#include "mbedtls/ecp.h"
#if defined(MBEDTLS_TEST_HOOKS) && defined(MBEDTLS_ECP_C)
@@ -76,6 +77,69 @@
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+
+/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ *
+ * This operation expects a 384 bit MPI and the result of the reduction
+ * is a 192 bit MPI.
+ *
+ * \param[in,out] Np The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus.
+ * Upon return this holds the reduced value. The bitlength
+ * of the reduced value is the same as that of the modulus
+ * (192 bits).
+ * \param[in] Nn The length of \p Np in limbs.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+
+/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus
+ * (the modulus is 521 bits long). Upon return this
+ * holds the reduced value. The reduced value is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * and its the bitlength is one plus the bitlength
+ * of the modulus.
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
+/** Initialise a modulus with hard-coded const curve data.
+ *
+ * \note The caller is responsible for the \p N modulus' memory.
+ * mbedtls_mpi_mod_modulus_free(&N) should be invoked at the
+ * end of its lifecycle.
+ *
+ * \param[in,out] N The address of the modulus structure to populate.
+ * Must be initialized.
+ * \param[in] id The mbedtls_ecp_group_id for which to initialise the modulus.
+ * \param[in] ctype The mbedtls_ecp_curve_type identifier for a coordinate modulus (P)
+ * or a scalar modulus (N).
+ *
+ * \return \c 0 if successful.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if the given MPIs do not
+ * have the correct number of limbs.
+ *
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_modulus_setup(mbedtls_mpi_mod_modulus *N,
+ const mbedtls_ecp_group_id id,
+ const mbedtls_ecp_curve_type ctype);
+
#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/library/oid.c b/library/oid.c
index e7c1224..86214b2 100644
--- a/library/oid.c
+++ b/library/oid.c
@@ -834,21 +834,55 @@
p = buf;
n = size;
- /* First byte contains first two dots */
- if (oid->len > 0) {
- ret = mbedtls_snprintf(p, n, "%d.%d", oid->p[0] / 40, oid->p[0] % 40);
- OID_SAFE_SNPRINTF;
+ /* First subidentifier contains first two OID components */
+ i = 0;
+ value = 0;
+ if ((oid->p[0]) == 0x80) {
+ /* Overlong encoding is not allowed */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
- value = 0;
- for (i = 1; i < oid->len; i++) {
+ while (i < oid->len && ((oid->p[i] & 0x80) != 0)) {
/* Prevent overflow in value. */
- if (((value << 7) >> 7) != value) {
- return MBEDTLS_ERR_OID_BUF_TOO_SMALL;
+ if (value > (UINT_MAX >> 7)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+
+ value |= oid->p[i] & 0x7F;
+ value <<= 7;
+ i++;
+ }
+ if (i >= oid->len) {
+ return MBEDTLS_ERR_ASN1_OUT_OF_DATA;
+ }
+ /* Last byte of first subidentifier */
+ value |= oid->p[i] & 0x7F;
+ i++;
+
+ unsigned int component1 = value / 40;
+ if (component1 > 2) {
+ /* The first component can only be 0, 1 or 2.
+ * If oid->p[0] / 40 is greater than 2, the leftover belongs to
+ * the second component. */
+ component1 = 2;
+ }
+ unsigned int component2 = value - (40 * component1);
+ ret = mbedtls_snprintf(p, n, "%u.%u", component1, component2);
+ OID_SAFE_SNPRINTF;
+
+ value = 0;
+ for (; i < oid->len; i++) {
+ /* Prevent overflow in value. */
+ if (value > (UINT_MAX >> 7)) {
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
+ }
+ if ((value == 0) && ((oid->p[i]) == 0x80)) {
+ /* Overlong encoding is not allowed */
+ return MBEDTLS_ERR_ASN1_INVALID_DATA;
}
value <<= 7;
- value += oid->p[i] & 0x7F;
+ value |= oid->p[i] & 0x7F;
if (!(oid->p[i] & 0x80)) {
/* Last byte */
diff --git a/library/pk.c b/library/pk.c
index ed3ca41..05afdbc 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -501,11 +501,9 @@
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const mbedtls_pk_rsassa_pss_options *pss_opts;
-#if SIZE_MAX > UINT_MAX
if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif /* SIZE_MAX > UINT_MAX */
if (options == NULL) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index fa296e8..dc7a27f 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -174,11 +174,9 @@
PSA_ALG_RSA_PKCS1V15_SIGN(mbedtls_hash_info_psa_from_md(md_alg));
size_t rsa_len = mbedtls_rsa_get_len(rsa);
-#if SIZE_MAX > UINT_MAX
if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif /* SIZE_MAX > UINT_MAX */
if (sig_len < rsa_len) {
return MBEDTLS_ERR_RSA_VERIFY_FAILED;
@@ -230,11 +228,9 @@
mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
size_t rsa_len = mbedtls_rsa_get_len(rsa);
-#if SIZE_MAX > UINT_MAX
if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif /* SIZE_MAX > UINT_MAX */
if (sig_len < rsa_len) {
return MBEDTLS_ERR_RSA_VERIFY_FAILED;
@@ -345,11 +341,9 @@
{
mbedtls_rsa_context *rsa = (mbedtls_rsa_context *) ctx;
-#if SIZE_MAX > UINT_MAX
if (md_alg == MBEDTLS_MD_NONE && UINT_MAX < hash_len) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif /* SIZE_MAX > UINT_MAX */
*sig_len = mbedtls_rsa_get_len(rsa);
if (sig_size < *sig_len) {
@@ -1330,11 +1324,9 @@
{
mbedtls_rsa_alt_context *rsa_alt = (mbedtls_rsa_alt_context *) ctx;
-#if SIZE_MAX > UINT_MAX
if (UINT_MAX < hash_len) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
-#endif /* SIZE_MAX > UINT_MAX */
*sig_len = rsa_alt->key_len_func(rsa_alt->key);
if (*sig_len > MBEDTLS_PK_SIGNATURE_MAX_SIZE) {
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 4fdbe36..010d706 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -57,7 +57,10 @@
ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
if (ret != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ } else if ((size_t) (end - *p) != *len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return ret;
@@ -184,13 +187,13 @@
size_t len2 = 0;
unsigned char *end_set, *end_cert, *start;
- if ((ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0) {
- if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
- return 0;
- } else {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
- }
+ ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return 0;
+ }
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
start = *p;
end_set = *p + len1;
@@ -213,12 +216,11 @@
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
- *p = start;
- if ((ret = mbedtls_x509_crt_parse_der(certs, *p, len1)) < 0) {
+ if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
return MBEDTLS_ERR_PKCS7_INVALID_CERT;
}
- *p = *p + len1;
+ *p = end_cert;
/*
* Since in this version we strictly support single certificate, and reaching
@@ -285,7 +287,8 @@
* and unauthenticatedAttributes.
**/
static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
- mbedtls_pkcs7_signer_info *signer)
+ mbedtls_pkcs7_signer_info *signer,
+ mbedtls_x509_buf *alg)
{
unsigned char *end_signer, *end_issuer_and_sn;
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -343,8 +346,15 @@
goto out;
}
- /* Assume authenticatedAttributes is nonexistent */
+ /* Check that the digest algorithm used matches the one provided earlier */
+ if (signer->alg_identifier.tag != alg->tag ||
+ signer->alg_identifier.len != alg->len ||
+ memcmp(signer->alg_identifier.p, alg->p, alg->len) != 0) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+ goto out;
+ }
+ /* Asssume authenticatedAttributes is nonexistent */
ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier);
if (ret != 0) {
goto out;
@@ -377,7 +387,8 @@
* Return negative error code for failure.
**/
static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
- mbedtls_pkcs7_signer_info *signers_set)
+ mbedtls_pkcs7_signer_info *signers_set,
+ mbedtls_x509_buf *digest_alg)
{
unsigned char *end_set;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -397,7 +408,7 @@
end_set = *p + len;
- ret = pkcs7_get_signer_info(p, end_set, signers_set);
+ ret = pkcs7_get_signer_info(p, end_set, signers_set, digest_alg);
if (ret != 0) {
return ret;
}
@@ -412,7 +423,7 @@
goto cleanup;
}
- ret = pkcs7_get_signer_info(p, end_set, signer);
+ ret = pkcs7_get_signer_info(p, end_set, signer, digest_alg);
if (ret != 0) {
mbedtls_free(signer);
goto cleanup;
@@ -454,7 +465,7 @@
{
unsigned char *p = buf;
unsigned char *end = buf + buflen;
- unsigned char *end_set, *end_content_info;
+ unsigned char *end_content_info = NULL;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_alg;
@@ -465,16 +476,19 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
- end_set = p + len;
+ if (p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
/* Get version of signed data */
- ret = pkcs7_get_version(&p, end_set, &signed_data->version);
+ ret = pkcs7_get_version(&p, end, &signed_data->version);
if (ret != 0) {
return ret;
}
/* Get digest algorithm */
- ret = pkcs7_get_digest_algorithm_set(&p, end_set,
+ ret = pkcs7_get_digest_algorithm_set(&p, end,
&signed_data->digest_alg_identifiers);
if (ret != 0) {
return ret;
@@ -485,12 +499,15 @@
return MBEDTLS_ERR_PKCS7_INVALID_ALG;
}
- /* Do not expect any content */
- ret = pkcs7_get_content_info_type(&p, end_set, &end_content_info,
- &signed_data->content.oid);
+ mbedtls_pkcs7_buf content_type;
+ memset(&content_type, 0, sizeof(content_type));
+ ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type);
if (ret != 0) {
return ret;
}
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+ return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
+ }
if (p != end_content_info) {
/* Determine if valid content is present */
@@ -509,13 +526,9 @@
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) {
- return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
- }
-
/* Look for certificates, there may or may not be any */
mbedtls_x509_crt_init(&signed_data->certs);
- ret = pkcs7_get_certificates(&p, end_set, &signed_data->certs);
+ ret = pkcs7_get_certificates(&p, end, &signed_data->certs);
if (ret < 0) {
return ret;
}
@@ -531,7 +544,10 @@
signed_data->no_of_crls = 0;
/* Get signers info */
- ret = pkcs7_get_signers_info_set(&p, end_set, &signed_data->signers);
+ ret = pkcs7_get_signers_info_set(&p,
+ end,
+ &signed_data->signers,
+ &signed_data->digest_alg_identifiers);
if (ret < 0) {
return ret;
}
@@ -550,10 +566,9 @@
const size_t buflen)
{
unsigned char *p;
- unsigned char *end, *end_content_info;
+ unsigned char *end;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int isoidset = 0;
if (pkcs7 == NULL) {
return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
@@ -569,34 +584,45 @@
pkcs7->raw.len = buflen;
end = p + buflen;
- ret = pkcs7_get_content_info_type(&p, end, &end_content_info,
- &pkcs7->content_type_oid);
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ goto out;
+ }
+
+ if ((size_t) (end - p) != len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto out;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ goto out;
+ }
+ p = pkcs7->raw.p;
len = buflen;
goto try_data;
}
- /* Ensure PKCS7 data uses the exact number of bytes specified in buflen */
- if (end_content_info != end) {
- ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) {
+ /* OID is not MBEDTLS_OID_PKCS7_SIGNED_DATA, which is the only supported feature */
+ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) {
+ /* OID is valid according to the spec, but unsupported */
+ ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ } else {
+ /* OID is invalid according to the spec */
+ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
goto out;
}
- if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid)) {
- ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
- goto out;
- }
-
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid)) {
- ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
- goto out;
- }
-
- isoidset = 1;
+ p += len;
ret = pkcs7_get_next_content_len(&p, end, &len);
if (ret != 0) {
@@ -615,12 +641,6 @@
goto out;
}
- if (!isoidset) {
- pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID;
- pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS7_SIGNED_DATA);
- pkcs7->content_type_oid.p = (unsigned char *) MBEDTLS_OID_PKCS7_SIGNED_DATA;
- }
-
ret = MBEDTLS_PKCS7_SIGNED_DATA;
out:
@@ -653,6 +673,39 @@
return MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
}
+ ret = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, &md_alg);
+ if (ret != 0) {
+ return ret;
+ }
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ }
+
+ /* BEGIN must free hash before jumping out */
+ if (is_data_hash) {
+ if (datalen != mbedtls_md_get_size(md_info)) {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ } else {
+ memcpy(hash, data, datalen);
+ }
+ } else {
+ ret = mbedtls_md(md_info, data, datalen, hash);
+ }
+ if (ret != 0) {
+ mbedtls_free(hash);
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ /* assume failure */
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
/*
* Potential TODOs
* Currently we iterate over all signers and return success if any of them
@@ -662,61 +715,30 @@
* identification and SignerIdentifier fields first. That would also allow
* us to distinguish between 'no signature for key' and 'signature for key
* failed to validate'.
- *
- * We could also cache hashes by md, so if there are several sigs all using
- * the same algo we don't recalculate the hash each time.
*/
for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
- ret = mbedtls_oid_get_md_alg(&signer->alg_identifier, &md_alg);
- if (ret != 0) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- continue;
- }
-
- md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- continue;
- }
-
- hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
- if (hash == NULL) {
- return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
- }
- /* BEGIN must free hash before jumping out */
- if (is_data_hash) {
- if (datalen != mbedtls_md_get_size(md_info)) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- } else {
- memcpy(hash, data, datalen);
- }
- } else {
- ret = mbedtls_md(md_info, data, datalen, hash);
- }
- if (ret != 0) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- mbedtls_free(hash);
- continue;
- }
-
ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash,
mbedtls_md_get_size(md_info),
signer->sig.p, signer->sig.len);
- mbedtls_free(hash);
- /* END must free hash before jumping out */
if (ret == 0) {
break;
}
}
+ mbedtls_free(hash);
+ /* END must free hash before jumping out */
return ret;
}
+
int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7,
const mbedtls_x509_crt *cert,
const unsigned char *data,
size_t datalen)
{
+ if (data == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, data, datalen, 0);
}
@@ -725,6 +747,9 @@
const unsigned char *hash,
size_t hashlen)
{
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, hash, hashlen, 1);
}
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a683fdb..b96c7b4 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -81,6 +81,7 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
+#include "hash_info.h"
#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
@@ -310,6 +311,9 @@
case MBEDTLS_ERR_ECP_RANDOM_FAILED:
return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_ECP_IN_PROGRESS:
+ return PSA_OPERATION_INCOMPLETE;
+
case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
return PSA_ERROR_CORRUPTION_DETECTED;
@@ -318,6 +322,44 @@
}
}
+/**
+ * \brief For output buffers which contain "tags"
+ * (outputs that may be checked for validity like
+ * hashes, MACs and signatures), fill the unused
+ * part of the output buffer (the whole buffer on
+ * error, the trailing part on success) with
+ * something that isn't a valid tag (barring an
+ * attack on the tag and deliberately-crafted
+ * input), in case the caller doesn't check the
+ * return status properly.
+ *
+ * \param output_buffer Pointer to buffer to wipe. May not be NULL
+ * unless \p output_buffer_size is zero.
+ * \param status Status of function called to generate
+ * output_buffer originally
+ * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
+ * could be NULL.
+ * \param output_buffer_length Length of data written to output_buffer, must be
+ * less than \p output_buffer_size
+ */
+static void psa_wipe_tag_output_buffer(uint8_t *output_buffer, psa_status_t status,
+ size_t output_buffer_size, size_t output_buffer_length)
+{
+ size_t offset = 0;
+
+ if (output_buffer_size == 0) {
+ /* If output_buffer_size is 0 then we have nothing to do. We must not
+ call memset because output_buffer may be NULL in this case */
+ return;
+ }
+
+ if (status == PSA_SUCCESS) {
+ offset = output_buffer_length;
+ }
+
+ memset(output_buffer + offset, '!', output_buffer_size - offset);
+}
+
@@ -1673,12 +1715,12 @@
*
* \retval #PSA_SUCCESS
* The key was successfully created.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
*
* \return If this function fails, the key slot is an invalid state.
* You must call psa_fail_key_creation() to wipe and free the slot.
@@ -2500,10 +2542,7 @@
operation->mac_size = 0;
}
- if (mac_size > operation->mac_size) {
- memset(&mac[operation->mac_size], '!',
- mac_size - operation->mac_size);
- }
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
abort_status = psa_mac_abort(operation);
@@ -2597,9 +2636,8 @@
*mac_length = mac_size;
operation_mac_size = 0;
}
- if (mac_size > operation_mac_size) {
- memset(&mac[operation_mac_size], '!', mac_size - operation_mac_size);
- }
+
+ psa_wipe_tag_output_buffer(mac, status, mac_size, *mac_length);
unlock_status = psa_unlock_key_slot(slot);
@@ -2741,18 +2779,8 @@
exit:
- /* Fill the unused part of the output buffer (the whole buffer on error,
- * the trailing part on success) with something that isn't a valid signature
- * (barring an attack on the signature and deliberately-crafted input),
- * in case the caller doesn't check the return status properly. */
- if (status == PSA_SUCCESS) {
- memset(signature + *signature_length, '!',
- signature_size - *signature_length);
- } else {
- memset(signature, '!', signature_size);
- }
- /* If signature_size is 0 then we have nothing to do. We must not call
- * memset because signature may be NULL in this case. */
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
unlock_status = psa_unlock_key_slot(slot);
@@ -3124,7 +3152,766 @@
return (status == PSA_SUCCESS) ? unlock_status : status;
}
+/****************************************************************/
+/* Asymmetric interruptible cryptography */
+/****************************************************************/
+void psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ psa_driver_wrapper_interruptible_set_max_ops(max_ops);
+}
+
+uint32_t psa_interruptible_get_max_ops(void)
+{
+ return psa_driver_wrapper_interruptible_get_max_ops();
+}
+
+
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+static psa_status_t psa_sign_hash_abort_internal(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_sign_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
+ slot->key.data,
+ slot->key.bytes, alg,
+ hash, hash_length);
+exit:
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unlock_key_slot(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *signature_length = 0;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees that
+ * signature must be a valid pointer. */
+ if (signature_size == 0) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_sign_hash_complete(operation, signature,
+ signature_size,
+ signature_length);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
+
+exit:
+
+ psa_wipe_tag_output_buffer(signature, status, signature_size,
+ *signature_length);
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_sign_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+static psa_status_t psa_verify_hash_abort_internal(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_verify_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
+ slot->key.data,
+ slot->key.bytes,
+ alg, hash, hash_length,
+ signature, signature_length);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unlock_key_slot(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_verify_hash_complete(operation);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
+ operation);
+
+exit:
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_verify_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography internal */
+/* implementations */
+/****************************************************************/
+
+static uint32_t mbedtls_psa_interruptible_max_ops =
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ mbedtls_psa_interruptible_max_ops = max_ops;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ /* Internal implementation uses zero to indicate infinite number max ops,
+ * therefore avoid this value, and set to minimum possible. */
+ if (max_ops == 0) {
+ max_ops = 1;
+ }
+
+ mbedtls_ecp_set_max_ops(max_ops);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_interruptible_get_max_ops(void)
+{
+ return mbedtls_psa_interruptible_max_ops;
+}
+
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+ #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t required_hash_length;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ /* Ensure default is set even if
+ * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+ mbedtls_psa_interruptible_set_max_ops(
+ mbedtls_psa_interruptible_get_max_ops());
+
+ status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->coordinate_bytes = PSA_BITS_TO_BYTES(
+ operation->ctx->grp.nbits);
+
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ operation->alg = alg;
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < operation->coordinate_bytes ?
+ hash_length : operation->coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) status;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r;
+ mbedtls_mpi s;
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_size < 2 * operation->coordinate_bytes) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ operation->md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+ }
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&r,
+ signature,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&s,
+ signature +
+ operation->coordinate_bytes,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *signature_length = operation->coordinate_bytes * 2;
+
+ status = PSA_SUCCESS;
+ }
+
+exit:
+
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ return status;
+
+ #else
+
+ (void) operation;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ return PSA_SUCCESS;
+
+#else
+
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t coordinate_bytes = 0;
+ size_t required_hash_length = 0;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+ mbedtls_mpi_init(&operation->r);
+ mbedtls_mpi_init(&operation->s);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ /* Ensure default is set even if
+ * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+ mbedtls_psa_interruptible_set_max_ops(
+ mbedtls_psa_interruptible_get_max_ops());
+
+ status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
+
+ if (signature_length != 2 * coordinate_bytes) {
+ return PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->r,
+ signature,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->s,
+ signature +
+ coordinate_bytes,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < coordinate_bytes ? hash_length :
+ coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+ (void) status;
+ (void) coordinate_bytes;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
+ operation->hash,
+ operation->hash_length,
+ &operation->ctx->Q,
+ &operation->r,
+ &operation->s,
+ &operation->restart_ctx));
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ return status;
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ mbedtls_mpi_free(&operation->r);
+ mbedtls_mpi_free(&operation->s);
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
/****************************************************************/
/* Symmetric cryptography */
@@ -4126,18 +4913,14 @@
tag, tag_size, tag_length);
exit:
+
+
/* In case the operation fails and the user fails to check for failure or
* the zero tag size, make sure the tag is set to something implausible.
* Even if the operation succeeds, make sure we clear the rest of the
* buffer to prevent potential leakage of anything previously placed in
* the same buffer.*/
- if (tag != NULL) {
- if (status != PSA_SUCCESS) {
- memset(tag, '!', tag_size);
- } else if (*tag_length < tag_size) {
- memset(tag + *tag_length, '!', (tag_size - *tag_length));
- }
- }
+ psa_wipe_tag_output_buffer(tag, status, tag_size, *tag_length);
psa_aead_abort(operation);
diff --git a/library/psa_crypto_aead.h b/library/psa_crypto_aead.h
index 2ae8fe8..4b24b0f 100644
--- a/library/psa_crypto_aead.h
+++ b/library/psa_crypto_aead.h
@@ -71,10 +71,10 @@
* \retval #PSA_SUCCESS Success.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* ciphertext_size is too small.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_aead_encrypt(
const psa_key_attributes_t *attributes,
@@ -134,10 +134,10 @@
* The cipher is not authentic.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* plaintext_size is too small.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_aead_decrypt(
const psa_key_attributes_t *attributes,
diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h
index 6cc6bf6..bf43ff0 100644
--- a/library/psa_crypto_cipher.h
+++ b/library/psa_crypto_cipher.h
@@ -59,10 +59,10 @@
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_cipher_encrypt_setup(
mbedtls_psa_cipher_operation_t *operation,
@@ -89,10 +89,10 @@
* (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_CIPHER(\p alg) is true).
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_cipher_decrypt_setup(
mbedtls_psa_cipher_operation_t *operation,
@@ -116,11 +116,11 @@
* the core to be less or equal to
* PSA_CIPHER_IV_MAX_SIZE.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The size of \p iv is not acceptable for the chosen algorithm,
* or the chosen algorithm does not use an IV.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_cipher_set_iv(
mbedtls_psa_cipher_operation_t *operation,
@@ -142,10 +142,10 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_cipher_update(
mbedtls_psa_cipher_operation_t *operation,
@@ -165,7 +165,7 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The total input size passed to this operation is not valid for
* this particular algorithm. For example, the algorithm is a based
@@ -176,7 +176,7 @@
* padding, and the ciphertext does not contain valid padding.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_cipher_finish(
mbedtls_psa_cipher_operation_t *operation,
@@ -195,7 +195,7 @@
*
* \param[in,out] operation Initialized cipher operation.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
*/
psa_status_t mbedtls_psa_cipher_abort(mbedtls_psa_cipher_operation_t *operation);
@@ -224,10 +224,10 @@
* the returned output. Initialized to zero
* by the core.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* \retval #PSA_ERROR_INVALID_ARGUMENT
@@ -275,10 +275,10 @@
* the returned output. Initialized to zero
* by the core.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small.
* \retval #PSA_ERROR_INVALID_ARGUMENT
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 38e4bc5..5260cf7 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -209,7 +209,7 @@
* \retval #PSA_SUCCESS
* Success. This includes the case of a key slot that was
* already fully wiped.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t psa_wipe_key_slot(psa_key_slot_t *slot);
@@ -285,9 +285,9 @@
* \retval #PSA_SUCCESS The key was imported successfully.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t psa_import_key_into_slot(
const psa_key_attributes_t *attributes,
@@ -310,12 +310,12 @@
* \p data
*
* \retval #PSA_SUCCESS The key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t psa_export_key_internal(
const psa_key_attributes_t *attributes,
@@ -338,12 +338,12 @@
* \p data
*
* \retval #PSA_SUCCESS The public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t psa_export_public_key_internal(
const psa_key_attributes_t *attributes,
@@ -364,7 +364,7 @@
*
* \retval #PSA_SUCCESS
* The key was generated successfully.
- * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
* \retval #PSA_ERROR_NOT_SUPPORTED
* Key size in bits or type not supported.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
@@ -399,18 +399,18 @@
* \param[out] signature_length On success, the number of bytes
* that make up the returned signature value.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p signature buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of the key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
*/
psa_status_t psa_sign_message_builtin(
const psa_key_attributes_t *attributes,
@@ -445,9 +445,9 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed
* signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t psa_verify_message_builtin(
const psa_key_attributes_t *attributes,
@@ -475,18 +475,18 @@
* \param[out] signature_length On success, the number of bytes
* that make up the returned signature value.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p signature buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of the key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
*/
psa_status_t psa_sign_hash_builtin(
const psa_key_attributes_t *attributes,
@@ -519,9 +519,9 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed
* signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t psa_verify_hash_builtin(
const psa_key_attributes_t *attributes,
@@ -577,8 +577,8 @@
* up the returned shared secret.
* \retval #PSA_SUCCESS
* Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p alg is not a key agreement algorithm, or
* \p private_key is not compatible with \p alg,
@@ -588,12 +588,12 @@
* \p shared_secret_size is too small
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_BAD_STATE
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
*/
psa_status_t psa_key_agreement_raw_builtin(
const psa_key_attributes_t *attributes,
@@ -606,4 +606,272 @@
size_t shared_secret_size,
size_t *shared_secret_length);
+/**
+ * \brief Set the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_set_max_ops entry point. This function behaves as an
+ * interruptible_set_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] max_ops The maximum number of ops to be executed in a
+ * single call, this can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is obviously the least amount of work done per
+ * call.
+ */
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_get_max_ops entry point. This function behaves as an
+ * interruptible_get_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \return Maximum number of ops allowed to be executed
+ * by an interruptible function in a single call.
+ */
+uint32_t mbedtls_psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing operation has taken for the
+ * previous call. If no call or work has taken place, this will return
+ * zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_get_num_ops entry point. This function behaves as an
+ * sign_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_sign_hash_complete().
+ */
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification operation has taken for
+ * the previous call. If no call or work has taken place, this will
+ * return zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_get_num_ops entry point. This function behaves as an
+ * verify_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_verify_hash_complete().
+ */
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a private key, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_start entry point. This function behaves as a
+ * sign_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported, incorrectly formatted or incorrect type of key was
+ * used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
+ * are currently supported, or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ */
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver sign_hash_abort
+ * entry point. This function behaves as a sign_hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short message, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_start entry point. This function behaves as a
+ * verify_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported or incorrect type of key was used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Either no internal interruptible operations are currently supported,
+ * or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory either to load the key representation,
+ * or to prepare the operation.
+ */
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ */
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify signed hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_abort entry point. This function behaves as a
+ * verify_hash_abort entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
#endif /* PSA_CRYPTO_CORE_H */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index da3cd1d..e3edec7 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -67,6 +67,47 @@
const uint8_t *signature, size_t signature_length);
/*
+ * Interruptible Signature functions
+ */
+
+void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops);
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops(void);
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/*
* Key handling functions
*/
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index c4ccefd..f70d804 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -404,6 +404,21 @@
return mbedtls_to_psa_error(ret);
}
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+{
+ int ret = 0;
+
+ /* Check whether the public part is loaded. If not, load it. */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
+ &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
psa_status_t mbedtls_psa_ecdsa_verify_hash(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
@@ -412,7 +427,6 @@
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_keypair *ecp = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t curve_bytes;
mbedtls_mpi r, s;
@@ -432,34 +446,39 @@
mbedtls_mpi_init(&s);
if (signature_length != 2 * curve_bytes) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ status = PSA_ERROR_INVALID_SIGNATURE;
goto cleanup;
}
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r,
- signature,
- curve_bytes));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s,
- signature + curve_bytes,
- curve_bytes));
-
- /* Check whether the public part is loaded. If not, load it. */
- if (mbedtls_ecp_is_zero(&ecp->Q)) {
- MBEDTLS_MPI_CHK(
- mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
- mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
+ signature,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
}
- ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
- &ecp->Q, &r, &s);
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = mbedtls_psa_ecp_load_public_part(ecp);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
+ hash_length, &ecp->Q,
+ &r, &s));
cleanup:
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
mbedtls_ecp_keypair_free(ecp);
mbedtls_free(ecp);
- return mbedtls_to_psa_error(ret);
+ return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
index 71f9d6a..f4ad3d2 100644
--- a/library/psa_crypto_ecp.h
+++ b/library/psa_crypto_ecp.h
@@ -48,6 +48,15 @@
size_t data_length,
mbedtls_ecp_keypair **p_ecp);
+/** Load the public part of an internal ECP, if required.
+ *
+ * \param ecp The ECP context to load the public part for.
+ *
+ * \return PSA_SUCCESS on success, otherwise an MPI error.
+ */
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+
/** Import an ECP key in binary format.
*
* \note The signature of this function is that of a PSA driver
@@ -70,9 +79,9 @@
* \retval #PSA_SUCCESS The ECP key was imported successfully.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_ecp_import_key(
const psa_key_attributes_t *attributes,
@@ -111,12 +120,12 @@
* \p data
*
* \retval #PSA_SUCCESS The ECP public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_ecp_export_public_key(
const psa_key_attributes_t *attributes,
@@ -166,17 +175,17 @@
* \param[out] signature_length On success, the number of bytes
* that make up the returned signature value.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p signature buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_ECC_KEY_PAIR, \c key_bits,
* \p alg) where \c key_bits is the bit-size of the ECC key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
*/
psa_status_t mbedtls_psa_ecdsa_sign_hash(
const psa_key_attributes_t *attributes,
@@ -209,9 +218,9 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed
* signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_ecdsa_verify_hash(
const psa_key_attributes_t *attributes,
@@ -247,8 +256,8 @@
* up the returned shared secret.
* \retval #PSA_SUCCESS
* Success. Shared secret successfully calculated.
- * \retval #PSA_ERROR_INVALID_HANDLE
- * \retval #PSA_ERROR_NOT_PERMITTED
+ * \retval #PSA_ERROR_INVALID_HANDLE \emptydescription
+ * \retval #PSA_ERROR_NOT_PERMITTED \emptydescription
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p alg is not a key agreement algorithm, or
* \p private_key is not compatible with \p alg,
@@ -258,8 +267,8 @@
* \p shared_secret_size is too small
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not a supported key agreement algorithm.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_key_agreement_ecdh(
const psa_key_attributes_t *attributes,
diff --git a/library/psa_crypto_hash.h b/library/psa_crypto_hash.h
index 63874e8..d6bbd3f 100644
--- a/library/psa_crypto_hash.h
+++ b/library/psa_crypto_hash.h
@@ -48,8 +48,8 @@
* \p alg is not supported
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p hash_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_hash_compute(
psa_algorithm_t alg,
@@ -88,8 +88,8 @@
* \p alg is not supported
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_hash_setup(
mbedtls_psa_hash_operation_t *operation,
@@ -115,13 +115,13 @@
* \param[in,out] target_operation The operation object to set up.
* It must be initialized but not active.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The \p source_operation state is not valid (it must be active).
* \retval #PSA_ERROR_BAD_STATE
* The \p target_operation state is not valid (it must be inactive).
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_hash_clone(
const mbedtls_psa_hash_operation_t *source_operation,
@@ -147,8 +147,8 @@
* Success.
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_hash_update(
mbedtls_psa_hash_operation_t *operation,
@@ -186,8 +186,8 @@
* The size of the \p hash buffer is too small. You can determine a
* sufficient buffer size by calling #PSA_HASH_LENGTH(\c alg)
* where \c alg is the hash algorithm that is calculated.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_hash_finish(
mbedtls_psa_hash_operation_t *operation,
@@ -216,8 +216,8 @@
*
* \param[in,out] operation Initialized hash operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_hash_abort(
mbedtls_psa_hash_operation_t *operation);
diff --git a/library/psa_crypto_mac.h b/library/psa_crypto_mac.h
index 21c4de6..4f8024a 100644
--- a/library/psa_crypto_mac.h
+++ b/library/psa_crypto_mac.h
@@ -52,8 +52,8 @@
* \p alg is not supported.
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* \p mac_size is too small
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_mac_compute(
const psa_key_attributes_t *attributes,
@@ -89,8 +89,8 @@
* Success.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive).
*/
@@ -124,8 +124,8 @@
* Success.
* \retval #PSA_ERROR_NOT_SUPPORTED
* \p alg is not supported.
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be inactive).
*/
@@ -158,8 +158,8 @@
* Success.
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be active).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_mac_update(
mbedtls_psa_mac_operation_t *operation,
@@ -200,8 +200,8 @@
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p mac buffer is too small. A sufficient buffer size
* can be determined by calling PSA_MAC_LENGTH().
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_mac_sign_finish(
mbedtls_psa_mac_operation_t *operation,
@@ -241,8 +241,8 @@
* \retval #PSA_ERROR_BAD_STATE
* The operation state is not valid (it must be an active mac verify
* operation).
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_mac_verify_finish(
mbedtls_psa_mac_operation_t *operation,
@@ -267,8 +267,8 @@
*
* \param[in,out] operation Initialized MAC operation.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_mac_abort(
mbedtls_psa_mac_operation_t *operation);
diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c
index c720615..6e90f1c 100644
--- a/library/psa_crypto_rsa.c
+++ b/library/psa_crypto_rsa.c
@@ -332,11 +332,9 @@
/* The Mbed TLS RSA module uses an unsigned int for hash length
* parameters. Validate that it fits so that we don't risk an
* overflow later. */
-#if SIZE_MAX > UINT_MAX
if (hash_length > UINT_MAX) {
return PSA_ERROR_INVALID_ARGUMENT;
}
-#endif
/* For signatures using a hash, the hash length must be correct. */
if (alg != PSA_ALG_RSA_PKCS1V15_SIGN_RAW) {
diff --git a/library/psa_crypto_rsa.h b/library/psa_crypto_rsa.h
index c3acdd0..bc24ef5 100644
--- a/library/psa_crypto_rsa.h
+++ b/library/psa_crypto_rsa.h
@@ -61,9 +61,9 @@
* \retval #PSA_SUCCESS The RSA key was imported successfully.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key data is not correctly formatted.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
*/
psa_status_t mbedtls_psa_rsa_import_key(
const psa_key_attributes_t *attributes,
@@ -102,12 +102,12 @@
* \p data.
*
* \retval #PSA_SUCCESS The RSA public key was exported successfully.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_rsa_export_public_key(
const psa_key_attributes_t *attributes,
@@ -158,17 +158,17 @@
* \param[out] signature_length On success, the number of bytes
* that make up the returned signature value.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p signature buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_SIGN_OUTPUT_SIZE(\c PSA_KEY_TYPE_RSA_KEY_PAIR, \c key_bits,
* \p alg) where \c key_bits is the bit-size of the RSA key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
*/
psa_status_t mbedtls_psa_rsa_sign_hash(
const psa_key_attributes_t *attributes,
@@ -202,9 +202,9 @@
* \retval #PSA_ERROR_INVALID_SIGNATURE
* The calculation was performed successfully, but the passed
* signature is not a valid signature.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
*/
psa_status_t mbedtls_psa_rsa_verify_hash(
const psa_key_attributes_t *attributes,
@@ -237,20 +237,20 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_ENCRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
@@ -294,21 +294,21 @@
* \param[out] output_length On success, the number of bytes
* that make up the returned output.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL
* The size of the \p output buffer is too small. You can
* determine a sufficient buffer size by calling
* #PSA_ASYMMETRIC_DECRYPT_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
* where \c key_type and \c key_bits are the type and bit-size
* respectively of \p key.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_COMMUNICATION_FAILURE
- * \retval #PSA_ERROR_HARDWARE_FAILURE
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
- * \retval #PSA_ERROR_INVALID_PADDING
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription
+ * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription
+ * \retval #PSA_ERROR_INVALID_PADDING \emptydescription
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
diff --git a/library/psa_crypto_se.c b/library/psa_crypto_se.c
index b660393..dee780f 100644
--- a/library/psa_crypto_se.c
+++ b/library/psa_crypto_se.c
@@ -125,12 +125,10 @@
return PSA_ERROR_NOT_SUPPORTED;
}
-#if SIZE_MAX > UINT32_MAX
/* ITS file sizes are limited to 32 bits. */
if (driver->u.internal.persistent_data_size > UINT32_MAX) {
return PSA_ERROR_NOT_SUPPORTED;
}
-#endif
/* See the documentation of PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE. */
*uid = PSA_CRYPTO_SE_DRIVER_ITS_UID_BASE + driver->location;
diff --git a/library/psa_crypto_slot_management.h b/library/psa_crypto_slot_management.h
index ff8ccde..c8366ab 100644
--- a/library/psa_crypto_slot_management.h
+++ b/library/psa_crypto_slot_management.h
@@ -88,9 +88,9 @@
* due to a lack of empty key slot, or available memory.
* \retval #PSA_ERROR_DOES_NOT_EXIST
* There is no key with key identifier \p key.
- * \retval #PSA_ERROR_CORRUPTION_DETECTED
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
*/
psa_status_t psa_get_and_lock_key_slot(mbedtls_svc_key_id_t key,
psa_key_slot_t **p_slot);
@@ -118,9 +118,9 @@
* associated to the returned slot.
* \param[out] p_slot On success, a pointer to the slot.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_BAD_STATE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_BAD_STATE \emptydescription
*/
psa_status_t psa_get_empty_key_slot(psa_key_id_t *volatile_key_id,
psa_key_slot_t **p_slot);
@@ -195,8 +195,8 @@
* storage, returns a pointer to the driver table
* associated with the key's storage location.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
*/
psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime,
psa_se_drv_table_entry_t **p_drv);
@@ -205,7 +205,7 @@
*
* \param[in] lifetime The key lifetime attribute.
*
- * \retval #PSA_SUCCESS
+ * \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_NOT_SUPPORTED The key is persistent but persistent keys
* are not supported.
*/
diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c
index 8225014..a8ed937 100644
--- a/library/psa_crypto_storage.c
+++ b/library/psa_crypto_storage.c
@@ -79,11 +79,11 @@
* \param[out] data Buffer where the data is to be written.
* \param data_size Size of the \c data buffer in bytes.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
*/
static psa_status_t psa_crypto_storage_load(
const mbedtls_svc_key_id_t key, uint8_t *data, size_t data_size)
@@ -131,11 +131,11 @@
* \param data_length The number of bytes
* that make up the data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
static psa_status_t psa_crypto_storage_store(const mbedtls_svc_key_id_t key,
const uint8_t *data,
@@ -205,10 +205,10 @@
* is to be obtained.
* \param[out] data_length The number of bytes that make up the data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DOES_NOT_EXIST
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
*/
static psa_status_t psa_crypto_storage_get_data_length(
const mbedtls_svc_key_id_t key,
diff --git a/library/psa_crypto_storage.h b/library/psa_crypto_storage.h
index 8e108c5..04768f8 100644
--- a/library/psa_crypto_storage.h
+++ b/library/psa_crypto_storage.h
@@ -96,14 +96,14 @@
* \param[in] data Buffer containing the key data.
* \param data_length The number of bytes that make up the key data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_ALREADY_EXISTS
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_ALREADY_EXISTS \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
*/
psa_status_t psa_save_persistent_key(const psa_core_key_attributes_t *attr,
const uint8_t *data,
@@ -129,11 +129,11 @@
* \param[out] data Pointer to an allocated key data buffer on return.
* \param[out] data_length The number of bytes that make up the key data.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_DOES_NOT_EXIST
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_DOES_NOT_EXIST \emptydescription
*/
psa_status_t psa_load_persistent_key(psa_core_key_attributes_t *attr,
uint8_t **data,
@@ -148,7 +148,7 @@
* \retval #PSA_SUCCESS
* The key was successfully removed,
* or the key did not exist.
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t psa_destroy_persistent_key(const mbedtls_svc_key_id_t key);
@@ -190,9 +190,9 @@
* \param[out] attr On success, the attribute structure is filled
* with the loaded key metadata.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
- * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
*/
psa_status_t psa_parse_key_data_from_storage(const uint8_t *storage_data,
size_t storage_data_length,
@@ -322,10 +322,10 @@
* You may call this function multiple times during a transaction to
* atomically update the transaction state.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_DATA_CORRUPT
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
- * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
*/
psa_status_t psa_crypto_save_transaction(void);
@@ -339,9 +339,9 @@
* #psa_crypto_transaction.
* \retval #PSA_ERROR_DOES_NOT_EXIST
* There is no ongoing transaction.
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_DATA_INVALID
- * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_DATA_INVALID \emptydescription
+ * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription
*/
psa_status_t psa_crypto_load_transaction(void);
@@ -380,8 +380,8 @@
*
* \retval #PSA_SUCCESS
* Success
- * \retval #PSA_ERROR_STORAGE_FAILURE
- * \retval #PSA_ERROR_INSUFFICIENT_STORAGE
+ * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription
+ * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription
* \retval #PSA_ERROR_NOT_PERMITTED
* The entropy seed file already exists.
*/
diff --git a/library/ssl_client.c b/library/ssl_client.c
index 963f8bb..ea64b21 100644
--- a/library/ssl_client.c
+++ b/library/ssl_client.c
@@ -945,16 +945,29 @@
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && MBEDTLS_SSL_PROTO_DTLS */
{
- mbedtls_ssl_add_hs_hdr_to_checksum(ssl, MBEDTLS_SSL_HS_CLIENT_HELLO,
- msg_len);
- ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CLIENT_HELLO,
+ msg_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_add_hs_hdr_to_checksum", ret);
+ return ret;
+ }
+ ret = ssl->handshake->update_checksum(ssl, buf, msg_len - binders_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
if (binders_len > 0) {
MBEDTLS_SSL_PROC_CHK(
mbedtls_ssl_tls13_write_binders_of_pre_shared_key_ext(
ssl, buf + msg_len - binders_len, buf + msg_len));
- ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
- binders_len);
+ ret = ssl->handshake->update_checksum(ssl, buf + msg_len - binders_len,
+ binders_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
}
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index ef05dca..7385c6e 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -705,9 +705,12 @@
mbedtls_ssl_ciphersuite_t const *ciphersuite_info;
- void (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
- void (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
- void (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*update_checksum)(mbedtls_ssl_context *, const unsigned char *, size_t);
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*calc_verify)(const mbedtls_ssl_context *, unsigned char *, size_t *);
+ MBEDTLS_CHECK_RETURN_CRITICAL
+ int (*calc_finished)(mbedtls_ssl_context *, unsigned char *, int);
mbedtls_ssl_tls_prf_cb *tls_prf;
/*
@@ -986,7 +989,6 @@
mbedtls_ssl_tls13_handshake_secrets tls13_hs_secrets;
#if defined(MBEDTLS_SSL_EARLY_DATA)
- mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
/** TLS 1.3 transform for early data and handshake messages. */
mbedtls_ssl_transform *transform_earlydata;
#endif
@@ -1318,7 +1320,8 @@
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_send_fatal_handshake_failure(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
MBEDTLS_CHECK_RETURN_CRITICAL
@@ -1329,7 +1332,8 @@
int mbedtls_ssl_handle_message_type(mbedtls_ssl_context *ssl);
MBEDTLS_CHECK_RETURN_CRITICAL
int mbedtls_ssl_prepare_handshake_record(mbedtls_ssl_context *ssl);
-void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl);
/**
* \brief Update record layer
@@ -1462,14 +1466,16 @@
/*
* Update checksum of handshake messages.
*/
-void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- unsigned char const *msg,
- size_t msg_len);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char const *msg,
+ size_t msg_len);
-void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- size_t total_hs_len);
+MBEDTLS_CHECK_RETURN_CRITICAL
+int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ size_t total_hs_len);
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
diff --git a/library/ssl_msg.c b/library/ssl_msg.c
index 4ebc8cb..d26d950 100644
--- a/library/ssl_msg.c
+++ b/library/ssl_msg.c
@@ -2090,7 +2090,7 @@
return ret;
}
- if ((size_t) ret > len || (INT_MAX > SIZE_MAX && ret > (int) SIZE_MAX)) {
+ if ((size_t) ret > len) {
MBEDTLS_SSL_DEBUG_MSG(1,
("f_recv returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
" were requested",
@@ -2142,7 +2142,7 @@
return ret;
}
- if ((size_t) ret > ssl->out_left || (INT_MAX > SIZE_MAX && ret > (int) SIZE_MAX)) {
+ if ((size_t) ret > ssl->out_left) {
MBEDTLS_SSL_DEBUG_MSG(1,
("f_send returned %d bytes but only %" MBEDTLS_PRINTF_SIZET
" bytes were sent",
@@ -2639,7 +2639,12 @@
/* Update running hashes of handshake messages seen */
if (hs_type != MBEDTLS_SSL_HS_HELLO_REQUEST && update_checksum != 0) {
- ssl->handshake->update_checksum(ssl, ssl->out_msg, ssl->out_msglen);
+ ret = ssl->handshake->update_checksum(ssl, ssl->out_msg,
+ ssl->out_msglen);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
}
}
@@ -3067,12 +3072,17 @@
return 0;
}
-void mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
+int mbedtls_ssl_update_handshake_status(mbedtls_ssl_context *ssl)
{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_ssl_handshake_params * const hs = ssl->handshake;
if (mbedtls_ssl_is_handshake_over(ssl) == 0 && hs != NULL) {
- ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
+ ret = ssl->handshake->update_checksum(ssl, ssl->in_msg, ssl->in_hslen);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
+ }
}
/* Handshake message is complete, increment counter */
@@ -3103,6 +3113,7 @@
memset(hs_buf, 0, sizeof(mbedtls_ssl_hs_buffer));
}
#endif
+ return 0;
}
/*
@@ -3928,7 +3939,11 @@
if (ssl->in_msgtype == MBEDTLS_SSL_MSG_HANDSHAKE &&
update_hs_digest == 1) {
- mbedtls_ssl_update_handshake_status(ssl);
+ ret = mbedtls_ssl_update_handshake_status(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
+ return ret;
+ }
}
} else {
MBEDTLS_SSL_DEBUG_MSG(2, ("reuse previously read message"));
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 86f5c0b..441089f 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -418,8 +418,8 @@
const char *label,
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen);
-static void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
-static void ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
+static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
@@ -430,8 +430,8 @@
const unsigned char *random, size_t rlen,
unsigned char *dstbuf, size_t dlen);
-static void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
-static void ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
+static int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *, unsigned char *, size_t *);
+static int ssl_calc_finished_tls_sha384(mbedtls_ssl_context *, unsigned char *, int);
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
static size_t ssl_tls12_session_save(const mbedtls_ssl_session *session,
@@ -444,14 +444,14 @@
size_t len);
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
-static void ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
+static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
+static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
+static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
@@ -788,9 +788,9 @@
}
}
-void mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- size_t total_hs_len)
+int mbedtls_ssl_add_hs_hdr_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ size_t total_hs_len)
{
unsigned char hs_hdr[4];
@@ -800,84 +800,137 @@
hs_hdr[2] = MBEDTLS_BYTE_1(total_hs_len);
hs_hdr[3] = MBEDTLS_BYTE_0(total_hs_len);
- ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
+ return ssl->handshake->update_checksum(ssl, hs_hdr, sizeof(hs_hdr));
}
-void mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
- unsigned hs_type,
- unsigned char const *msg,
- size_t msg_len)
+int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
+ unsigned hs_type,
+ unsigned char const *msg,
+ size_t msg_len)
{
- mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
- ssl->handshake->update_checksum(ssl, msg, msg_len);
+ int ret;
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl, hs_type, msg_len);
+ if (ret != 0) {
+ return ret;
+ }
+ return ssl->handshake->update_checksum(ssl, msg, msg_len);
}
-void mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
+int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
{
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+ defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_status_t status;
+#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+#endif
+#else /* SHA-256 or SHA-384 */
((void) ssl);
+#endif /* SHA-256 or SHA-384 */
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha256_psa);
- psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
+ status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+ status = psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
#else
- mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
+ ret = mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
+ if (ret != 0) {
+ return ret;
+ }
#endif
#endif
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha384_psa);
- psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
+ status = psa_hash_abort(&ssl->handshake->fin_sha384_psa);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+ status = psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
#else
- mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
+ ret = mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
+ if (ret != 0) {
+ return ret;
+ }
#endif
#endif
+ return 0;
}
-static void ssl_update_checksum_start(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
+static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
{
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
+ defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+ psa_status_t status;
#else
- mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
#endif
-#endif
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
-#else
- mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
-#endif
-#endif
-#if !defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
- !defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- (void) ssl;
+#else /* SHA-256 or SHA-384 */
+ ((void) ssl);
(void) buf;
(void) len;
+#endif /* SHA-256 or SHA-384 */
+#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ ret = mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
+ if (ret != 0) {
+ return ret;
+ }
#endif
+#endif
+#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ status = psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
+ if (status != PSA_SUCCESS) {
+ return mbedtls_md_error_from_psa(status);
+ }
+#else
+ ret = mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
+ if (ret != 0) {
+ return ret;
+ }
+#endif
+#endif
+ return 0;
}
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
+static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha256_psa, buf, len));
#else
- mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
+ return mbedtls_sha256_update(&ssl->handshake->fin_sha256, buf, len);
#endif
}
#endif
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
- const unsigned char *buf, size_t len)
+static int ssl_update_checksum_sha384(mbedtls_ssl_context *ssl,
+ const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_update(&ssl->handshake->fin_sha384_psa, buf, len);
+ return mbedtls_md_error_from_psa(psa_hash_update(
+ &ssl->handshake->fin_sha384_psa, buf, len));
#else
- mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
+ return mbedtls_sha512_update(&ssl->handshake->fin_sha384, buf, len);
#endif
}
#endif
@@ -889,19 +942,15 @@
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha256_psa = psa_hash_operation_init();
- psa_hash_setup(&handshake->fin_sha256_psa, PSA_ALG_SHA_256);
#else
mbedtls_sha256_init(&handshake->fin_sha256);
- mbedtls_sha256_starts(&handshake->fin_sha256, 0);
#endif
#endif
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha384_psa = psa_hash_operation_init();
- psa_hash_setup(&handshake->fin_sha384_psa, PSA_ALG_SHA_384);
#else
mbedtls_sha512_init(&handshake->fin_sha384);
- mbedtls_sha512_starts(&handshake->fin_sha384, 1);
#endif
#endif
@@ -971,6 +1020,8 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_handshake_init(mbedtls_ssl_context *ssl)
{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
+
/* Clear old handshake information if present */
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
if (ssl->transform_negotiate) {
@@ -1038,6 +1089,13 @@
mbedtls_ssl_transform_init(ssl->transform_negotiate);
#endif
+ /* Setup handshake checksums */
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
+ return ret;
+ }
+
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SRV_C) && \
defined(MBEDTLS_SSL_SESSION_TICKETS)
@@ -6285,7 +6343,10 @@
if (handshake->extended_ms == MBEDTLS_SSL_EXTENDED_MS_ENABLED) {
lbl = "extended master secret";
seed = session_hash;
- handshake->calc_verify(ssl, session_hash, &seed_len);
+ ret = handshake->calc_verify(ssl, session_hash, &seed_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_verify", ret);
+ }
MBEDTLS_SSL_DEBUG_BUF(3, "session hash for extended master secret",
session_hash, seed_len);
@@ -6513,9 +6574,9 @@
}
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-void ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
- unsigned char *hash,
- size_t *hlen)
+int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
+ unsigned char *hash,
+ size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
@@ -6525,20 +6586,23 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha256"));
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
- return;
+ goto exit;
}
status = psa_hash_finish(&sha256_psa, hash, 32, &hash_size);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
- return;
+ goto exit;
}
*hlen = 32;
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+
+exit:
+ psa_hash_abort(&sha256_psa);
+ return mbedtls_md_error_from_psa(status);
#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_sha256_context sha256;
mbedtls_sha256_init(&sha256);
@@ -6546,23 +6610,28 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha256"));
mbedtls_sha256_clone(&sha256, &ssl->handshake->fin_sha256);
- mbedtls_sha256_finish(&sha256, hash);
+
+ ret = mbedtls_sha256_finish(&sha256, hash);
+ if (ret != 0) {
+ goto exit;
+ }
*hlen = 32;
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+exit:
mbedtls_sha256_free(&sha256);
+ return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
- return;
}
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-void ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
- unsigned char *hash,
- size_t *hlen)
+int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
+ unsigned char *hash,
+ size_t *hlen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t hash_size;
@@ -6572,20 +6641,23 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> PSA calc verify sha384"));
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
- return;
+ goto exit;
}
status = psa_hash_finish(&sha384_psa, hash, 48, &hash_size);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
- return;
+ goto exit;
}
*hlen = 48;
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= PSA calc verify"));
+
+exit:
+ psa_hash_abort(&sha384_psa);
+ return mbedtls_md_error_from_psa(status);
#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_sha512_context sha512;
mbedtls_sha512_init(&sha512);
@@ -6593,16 +6665,21 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> calc verify sha384"));
mbedtls_sha512_clone(&sha512, &ssl->handshake->fin_sha384);
- mbedtls_sha512_finish(&sha512, hash);
+
+ ret = mbedtls_sha512_finish(&sha512, hash);
+ if (ret != 0) {
+ goto exit;
+ }
*hlen = 48;
MBEDTLS_SSL_DEBUG_BUF(3, "calculated verify result", hash, *hlen);
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc verify"));
+exit:
mbedtls_sha512_free(&sha512);
+ return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
- return;
}
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
@@ -7545,7 +7622,7 @@
#endif /* MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_calc_finished_tls_sha256(
+static int ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
int len = 12;
@@ -7556,6 +7633,7 @@
psa_hash_operation_t sha256_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_sha256_context sha256;
#endif
@@ -7575,14 +7653,12 @@
status = psa_hash_clone(&ssl->handshake->fin_sha256_psa, &sha256_psa);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
- return;
+ goto exit;
}
status = psa_hash_finish(&sha256_psa, padbuf, sizeof(padbuf), &hash_size);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
- return;
+ goto exit;
}
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 32);
#else
@@ -7604,8 +7680,10 @@
sha256.state, sizeof(sha256.state));
#endif
- mbedtls_sha256_finish(&sha256, padbuf);
- mbedtls_sha256_free(&sha256);
+ ret = mbedtls_sha256_finish(&sha256, padbuf);
+ if (ret != 0) {
+ goto exit;
+ }
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ssl->handshake->tls_prf(session->master, 48, sender,
@@ -7616,12 +7694,21 @@
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort(&sha256_psa);
+ return mbedtls_md_error_from_psa(status);
+#else
+ mbedtls_sha256_free(&sha256);
+ return ret;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
-static void ssl_calc_finished_tls_sha384(
+static int ssl_calc_finished_tls_sha384(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
int len = 12;
@@ -7632,6 +7719,7 @@
psa_hash_operation_t sha384_psa = PSA_HASH_OPERATION_INIT;
psa_status_t status;
#else
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_sha512_context sha512;
#endif
@@ -7651,14 +7739,12 @@
status = psa_hash_clone(&ssl->handshake->fin_sha384_psa, &sha384_psa);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash clone failed"));
- return;
+ goto exit;
}
status = psa_hash_finish(&sha384_psa, padbuf, sizeof(padbuf), &hash_size);
if (status != PSA_SUCCESS) {
- MBEDTLS_SSL_DEBUG_MSG(2, ("PSA hash finish failed"));
- return;
+ goto exit;
}
MBEDTLS_SSL_DEBUG_BUF(3, "PSA calculated padbuf", padbuf, 48);
#else
@@ -7678,9 +7764,10 @@
MBEDTLS_SSL_DEBUG_BUF(4, "finished sha512 state", (unsigned char *)
sha512.state, sizeof(sha512.state));
#endif
- mbedtls_sha512_finish(&sha512, padbuf);
-
- mbedtls_sha512_free(&sha512);
+ ret = mbedtls_sha512_finish(&sha512, padbuf);
+ if (ret != 0) {
+ goto exit;
+ }
#endif
ssl->handshake->tls_prf(session->master, 48, sender,
@@ -7691,6 +7778,15 @@
mbedtls_platform_zeroize(padbuf, sizeof(padbuf));
MBEDTLS_SSL_DEBUG_MSG(2, ("<= calc finished"));
+
+exit:
+#if defined(MBEDTLS_USE_PSA_CRYPTO)
+ psa_hash_abort(&sha384_psa);
+ return mbedtls_md_error_from_psa(status);
+#else
+ mbedtls_sha512_free(&sha512);
+ return ret;
+#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA*/
@@ -7787,7 +7883,10 @@
mbedtls_ssl_update_out_pointers(ssl, ssl->transform_negotiate);
- ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
+ ret = ssl->handshake->calc_finished(ssl, ssl->out_msg + 4, ssl->conf->endpoint);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ }
/*
* RFC 5246 7.4.9 (Page 63) says 12 is the default length and ciphersuites
@@ -7897,7 +7996,10 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse finished"));
- ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
+ ret = ssl->handshake->calc_finished(ssl, buf, ssl->conf->endpoint ^ 1);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "calc_finished", ret);
+ }
if ((ret = mbedtls_ssl_read_record(ssl, 1)) != 0) {
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_read_record", ret);
diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c
index b427ae9..fc99fde 100644
--- a/library/ssl_tls12_client.c
+++ b/library/ssl_tls12_client.c
@@ -1090,6 +1090,7 @@
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_parse_hello_verify_request(mbedtls_ssl_context *ssl)
{
+ int ret = MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
const unsigned char *p = ssl->in_msg + mbedtls_ssl_hs_hdr_len(ssl);
uint16_t dtls_legacy_version;
@@ -1160,7 +1161,11 @@
/* Start over at ClientHello */
ssl->state = MBEDTLS_SSL_CLIENT_HELLO;
- mbedtls_ssl_reset_checksum(ssl);
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_reset_checksum"), ret);
+ return ret;
+ }
mbedtls_ssl_recv_flight_completed(ssl);
@@ -3283,7 +3288,11 @@
sign:
#endif
- ssl->handshake->calc_verify(ssl, hash, &hashlen);
+ ret = ssl->handshake->calc_verify(ssl, hash, &hashlen);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
+ return ret;
+ }
/*
* digitally-signed struct {
diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c
index 9298292..d5c8b7c 100644
--- a/library/ssl_tls12_server.c
+++ b/library/ssl_tls12_server.c
@@ -1020,7 +1020,11 @@
MBEDTLS_SSL_DEBUG_BUF(4, "record contents", buf, msg_len);
- ssl->handshake->update_checksum(ssl, buf, msg_len);
+ ret = ssl->handshake->update_checksum(ssl, buf, msg_len);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
/*
* Handshake layer:
@@ -4129,7 +4133,11 @@
/* Calculate hash and verify signature */
{
size_t dummy_hlen;
- ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
+ ret = ssl->handshake->calc_verify(ssl, hash, &dummy_hlen);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("calc_verify"), ret);
+ return ret;
+ }
}
if ((ret = mbedtls_pk_verify(peer_pk,
@@ -4139,7 +4147,11 @@
return ret;
}
- mbedtls_ssl_update_handshake_status(ssl);
+ ret = mbedtls_ssl_update_handshake_status(ssl);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_update_handshake_status"), ret);
+ return ret;
+ }
MBEDTLS_SSL_DEBUG_MSG(2, ("<= parse certificate verify"));
diff --git a/library/ssl_tls13_client.c b/library/ssl_tls13_client.c
index 1e79afa..0dd762e 100644
--- a/library/ssl_tls13_client.c
+++ b/library/ssl_tls13_client.c
@@ -1489,8 +1489,9 @@
ssl->keep_current_message = 1;
ssl->tls_version = MBEDTLS_SSL_VERSION_TLS1_2;
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
- buf, (size_t) (end - buf));
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_SERVER_HELLO,
+ buf, (size_t) (end - buf)));
if (mbedtls_ssl_conf_tls13_some_ephemeral_enabled(ssl)) {
ret = ssl_tls13_reset_key_share(ssl);
@@ -2056,8 +2057,9 @@
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_reset_transcript_for_hrr(ssl));
}
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_SERVER_HELLO,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_SERVER_HELLO, buf,
+ buf_len));
if (is_hrr) {
MBEDTLS_SSL_PROC_CHK(ssl_tls13_postprocess_hrr(ssl));
@@ -2214,8 +2216,9 @@
}
#endif
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS,
+ buf, buf_len));
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED)
if (mbedtls_ssl_tls13_key_exchange_mode_with_psk(ssl)) {
@@ -2259,8 +2262,8 @@
ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA,
&buf, &buf_len));
- mbedtls_ssl_add_hs_hdr_to_checksum(
- ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_hdr_to_checksum(
+ ssl, MBEDTLS_SSL_HS_END_OF_EARLY_DATA, 0));
MBEDTLS_SSL_PROC_CHK(
mbedtls_ssl_finish_handshake_msg(ssl, buf_len, 0));
@@ -2458,8 +2461,9 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_certificate_request(ssl,
buf, buf + buf_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE_REQUEST,
+ buf, buf_len));
} else if (ret == SSL_CERTIFICATE_REQUEST_SKIP) {
ret = 0;
} else {
diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c
index 4fb73f9..f607e36 100644
--- a/library/ssl_tls13_generic.c
+++ b/library/ssl_tls13_generic.c
@@ -322,8 +322,9 @@
buf + buf_len, verify_buffer,
verify_buffer_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
+ buf, buf_len));
cleanup:
@@ -752,8 +753,9 @@
/* Validate the certificate chain and set the verification results. */
MBEDTLS_SSL_PROC_CHK(ssl_tls13_validate_certificate(ssl));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE, buf,
+ buf_len));
cleanup:
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED */
@@ -868,8 +870,9 @@
buf + buf_len,
&msg_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE,
- buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE, buf,
+ msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@@ -1070,8 +1073,9 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_verify_body(
ssl, buf, buf + buf_len, &msg_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_CERTIFICATE_VERIFY,
- buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CERTIFICATE_VERIFY, buf,
+ msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@@ -1171,8 +1175,8 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_parse_finished_message(ssl, buf, buf + buf_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
- buf, buf_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_FINISHED, buf, buf_len));
cleanup:
@@ -1248,8 +1252,8 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_finished_message_body(
ssl, buf, buf + buf_len, &msg_len));
- mbedtls_ssl_add_hs_msg_to_checksum(ssl, MBEDTLS_SSL_HS_FINISHED,
- buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(ssl,
+ MBEDTLS_SSL_HS_FINISHED, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@@ -1388,7 +1392,7 @@
PSA_HASH_MAX_SIZE,
&hash_len);
if (ret != 0) {
- MBEDTLS_SSL_DEBUG_RET(4, "mbedtls_ssl_get_handshake_transcript", ret);
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_get_handshake_transcript", ret);
return ret;
}
@@ -1399,37 +1403,20 @@
hash_len += 4;
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- if (ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
- MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-256 handshake transcript",
- hash_transcript, hash_len);
+ MBEDTLS_SSL_DEBUG_BUF(4, "Truncated handshake transcript",
+ hash_transcript, hash_len);
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha256_psa);
- psa_hash_setup(&ssl->handshake->fin_sha256_psa, PSA_ALG_SHA_256);
-#else
- mbedtls_sha256_starts(&ssl->handshake->fin_sha256, 0);
-#endif
+ /* Reset running hash and replace it with a hash of the transcript */
+ ret = mbedtls_ssl_reset_checksum(ssl);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_ssl_reset_checksum", ret);
+ return ret;
}
-#endif /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
- MBEDTLS_SSL_DEBUG_BUF(4, "Truncated SHA-384 handshake transcript",
- hash_transcript, hash_len);
-
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
- psa_hash_abort(&ssl->handshake->fin_sha384_psa);
- psa_hash_setup(&ssl->handshake->fin_sha384_psa, PSA_ALG_SHA_384);
-#else
- mbedtls_sha512_starts(&ssl->handshake->fin_sha384, 1);
-#endif
+ ret = ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
+ if (ret != 0) {
+ MBEDTLS_SSL_DEBUG_RET(1, "update_checksum", ret);
+ return ret;
}
-#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
-#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA) || \
- defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
- ssl->handshake->update_checksum(ssl, hash_transcript, hash_len);
-#endif \
- /* MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA || MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
return ret;
}
diff --git a/library/ssl_tls13_keys.c b/library/ssl_tls13_keys.c
index 2e34ee8..a95d2fd 100644
--- a/library/ssl_tls13_keys.c
+++ b/library/ssl_tls13_keys.c
@@ -1127,10 +1127,10 @@
size_t transcript_len;
size_t key_len;
size_t iv_len;
+ mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info = handshake->ciphersuite_info;
- mbedtls_ssl_tls13_early_secrets *tls13_early_secrets = &handshake->tls13_early_secrets;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> ssl_tls13_generate_early_key"));
@@ -1158,7 +1158,7 @@
ret = mbedtls_ssl_tls13_derive_early_secrets(
hash_alg, handshake->tls13_master_secrets.early,
- transcript, transcript_len, tls13_early_secrets);
+ transcript, transcript_len, &tls13_early_secrets);
if (ret != 0) {
MBEDTLS_SSL_DEBUG_RET(
1, "mbedtls_ssl_tls13_derive_early_secrets", ret);
@@ -1167,7 +1167,7 @@
MBEDTLS_SSL_DEBUG_BUF(
4, "Client early traffic secret",
- tls13_early_secrets->client_early_traffic_secret, hash_len);
+ tls13_early_secrets.client_early_traffic_secret, hash_len);
/*
* Export client handshake traffic secret
@@ -1176,7 +1176,7 @@
ssl->f_export_keys(
ssl->p_export_keys,
MBEDTLS_SSL_KEY_EXPORT_TLS1_3_CLIENT_EARLY_SECRET,
- tls13_early_secrets->client_early_traffic_secret,
+ tls13_early_secrets.client_early_traffic_secret,
hash_len,
handshake->randbytes,
handshake->randbytes + MBEDTLS_CLIENT_HELLO_RANDOM_LEN,
@@ -1185,7 +1185,7 @@
ret = ssl_tls13_make_traffic_key(
hash_alg,
- tls13_early_secrets->client_early_traffic_secret,
+ tls13_early_secrets.client_early_traffic_secret,
hash_len, traffic_keys->client_write_key, key_len,
traffic_keys->client_write_iv, iv_len);
if (ret != 0) {
@@ -1206,9 +1206,9 @@
MBEDTLS_SSL_DEBUG_MSG(2, ("<= ssl_tls13_generate_early_key"));
cleanup:
- /* Erase secret and transcript */
+ /* Erase early secrets and transcript */
mbedtls_platform_zeroize(
- tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
+ &tls13_early_secrets, sizeof(mbedtls_ssl_tls13_early_secrets));
mbedtls_platform_zeroize(transcript, sizeof(transcript));
return ret;
}
diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c
index 81c289a..6b1c4c5 100644
--- a/library/ssl_tls13_server.c
+++ b/library/ssl_tls13_server.c
@@ -486,6 +486,7 @@
const unsigned char *ciphersuites,
const unsigned char *ciphersuites_end)
{
+ int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
const unsigned char *identities = pre_shared_key_ext;
const unsigned char *p_identity_len;
size_t identities_len;
@@ -521,8 +522,12 @@
MBEDTLS_SSL_CHK_BUF_READ_PTR(p_binder_len, pre_shared_key_ext_end, binders_len);
binders_end = p_binder_len + binders_len;
- ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
- identities_end - pre_shared_key_ext);
+ ret = ssl->handshake->update_checksum(ssl, pre_shared_key_ext,
+ identities_end - pre_shared_key_ext);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
while (p_identity_len < identities_end && p_binder_len < binders_end) {
const unsigned char *identity;
@@ -530,7 +535,6 @@
uint32_t obfuscated_ticket_age;
const unsigned char *binder;
size_t binder_len;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
int psk_type;
uint16_t cipher_suite;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@@ -642,9 +646,13 @@
}
/* Update the handshake transcript with the binder list. */
- ssl->handshake->update_checksum(ssl,
- identities_end,
- (size_t) (binders_end - identities_end));
+ ret = ssl->handshake->update_checksum(ssl,
+ identities_end,
+ (size_t) (binders_end - identities_end));
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
if (matched_identity == -1) {
MBEDTLS_SSL_DEBUG_MSG(3, ("No matched PSK or ticket."));
return MBEDTLS_ERR_SSL_UNKNOWN_IDENTITY;
@@ -1590,9 +1598,13 @@
MBEDTLS_SSL_PRINT_EXTS(3, MBEDTLS_SSL_HS_CLIENT_HELLO,
handshake->received_extensions);
- mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
- MBEDTLS_SSL_HS_CLIENT_HELLO,
- p - buf);
+ ret = mbedtls_ssl_add_hs_hdr_to_checksum(ssl,
+ MBEDTLS_SSL_HS_CLIENT_HELLO,
+ p - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("mbedtls_ssl_add_hs_hdr_to_checksum"), ret);
+ return ret;
+ }
#if defined(MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED)
/* Update checksum with either
@@ -1603,8 +1615,12 @@
if (mbedtls_ssl_tls13_some_psk_enabled(ssl) &&
mbedtls_ssl_conf_tls13_some_psk_enabled(ssl) &&
(handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(PRE_SHARED_KEY))) {
- handshake->update_checksum(ssl, buf,
- pre_shared_key_ext - buf);
+ ret = handshake->update_checksum(ssl, buf,
+ pre_shared_key_ext - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
ret = ssl_tls13_parse_pre_shared_key_ext(ssl,
pre_shared_key_ext,
pre_shared_key_ext_end,
@@ -1620,7 +1636,11 @@
} else
#endif /* MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED */
{
- handshake->update_checksum(ssl, buf, p - buf);
+ ret = handshake->update_checksum(ssl, buf, p - buf);
+ if (0 != ret) {
+ MBEDTLS_SSL_DEBUG_RET(1, ("update_checksum"), ret);
+ return ret;
+ }
}
ret = ssl_tls13_determine_key_exchange_mode(ssl);
@@ -2134,8 +2154,8 @@
&msg_len,
0));
- mbedtls_ssl_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@@ -2207,8 +2227,8 @@
buf + buf_len,
&msg_len,
1));
- mbedtls_ssl_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_SERVER_HELLO, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(ssl, buf_len,
@@ -2306,8 +2326,8 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_encrypted_extensions_body(
ssl, buf, buf + buf_len, &msg_len));
- mbedtls_ssl_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_ENCRYPTED_EXTENSIONS, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
@@ -2439,8 +2459,8 @@
MBEDTLS_SSL_PROC_CHK(ssl_tls13_write_certificate_request_body(
ssl, buf, buf + buf_len, &msg_len));
- mbedtls_ssl_add_hs_msg_to_checksum(
- ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len);
+ MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_add_hs_msg_to_checksum(
+ ssl, MBEDTLS_SSL_HS_CERTIFICATE_REQUEST, buf, msg_len));
MBEDTLS_SSL_PROC_CHK(mbedtls_ssl_finish_handshake_msg(
ssl, buf_len, msg_len));
diff --git a/library/x509.c b/library/x509.c
index 2865c2e..fc13b92 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1227,8 +1227,9 @@
* nameAssigner [0] DirectoryString OPTIONAL,
* partyName [1] DirectoryString }
*
- * NOTE: we list all types, but only use dNSName and otherName
- * of type HwModuleName, as defined in RFC 4108, at this point.
+ * We list all types, but use the following GeneralName types from RFC 5280:
+ * "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
*/
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
@@ -1397,7 +1398,19 @@
}
break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ memcpy(&san->san.unstructured_name,
+ san_buf, sizeof(*san_buf));
+
+ }
+ break;
/*
* dNSName
*/
@@ -1408,7 +1421,17 @@
memcpy(&san->san.unstructured_name,
san_buf, sizeof(*san_buf));
+ }
+ break;
+ /*
+ * RFC822 Name
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_RFC822_NAME):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_RFC822_NAME;
+ memcpy(&san->san.unstructured_name, san_buf, sizeof(*san_buf));
}
break;
@@ -1488,13 +1511,38 @@
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
}
break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ {
+ ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san.san.unstructured_name.len >= n) {
+ *p = '\0';
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+ p += san.san.unstructured_name.len;
+ n -= san.san.unstructured_name.len;
+ }
+ break;
/*
* dNSName
+ * RFC822 Name
*/
case MBEDTLS_X509_SAN_DNS_NAME:
+ case MBEDTLS_X509_SAN_RFC822_NAME:
{
- ret = mbedtls_snprintf(p, n, "\n%s dNSName : ", prefix);
+ const char *dns_name = "dNSName";
+ const char *rfc822_name = "rfc822Name";
+
+ ret = mbedtls_snprintf(p, n,
+ "\n%s %s : ",
+ prefix,
+ san.type ==
+ MBEDTLS_X509_SAN_DNS_NAME ? dns_name : rfc822_name);
MBEDTLS_X509_SAFE_SNPRINTF;
if (san.san.unstructured_name.len >= n) {
*p = '\0';
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index b4d7008..13423a1 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -337,6 +337,32 @@
void *pointer;
/*
+ * Check some basic platform requirements as specified in README.md
+ */
+ if (SIZE_MAX < INT_MAX || SIZE_MAX < UINT_MAX) {
+ mbedtls_printf("SIZE_MAX must be at least as big as INT_MAX and UINT_MAX\n");
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+ }
+
+ if (sizeof(int) < 4) {
+ mbedtls_printf("int must be at least 32 bits\n");
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+ }
+
+ if (sizeof(size_t) < 4) {
+ mbedtls_printf("size_t must be at least 32 bits\n");
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+ }
+
+ uint32_t endian_test = 0x12345678;
+ char *p = (char *) &endian_test;
+ if (!(p[0] == 0x12 && p[1] == 0x34 && p[2] == 0x56 && p[3] == 0x78) &&
+ !(p[3] == 0x12 && p[2] == 0x34 && p[1] == 0x56 && p[0] == 0x78)) {
+ mbedtls_printf("Mixed-endian platforms are not supported\n");
+ mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+ }
+
+ /*
* The C standard doesn't guarantee that all-bits-0 is the representation
* of a NULL pointer. We do however use that in our code for initializing
* structures, which should work on every modern platform. Let's be sure.
diff --git a/scripts/code_style.py b/scripts/code_style.py
index dd8305f..c31fb29 100755
--- a/scripts/code_style.py
+++ b/scripts/code_style.py
@@ -33,6 +33,14 @@
def print_err(*args):
print("Error: ", *args, file=sys.stderr)
+# Print the file names that will be skipped and the help message
+def print_skip(files_to_skip):
+ print()
+ print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n")
+ print("Warning: The listed files will be skipped because\n"
+ "they are not known to git.")
+ print()
+
# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
re.ASCII)
@@ -174,22 +182,27 @@
parser.add_argument('-f', '--fix', action='store_true',
help=('modify source files to fix the code style '
'(default: print diff, do not modify files)'))
- # --files is almost useless: it only matters if there are no files
+ # --subset is almost useless: it only matters if there are no files
# ('code_style.py' without arguments checks all files known to Git,
- # 'code_style.py --files' does nothing). In particular,
- # 'code_style.py --fix --files ...' is intended as a stable ("porcelain")
+ # 'code_style.py --subset' does nothing). In particular,
+ # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain")
# way to restyle a possibly empty set of files.
- parser.add_argument('--files', action='store_true',
+ parser.add_argument('--subset', action='store_true',
help='only check the specified files (default with non-option arguments)')
parser.add_argument('operands', nargs='*', metavar='FILE',
- help='files to check (if none: check files that are known to git)')
+ help='files to check (files MUST be known to git, if none: check all)')
args = parser.parse_args()
- if args.files or args.operands:
- src_files = args.operands
+ covered = frozenset(get_src_files())
+ # We only check files that are known to git
+ if args.subset or args.operands:
+ src_files = [f for f in args.operands if f in covered]
+ skip_src_files = [f for f in args.operands if f not in covered]
+ if skip_src_files:
+ print_skip(skip_src_files)
else:
- src_files = get_src_files()
+ src_files = list(covered)
if args.fix:
# Fix mode
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index bdf3315..0f42b8c 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -433,6 +433,269 @@
}
}
+void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops )
+{
+ /* TODO - dispatch to drivers dynamically registered for this
+ * service when registering is implemented. For now, fall
+ * through to internal implementation. */
+
+ mbedtls_psa_interruptible_set_max_ops( max_ops );
+}
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
+{
+ /* TODO - dispatch to drivers dynamically registered for this
+ * service when registering is implemented. For now, fall
+ * through to internal implementation. */
+
+ return mbedtls_psa_interruptible_get_max_ops( );
+}
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return(mbedtls_psa_sign_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return (mbedtls_psa_verify_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION(
+ attributes->core.lifetime );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ return( mbedtls_psa_sign_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length ) );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ ( void ) status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ ( void ) operation;
+ ( void ) key_buffer;
+ ( void ) key_buffer_size;
+ ( void ) alg;
+ ( void ) hash;
+ ( void ) hash_length;
+
+ return( status );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_complete( &operation->ctx.mbedtls_ctx,
+ signature, signature_size,
+ signature_length ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ ( void ) signature;
+ ( void ) signature_size;
+ ( void ) signature_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_abort( &operation->ctx.mbedtls_ctx ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ attributes->core.lifetime );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ return( mbedtls_psa_verify_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length
+ ) );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ ( void ) status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ ( void ) operation;
+ ( void ) key_buffer;
+ ( void ) key_buffer_size;
+ ( void ) alg;
+ ( void ) hash;
+ ( void ) hash_length;
+ ( void ) signature;
+ ( void ) signature_length;
+
+ return( status );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_complete(
+ &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_abort( &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
/** Calculate the key buffer size required to store the key material of a key
* associated with an opaque driver from input key data.
*
@@ -441,9 +704,9 @@
* \param[in] data_length The input data length.
* \param[out] key_buffer_size Minimum buffer size to contain the key material.
*
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_INVALID_ARGUMENT
- * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_SUCCESS \emptydescription
+ * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription
+ * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription
*/
psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
const psa_key_attributes_t *attributes,
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index e9d9275..9cf34f6 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -11,4 +11,5 @@
perl scripts\generate_visualc_files.pl || exit /b 1
python scripts\generate_psa_constants.py || exit /b 1
python tests\scripts\generate_bignum_tests.py || exit /b 1
+python tests\scripts\generate_ecp_tests.py || exit /b 1
python tests\scripts\generate_psa_tests.py || exit /b 1
diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py
new file mode 100644
index 0000000..6370d25
--- /dev/null
+++ b/scripts/mbedtls_dev/ecp.py
@@ -0,0 +1,168 @@
+"""Framework classes for generation of ecp test cases."""
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import List
+
+from . import test_data_generation
+from . import bignum_common
+
+class EcpTarget(test_data_generation.BaseTarget):
+ #pylint: disable=abstract-method, too-few-public-methods
+ """Target for ecp test case generation."""
+ target_basename = 'test_suite_ecp.generated'
+
+class EcpP192R1Raw(bignum_common.ModOperationCommon,
+ EcpTarget):
+ """Test cases for ecp quasi_reduction()."""
+ symbol = "-"
+ test_function = "ecp_mod_p192_raw"
+ test_name = "ecp_mod_p192_raw"
+ input_style = "fixed"
+ arity = 1
+
+ moduli = ["fffffffffffffffffffffffffffffffeffffffffffffffff"] # type: List[str]
+
+ input_values = [
+ "0", "1",
+
+ # Modulus - 1
+ "fffffffffffffffffffffffffffffffefffffffffffffffe",
+
+ # First 8 number generated by random.getrandbits(384) - seed(2,2)
+ ("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
+ "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
+ ("ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
+ "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"),
+ ("ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7"
+ "dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"),
+ ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"
+ "defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2"),
+ ("2d3d854e061b90303b08c6e33c7295782d6c797f8f7d9b78"
+ "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
+ ("fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"
+ "5c14bc4a829e07b0829a48d422fe99a22c70501e533c9135"),
+ ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561"
+ "867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"),
+ ("bd143fa9b714210c665d7435c1066932f4767f26294365b2"
+ "721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
+
+ # Next 2 number generated by random.getrandbits(192)
+ "47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2",
+ "cbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63"
+ ]
+
+ @property
+ def arg_a(self) -> str:
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
+
+class EcpP521R1Raw(bignum_common.ModOperationCommon,
+ EcpTarget):
+ """Test cases for ecp quasi_reduction()."""
+ test_function = "ecp_mod_p521_raw"
+ test_name = "ecp_mod_p521_raw"
+ input_style = "arch_split"
+ arity = 1
+
+ moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
+ ] # type: List[str]
+
+ input_values = [
+ "0", "1",
+
+ # Corner case: maximum canonical P521 multiplication result
+ ("0003ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffff800"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000004"),
+
+ # Test case for overflow during addition
+ ("0001efffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "000001ef"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "000000000000000000000000000000000000000000000000000000000f000000"),
+
+ # First 8 number generated by random.getrandbits(1042) - seed(2,2)
+ ("0003cc2e82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f"
+ "6e405d93ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd"
+ "9b1f282e"
+ "4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
+ "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
+ ("00017052829e07b0829a48d422fe99a22c70501e533c91352d3d854e061b9030"
+ "3b08c6e33c7295782d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c5055"
+ "6c71c4a6"
+ "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a"
+ "09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57eb"),
+ ("00021f15a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
+ "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b97eeab64"
+ "ca2ce6bc"
+ "5d3fd983c34c769fe89204e2e8168561867e5e15bc01bfce6a27e0dfcbf87544"
+ "72154e76e4c11ab2fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"),
+ ("000381bc2a838af8d5c44a4eb3172062d08f1bb2531d6460f0caeef038c89b38"
+ "a8acb5137c9260dc74e088a9b9492f258ebdbfe3eb9ac688b9d39cca91551e82"
+ "59cc60b1"
+ "7604e4b4e73695c3e652c71a74667bffe202849da9643a295a9ac6decbd4d3e2"
+ "d4dec9ef83f0be4e80371eb97f81375eecc1cb6347733e847d718d733ff98ff3"),
+ ("00034816c8c69069134bccd3e1cf4f589f8e4ce0af29d115ef24bd625dd961e6"
+ "830b54fa7d28f93435339774bb1e386c4fd5079e681b8f5896838b769da59b74"
+ "a6c3181c"
+ "81e220df848b1df78feb994a81167346d4c0dca8b4c9e755cc9c3adcf515a823"
+ "4da4daeb4f3f87777ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6"),
+ ("000397846c4454b90f756132e16dce72f18e859835e1f291d322a7353ead4efe"
+ "440e2b4fda9c025a22f1a83185b98f5fc11e60de1b343f52ea748db9e020307a"
+ "aeb6db2c"
+ "3a038a709779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a81b2d19a2"
+ "beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd0227eeb7b9d7d01f5769da05"),
+ ("00002c3296e6bc4d62b47204007ee4fab105d83e85e951862f0981aebc1b00d9"
+ "2838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da70569c018eb2b5693"
+ "babb7fbb"
+ "0a76c196067cfdcb11457d9cf45e2fa01d7f4275153924800600571fac3a5b26"
+ "3fdf57cd2c0064975c3747465cc36c270e8a35b10828d569c268a20eb78ac332"),
+ ("00009d23b4917fc09f20dbb0dcc93f0e66dfe717c17313394391b6e2e6eacb0f"
+ "0bb7be72bd6d25009aeb7fa0c4169b148d2f527e72daf0a54ef25c0707e33868"
+ "7d1f7157"
+ "5653a45c49390aa51cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71"
+ "581d8e830112ff0f0948eccaf8877acf26c377c13f719726fd70bddacb4deeec"),
+
+ # Next 2 number generated by random.getrandbits(521)
+ ("12b84ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1a1fe"
+ "3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccdf572df00790813e3"),
+ ("166049dd332a73fa0b26b75196cf87eb8a09b27ec714307c68c425424a1574f1"
+ "eedf5b0f16cdfdb839424d201e653f53d6883ca1c107ca6e706649889c0c7f38608")
+ ]
+
+ @property
+ def arg_a(self) -> str:
+ # Number of limbs: 2 * N
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4a7de82..4549a7a 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -32,6 +32,18 @@
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ --list-for-cmake
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ OUTPUT_VARIABLE
+ base_ecp_generated_data_files)
+string(REGEX REPLACE "[^;]*/" ""
+ base_ecp_generated_data_files "${base_ecp_generated_data_files}")
+
+execute_process(
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py
--list-for-cmake
WORKING_DIRECTORY
@@ -44,14 +56,18 @@
# Derive generated file paths in the build directory. The generated data
# files go into the suites/ subdirectory.
set(base_generated_data_files
- ${base_bignum_generated_data_files} ${base_psa_generated_data_files})
+ ${base_bignum_generated_data_files} ${base_ecp_generated_data_files} ${base_psa_generated_data_files})
string(REGEX REPLACE "([^;]+)" "suites/\\1"
all_generated_data_files "${base_generated_data_files}")
set(bignum_generated_data_files "")
+set(ecp_generated_data_files "")
set(psa_generated_data_files "")
foreach(file ${base_bignum_generated_data_files})
list(APPEND bignum_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
+foreach(file ${base_ecp_generated_data_files})
+ list(APPEND ecp_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
+endforeach()
foreach(file ${base_psa_generated_data_files})
list(APPEND psa_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
@@ -77,6 +93,22 @@
)
add_custom_command(
OUTPUT
+ ${ecp_generated_data_files}
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ --directory ${CMAKE_CURRENT_BINARY_DIR}/suites
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/ecp.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
+ )
+ add_custom_command(
+ OUTPUT
${psa_generated_data_files}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -107,6 +139,7 @@
# With this line, only 4 sub-makefiles include the above command, that reduces
# the risk of a race.
add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files})
+add_custom_target(test_suite_ecp_generated_data DEPENDS ${ecp_generated_data_files})
add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files})
# If SKIP_TEST_SUITES is not defined with -D, get it from the environment.
if((NOT DEFINED SKIP_TEST_SUITES) AND (DEFINED ENV{SKIP_TEST_SUITES}))
@@ -129,6 +162,7 @@
# Get the test names of the tests with generated .data files
# from the generated_data_files list in parent scope.
set(bignum_generated_data_names "")
+ set(ecp_generated_data_names "")
set(psa_generated_data_names "")
foreach(generated_data_file ${bignum_generated_data_files})
# Get the plain filename
@@ -139,6 +173,15 @@
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND bignum_generated_data_names ${generated_data_name})
endforeach()
+ foreach(generated_data_file ${ecp_generated_data_files})
+ # Get the plain filename
+ get_filename_component(generated_data_name ${generated_data_file} NAME)
+ # Remove the ".data" extension
+ get_name_without_last_ext(generated_data_name ${generated_data_name})
+ # Remove leading "test_suite_"
+ string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
+ list(APPEND ecp_generated_data_names ${generated_data_name})
+ endforeach()
foreach(generated_data_file ${psa_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
@@ -153,6 +196,10 @@
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_bignum_generated_data)
+ elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};")
+ set(data_file
+ ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
+ set(dependency test_suite_ecp_generated_data)
elseif(";${psa_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
@@ -160,7 +207,7 @@
else()
set(data_file
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data)
- set(dependency test_suite_bignum_generated_data test_suite_psa_generated_data)
+ set(dependency test_suite_bignum_generated_data test_suite_ecp_generated_data test_suite_psa_generated_data)
endif()
add_custom_command(
diff --git a/tests/Makefile b/tests/Makefile
index 312607e..c9283c9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -73,6 +73,13 @@
ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)
$(error "$(PYTHON) scripts/generate_bignum_tests.py --list" failed)
endif
+GENERATED_ECP_DATA_FILES := $(patsubst tests/%,%,$(shell \
+ $(PYTHON) scripts/generate_ecp_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_ECP_DATA_FILES),FAILED)
+$(error "$(PYTHON) scripts/generate_ecp_tests.py --list" failed)
+endif
GENERATED_PSA_DATA_FILES := $(patsubst tests/%,%,$(shell \
$(PYTHON) scripts/generate_psa_tests.py --list || \
echo FAILED \
@@ -80,7 +87,7 @@
ifeq ($(GENERATED_PSA_DATA_FILES),FAILED)
$(error "$(PYTHON) scripts/generate_psa_tests.py --list" failed)
endif
-GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES)
+GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_ECP_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES)
generated_files: $(GENERATED_FILES)
# generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing
@@ -89,7 +96,7 @@
# It's rare not to want all the outputs. So always generate all of its outputs.
# Use an intermediate phony dependency so that parallel builds don't run
# a separate instance of the recipe for each output file.
-.SECONDARY: generated_bignum_test_data generated_psa_test_data
+.SECONDARY: generated_bignum_test_data generated_ecp_test_data generated_psa_test_data
$(GENERATED_BIGNUM_DATA_FILES): generated_bignum_test_data
generated_bignum_test_data: scripts/generate_bignum_tests.py
generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py
@@ -102,6 +109,16 @@
echo " Gen $(GENERATED_BIGNUM_DATA_FILES)"
$(PYTHON) scripts/generate_bignum_tests.py
+$(GENERATED_ECP_DATA_FILES): generated_ecp_test_data
+generated_ecp_test_data: scripts/generate_ecp_tests.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/bignum_common.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/ecp.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/test_case.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/test_data_generation.py
+generated_ecp_test_data:
+ echo " Gen $(GENERATED_ECP_DATA_FILES)"
+ $(PYTHON) scripts/generate_ecp_tests.py
+
$(GENERATED_PSA_DATA_FILES): generated_psa_test_data
generated_psa_test_data: scripts/generate_psa_tests.py
generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 070f538..db16ab7 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -140,6 +140,9 @@
test_csr_v3_all_malformed_attributes_extension_request_sequence_len2.csr.der: test_csr_v3_all.csr.der
(hexdump -ve '1/1 "%.2X"' $< | sed "s/3051300B0603551D0F04/3050300B0603551D0F04/" | xxd -r -p ) > $@
+test_cert_rfc822name.crt.der: cert_example_multi.csr
+ $(OPENSSL) x509 -req -CA $(test_ca_crt) -CAkey $(test_ca_key_file_rsa) -extfile $(test_ca_config_file) -outform DER -extensions rfc822name_names -passin "pass:$(test_ca_pwd_rsa)" -set_serial 17 -days 3653 -sha256 -in $< > $@
+
$(test_ca_key_file_rsa_alt):test-ca.opensslconf
$(OPENSSL) genrsa -out $@ 2048
test-ca-alt.csr: $(test_ca_key_file_rsa_alt) $(test_ca_config_file)
@@ -336,6 +339,12 @@
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@
all_final += server5-tricky-ip-san.crt
+rsa_single_san_uri.crt.der: rsa_single_san_uri.key
+ $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
+
+rsa_multiple_san_uri.crt.der: rsa_multiple_san_uri.key
+ $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
+
server10-badsign.crt: server10.crt
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += server10-badsign.crt
@@ -911,6 +920,70 @@
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_prv.pk8param.pem
+ec_prv.sec1.comp.pem: ec_prv.sec1.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_prv.sec1.comp.pem
+
+ec_224_prv.comp.pem: ec_224_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_224_prv.comp.pem
+
+ec_256_prv.comp.pem: ec_256_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_256_prv.comp.pem
+
+ec_384_prv.comp.pem: ec_384_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_384_prv.comp.pem
+
+ec_521_prv.comp.pem: ec_521_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_521_prv.comp.pem
+
+ec_bp256_prv.comp.pem: ec_bp256_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp256_prv.comp.pem
+
+ec_bp384_prv.comp.pem: ec_bp384_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp384_prv.comp.pem
+
+ec_bp512_prv.comp.pem: ec_bp512_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp512_prv.comp.pem
+
+ec_pub.comp.pem: ec_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_pub.comp.pem
+
+ec_224_pub.comp.pem: ec_224_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_224_pub.comp.pem
+
+ec_256_pub.comp.pem: ec_256_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_256_pub.comp.pem
+
+ec_384_pub.comp.pem: ec_384_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_384_pub.comp.pem
+
+ec_521_pub.comp.pem: ec_521_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_521_pub.comp.pem
+
+ec_bp256_pub.comp.pem: ec_bp256_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp256_pub.comp.pem
+
+ec_bp384_pub.comp.pem: ec_bp384_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp384_pub.comp.pem
+
+ec_bp512_pub.comp.pem: ec_bp512_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp512_pub.comp.pem
+
################################################################
### Generate CSRs for X.509 write test suite
################################################################
@@ -1205,6 +1278,10 @@
echo -e "Hello\xd" > $@
all_final += $(pkcs7_test_file)
+pkcs7_zerolendata.bin:
+ printf '' > $@
+all_final += pkcs7_zerolendata.bin
+
pkcs7_data_1.bin:
echo -e "2\xd" > $@
all_final += pkcs7_data_1.bin
@@ -1238,6 +1315,11 @@
$(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER
all_final += pkcs7-rsa-sha256-2.der
+# pkcs7 signature file over zero-len data
+pkcs7_zerolendata_detached.der: pkcs7_zerolendata.bin pkcs7-rsa-sha256-1.key pkcs7-rsa-sha256-1.crt
+ $(OPENSSL) smime -sign -md sha256 -nocerts -noattr -in pkcs7_zerolendata.bin -inkey pkcs7-rsa-sha256-1.key -outform DER -binary -signer pkcs7-rsa-sha256-1.crt -out pkcs7_zerolendata_detached.der
+all_final += pkcs7_zerolendata_detached.der
+
# pkcs7 signature file with CERT
pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
diff --git a/tests/data_files/ec_224_prv.comp.pem b/tests/data_files/ec_224_prv.comp.pem
new file mode 100644
index 0000000..e7ed538
--- /dev/null
+++ b/tests/data_files/ec_224_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MEwCAQEEHGhJ+X0QZvaZd1ljfH44mUZM7j7HrJcGU6C+B0KgBwYFK4EEACGhIAMe
+AAMWk6KQ9/C1cf4rQdXYSwEydjH0qGD5lfozLAl/
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_224_pub.comp.pem b/tests/data_files/ec_224_pub.comp.pem
new file mode 100644
index 0000000..159366c
--- /dev/null
+++ b/tests/data_files/ec_224_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDIwEAYHKoZIzj0CAQYFK4EEACEDHgADFpOikPfwtXH+K0HV2EsBMnYx9Khg+ZX6
+MywJfw==
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_256_prv.comp.pem b/tests/data_files/ec_256_prv.comp.pem
new file mode 100644
index 0000000..9ef8c97
--- /dev/null
+++ b/tests/data_files/ec_256_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MFcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
+AwEHoSQDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1c=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_pub.comp.pem b/tests/data_files/ec_256_pub.comp.pem
new file mode 100644
index 0000000..bf9655d
--- /dev/null
+++ b/tests/data_files/ec_256_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyh
+sONTUYNLCLZeC1c=
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_384_prv.comp.pem b/tests/data_files/ec_384_prv.comp.pem
new file mode 100644
index 0000000..3125b41
--- /dev/null
+++ b/tests/data_files/ec_384_prv.comp.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEMD9djZvigLVpbMXMn5TPivfmth3WWSsqsrOkxgdFBBfsMn3Nyu18EAU9
+cZoFdPCnaqAHBgUrgQQAIqE0AzIAA9nGYrULopykeZBFDgQ66vTwxpsVZ20RL2Iq
+cckwWa+ZlpHFaA0rRNERV52xL0pBOg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_384_pub.comp.pem b/tests/data_files/ec_384_pub.comp.pem
new file mode 100644
index 0000000..ccb6702
--- /dev/null
+++ b/tests/data_files/ec_384_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MEYwEAYHKoZIzj0CAQYFK4EEACIDMgAD2cZitQuinKR5kEUOBDrq9PDGmxVnbREv
+YipxyTBZr5mWkcVoDStE0RFXnbEvSkE6
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_prv.comp.pem b/tests/data_files/ec_521_prv.comp.pem
new file mode 100644
index 0000000..314c393
--- /dev/null
+++ b/tests/data_files/ec_521_prv.comp.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGYAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
+lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhRgNEAAMAHeFC1U9p
+6wOO5LevnTygdzb9nPcZ6zVNaYee5/PBNvsPv58I+Gvl+hKOwaBR0+bGQ+ha2o/6
+zzZjwmC9LIRLb1Y=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_pub.comp.pem b/tests/data_files/ec_521_pub.comp.pem
new file mode 100644
index 0000000..4bb8c2b
--- /dev/null
+++ b/tests/data_files/ec_521_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFgwEAYHKoZIzj0CAQYFK4EEACMDRAADAB3hQtVPaesDjuS3r508oHc2/Zz3Ges1
+TWmHnufzwTb7D7+fCPhr5foSjsGgUdPmxkPoWtqP+s82Y8JgvSyES29W
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp256_prv.comp.pem b/tests/data_files/ec_bp256_prv.comp.pem
new file mode 100644
index 0000000..198d21d
--- /dev/null
+++ b/tests/data_files/ec_bp256_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MFgCAQEEICFh1vLbdlJvpiwW81aoDwHzL3dnhLNqqZeZqLdmIID/oAsGCSskAwMC
+CAEBB6EkAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm7G1hbBRuE/HH34Cb
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp256_pub.comp.pem b/tests/data_files/ec_bp256_pub.comp.pem
new file mode 100644
index 0000000..ecd07bc
--- /dev/null
+++ b/tests/data_files/ec_bp256_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDowFAYHKoZIzj0CAQYJKyQDAwIIAQEHAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm
+7G1hbBRuE/HH34Cb
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp384_prv.comp.pem b/tests/data_files/ec_bp384_prv.comp.pem
new file mode 100644
index 0000000..c0e2393
--- /dev/null
+++ b/tests/data_files/ec_bp384_prv.comp.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEMD3ZLnUNkNfTn8GIXNitEuqUQfIrkzS02WUgKtsUSM4kxYCKhd2a/CKa
+8KMST3Vby6ALBgkrJAMDAggBAQuhNAMyAAJxn50JOmJ+DTUDhcZhzr8AxhkjVm/p
+AGoxB68dhxvGu2iYX9ci6jK+MW+OeDt80ZU=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp384_pub.comp.pem b/tests/data_files/ec_bp384_pub.comp.pem
new file mode 100644
index 0000000..638666d
--- /dev/null
+++ b/tests/data_files/ec_bp384_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MEowFAYHKoZIzj0CAQYJKyQDAwIIAQELAzIAAnGfnQk6Yn4NNQOFxmHOvwDGGSNW
+b+kAajEHrx2HG8a7aJhf1yLqMr4xb454O3zRlQ==
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp512_prv.comp.pem b/tests/data_files/ec_bp512_prv.comp.pem
new file mode 100644
index 0000000..73b1c07
--- /dev/null
+++ b/tests/data_files/ec_bp512_prv.comp.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGYAgEBBEA3LJd49p9ybLyj9KJo8WtNYX0QKA15pqApzVGHn+EBKTTf5TlUVTN9
+9pBtx9bS7qTbsgZcAij3Oz7XFkgOfXHSoAsGCSskAwMCCAEBDaFEA0IAAji37JK2
+HFxsf7wopOx1nUj81OLjdN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrH
+zndr2yUd1kvOcSM=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp512_pub.comp.pem b/tests/data_files/ec_bp512_pub.comp.pem
new file mode 100644
index 0000000..c2fbdca
--- /dev/null
+++ b/tests/data_files/ec_bp512_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFowFAYHKoZIzj0CAQYJKyQDAwIIAQENA0IAAji37JK2HFxsf7wopOx1nUj81OLj
+dN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrHzndr2yUd1kvOcSM=
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_prv.sec1.comp.pem b/tests/data_files/ec_prv.sec1.comp.pem
new file mode 100644
index 0000000..ada14c2
--- /dev/null
+++ b/tests/data_files/ec_prv.sec1.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MEcCAQEEGDOOhqiB4jj1Sb1vBVNJS3Pj1hEw/cbJbaAKBggqhkjOPQMBAaEcAxoA
+A1F1vN8wo3DznVOT5hJyiNgBZ7X0tLd2xg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_pub.comp.pem b/tests/data_files/ec_pub.comp.pem
new file mode 100644
index 0000000..a3742a3
--- /dev/null
+++ b/tests/data_files/ec_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgACvHl9s65/COw9SWtPtBGz9iClWKUB
+4CIt
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/pkcs7_zerolendata.bin b/tests/data_files/pkcs7_zerolendata.bin
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/data_files/pkcs7_zerolendata.bin
diff --git a/tests/data_files/pkcs7_zerolendata_detached.der b/tests/data_files/pkcs7_zerolendata_detached.der
new file mode 100644
index 0000000..2a389ab
--- /dev/null
+++ b/tests/data_files/pkcs7_zerolendata_detached.der
Binary files differ
diff --git a/tests/data_files/rsa_multiple_san_uri.crt.der b/tests/data_files/rsa_multiple_san_uri.crt.der
new file mode 100644
index 0000000..ac5fab2
--- /dev/null
+++ b/tests/data_files/rsa_multiple_san_uri.crt.der
Binary files differ
diff --git a/tests/data_files/rsa_multiple_san_uri.key b/tests/data_files/rsa_multiple_san_uri.key
new file mode 100644
index 0000000..c8c3492
--- /dev/null
+++ b/tests/data_files/rsa_multiple_san_uri.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxc5q8z8XR6vH2
+1Ko29Mk3dOKpSOrX9Tb5HtmCQMoKIxnTUQrNkVeOQtiQt6XZo05cbA6Z87kWDgGJ
+P/5Lxofrx13Rp1xZzZ+0AAPfvUCY5tzZwmicQWvu9st6JwTyaLTCzSt0cPTUs5Hi
+hJt9RzSW6GTk5ANjjgoewOMhwh5f84JRURJ2INZjz4namBGe/9f14ZHxKWuxl5in
++z582rSEhLXrPLbaKjT3Jphff51xsusC+pP0xNqkAcrGJ+/Jk0Vk6ClRCd40ZcTB
+4SkOqsZ8/uGWnradkrN74PoMMnSKKOuxlsVMPfzMkrlMbuazO4nK/osTAnoSqMUv
+COBdXkTtAgMBAAECggEANVlTIQa6K3UeD546GlGXmQOcDVbtu8VuJJFgxScjVs7c
+uco4nDrg/tUb9M4xn2/YZDLcZO6AK6BEV/YURsXGIV2L2DcfraQDKoOCpqZoIE/v
+/8vR1YBZqbsqy2ulshdGmPZD5Tr8cGIYLui9MnnQ1rnBc4sVdb3DTyGgZ4rLxP6X
+0BoHw+LQA0wwSbE/NW71qmeDSEDkSkUQISVg6Rp06U0PZaJAWtYoBNKGAsDGAhjc
+vVTXE5B9d+3yOM0InCWFsM/bUvaUv/yxxTcZnVq9Lji3KwDhy63F99pUaFnV6Rf2
+3CKO3VHegWSwMcnYaBbufDqWPHuEDSlZ0nRhrbrKRQKBgQD6dQd0xPHfxIz5l+AC
+1kPHIsUKPEirrJKTVHlxQwT0yVpD+yUkF95HY6NgHVHKnRP9qicqr3raIfA01VQc
+y+lhXo6xUAqYsKvB9m4njERFWMTCVSVU30Klhic/s4R/1abKlvkax1SiQFIRStqC
+onsZ0M1Isw69/I8Yha3mzv/gvwKBgQC1YPXnd5dZmdbe0UibBWjU5X6AQGt+oxL+
++6EP3EfuRmYI3i3r2bdbB3ELd95f8tgV0UagmjQfFoigBsuRfbhrQEPSHMBWYpAV
++TZKxUvmpJXwLEgxcPv7VTTvxw0qL1u1s/dX6WBfEOUgVzPgcp+IJGEr1MZekTqt
+P65coDpZUwKBgAmrLuiBGd1Lly2jgVBauS8c1oJ4pU2LUfVCE5Ydwjk49LUfIuXr
+zfbvj8UMHLY3rifiw7RQJev5124StjaOYKoTnmqV7nLKjzbjroj0T0ZmEOJ3qwNF
+wyrkrOs2oOzWcKPthBxWiZvh48krHJhicWIjv2kJEI6hC10k+/unDhW9AoGAZyRg
+MeRb+OP2wHaapy0IVCi9Kwl3F2h8oOtOx8ooTWNTGq/dxUTlc6pjqnXbyww5vQ5o
+72NBSHxz7SxwDqhDexnsd0tKRNV/wj8ZlKNlah8l9JH568OoR2BI3iF/ZwHPUSCq
+Ax//YZAl+6IbKgOEnNKzP02cEKLdjy+rY5jqFWkCgYEAmEl4mg1IGoVDM6d3iIPP
+JLz5DghV8kP++99vFrJx07D6e/uhzojR73Ye+fq69Vy0yjGXpaRPwwHfvPzDA1hm
+ir7rJWsbbskR+iTn2yKvIpB1wBI1u0SQ4lnJ1ZIVJPVlh4yA29JvPT7/7/2nQ/s6
+v0N2oKrfaiKc7BjCz3eYW4Q=
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/rsa_single_san_uri.crt.der b/tests/data_files/rsa_single_san_uri.crt.der
new file mode 100644
index 0000000..22308c6
--- /dev/null
+++ b/tests/data_files/rsa_single_san_uri.crt.der
Binary files differ
diff --git a/tests/data_files/rsa_single_san_uri.key b/tests/data_files/rsa_single_san_uri.key
new file mode 100644
index 0000000..bb6c0ca
--- /dev/null
+++ b/tests/data_files/rsa_single_san_uri.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCng06zdlkhYiBK
+43H+cK+vkHYvvRA2RtWbLMw+9rV9IrdGQ+iQQ/X1SZfDl2hWUiKTpabcuGYzY38H
+lXW4UXwTB36KEe7G3yF/fbvYzNsdUCAVOzNs/0EMvXJeD/Dm5CBMEsG6V0ovHmkc
+c80fQYQiSxgjpWyRpKdP+z/2imGph9onuu7EWOpAXGArozlLL5OixQ2dmutsc5ap
+hfgwq6za00uKsFifolRtAhiH86N0vjiAJkzZR83uBlI285sj5+EzRrtjVv+kgsLW
+gLDlj3bgsuKQDfxWhe+mpy2PIJ41kqktCz1qew3wyHI2ysE+6htHYQMNbCtkRMdX
+/4t1yx95AgMBAAECggEAIIhn6IK7nLgp/WFe6kOIW1h7G5pkY6YuJgz1PeU8Kilr
+3sGhkSMhyZmZV+s34EvjWzl4xrUpZCGWsipcyodIyYlTEg2ZihYbs17/9IMUqwS8
+tmLhAfIw+ABzDcGaz7zOaPfbmA0L40rMrzHuTHu05dQfxAyEoWSQ+f+Z1I/bl8jy
+GdXQVtqZzqJcWXbXt+3+B4f2/d7K5xzb7lv/8zhAf/zoG9srMByPa6/Do5rVas5Q
+NmzJPwXngxE5dJcHsWU4FkHbSbJj0khW858MJ4o5Ddw5ZOPimqlcmpClb01wCdXf
+13o2ozKGE/xq3InU7MA4ad0tLMdEM8R7yhUZ9Xe/gQKBgQDYXt4BhiamnSl1tHR8
+MiiyzkcZuVH04/A6FsnUhcbQF9iCqO9szw50k0z7DVIGS9dSY9kmMdEcpsX6m2XC
+XfEsxHBm0wmJqLUGq3UzM6oDsyZG1fkTg+eMzbVO0sv4xdhJLPpmsck5yJ8t0TxB
+8gIS9yNEw7+w6rZhgSRsMT+WhQKBgQDGMZ0qIdFi1Ae7ueTcBCe+cjgmTG9nXq6+
+qRokU63rPP9y8XTVD6hRmviMRl4skt0F39yGJ7janIQnOBrf2DVEX4Mcf0sY4vDJ
+msDV5jkbzgbAEas0ejO4h+dpRqa4mUiU1JR/Pb1jZHNOg7ZfTw45WPqBGsLTEpAt
+OsKVUgbZZQKBgCIe+8WjwS6fNC2SspfvVQm1i/Lbjbgfxf9zHor8ObkROZyJRZCU
+KoRpwkcI97l0dlVQ16q1SnPJPQljPi3joKfdppggia2CxGFz4nybliEVPGEJV0kj
+kP1cZ04x4eauVIhdpnNRcBlDsQ6Jo4YGwxr4jEBI2k7tBKvlsLe7IHr9AoGAeJmi
+IAwaBIAvAH16lKL2qD2Ki0uBkq4buSrfHHHK59TjQEdLJ4byjk21pm3/SjJHyhZR
+c1TieCw7gj3ypHlE2IkiGAohYVBe4t6HLuF7qL6yfteBjVo69LPGDdqPAs9LSj0c
+61xfTQbH32PoapCJgD3zmPH20Ud/cfZKh2A1iL0CgYEAwQgGxHVo+/d3BhLQvQHt
+64fE+qrZA5oWWwBh8EzR+98eOnDCF3Gm6chrEs9boOzlwxr9LU4TgiBnpyYrQCEw
+AdOA9dhYz91d+chJZjKo635Y9byN9rutr3/EfqZLxWL73k1y5LNAYL+jyAab0Jsw
+l2xG6PNj5rItkgO3j50qA7s=
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf
index bd12760..8f8385a 100644
--- a/tests/data_files/test-ca.opensslconf
+++ b/tests/data_files/test-ca.opensslconf
@@ -24,6 +24,9 @@
[dns_alt_names]
subjectAltName=DNS:example.com, DNS:example.net, DNS:*.example.org
+[rfc822name_names]
+subjectAltName=email:my@other.address,email:second@other.address
+
[alt_names]
DNS.1=example.com
otherName.1=1.3.6.1.5.5.7.8.4;SEQ:hw_module_name
diff --git a/tests/data_files/test_cert_rfc822name.crt.der b/tests/data_files/test_cert_rfc822name.crt.der
new file mode 100644
index 0000000..cdc8189
--- /dev/null
+++ b/tests/data_files/test_cert_rfc822name.crt.der
Binary files differ
diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py
index 30748e7..44c62f7 100755
--- a/tests/scripts/analyze_outcomes.py
+++ b/tests/scripts/analyze_outcomes.py
@@ -175,10 +175,6 @@
'component_driver': 'test_psa_crypto_config_accel_ecdsa_use_psa',
'ignored_suites': [
'ecdsa', # the software implementation that's excluded
- # the following lines should not be needed,
- # they will be removed by upcoming work
- 'debug', # #6860
- 'ssl', # #6860
],
'ignored_tests': {
'test_suite_random': [
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 2bb9fea..4d6f930 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -137,4 +137,5 @@
check scripts/generate_visualc_files.pl visualc/VS2013
check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list)
+check tests/scripts/generate_ecp_tests.py $(tests/scripts/generate_ecp_tests.py --list)
check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list)
diff --git a/tests/scripts/generate_ecp_tests.py b/tests/scripts/generate_ecp_tests.py
new file mode 100755
index 0000000..abbfda5
--- /dev/null
+++ b/tests/scripts/generate_ecp_tests.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+"""Generate test data for ecp functions.
+
+The command line usage, class structure and available methods are the same
+as in generate_bignum_tests.py.
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_dev import test_data_generation
+# Import modules containing additional test classes
+# Test function classes in these modules will be registered by
+# the framework
+from mbedtls_dev import ecp # pylint: disable=unused-import
+
+if __name__ == '__main__':
+ # Use the section of the docstring relevant to the CLI as description
+ test_data_generation.main(sys.argv[1:], "\n".join(__doc__.splitlines()[:4]))
diff --git a/tests/src/certs.c b/tests/src/certs.c
index 1fcdc42..bd5c49e 100644
--- a/tests/src/certs.c
+++ b/tests/src/certs.c
@@ -25,6 +25,8 @@
#include "mbedtls/legacy_or_psa.h"
+#include "mbedtls/pk.h"
+
/*
* Test CA Certificates
*
@@ -1678,7 +1680,7 @@
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
mbedtls_test_ca_crt_rsa_sha256,
#endif
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
mbedtls_test_ca_crt_ec,
#endif
NULL
@@ -1690,7 +1692,7 @@
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
sizeof(mbedtls_test_ca_crt_rsa_sha256),
#endif
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
sizeof(mbedtls_test_ca_crt_ec),
#endif
0
@@ -1706,9 +1708,9 @@
mbedtls_test_ca_crt_rsa_sha1_der,
#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
mbedtls_test_ca_crt_ec_der,
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
NULL
};
@@ -1721,9 +1723,9 @@
sizeof(mbedtls_test_ca_crt_rsa_sha1_der),
#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
sizeof(mbedtls_test_ca_crt_ec_der),
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
0
};
@@ -1738,9 +1740,9 @@
TEST_CA_CRT_RSA_SHA1_PEM
#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
TEST_CA_CRT_EC_PEM
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
"";
const size_t mbedtls_test_cas_pem_len = sizeof(mbedtls_test_cas_pem);
#endif /* MBEDTLS_PEM_PARSE_C */
diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function
index 14dc8ae..a2bf396 100644
--- a/tests/suites/test_suite_constant_time.function
+++ b/tests/suites/test_suite_constant_time.function
@@ -18,7 +18,7 @@
/* BEGIN_CASE */
void mbedtls_ct_memcmp_null()
{
- uint32_t x;
+ uint32_t x = 0;
TEST_ASSERT(mbedtls_ct_memcmp(&x, NULL, 0) == 0);
TEST_ASSERT(mbedtls_ct_memcmp(NULL, &x, 0) == 0);
TEST_ASSERT(mbedtls_ct_memcmp(NULL, NULL, 0) == 0);
diff --git a/tests/suites/test_suite_debug.data b/tests/suites/test_suite_debug.data
index 47612d6..60e96a4 100644
--- a/tests/suites/test_suite_debug.data
+++ b/tests/suites/test_suite_debug.data
@@ -63,5 +63,5 @@
mbedtls_debug_print_crt:"data_files/server1.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: 01\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=PolarSSL Server 1\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:06\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:06\nMyFile(0999)\: signed using \: RSA with SHA1\nMyFile(0999)\: RSA key size \: 2048 bits\nMyFile(0999)\: basic constraints \: CA=false\nMyFile(0999)\: value of 'crt->rsa.N' (2048 bits) is\:\nMyFile(0999)\: a9 02 1f 3d 40 6a d5 55 53 8b fd 36 ee 82 65 2e\nMyFile(0999)\: 15 61 5e 89 bf b8 e8 45 90 db ee 88 16 52 d3 f1\nMyFile(0999)\: 43 50 47 96 12 59 64 87 6b fd 2b e0 46 f9 73 be\nMyFile(0999)\: dd cf 92 e1 91 5b ed 66 a0 6f 89 29 79 45 80 d0\nMyFile(0999)\: 83 6a d5 41 43 77 5f 39 7c 09 04 47 82 b0 57 39\nMyFile(0999)\: 70 ed a3 ec 15 19 1e a8 33 08 47 c1 05 42 a9 fd\nMyFile(0999)\: 4c c3 b4 df dd 06 1f 4d 10 51 40 67 73 13 0f 40\nMyFile(0999)\: f8 6d 81 25 5f 0a b1 53 c6 30 7e 15 39 ac f9 5a\nMyFile(0999)\: ee 7f 92 9e a6 05 5b e7 13 97 85 b5 23 92 d9 d4\nMyFile(0999)\: 24 06 d5 09 25 89 75 07 dd a6 1a 8f 3f 09 19 be\nMyFile(0999)\: ad 65 2c 64 eb 95 9b dc fe 41 5e 17 a6 da 6c 5b\nMyFile(0999)\: 69 cc 02 ba 14 2c 16 24 9c 4a dc cd d0 f7 52 67\nMyFile(0999)\: 73 f1 2d a0 23 fd 7e f4 31 ca 2d 70 ca 89 0b 04\nMyFile(0999)\: db 2e a6 4f 70 6e 9e ce bd 58 89 e2 53 59 9e 6e\nMyFile(0999)\: 5a 92 65 e2 88 3f 0c 94 19 a3 dd e5 e8 9d 95 13\nMyFile(0999)\: ed 29 db ab 70 12 dc 5a ca 6b 17 ab 52 82 54 b1\nMyFile(0999)\: value of 'crt->rsa.E' (17 bits) is\:\nMyFile(0999)\: 01 00 01\n"
Debug print certificate #2 (EC)
-depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA:!MBEDTLS_X509_REMOVE_INFO
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_BASE64_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA:!MBEDTLS_X509_REMOVE_INFO
mbedtls_debug_print_crt:"data_files/test-ca2.crt":"MyFile":999:"PREFIX_":"MyFile(0999)\: PREFIX_ #1\:\nMyFile(0999)\: cert. version \: 3\nMyFile(0999)\: serial number \: C1\:43\:E2\:7E\:62\:43\:CC\:E8\nMyFile(0999)\: issuer name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: subject name \: C=NL, O=PolarSSL, CN=Polarssl Test EC CA\nMyFile(0999)\: issued on \: 2019-02-10 14\:44\:00\nMyFile(0999)\: expires on \: 2029-02-10 14\:44\:00\nMyFile(0999)\: signed using \: ECDSA with SHA256\nMyFile(0999)\: EC key size \: 384 bits\nMyFile(0999)\: basic constraints \: CA=true\nMyFile(0999)\: value of 'crt->eckey.Q(X)' (384 bits) is\:\nMyFile(0999)\: c3 da 2b 34 41 37 58 2f 87 56 fe fc 89 ba 29 43\nMyFile(0999)\: 4b 4e e0 6e c3 0e 57 53 33 39 58 d4 52 b4 91 95\nMyFile(0999)\: 39 0b 23 df 5f 17 24 62 48 fc 1a 95 29 ce 2c 2d\nMyFile(0999)\: value of 'crt->eckey.Q(Y)' (384 bits) is\:\nMyFile(0999)\: 87 c2 88 52 80 af d6 6a ab 21 dd b8 d3 1c 6e 58\nMyFile(0999)\: b8 ca e8 b2 69 8e f3 41 ad 29 c3 b4 5f 75 a7 47\nMyFile(0999)\: 6f d5 19 29 55 69 9a 53 3b 20 b4 66 16 60 33 1e\n"
diff --git a/tests/suites/test_suite_debug.function b/tests/suites/test_suite_debug.function
index 6a3ca33..8117c79 100644
--- a/tests/suites/test_suite_debug.function
+++ b/tests/suites/test_suite_debug.function
@@ -2,6 +2,7 @@
#include "mbedtls/debug.h"
#include "string.h"
#include "mbedtls/legacy_or_psa.h"
+#include "mbedtls/pk.h"
struct buffer_data {
char buf[2000];
diff --git a/tests/suites/test_suite_ecp.data b/tests/suites/test_suite_ecp.data
index 9a13793..3fbad92 100644
--- a/tests/suites/test_suite_ecp.data
+++ b/tests/suites/test_suite_ecp.data
@@ -1038,3 +1038,115 @@
ECP check order for CURVE448
depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
ecp_check_order:MBEDTLS_ECP_DP_CURVE448:"3fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3"
+
+ecp_setup #1 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffeffffffffffffffff":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #2 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_setup:"00000000ffffffffffffffffffffffffffffffff000000000000000000000001":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #3 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_setup:"ffffffff00000001000000000000000000000000ffffffffffffffffffffffff":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #4 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffff0000000000000000ffffffff":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #5 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_setup:"1ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #6 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_setup:"a9fb57dba1eea9bc3e660a909d838d726e3bf623d52620282013481d1f6e5377":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #7 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_setup:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #8 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_setup:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca703308717d4d9b009bc66842aecda12ae6a380e62881ff2f2d82c68528aa6056583a48f3":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #9 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_setup:"7fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffed":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #10 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffeffffee37":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #11 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffeffffe56d":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #12 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffffffffffffffffffffffffffefffffc2f":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #13 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_setup:"000000000000000fffffffffffffffffffffffffffffffffffffffffffffffffffffffeffffffffffffffffffffffffffffffffffffffffffffffffffffffff":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #14 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192R1)
+depends_on:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+ecp_mod_setup:"ffffffffffffffffffffffff99def836146bc9b1b4d22831":MBEDTLS_ECP_DP_SECP192R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #15 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224R1)
+depends_on:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+ecp_mod_setup:"ffffffffffffffffffffffffffff16a2e0b8f03e13dd29455c5c2a3d":MBEDTLS_ECP_DP_SECP224R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #16 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256R1)
+depends_on:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+ecp_mod_setup:"ffffffff00000000ffffffffffffffffbce6faada7179e84f3b9cac2fc632551":MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #17 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP384R1)
+depends_on:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+ecp_mod_setup:"ffffffffffffffffffffffffffffffffffffffffffffffffc7634d81f4372ddf581a0db248b0a77aecec196accc52973":MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #18 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP521R1)
+depends_on:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+ecp_mod_setup:"1fffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffa51868783bf2f966b7fcc0148f709a5d03bb5c9b8899c47aebb6fb71e91386409":MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #19 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP256R1)
+depends_on:MBEDTLS_ECP_DP_BP256R1_ENABLED
+ecp_mod_setup:"a9fb57dba1eea9bc3e660a909d838d718c397aa3b561a6f7901e0e82974856a7":MBEDTLS_ECP_DP_BP256R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #20 MBEDTLS_ECP_MOD_COORDINATE(MBEDTLS_ECP_DP_BP384R1)
+depends_on:MBEDTLS_ECP_DP_BP384R1_ENABLED
+ecp_mod_setup:"8cb91e82a3386d280f5d6f7e50e641df152f7109ed5456b412b1da197fb71123acd3a729901d1a71874700133107ec53":MBEDTLS_ECP_DP_BP384R1:MBEDTLS_ECP_MOD_COORDINATE:0
+
+ecp_setup #21 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_BP512R1)
+depends_on:MBEDTLS_ECP_DP_BP512R1_ENABLED
+ecp_mod_setup:"aadd9db8dbe9c48b3fd4e6ae33c9fc07cb308db3b3c9d20ed6639cca70330870553e5c414ca92619418661197fac10471db1d381085ddaddb58796829ca90069":MBEDTLS_ECP_DP_BP512R1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #22 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE25519)
+depends_on:MBEDTLS_ECP_DP_CURVE25519_ENABLED
+ecp_mod_setup:"1000000000000000000000000000000014def9dea2f79cd65812631a5cf5d3ed":MBEDTLS_ECP_DP_CURVE25519:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #23 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP192K1)
+depends_on:MBEDTLS_ECP_DP_SECP192K1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffe26f2fc170f69466a74defd8d":MBEDTLS_ECP_DP_SECP192K1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #24 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP224K1)
+depends_on:MBEDTLS_ECP_DP_SECP224K1_ENABLED
+ecp_mod_setup:"000000010000000000000000000000000001dce8d2ec6184caf0a971769fb1f7":MBEDTLS_ECP_DP_SECP224K1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #25 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_SECP256K1)
+depends_on:MBEDTLS_ECP_DP_SECP256K1_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffffffffffebaaedce6af48a03bbfd25e8cd0364141":MBEDTLS_ECP_DP_SECP256K1:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup #26 MBEDTLS_ECP_MOD_SCALAR(MBEDTLS_ECP_DP_CURVE448)
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_setup:"0000000000000003fffffffffffffffffffffffffffffffffffffffffffffffffffffff7cca23e9c44edb49aed63690216cc2728dc58f552378c292ab5844f3":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_SCALAR:0
+
+ecp_setup_negative_test #27 Invalid Moduli Type
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_CURVE448:MBEDTLS_ECP_MOD_NONE:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
+
+ecp_setup_negative_test #28 Invalid Curve Type
+depends_on:MBEDTLS_ECP_DP_CURVE448_ENABLED
+ecp_mod_setup:"fffffffffffffffffffffffe26f2fc17f69466a74defd8d":MBEDTLS_ECP_DP_NONE:MBEDTLS_ECP_MOD_SCALAR:MBEDTLS_ERR_ECP_BAD_INPUT_DATA
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index c8a0a82..96537c2 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -1,9 +1,12 @@
/* BEGIN_HEADER */
#include "mbedtls/ecp.h"
+#include "ecp_invasive.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecdh.h"
+#include "bignum_core.h"
#include "ecp_invasive.h"
+#include "bignum_mod_raw_invasive.h"
#if defined(MBEDTLS_TEST_HOOKS) && \
(defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
@@ -1299,3 +1302,129 @@
mbedtls_mpi_free(&expected_n);
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_p192_raw(char *input_N,
+ char *input_X,
+ char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ size_t limbs_X;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
+
+ TEST_EQUAL(limbs_X, 2 * limbs);
+ TEST_EQUAL(limbs_res, limbs);
+
+ TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
+
+ TEST_EQUAL(mbedtls_ecp_mod_p192_raw(X, limbs_X), 0);
+ TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 192);
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
+ ASSERT_COMPARE(X, bytes, res, bytes);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(res);
+
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(N);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_p521_raw(char *input_N,
+ char *input_X,
+ char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ size_t limbs_X;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
+
+ TEST_EQUAL(limbs_X, 2 * limbs);
+ TEST_EQUAL(limbs_res, limbs);
+
+ TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
+
+ TEST_EQUAL(mbedtls_ecp_mod_p521_raw(X, limbs_X), 0);
+ TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 522);
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
+ ASSERT_COMPARE(X, bytes, res, bytes);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(res);
+
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(N);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_setup(char *input_A, int id, int ctype, int iret)
+{
+ int ret;
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+ mbedtls_mpi_uint *p = NULL;
+ size_t p_limbs;
+ size_t bytes;
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&p, &p_limbs, input_A), 0);
+
+ ret = mbedtls_ecp_modulus_setup(&m, id, ctype);
+ TEST_EQUAL(ret, iret);
+
+ if (ret == 0) {
+
+ /* Test for limb sizes */
+ TEST_EQUAL(m.limbs, p_limbs);
+ bytes = p_limbs * sizeof(mbedtls_mpi_uint);
+
+ /* Test for validity of moduli by the presence of Montgomery consts */
+
+ TEST_ASSERT(m.rep.mont.mm != 0);
+ TEST_ASSERT(m.rep.mont.rr != NULL);
+
+
+ /* Compare output byte-by-byte */
+ ASSERT_COMPARE(p, bytes, m.p, bytes);
+
+ /* Test for user free-ing allocated memory */
+ mbedtls_mpi_mod_modulus_free(&m);
+ }
+
+exit:
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(p);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_oid.data b/tests/suites/test_suite_oid.data
index 1738841..b9fa654 100644
--- a/tests/suites/test_suite_oid.data
+++ b/tests/suites/test_suite_oid.data
@@ -89,3 +89,33 @@
OID hash id - invalid oid
oid_get_md_alg_id:"2B864886f70d0204":-1
+OID get numeric string - hardware module name
+oid_get_numeric_string:"2B06010505070804":0:"1.3.6.1.5.5.7.8.4"
+
+OID get numeric string - multi-byte subidentifier
+oid_get_numeric_string:"29903C":0:"1.1.2108"
+
+OID get numeric string - second component greater than 39
+oid_get_numeric_string:"81010000863A00":0:"2.49.0.0.826.0"
+
+OID get numeric string - multi-byte first subidentifier
+oid_get_numeric_string:"8837":0:"2.999"
+
+OID get numeric string - empty oid buffer
+oid_get_numeric_string:"":MBEDTLS_ERR_ASN1_OUT_OF_DATA:""
+
+OID get numeric string - no final / all bytes have top bit set
+oid_get_numeric_string:"818181":MBEDTLS_ERR_ASN1_OUT_OF_DATA:""
+
+# Encodes the number 0x0400000000 as a subidentifier which overflows 32-bits
+OID get numeric string - 32-bit overflow
+oid_get_numeric_string:"C080808000":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID get numeric string - 32-bit overflow, second subidentifier
+oid_get_numeric_string:"2BC080808000":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID get numeric string - overlong encoding
+oid_get_numeric_string:"8001":MBEDTLS_ERR_ASN1_INVALID_DATA:""
+
+OID get numeric string - overlong encoding, second subidentifier
+oid_get_numeric_string:"2B8001":MBEDTLS_ERR_ASN1_INVALID_DATA:""
diff --git a/tests/suites/test_suite_oid.function b/tests/suites/test_suite_oid.function
index 687b216..3004b65 100644
--- a/tests/suites/test_suite_oid.function
+++ b/tests/suites/test_suite_oid.function
@@ -96,3 +96,24 @@
}
}
/* END_CASE */
+
+/* BEGIN_CASE */
+void oid_get_numeric_string(data_t *oid, int error_ret, char *result_str)
+{
+ char buf[256];
+ mbedtls_asn1_buf input_oid = { 0, 0, NULL };
+ int ret;
+
+ input_oid.tag = MBEDTLS_ASN1_OID;
+ input_oid.p = oid->x;
+ input_oid.len = oid->len;
+
+ ret = mbedtls_oid_get_numeric_string(buf, sizeof(buf), &input_oid);
+
+ if (error_ret == 0) {
+ TEST_ASSERT(strcmp(buf, result_str) == 0);
+ } else {
+ TEST_EQUAL(ret, error_ret);
+ }
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index d8a8f86..a99b6c0 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -1064,10 +1064,6 @@
size_t hash_len = SIZE_MAX, sig_len = SIZE_MAX;
unsigned char hash[50], sig[100];
- if (SIZE_MAX <= UINT_MAX) {
- return;
- }
-
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 840a24b..9948537 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -38,6 +38,14 @@
depends_on:MBEDTLS_SHA256_C
pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+PKCS7 Signed Data Verification Pass zero-len data
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0
+
+PKCS7 Signed Data Verification Fail zero-len data
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
PKCS7 Signed Data Verification Pass SHA256 #9
depends_on:MBEDTLS_SHA256_C
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 62f9f66..91fe47b 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -125,7 +125,8 @@
TEST_ASSERT(file != NULL);
datalen = st.st_size;
- ASSERT_ALLOC(data, datalen);
+ /* Special-case for zero-length input so that data will be non-NULL */
+ ASSERT_ALLOC(data, datalen == 0 ? 1 : datalen);
buflen = fread((void *) data, sizeof(unsigned char), datalen, file);
TEST_EQUAL(buflen, datalen);
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
index a493325..317a6c9 100644
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@@ -912,34 +912,68 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_pub.pem":0
+Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_pub.comp.pem":0
+
Parse Public EC Key #3 (RFC 5480, secp224r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_224_pub.pem":0
+# Compressed points parsing does not support MBEDTLS_ECP_DP_SECP224R1 and
+# MBEDTLS_ECP_DP_SECP224K1. Therefore a failure is expected in this case
+Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
Parse Public EC Key #4 (RFC 5480, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_256_pub.pem":0
+Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_256_pub.comp.pem":0
+
Parse Public EC Key #5 (RFC 5480, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_384_pub.pem":0
+Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_384_pub.comp.pem":0
+
Parse Public EC Key #6 (RFC 5480, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0
+Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_521_pub.comp.pem":0
+
Parse Public EC Key #7 (RFC 5480, brainpoolP256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":0
+Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.comp.pem":0
+
Parse Public EC Key #8 (RFC 5480, brainpoolP384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.pem":0
+Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.comp.pem":0
+
Parse Public EC Key #9 (RFC 5480, brainpoolP512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.pem":0
+Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.comp.pem":0
+
Parse EC Key #1 (SEC1 DER)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0
@@ -948,6 +982,10 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pem":"NULL":0
+Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_prv.sec1.comp.pem":"NULL":0
+
Parse EC Key #3 (SEC1 PEM encrypted)
depends_on:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pw.pem":"polar":0
@@ -988,30 +1026,58 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_224_prv.pem":"NULL":0
+Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_224_prv.comp.pem":"NULL":0
+
Parse EC Key #9 (SEC1 PEM, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_256_prv.pem":"NULL":0
+Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_256_prv.comp.pem":"NULL":0
+
Parse EC Key #10 (SEC1 PEM, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_384_prv.pem":"NULL":0
+Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_384_prv.comp.pem":"NULL":0
+
Parse EC Key #11 (SEC1 PEM, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_521_prv.pem":"NULL":0
+Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_521_prv.comp.pem":"NULL":0
+
Parse EC Key #12 (SEC1 PEM, bp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp256_prv.pem":"NULL":0
+Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp256_prv.comp.pem":"NULL":0
+
Parse EC Key #13 (SEC1 PEM, bp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp384_prv.pem":"NULL":0
+Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp384_prv.comp.pem":"NULL":0
+
Parse EC Key #14 (SEC1 PEM, bp512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp512_prv.pem":"NULL":0
+Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp512_prv.comp.pem":"NULL":0
+
Parse EC Key #15 (SEC1 DER, secp256k1, SpecifiedECDomain)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_PK_PARSE_EC_EXTENDED
pk_parse_keyfile_ec:"data_files/ec_prv.specdom.der":"NULL":0
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index ff19981..0856f3f 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -2,6 +2,7 @@
#include "mbedtls/pk.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
+#include "mbedtls/ecp.h"
#include "mbedtls/legacy_or_psa.h"
/* END_HEADER */
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c356142..f340a7f 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,6 +4145,30 @@
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":0
+
+PSA sign hash int (ops=inf) det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":0
+
+PSA sign hash int (ops=inf): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":0
+
PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015":128:PSA_ERROR_INVALID_ARGUMENT
@@ -4206,9 +4230,53 @@
sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT
PSA sign hash: deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:0
+
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, empty out buf
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:0
+
+PSA sign hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:0
+
+PSA sign hash int: det ECDSA SECP256R1, invld hash alg (wildcard)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int: invld alg for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int: ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=inf): det ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:0
+
PSA sign/verify hash: RSA PKCS#1 v1.5, raw
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263"
@@ -4249,6 +4317,54 @@
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0
+
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":0
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":0
+
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0
+
PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C
verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
@@ -4369,6 +4485,14 @@
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+PSA vrfy hash int: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int w/keypair: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
@@ -4397,6 +4521,50 @@
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig size (correct but ASN1-encoded)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrong sig of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrong sig of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:0
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (empty)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (truncated)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (trailing junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (leading junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: invld alg for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign/vrfy hash int edge case tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_edgecase_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
PSA sign message: RSA PKCS#1 v1.5 SHA-256
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index 5e46ca0..ab39fba 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1220,6 +1220,34 @@
INJECT_ANTICIPATE_KEY_DERIVATION_2,
} ecjpake_injected_failure_t;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
+ psa_status_t expected_status,
+ size_t *min_completes,
+ size_t *max_completes)
+{
+
+ /* This is slightly contrived, but we only really know that with a minimum
+ value of max_ops that a successful operation should take more than one op
+ to complete, and likewise that with a max_ops of
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
+ if (max_ops == 0 || max_ops == 1) {
+
+ if (expected_status == PSA_SUCCESS) {
+ *min_completes = 2;
+ } else {
+ *min_completes = 1;
+ }
+
+ *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+ } else {
+ *min_completes = 1;
+ *max_completes = 1;
+ }
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -5968,8 +5996,10 @@
}
psa_aead_abort(&operation);
+#endif
/* Test for calling set lengths with a plaintext length of SIZE_MAX, after setting nonce */
+#if SIZE_MAX > UINT32_MAX
PSA_ASSERT(psa_aead_encrypt_setup(&operation, key, alg));
PSA_ASSERT(psa_aead_set_nonce(&operation, nonce->x, nonce->len));
@@ -6442,6 +6472,135 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * sign_hash_interruptible() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test interruptible sign hash with known outcomes (deterministic ECDSA
+ * only).
+ *
+ * 2. Test the number of calls to psa_sign_hash_complete() required are as
+ * expected for different max_ops values.
+ *
+ * 3. Test that the number of ops done prior to start and after abort is zero
+ * and that each successful stage completes some ops (this is not mandated by
+ * the PSA specification, but is currently the case).
+ *
+ * 4. Test that calling psa_sign_hash_get_num_ops() multiple times between
+ * complete() calls does not alter the number of ops returned.
+ */
+void sign_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ data_t *output_data, int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_sign_hash_interruptible_operation_t operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start performing the signature. */
+ PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len));
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_sign_hash_complete(&operation, signature, signature_size,
+ &signature_length);
+
+ num_completes++;
+
+ if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+
+ /* Ensure calling get_num_ops() twice still returns the same
+ * number of ops as previously reported. */
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+
+ TEST_EQUAL(num_ops, num_ops_prior);
+ }
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ /* Verify that the signature is what is expected. */
+ ASSERT_COMPARE(output_data->x, output_data->len,
+ signature, signature_length);
+
+ PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_hash_fail(int key_type_arg, data_t *key_data,
int alg_arg, data_t *input_data,
@@ -6487,6 +6646,139 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * sign_hash_fail_interruptible() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test that various failure cases for interruptible sign hash fail with the
+ * correct error codes, and at the correct point (at start or during
+ * complete).
+ *
+ * 2. Test the number of calls to psa_sign_hash_complete() required are as
+ * expected for different max_ops values.
+ *
+ * 3. Test that the number of ops done prior to start and after abort is zero
+ * and that each successful stage completes some ops (this is not mandated by
+ * the PSA specification, but is currently the case).
+ */
+void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ int signature_size_arg,
+ int expected_start_status_arg,
+ int expected_complete_status_arg,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t signature_size = signature_size_arg;
+ psa_status_t actual_status;
+ psa_status_t expected_start_status = expected_start_status_arg;
+ psa_status_t expected_complete_status = expected_complete_status_arg;
+ unsigned char *signature = NULL;
+ size_t signature_length = 0xdeadbeef;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_sign_hash_interruptible_operation_t operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ ASSERT_ALLOC(signature, signature_size);
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops,
+ expected_complete_status,
+ &min_completes,
+ &max_completes);
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start performing the signature. */
+ actual_status = psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len);
+
+ TEST_EQUAL(actual_status, expected_start_status);
+
+ if (expected_start_status != PSA_SUCCESS) {
+ actual_status = psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+ }
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ actual_status = psa_sign_hash_complete(&operation, signature,
+ signature_size,
+ &signature_length);
+
+ num_completes++;
+
+ if (actual_status == PSA_SUCCESS ||
+ actual_status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+ }
+ } while (actual_status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(actual_status, expected_complete_status);
+
+ /* Check that another complete returns BAD_STATE. */
+ actual_status = psa_sign_hash_complete(&operation, signature,
+ signature_size,
+ &signature_length);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+ /* The value of *signature_length is unspecified on error, but
+ * whatever it is, it should be less than signature_size, so that
+ * if the caller tries to read *signature_length bytes without
+ * checking the error code then they don't overflow a buffer. */
+ TEST_LE_U(signature_length, signature_size);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_verify_hash(int key_type_arg, data_t *key_data,
int alg_arg, data_t *input_data)
@@ -6557,6 +6849,152 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * sign_verify_hash_interruptible() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test that we can sign an input hash with the given key and then afterwards
+ * verify that signature. This is currently the only way to test non
+ * deterministic ECDSA, but this test can also handle deterministic.
+ *
+ * 2. Test that after corrupting the hash, the verification detects an invalid
+ * signature.
+ *
+ * 3. Test the number of calls to psa_sign_hash_complete() required are as
+ * expected for different max_ops values.
+ */
+void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ /* Start performing the signature. */
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ /* Continue performing the signature until complete. */
+ do {
+
+ status = psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length);
+
+ num_completes++;
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ /* Check that the signature length looks sensible. */
+ TEST_LE_U(signature_length, signature_size);
+ TEST_ASSERT(signature_length > 0);
+
+ num_completes = 0;
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&verify_operation);
+
+ num_completes++;
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ verify_operation = psa_verify_hash_interruptible_operation_init();
+
+ if (input_data->len != 0) {
+ /* Flip a bit in the input and verify that the signature is now
+ * detected as invalid. Flip a bit at the beginning, not at the end,
+ * because ECDSA may ignore the last few bits of the input. */
+ input_data->x[0] ^= 1;
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&verify_operation);
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
+ }
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void verify_hash(int key_type_arg, data_t *key_data,
int alg_arg, data_t *hash_data,
@@ -6589,6 +7027,112 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * verify_hash_interruptible() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test interruptible verify hash with known outcomes (deterministic ECDSA
+ * only).
+ *
+ * 2. Test the number of calls to psa_verify_hash_complete() required are as
+ * expected for different max_ops values.
+ *
+ * 3. Test that the number of ops done prior to start and after abort is zero
+ * and that each successful stage completes some ops (this is not mandated by
+ * the PSA specification, but is currently the case).
+ */
+void verify_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *hash_data,
+ data_t *signature_data, int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_verify_hash_interruptible_operation_t operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x, signature_data->len)
+ );
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&operation);
+
+ num_completes++;
+
+ if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+
+ /* Ensure calling get_num_ops() twice still returns the same
+ * number of ops as previously reported. */
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_EQUAL(num_ops, num_ops_prior);
+ }
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void verify_hash_fail(int key_type_arg, data_t *key_data,
int alg_arg, data_t *hash_data,
@@ -6623,6 +7167,519 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * verify_hash_fail_interruptible() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test that various failure cases for interruptible verify hash fail with
+ * the correct error codes, and at the correct point (at start or during
+ * complete).
+ *
+ * 2. Test the number of calls to psa_verify_hash_complete() required are as
+ * expected for different max_ops values.
+ *
+ * 3. Test that the number of ops done prior to start and after abort is zero
+ * and that each successful stage completes some ops (this is not mandated by
+ * the PSA specification, but is currently the case).
+ */
+void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *hash_data,
+ data_t *signature_data,
+ int expected_start_status_arg,
+ int expected_complete_status_arg,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_status_t actual_status;
+ psa_status_t expected_start_status = expected_start_status_arg;
+ psa_status_t expected_complete_status = expected_complete_status_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+ psa_verify_hash_interruptible_operation_t operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops,
+ expected_complete_status,
+ &min_completes,
+ &max_completes);
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start verification. */
+ actual_status = psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x,
+ signature_data->len);
+
+ TEST_EQUAL(actual_status, expected_start_status);
+
+ if (expected_start_status != PSA_SUCCESS) {
+ actual_status = psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x,
+ signature_data->len);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+ }
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ actual_status = psa_verify_hash_complete(&operation);
+
+ num_completes++;
+
+ if (actual_status == PSA_SUCCESS ||
+ actual_status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+ }
+ } while (actual_status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(actual_status, expected_complete_status);
+
+ /* Check that another complete returns BAD_STATE. */
+ actual_status = psa_verify_hash_complete(&operation);
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * interruptible_signverify_hash_state_test() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test that calling the various interruptible sign and verify hash functions
+ * in incorrect orders returns BAD_STATE errors.
+ */
+void interruptible_signverify_hash_state_test(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ /* --- Attempt completes prior to starts --- */
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Aborts in all other places. --- */
+ psa_sign_hash_abort(&sign_operation);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_OPERATION_INCOMPLETE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Attempt double starts. --- */
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * interruptible_signverify_hash_edgecase_tests() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test various edge cases in the interruptible sign and verify hash
+ * interfaces.
+ */
+void interruptible_signverify_hash_edgecase_tests(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t *input_buffer = NULL;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ /* --- Ensure changing the max ops mid operation works (operation should
+ * complete successfully after setting max ops to unlimited --- */
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_OPERATION_INCOMPLETE);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Change function inputs mid run, to cause an error (sign only,
+ * verify passes all inputs to start. --- */
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ 0,
+ &signature_length),
+ PSA_ERROR_BUFFER_TOO_SMALL);
+
+ /* And test that this invalidates the operation. */
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ 0,
+ &signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ /* Trash the hash buffer in between start and complete, to ensure
+ * no reliance on external buffers. */
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ input_buffer = mbedtls_calloc(1, input_data->len);
+ TEST_ASSERT(input_buffer != NULL);
+
+ memcpy(input_buffer, input_data->x, input_data->len);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_buffer, input_data->len));
+
+ memset(input_buffer, '!', input_data->len);
+ mbedtls_free(input_buffer);
+ input_buffer = NULL;
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ input_buffer = mbedtls_calloc(1, input_data->len);
+ TEST_ASSERT(input_buffer != NULL);
+
+ memcpy(input_buffer, input_data->x, input_data->len);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_buffer, input_data->len,
+ signature, signature_length));
+
+ memset(input_buffer, '!', input_data->len);
+ mbedtls_free(input_buffer);
+ input_buffer = NULL;
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+/**
+ * interruptible_signverify_hash_maxops_tests() test intentions:
+ *
+ * Note: This test can currently only handle ECDSA.
+ *
+ * 1. Test that setting max ops is reflected in both interruptible sign and
+ * verify hash
+ */
+void interruptible_signverify_hash_maxops_tests(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
+
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ /* Check that default max ops gets set if we don't set it. */
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(),
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_size));
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(),
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* Check that max ops gets set properly. */
+
+ psa_interruptible_set_max_ops(0xbeef);
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_message_deterministic(int key_type_arg,
data_t *key_data,
@@ -6900,7 +7957,11 @@
output, output_size,
&output_length);
TEST_EQUAL(actual_status, expected_status);
- TEST_EQUAL(output_length, expected_output_length);
+ if (actual_status == PSA_SUCCESS) {
+ TEST_EQUAL(output_length, expected_output_length);
+ } else {
+ TEST_LE_U(output_length, output_size);
+ }
/* If the label is empty, the test framework puts a non-null pointer
* in label->x. Test that a null pointer works as well. */
@@ -6915,7 +7976,11 @@
output, output_size,
&output_length);
TEST_EQUAL(actual_status, expected_status);
- TEST_EQUAL(output_length, expected_output_length);
+ if (actual_status == PSA_SUCCESS) {
+ TEST_EQUAL(output_length, expected_output_length);
+ } else {
+ TEST_LE_U(output_length, output_size);
+ }
}
exit:
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 046e3c3..970be84 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -221,6 +221,13 @@
uint8_t input[1] = { 'A' };
uint8_t output[PSA_SIGNATURE_MAX_SIZE] = { 0 };
size_t length = SIZE_MAX;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+
PSA_INIT();
@@ -237,6 +244,15 @@
psa_sign_hash(key_id, alg,
input, sizeof(input),
output, sizeof(output), &length));
+
+ if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+ TEST_STATUS(expected_status,
+ psa_sign_hash_start(&sign_operation, key_id, alg,
+ input, sizeof(input)));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+ }
+
if (!private_only) {
/* Determine a plausible signature size to avoid an INVALID_SIGNATURE
* error based on this. */
@@ -253,6 +269,15 @@
psa_verify_hash(key_id, alg,
input, sizeof(input),
output, output_length));
+
+ if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+ TEST_STATUS(expected_status,
+ psa_verify_hash_start(&verify_operation, key_id, alg,
+ input, sizeof(input),
+ output, output_length));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+ }
}
exit:
diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data
index 1848c17..928a7ce 100644
--- a/tests/suites/test_suite_ssl.data
+++ b/tests/suites/test_suite_ssl.data
@@ -440,19 +440,19 @@
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage
-depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_ECDSA_C:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
+depends_on:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_AES_C:MBEDTLS_RSA_C:MBEDTLS_PK_CAN_ECDSA_VERIFY:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECDH_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_ECP_DP_SECP384R1_ENABLED:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque
@@ -3234,15 +3234,15 @@
ssl_serialize_session_save_load:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: no ticket, cert
-depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
ssl_serialize_session_save_load:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: small ticket, cert
-depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
ssl_serialize_session_save_load:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save-load: large ticket, cert
-depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
ssl_serialize_session_save_load:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, save-load: no ticket
@@ -3274,15 +3274,15 @@
ssl_serialize_session_load_save:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: no ticket, cert
-depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
ssl_serialize_session_load_save:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: small ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_load_save:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load-save: large ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_load_save:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, load-save: no ticket
@@ -3314,15 +3314,15 @@
ssl_serialize_session_save_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: no ticket, cert
-depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
+depends_on:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO:MBEDTLS_SSL_PROTO_TLS1_2
ssl_serialize_session_save_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: small ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_save_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, save buffer size: large ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_save_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, save buffer size: no ticket
@@ -3354,15 +3354,15 @@
ssl_serialize_session_load_buf_size:1023:"":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: no ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_load_buf_size:0:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: small ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_load_buf_size:42:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
Session serialization, load buffer size: large ticket, cert
-depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
+depends_on:MBEDTLS_SSL_PROTO_TLS1_2:MBEDTLS_SSL_SESSION_TICKETS:MBEDTLS_SSL_CLI_C:MBEDTLS_X509_USE_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_FS_IO
ssl_serialize_session_load_buf_size:1023:"data_files/server5.crt":0:MBEDTLS_SSL_VERSION_TLS1_2
TLS 1.3: CLI: Session serialization, load buffer size: no ticket
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 1d182e0..15246cb 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3,6 +3,7 @@
#include <ssl_misc.h>
#include <mbedtls/timing.h>
#include <mbedtls/debug.h>
+#include <mbedtls/pk.h>
#include <ssl_tls13_keys.h>
#include <ssl_tls13_invasive.h>
#include "test/certs.h"
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 01da08b..54080a7 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -122,6 +122,14 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n <unsupported>\n <unsupported>\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+X509 CRT information, Subject Alt Name with uniformResourceIdentifier
+depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_cert_info:"data_files/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+
+X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers
+depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_cert_info:"data_files/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+
X509 CRT information, RSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"
@@ -168,7 +176,7 @@
X509 CRT information Bitstring in subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
-x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n <unsupported>\next key usage \: TLS Web Client Authentication\n"
+x509_cert_info:"data_files/bitstring-in-dn.pem":"cert. version \: 3\nserial number \: 02\nissuer name \: CN=Test CA 01, ST=Ecnivorp, C=XX, emailAddress=tca@example.com, O=Test CA Authority\nsubject name \: C=XX, O=tca, ST=Ecnivorp, OU=TCA, CN=Client, emailAddress=client@example.com, serialNumber=7101012255, uniqueIdentifier=?7101012255\nissued on \: 2015-03-11 12\:06\:51\nexpires on \: 2025-03-08 12\:06\:51\nsigned using \: RSA with SHA1\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n rfc822Name \: client@example.com\next key usage \: TLS Web Client Authentication\n"
X509 CRT information Non-ASCII string in issuer name and subject name
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
@@ -198,6 +206,10 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_PK_CAN_ECDSA_SOME:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_parse_san:"data_files/server5-unsupported_othername.crt":""
+X509 SAN parsing rfc822Name
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_parse_san:"data_files/test_cert_rfc822name.crt.der":"type \: 1\nrfc822Name \: my@other.address\ntype \: 1\nrfc822Name \: second@other.address\n"
+
X509 CRL information #1
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_RSA_C:!MBEDTLS_X509_REMOVE_INFO
mbedtls_x509_crl_info:"data_files/crl_expired.pem":"CRL version \: 1\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nthis update \: 2011-02-20 10\:24\:19\nnext update \: 2011-02-20 11\:24\:19\nRevoked certificates\:\nserial number\: 01 revocation date\: 2011-02-12 14\:44\:07\nserial number\: 03 revocation date\: 2011-02-12 14\:44\:07\nsigned using \: RSA with SHA1\n"
@@ -2550,7 +2562,7 @@
x509_oid_numstr:"2a864886f70d":"1.2.840.113549":15:14
X509 OID numstring #5 (arithmetic overflow)
-x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_OID_BUF_TOO_SMALL
+x509_oid_numstr:"2a8648f9f8f7f6f5f4f3f2f1f001":"":100:MBEDTLS_ERR_ASN1_INVALID_DATA
X509 CRT keyUsage #1 (no extension, expected KU)
depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function
index 3454da3..f6e4a06 100644
--- a/tests/suites/test_suite_x509parse.function
+++ b/tests/suites/test_suite_x509parse.function
@@ -279,7 +279,18 @@
*p++ = san->san.unstructured_name.p[i];
}
break;/* MBEDTLS_X509_SAN_DNS_NAME */
-
+ case (MBEDTLS_X509_SAN_RFC822_NAME):
+ ret = mbedtls_snprintf(p, n, "\nrfc822Name : ");
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san->san.unstructured_name.len >= n) {
+ *p = '\0';
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ n -= san->san.unstructured_name.len;
+ for (i = 0; i < san->san.unstructured_name.len; i++) {
+ *p++ = san->san.unstructured_name.p[i];
+ }
+ break;/* MBEDTLS_X509_SAN_RFC822_NAME */
default:
/*
* Should not happen.