Merge pull request #7105 from davidhorstmann-arm/fix-oid-printing-bug
Fix bugs in OID to string conversion
diff --git a/ChangeLog.d/add-uri-san.txt b/ChangeLog.d/add-uri-san.txt
new file mode 100644
index 0000000..5184e8f
--- /dev/null
+++ b/ChangeLog.d/add-uri-san.txt
@@ -0,0 +1,3 @@
+Features
+ * Add parsing of uniformResourceIdentifier subtype for subjectAltName
+ extension in x509 certificates.
diff --git a/ChangeLog.d/add_interruptible_sign_hash b/ChangeLog.d/add_interruptible_sign_hash
new file mode 100644
index 0000000..3d93303
--- /dev/null
+++ b/ChangeLog.d/add_interruptible_sign_hash
@@ -0,0 +1,5 @@
+Features
+ * Add an interruptible version of sign and verify hash to the PSA interface,
+ backed by internal library support for ECDSA signing and verification.
+
+
diff --git a/ChangeLog.d/fix-iar-warnings.txt b/ChangeLog.d/fix-iar-warnings.txt
index 244e863..8a30132 100644
--- a/ChangeLog.d/fix-iar-warnings.txt
+++ b/ChangeLog.d/fix-iar-warnings.txt
@@ -1,2 +1,2 @@
Bugfix
- * Fix IAR compiler warnings. Contributed by Glenn Strauss in #3835.
+ * Fix IAR compiler warnings. Fixes #6924.
diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md
new file mode 100644
index 0000000..eee59c4
--- /dev/null
+++ b/docs/architecture/psa-migration/md-cipher-dispatch.md
@@ -0,0 +1,481 @@
+PSA migration strategy for hashes and ciphers
+=============================================
+
+## Introduction
+
+This document discusses a migration strategy for code that is not subject to `MBEDTLS_USE_PSA_CRYPTO`, is currently using legacy cryptography APIs, and should transition to PSA, without a major version change.
+
+### Relationship with the main strategy document
+
+This is complementary to the main [strategy document](strategy.html) and is intended as a refinement. However, at this stage, there may be contradictions between the strategy proposed here and some of the earlier strategy.
+
+A difference between the original strategy and the current one is that in this work, we are not treating PSA as a black box. We can change experimental features, and we can call internal interfaces.
+
+## Requirements
+
+### User stories
+
+#### Backward compatibility user story
+
+As a developer of an application that uses Mbed TLS's interfaces (including legacy crypto),
+I want Mbed TLS to preserve backward compatibility,
+so that my code keeps working in new minor versions of Mbed TLS.
+
+#### Interface design user story
+
+As a developer of library code that uses Mbed TLS to perform cryptographic operations,
+I want to know which functions to call and which feature macros to check,
+so that my code works in all Mbed TLS configurations.
+
+Note: this is the same problem we face in X.509 and TLS.
+
+#### Hardware accelerator vendor user stories
+
+As a vendor of a platform with hardware acceleration for some crypto,
+I want to build Mbed TLS in a way that uses my hardware wherever relevant,
+so that my customers maximally benefit from my hardware.
+
+As a vendor of a platform with hardware acceleration for some crypto,
+I want to build Mbed TLS without software that replicates what my hardware does,
+to minimize the code size.
+
+#### Maintainer user stories
+
+As a maintainer of Mbed TLS,
+I want to have clear rules for when to use which interface,
+to avoid bugs in “unusual” configurations.
+
+As a maintainer of Mbed TLS,
+I want to avoid duplicating code,
+because this is inefficient and error-prone.
+
+### Use PSA more
+
+In the long term, all code using cryptography should use PSA interfaces, to benefit from PSA drivers, allow eliminating legacy interfaces (less code size, less maintenance). However, this can't be done without breaking [backward compatibility](#backward-compatibility).
+
+The goal of this work is to arrange for more non-PSA interfaces to use PSA interfaces under the hood, without breaking code in the cases where this doesn't work. Using PSA interfaces has two benefits:
+
+* Where a PSA driver is available, it likely has better performance, and sometimes better security, than the built-in software implementation.
+* In many scenarios, where a PSA driver is available, this allows removing the software implementation altogether.
+* We may be able to get rid of some redundancies, for example the duplication between the implementations of HMAC in `md.c` and in `psa_crypto_mac.c`, and HKDF in `hkdf.c` and `psa_crypto.c`.
+
+### Correct dependencies
+
+Traditionally, to determine whether a cryptographic mechanism was available, you had to check whether the corresponding Mbed TLS module or submodule was present: `MBEDTLS_SHA256_C` for SHA256, `MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC` for AES-CBC, etc. In code that uses the PSA interfaces, this needs to change to `PSA_WANT_xxx` symbols.
+
+### Backward compatibility
+
+All documented behavior must be preserved, except for interfaces currently described as experimental or unstable. Those interfaces can change, but we should minimize disruption by providing a transition path for reasonable use cases.
+
+#### Changeable configuration options
+
+The following configuration options are described as experimental, and are likely to change at least marginally:
+
+* `MBEDTLS_PSA_CRYPTO_CLIENT`: “This interface is experimental and may change or be removed without notice.” In practice we don't want to remove this, but we may constrain how it's used.
+* `MBEDTLS_PSA_CRYPTO_DRIVERS`: “This interface is experimental. We intend to maintain backward compatibility with application code that relies on drivers, but the driver interfaces may change without notice.” In practice, this may mean constraints not only on how to write drivers, but also on how to integrate drivers into code that is platform code more than application code.
+* `MBEDTLS_PSA_CRYPTO_CONFIG`: “This feature is still experimental and is not ready for production since it is not completed.” We may want to change this, for example, to automatically enable more mechanisms (although this wouldn't be considered a backward compatibility break anyway, since we don't promise that you will not get a feature if you don't enable its `PSA_WANT_xxx`).
+
+### Non-goals
+
+It is not a goal at this stage to make more code directly call `psa_xxx` functions. Rather, the goal is to make more code call PSA drivers where available. How dispatch is done is secondary.
+
+## Problem analysis
+
+### Scope analysis
+
+#### Limitations of `MBEDTLS_USE_PSA_CRYPTO`
+
+The option `MBEDTLS_USE_PSA_CRYPTO` causes parts of the library to call the PSA API instead of legacy APIs for cryptographic calculations. `MBEDTLS_USE_PSA_CRYPTO` only applies to `pk.h`, X.509 and TLS. When this option is enabled, applications must call `psa_crypto_init()` before calling any of the functions in these modules.
+
+In this work, we want two things:
+
+* Make non-covered modules call PSA, but only [when this will actually work](#why-psa-is-not-always-possible). This effectively brings those modules to a partial use-PSA behavior (benefiting from PSA accelerators when they're usable) regardless of whether the option is enabled.
+* Call PSA when a covered module calls a non-covered module which calls another module, for example X.509 calling pk for PSS verification which calls RSA which calculates a hash ([see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497)). This effectively extends the option to modules that aren't directly covered.
+
+#### Classification of callers
+
+We can classify code that implements or uses cryptographic mechanisms into several groups:
+
+* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
+* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
+* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
+* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding TLS 1.3).
+* Code that always uses PSA for crypto: TLS 1.3, LMS.
+
+For the purposes of this work, three domains emerge:
+
+* **Legacy domain**: does not interact with PSA. Implementations of hashes, of cipher primitives, of arithmetic.
+* **Mixed domain**: does not currently use PSA, but should [when possible](#why-psa-is-not-always-possible). This consists of the constructed cryptographic primitives (except LMS), as well as pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is disabled.
+* **PSA domain**: includes pk, X.509 and TLS when `MBEDTLS_USE_PSA_CRYPTO` is enabled. Also TLS 1.3, LMS.
+
+#### Non-use-PSA modules
+
+The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption:
+
+* CCM (block cipher in ECB mode; interdependent with cipher)
+* cipher (cipher and AEAD algorithms)
+* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
+* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
+* entropy (hashes via low-level)
+* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
+* ECJPAKE (hashes via md; `md.h` exposed through API)
+* GCM (block cipher in ECB mode; interdependent with cipher)
+* md (hashes and HMAC)
+* NIST\_KW (AES-ECB; interdependent with cipher)
+* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
+* PEM (AES and DES in CBC mode without padding; MD5 hash via low-level)
+* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; hashes via md; `cipher.h` exposed through API)
+* PKCS5 (cipher, generically, selected from ASN.1; HMAC via `md.h`; `md.h` exposed through API)
+* RSA (hash via md for PSS and OAEP; `md.h` exposed through API)
+
+### Difficulties
+
+#### Why PSA is not always possible
+
+Here are some reasons why calling `psa_xxx()` to perform a hash or cipher calculation might not be desirable in some circumstances, explaining why the application would arrange to call the legacy software implementation instead.
+
+* `MBEDTLS_PSA_CRYPTO_C` is disabled.
+* There is a PSA driver which has not been initialized (this happens in `psa_crypto_init()`).
+* For ciphers, the keystore is not initialized yet, and Mbed TLS uses a custom implementation of PSA ITS where the file system is not accessible yet (because something else needs to happen first, and the application takes care that it happens before it calls `psa_crypto_init()`). A possible workaround may be to dispatch to the internal functions that are called after the keystore lookup, rather than to the PSA API functions (but this is incompatible with `MBEDTLS_PSA_CRYPTO_CLIENT`).
+* The requested mechanism is enabled in the legacy interface but not in the PSA interface. This was not really intended, but is possible, for example, if you enable `MBEDTLS_MD5_C` for PEM decoding with PBKDF1 but don't want `PSA_ALG_WANT_MD5` because it isn't supported for `PSA_ALG_RSA_PSS` and `PSA_ALG_DETERMINISTIC_ECDSA`.
+* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the client has not yet activated the connection to the server (this happens in `psa_crypto_init()`).
+* `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, but the operation is part of the implementation of an encrypted communication with the crypto service, or the local implementation is faster because it avoids a costly remote procedure call.
+
+#### Indirect knowledge
+
+Consider for example the code in `rsa.c` to perform an RSA-PSS signature. It needs to calculate a hash. If `mbedtls_rsa_rsassa_pss_sign()` is called directly by application code, it is supposed to call the built-in implementation: calling a PSA accelerator would be a behavior change, acceptable only if this does not add a risk of failure or performance degradation ([PSA is impossible or undesirable in some circumstances](#why-psa-is-not-always-possible)). Note that this holds regardless of the state of `MBEDTLS_USE_PSA_CRYPTO`, since `rsa.h` is outside the scope of `MBEDTLS_USE_PSA_CRYPTO`. On the other hand, if `mbedtls_rsa_rsassa_pss_sign()` is called from X.509 code, it should use PSA to calculate hashes. It doesn't, currently, which is [bug \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
+
+Generally speaking, modules in the mixed domain:
+
+* must call PSA if called by a module in the PSA domain;
+* must not call PSA (or must have a fallback) if their caller is not in the PSA domain and the PSA call is not guaranteed to work.
+
+#### Non-support guarantees: requirements
+
+Generally speaking, just because some feature is not enabled in `mbedtls_config.h` or `psa_config.h` doesn't guarantee that it won't be enabled in the build. We can enable additional features through `build_info.h`.
+
+If `PSA_WANT_xxx` is disabled, this should guarantee that attempting xxx through the PSA API will fail. This is generally guaranteed by the test suite `test_suite_psa_crypto_not_supported` with automatically enumerated test cases, so it would be inconvenient to carve out an exception.
+
+### Technical requirements
+
+Based on the preceding analysis, the core of the problem is: for code in the mixed domain (see [“Classification of callers”](#classification-of-callers)), how do we handle a cryptographic mechanism? This has several related subproblems:
+
+* How the mechanism is encoded (e.g. `mbedtls_md_type_t` vs `const *mbedtls_md_info_t` vs `psa_algorithm_t` for hashes).
+* How to decide whether a specific algorithm or key type is supported (eventually based on `MBEDTLS_xxx_C` vs `PSA_WANT_xxx`).
+* How to obtain metadata about algorithms (e.g. hash/MAC/tag size, key size).
+* How to perform the operation (context type, which functions to call).
+
+We need a way to decide this based on the available information:
+
+* Who's the ultimate caller — see [indirect knowledge](#indirect-knowledge) — which is not actually available.
+* Some parameter indicating which algorithm to use.
+* The available cryptographic implementations, based on preprocessor symbols (`MBEDTLS_xxx_C`, `PSA_WANT_xxx`, `MBEDTLS_PSA_ACCEL_xxx`, etc.).
+* Possibly additional runtime state (for example, we might check whether `psa_crypto_init` has been called).
+
+And we need to take care of the [the cases where PSA is not possible](#why-psa-is-not-always-possible): either make sure the current behavior is preserved, or (where allowed by backward compatibility) document a behavior change and, preferably, a workaround.
+
+### Working through an example: RSA-PSS
+
+Let us work through the example of RSA-PSS which calculates a hash, as in [see issue \#6497](https://github.com/Mbed-TLS/mbedtls/issues/6497).
+
+RSA is in the [mixed domain](#classification-of-callers). So:
+
+* When called from `psa_sign_hash` and other PSA functions, it must call the PSA hash accelerator if there is one.
+* When called from user code, it must call the built-in hash implementation if PSA is not available (regardless of whether this is because `MBEDTLS_PSA_CRYPTO_C` is disabled, or because `PSA_WANT_ALG_xxx` is disabled for this hash, or because there is an accelerator driver which has not been initialized yet).
+
+RSA knows which hash algorithm to use based on a parameter of type `mbedtls_md_type_t`. (More generally, all mixed-domain modules that take an algorithm specification as a parameter take it via a numerical type, except HMAC\_DRBG and HKDF which take a `const mbedtls_md_info_t*` instead, and CMAC which takes a `const mbedtls_cipher_info_t *`.)
+
+#### Double encoding solution
+
+A natural solution is to double up the encoding of hashes in `mbedtls_md_type_t`. Pass `MBEDTLS_MD_SHA256` and `md` will dispatch to the legacy code, pass a new constant `MBEDTLS_MD_SHA256_USE_PSA` and `md` will dispatch through PSA.
+
+This maximally preserves backward compatibility, but then no non-PSA code benefits from PSA accelerators, and there's little potential for removing the software implementation.
+
+#### Availability of hashes in RSA-PSS
+
+Here we try to answer the question: As a caller of RSA-PSS via `rsa.h`, how do I know whether it can use a certain hash?
+
+* For a caller in the legacy domain: if e.g. `MBEDTLS_SHA256_C` is enabled, then I want RSA-PSS to support SHA-256. I don't care about negative support. So `MBEDTLS_SHA256_C` must imply support for RSA-PSS-SHA-256. It must work at all times, regardless of the state of PSA (e.g. drivers not initialized).
+* For a caller in the PSA domain: if e.g. `PSA_WANT_ALG_SHA_256` is enabled, then I want RSA-PSS to support SHA-256, provided that `psa_crypto_init()` has been called. In some limited cases, such as `test_suite_psa_crypto_not_supported` when PSA implements RSA-PSS in software, we care about negative support: if `PSA_WANT_ALG_SHA_256` is disabled then `psa_verify_hash` must reject `PSA_WANT_ALG_SHA_256`. This can be done at the level of PSA before it calls the RSA module, though, so it doesn't have any implication on the RSA module. As far as `rsa.c` is concerned, what matters is that `PSA_WANT_ALG_SHA_256` implies that SHA-256 is supported after `psa_crypto_init()` has been called.
+* For a caller in the mixed domain: requirements depend on the caller. Whatever solution RSA has to determine the availability of algorithms will apply to its caller as well.
+
+Conclusion so far: RSA must be able to do SHA-256 if either `MBEDTLS_SHA256_C` or `PSA_WANT_ALG_SHA_256` is enabled. If only `PSA_WANT_ALG_SHA_256` and not `MBEDTLS_SHA256_C` is enabled (which implies that PSA's SHA-256 comes from an accelerator driver), then SHA-256 only needs to work if `psa_crypto_init()` has been called.
+
+#### More in-depth discussion of compile-time availability determination
+
+The following combinations of compile-time support are possible:
+
+* `MBEDTLS_PSA_CRYPTO_CLIENT`. Then calling PSA may or may not be desirable for performance. There are plausible use cases where only the server has access to an accelerator so it's best to call the server, and plausible use cases where calling the server has overhead that negates the savings from using acceleration, if there are savings at all. In any case, calling PSA only works if the connection to the server has been established, meaning `psa_crypto_init` has been called successfully. In the rest of this case enumeration, assume `MBEDTLS_PSA_CRYPTO_CLIENT` is disabled.
+* No PSA accelerator. Then just call `mbedtls_sha256`, it's all there is, and it doesn't matter (from an API perspective) exactly what call chain leads to it.
+* PSA accelerator, no software implementation. Then we might as well call the accelerator, unless it's important that the call fails. At the time of writing, I can't think of a case where we would want to guarantee that if `MBEDTLS_xxx_C` is not enabled, but xxx is enabled through PSA, then a request to use algorithm xxx through some legacy interface must fail.
+* Both PSA acceleration and the built-in implementation. In this case, we would prefer PSA for the acceleration, but we can only do this if the accelerator driver is working. For hashes, it's enough to assume the driver is initialized; we've [considered requiring hash drivers to work without initialization](https://github.com/Mbed-TLS/mbedtls/pull/6470). For ciphers, this is more complicated because the cipher functions require the keystore, and plausibly a cipher accelerator might want entropy (for side channel countermeasures) which might not be available at boot time.
+
+Note that it's a bit tricky to determine which algorithms are available. In the case where there is a PSA accelerator but no software implementation, we don't want the preprocessor symbols to indicate that the algorithm is available through the legacy domain, only through the PSA domain. What does this mean for the interfaces in the mixed domain? They can't guarantee the availability of the algorithm, but they must try if requested.
+
+### Designing an interface for hashes
+
+In this section, we specify a hash metadata and calculation for the [mixed domain](#classification-of-callers), i.e. code that can be called both from legacy code and from PSA code.
+
+#### Availability of hashes
+
+Generalizing the analysis in [“Availability of hashes in RSA-PSS”](#availability-of-hashes-in-RSA-PSS):
+
+A hash is available through the mixed-domain interface iff either of the following conditions is true:
+
+* A legacy hash interface is available and the hash algorithm is implemented in software.
+* PSA crypto is enabled and the hash algorithm is implemented via PSA.
+
+We could go further and make PSA accelerators available to legacy callers that call any legacy hash interface, e.g. `md.h` or `shaX.h`. There is little point in doing this, however: callers should just use the mixed-domain interface.
+
+#### Implications between legacy availability and PSA availability
+
+* When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, all legacy mechanisms are automatically enabled through PSA. Users can manually enable PSA mechanisms that are available through accelerators but not through legacy, but this is not officially supported (users are not supposed to manually define PSA configuration symbols when `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled).
+* When `MBEDTLS_PSA_CRYPTO_CONFIG` is enabled, there is no mandatory relationship between PSA support and legacy support for a mechanism. Users can configure legacy support and PSA support independently. Legacy support is automatically enabled if PSA support is requested, but only if there is no accelerator.
+
+It is strongly desirable to allow mechanisms available through PSA but not legacy: this allows saving code size when an accelerator is present.
+
+There is no strong reason to allow mechanisms available through legacy but not PSA when `MBEDTLS_PSA_CRYPTO_C` is enabled. This would only save at best a very small amount of code size in the PSA dispatch code. This may be more desirable when `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled (having a mechanism available only locally and not in the crypto service), but we do not have an explicit request for this and it would be entirely reasonable to forbid it.
+
+In this analysis, we have not found a compelling reason to require all legacy mechanisms to also be available through PSA. However, this can simplify both the implementation and the use of dispatch code thanks to some simplifying properties:
+
+* Mixed-domain code can call PSA code if it knows that `psa_crypto_init()` has been called, without having to inspect the specifics of algorithm support.
+* Mixed-domain code can assume that PSA buffer calculations work correctly for all algorithms that it supports.
+
+#### Shape of the mixed-domain hash interface
+
+We now need to create an abstraction for mixed-domain hash calculation. (We could not create an abstraction, but that would require every piece of mixed-domain code to replicate the logic here. We went that route in Mbed TLS 3.3, but it made it effectively impossible to get something that works correctly.)
+
+Requirements: given a hash algorithm,
+
+* Obtain some metadata about it (size, block size).
+* Calculate the hash.
+* Set up a multipart operation to calculate the hash. The operation must support update, finish, reset, abort, clone.
+
+The existing interface in `md.h` is close to what we want, but not perfect. What's wrong with it?
+
+* It has an extra step of converting from `mbedtls_md_type_t` to `const mbedtls_md_info_t *`.
+* It includes extra fluff such as names and HMAC. This costs code size.
+* The md module has some legacy baggage dating from when it was more open, which we don't care about anymore. This may cost code size.
+
+These problems are easily solvable.
+
+* `mbedtls_md_info_t` can become a very thin type. We can't remove the extra function call from the source code of callers, but we can make it a very thin abstraction that compilers can often optimize.
+* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
+* We can optimize `md.c` without making API changes to `md.h`.
+
+## Specification
+
+### MD light
+
+https://github.com/Mbed-TLS/mbedtls/pull/6474 implements part of this specification, but it's based on Mbed TLS 3.2, so it needs to be rewritten for 3.3.
+
+#### Definition of MD light
+
+MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
+
+The following things enable MD light automatically in `build_info.h`:
+
+* A [mixed-domain](#classification-of-callers) module that needs to calculate hashes is enabled.
+* `MBEDTLS_MD_C` is enabled.
+
+MD light includes the following types:
+
+* `mbedtls_md_type_t`
+* `mbedtls_md_info_t`
+* `mbedtls_md_context_t`
+
+MD light includes the following functions:
+
+* `mbedtls_md_info_from_type`
+* `mbedtls_md_init`
+* `mbedtls_md_free`
+* `mbedtls_md_setup` — but `hmac` must be 0 if `MBEDTLS_MD_C` is disabled.
+* `mbedtls_md_clone`
+* `mbedtls_md_get_size`
+* `mbedtls_md_get_type`
+* `mbedtls_md_starts`
+* `mbedtls_md_update`
+* `mbedtls_md_finish`
+* `mbedtls_md`
+
+Unlike the full MD, MD light does not support null pointers as `mbedtls_md_context_t *`. At least some functions still need to support null pointers as `const mbedtls_md_info_t *` because this arises when you try to use an unsupported algorithm (`mbedtls_md_info_from_type` returns `NULL`).
+
+#### MD algorithm support macros
+
+For each hash algorithm, `md.h` defines a macro `MBEDTLS_MD_CAN_xxx` whenever the corresponding hash is available through MD light. These macros are only defined when `MBEDTLS_MD_LIGHT` is enabled. Per “[Availability of hashes](#availability-of-hashes)”, `MBEDTLS_MD_CAN_xxx` is enabled if:
+
+* the corresponding `MBEDTLS_xxx_C` is defined; or
+* one of `MBEDTLS_PSA_CRYPTO_C` or `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, and the corresponding `PSA_WANT_ALG_xxx` is enabled.
+
+Note that some algorithms have different spellings in legacy and PSA. Since MD is a legacy interface, we'll use the legacy names. Thus, for example:
+
+```
+#if defined(MBEDTLS_MD_LIGHT)
+#if defined(MBEDTLS_SHA256_C) || \
+ ((defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)) && \
+ PSA_WANT_ALG_SHA_256)
+#define MBEDTLS_MD_CAN_SHA256
+#endif
+#endif
+```
+
+#### MD light internal support macros
+
+* If at least one hash has a PSA driver, define `MBEDTLS_MD_SOME_PSA`.
+* If at least one hash has a legacy implementation, defined `MBEDTLS_MD_SOME_LEGACY`.
+
+#### Support for PSA in the MD context
+
+An MD context needs to contain either a legacy module's context (or a pointer to one, as is the case now), or a PSA context (or a pointer to one).
+
+I am inclined to remove the pointer indirection, but this means that an MD context would always be as large as the largest supported hash context. So for the time being, this specification keeps a pointer. For uniformity, PSA will also have a pointer (we may simplify this later).
+
+```
+enum {
+ MBEDTLS_MD_ENGINE_LEGACY,
+ MBEDTLS_MD_ENGINE_PSA,
+} mbedtls_md_engine_t; // private type
+
+typedef struct mbedtls_md_context_t {
+ const mbedtls_md_type_t type;
+ const mbedtls_md_engine_t engine;
+ union {
+#if defined(MBEDTLS_MD_SOME_LEGACY)
+ void *legacy; // used if engine == LEGACY
+#endif
+#if defined(MBEDTLS_MD_SOME_PSA)
+ psa_hash_operation_t *psa; // used if engine == PSA
+#endif
+ } digest;
+#if defined(MBEDTLS_MD_C)
+ void *hmac_ctx;
+#endif
+} mbedtls_md_context_t;
+```
+
+All fields are private.
+
+The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
+
+#### Inclusion of MD info structures
+
+MD light needs to support hashes that are only enabled through PSA. Therefore the `mbedtls_md_info_t` structures must be included based on `MBEDTLS_MD_CAN_xxx` instead of just the legacy module.
+
+The same criterion applies in `mbedtls_md_info_from_type`.
+
+#### Conversion to PSA encoding
+
+The implementation needs to convert from a legacy type encoding to a PSA encoding.
+
+```
+static inline psa_algorithm_t psa_alg_of_md_info(
+ const mbedtls_md_info_t *md_info );
+```
+
+#### Determination of PSA support at runtime
+
+```
+int psa_can_do_hash(psa_algorithm_t hash_alg);
+```
+
+The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
+
+As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
+
+Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
+
+#### Support for PSA dispatch in hash operations
+
+Each function that performs some hash operation or context management needs to know whether to dispatch via PSA or legacy.
+
+If given an established context, use its `engine` field.
+
+If given an algorithm as an `mbedtls_md_type_t type` (possibly being the `type` field of a `const mbedtls_md_info_t *`):
+
+* If there is a PSA accelerator for this hash and `psa_can_do_hash(alg)`, call the corresponding PSA function, and if applicable set the engine to `MBEDTLS_MD_ENGINE_PSA`. (Skip this is `MBEDTLS_MD_SOME_PSA` is not defined.)
+* Otherwise dispatch to the legacy module based on the type as currently done. (Skip this is `MBEDTLS_MD_SOME_LEGACY` is not defined.)
+* If no dispatch is possible, return `MBEDTLS_ERR_MD_FEATURE_UNAVAILABLE`.
+
+Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress. Document this.
+
+#### Error code conversion
+
+After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code. This function is currently defined in `hash_info.c`.
+
+### Migration to MD light
+
+#### Migration of modules that used to call MD and now do the legacy-or-PSA dance
+
+Get rid of the case where `MBEDTLS_MD_C` is undefined. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of modules that used to call a low-level hash module and now do the legacy-or-PSA dance
+
+Switch to calling MD (light) unconditionally. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of modules that call a low-level hash module
+
+Switch to calling MD (light). Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
+
+#### Migration of use-PSA mixed code
+
+Instead of calling `hash_info.h` functions to obtain metadata, get it from `md.h`.
+
+Optionally, code that currently tests on `MBEDTLS_USE_PSA_CRYPTO` just to determine whether to call MD or PSA to calculate hashes can switch to just having the MD variant.
+
+#### Remove `legacy_or_psa.h`
+
+It's no longer used.
+
+### Support all legacy algorithms in PSA
+
+As discussed in [“Implications between legacy availability and PSA availability”](#implications-between-legacy-availability-and-psa-availability), we require the following property:
+
+> If an algorithm has a legacy implementation, it is also available through PSA.
+
+When `MBEDTLS_PSA_CRYPTO_CONFIG` is disabled, this is already the case. When is enabled, we will now make it so as well. Change `include/mbedtls/config_psa.h` accordingly.
+
+### MD light optimizations
+
+This section is not necessary to implement MD light, but will cut down its code size.
+
+#### Split names out of MD light
+
+Remove hash names from `mbedtls_md_info_t`. Use a simple switch-case or a separate list to implement `mbedtls_md_info_from_string` and `mbedtls_md_get_name`.
+
+#### Remove metadata from the info structure
+
+In `mbedtls_md_get_size` and in modules that want a hash's block size, instead of looking up hash metadata in the info structure, call the PSA macros.
+
+#### Optimize type conversions
+
+To allow optimizing conversions between `mbedtls_md_type_t` and `psa_algorithm_t`, renumber the `mbedtls_md_type_t` enum so that the values are the 8 lower bits of the PSA encoding.
+
+With this optimization,
+```
+static inline psa_algorithm_t psa_alg_of_md_info(
+ const mbedtls_md_info_t *md_info )
+{
+ if( md_info == NULL )
+ return( PSA_ALG_NONE );
+ return( PSA_ALG_CATEGORY_HASH | md_info->type );
+}
+```
+
+Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
+
+#### Get rid of the hash_info module
+
+The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used.
+
+#### Unify HMAC with PSA
+
+PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
+
+### Improving support for `MBEDTLS_PSA_CRYPTO_CLIENT`
+
+So far, MD light only dispatches to PSA if an algorithm is available via `MBEDTLS_PSA_CRYPTO_C`, not if it's available via `MBEDTLS_PSA_CRYPTO_CLIENT`. This is acceptable because `MBEDTLS_USE_PSA_CRYPTO` requires `MBEDTLS_PSA_CRYPTO_C`, hence mixed-domain code never invokes PSA.
+
+The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a little extra work. Here is an overview of the task breakdown, which should be fleshed up after we've done the first [migration](#migration-to-md-light):
+
+* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
+* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
diff --git a/include/mbedtls/ecdsa.h b/include/mbedtls/ecdsa.h
index 9847a68..c5d9701 100644
--- a/include/mbedtls/ecdsa.h
+++ b/include/mbedtls/ecdsa.h
@@ -222,6 +222,134 @@
void *p_rng_blind);
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#if !defined(MBEDTLS_ECDSA_SIGN_ALT)
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note The deterministic version implemented in
+ * mbedtls_ecdsa_sign_det_restartable() is usually
+ * preferred.
+ *
+ * \note This function is like \c mbedtls_ecdsa_sign() but
+ * it can return early and restart according to the
+ * limit set with \c mbedtls_ecp_set_max_ops() to
+ * reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng The RNG function. This must not be \c NULL.
+ * \param p_rng The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d,
+ const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t),
+ void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+
+/**
+ * \brief This function computes the ECDSA signature of a
+ * previously-hashed message, in a restartable way.
+ *
+ * \note This function is like \c
+ * mbedtls_ecdsa_sign_det_ext() but it can return
+ * early and restart according to the limit set with
+ * \c mbedtls_ecp_set_max_ops() to reduce blocking.
+ *
+ * \note If the bitlength of the message hash is larger
+ * than the bitlength of the group order, then the
+ * hash is truncated as defined in <em>Standards for
+ * Efficient Cryptography Group (SECG): SEC1 Elliptic
+ * Curve Cryptography</em>, section 4.1.3, step 5.
+ *
+ * \see ecp.h
+ *
+ * \param grp The context for the elliptic curve to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param r The MPI context in which to store the first part
+ * the signature. This must be initialized.
+ * \param s The MPI context in which to store the second part
+ * the signature. This must be initialized.
+ * \param d The private signing key. This must be initialized
+ * and setup, for example through
+ * mbedtls_ecp_gen_privkey().
+ * \param buf The hashed content to be signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param f_rng_blind The RNG function used for blinding. This must not be
+ * \c NULL.
+ * \param p_rng_blind The RNG context to be passed to \p f_rng. This may be
+ * \c NULL if \p f_rng doesn't need a context parameter.
+ * \param rs_ctx The restart context to use. This may be \c NULL
+ * to disable restarting. If it is not \c NULL, it
+ * must point to an initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c
+ * mbedtls_ecp_set_max_ops().
+ * \return Another \c MBEDTLS_ERR_ECP_XXX, \c
+ * MBEDTLS_ERR_MPI_XXX or \c MBEDTLS_ERR_ASN1_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_sign_det_restartable(
+ mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
+
/**
* \brief This function verifies the ECDSA signature of a
* previously-hashed message.
@@ -257,6 +385,51 @@
const mbedtls_ecp_point *Q, const mbedtls_mpi *r,
const mbedtls_mpi *s);
+#if !defined(MBEDTLS_ECDSA_VERIFY_ALT)
+/**
+ * \brief This function verifies the ECDSA signature of a
+ * previously-hashed message, in a restartable manner
+ *
+ * \note If the bitlength of the message hash is larger than the
+ * bitlength of the group order, then the hash is truncated as
+ * defined in <em>Standards for Efficient Cryptography Group
+ * (SECG): SEC1 Elliptic Curve Cryptography</em>, section
+ * 4.1.4, step 3.
+ *
+ * \see ecp.h
+ *
+ * \param grp The ECP group to use.
+ * This must be initialized and have group parameters
+ * set, for example through mbedtls_ecp_group_load().
+ * \param buf The hashed content that was signed. This must be a readable
+ * buffer of length \p blen Bytes. It may be \c NULL if
+ * \p blen is zero.
+ * \param blen The length of \p buf in Bytes.
+ * \param Q The public key to use for verification. This must be
+ * initialized and setup.
+ * \param r The first integer of the signature.
+ * This must be initialized.
+ * \param s The second integer of the signature.
+ * This must be initialized.
+ * \param rs_ctx The restart context to use. This may be \c NULL to disable
+ * restarting. If it is not \c NULL, it must point to an
+ * initialized restart context.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_IN_PROGRESS if maximum number of
+ * operations was reached: see \c mbedtls_ecp_set_max_ops().
+ * \return An \c MBEDTLS_ERR_ECP_XXX or \c MBEDTLS_MPI_XXX
+ * error code on failure.
+ */
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx);
+
+#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
+
/**
* \brief This function computes the ECDSA signature and writes it
* to a buffer, serialized as defined in <em>RFC-4492:
diff --git a/include/mbedtls/ecp.h b/include/mbedtls/ecp.h
index 18b37a9..1590ef2 100644
--- a/include/mbedtls/ecp.h
+++ b/include/mbedtls/ecp.h
@@ -419,11 +419,22 @@
}
mbedtls_ecp_keypair;
-/*
- * Point formats, from RFC 4492's enum ECPointFormat
+/**
+ * The uncompressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
*/
-#define MBEDTLS_ECP_PF_UNCOMPRESSED 0 /**< Uncompressed point format. */
-#define MBEDTLS_ECP_PF_COMPRESSED 1 /**< Compressed point format. */
+#define MBEDTLS_ECP_PF_UNCOMPRESSED 0
+/**
+ * The compressed point format for Short Weierstrass curves
+ * (MBEDTLS_ECP_DP_SECP_XXX and MBEDTLS_ECP_DP_BP_XXX).
+ *
+ * \warning While this format is supported for all concerned curves for
+ * writing, when it comes to parsing, it is not supported for all
+ * curves. Specifically, parsing compressed points on
+ * MBEDTLS_ECP_DP_SECP224R1 and MBEDTLS_ECP_DP_SECP224K1 is not
+ * supported.
+ */
+#define MBEDTLS_ECP_PF_COMPRESSED 1
/*
* Some other constants from RFC 4492
@@ -461,6 +472,12 @@
* only enabled for specific sides and key exchanges
* (currently only for clients and ECDHE-ECDSA).
*
+ * \warning Using the PSA interruptible interfaces with keys in local
+ * storage and no accelerator driver will also call this
+ * function to set the values specified via those interfaces,
+ * overwriting values previously set. Care should be taken if
+ * mixing these two interfaces.
+ *
* \param max_ops Maximum number of basic operations done in a row.
* Default: 0 (unlimited).
* Lower (non-zero) values mean ECC functions will block for
@@ -752,6 +769,9 @@
* belongs to the given group, see mbedtls_ecp_check_pubkey()
* for that.
*
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
* \param grp The group to which the point should belong.
* This must be initialized and have group parameters
* set, for example through mbedtls_ecp_group_load().
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index fdc1355..0e4ee38 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -846,6 +846,9 @@
* with mbedtls_pk_init() or reset with mbedtls_pk_free(). If you need a
* specific key type, check the result with mbedtls_pk_can_do().
*
+ * \note For compressed points, see #MBEDTLS_ECP_PF_COMPRESSED for
+ * limitations.
+ *
* \note The key is also checked for correctness.
*
* \return 0 if successful, or a specific PK or PEM error code
diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h
index 5ddd5a3..126eac4 100644
--- a/include/mbedtls/pkcs7.h
+++ b/include/mbedtls/pkcs7.h
@@ -136,21 +136,11 @@
mbedtls_pkcs7_signer_info;
/**
- * Structure holding attached data as part of PKCS7 signed data format
- */
-typedef struct mbedtls_pkcs7_data {
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(oid);
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(data);
-}
-mbedtls_pkcs7_data;
-
-/**
* Structure holding the signed data section
*/
typedef struct mbedtls_pkcs7_signed_data {
int MBEDTLS_PRIVATE(version);
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(digest_alg_identifiers);
- struct mbedtls_pkcs7_data MBEDTLS_PRIVATE(content);
int MBEDTLS_PRIVATE(no_of_certs);
mbedtls_x509_crt MBEDTLS_PRIVATE(certs);
int MBEDTLS_PRIVATE(no_of_crls);
@@ -165,7 +155,6 @@
*/
typedef struct mbedtls_pkcs7 {
mbedtls_pkcs7_buf MBEDTLS_PRIVATE(raw);
- mbedtls_pkcs7_buf MBEDTLS_PRIVATE(content_type_oid);
mbedtls_pkcs7_signed_data MBEDTLS_PRIVATE(signed_data);
}
mbedtls_pkcs7;
@@ -178,7 +167,7 @@
void mbedtls_pkcs7_init(mbedtls_pkcs7 *pkcs7);
/**
- * \brief Parse a single DER formatted pkcs7 content.
+ * \brief Parse a single DER formatted pkcs7 detached signature.
*
* \param pkcs7 The pkcs7 structure to be filled by parser for the output.
* \param buf The buffer holding only the DER encoded pkcs7.
@@ -188,6 +177,7 @@
* \note This function makes an internal copy of the PKCS7 buffer
* \p buf. In particular, \p buf may be destroyed or reused
* after this call returns.
+ * \note Signatures with internal data are not supported.
*
* \return The \c mbedtls_pkcs7_type of \p buf, if successful.
* \return A negative error code on failure.
@@ -207,7 +197,8 @@
* matches.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself.
+ * PKCS7 structure itself, and does not check that the
+ * certificate is signed by a trusted certification authority.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -228,15 +219,15 @@
* \brief Verification of PKCS7 signature against a caller-supplied
* certificate.
*
- * For each signer in the PKCS structure, this function computes
- * a signature over the supplied hash, using the supplied
- * certificate and the same digest algorithm as specified by the
- * signer. It then compares this signature against the
- * signer's signature; verification succeeds if any comparison
- * matches.
+ * For each signer in the PKCS structure, this function
+ * validates a signature over the supplied hash, using the
+ * supplied certificate and the same digest algorithm as
+ * specified by the signer. Verification succeeds if any
+ * signature is good.
*
* This function does not use the certificates held within the
- * PKCS7 structure itself.
+ * PKCS7 structure itself, and does not check that the
+ * certificate is signed by a trusted certification authority.
*
* \param pkcs7 PKCS7 structure containing signature.
* \param cert Certificate containing key to verify signature.
@@ -244,7 +235,7 @@
* \param hashlen Length of the hash.
*
* \note This function is different from mbedtls_pkcs7_signed_data_verify()
- * in a way that it directly receives the hash of the data.
+ * in that it is directly passed the hash of the data.
*
* \return 0 if the signature verifies, or a negative error code on failure.
*/
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index aa1cd08..9f92ed6 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -294,7 +294,7 @@
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
- mbedtls_x509_buf unstructured_name; /**< The buffer for the un constructed types. Only dnsName currently supported */
+ mbedtls_x509_buf unstructured_name; /**< The buffer for the unconstructed types. Only dnsName and uniformResourceIdentifier are currently supported */
}
san; /**< A union of the supported SAN types */
}
@@ -385,8 +385,9 @@
* \param san The target structure to populate with the parsed presentation
* of the subject alternative name encoded in \p san_raw.
*
- * \note Only "dnsName" and "otherName" of type hardware_module_name
- * as defined in RFC 4180 is supported.
+ * \note Supported GeneralName types, as defined in RFC 5280:
+ * "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
*
* \note This function should be called on a single raw data of
* subject alternative name. For example, after successful
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index 187e60a..036282f 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -76,7 +76,7 @@
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier and OtherName are listed). */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index 2b9b2a2..80bf5c9 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -4045,6 +4045,628 @@
/**@}*/
+/** \defgroup interruptible_hash Interruptible sign/verify hash
+ * @{
+ */
+
+/** The type of the state data structure for interruptible hash
+ * signing operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation =
+ * PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_sign_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_sign_hash_interruptible_operation_t operation;
+ * operation = psa_sign_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_sign_hash_interruptible_operation_s psa_sign_hash_interruptible_operation_t;
+
+/** The type of the state data structure for interruptible hash
+ * verification operations.
+ *
+ * Before calling any function on a sign hash operation object, the
+ * application must initialize it by any of the following means:
+ * - Set the structure to all-bits-zero, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * memset(&operation, 0, sizeof(operation));
+ * \endcode
+ * - Initialize the structure to logical zero values, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation = {0};
+ * \endcode
+ * - Initialize the structure to the initializer
+ * #PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT, for example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation =
+ * PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+ * \endcode
+ * - Assign the result of the function
+ * psa_verify_hash_interruptible_operation_init() to the structure, for
+ * example:
+ * \code
+ * psa_verify_hash_interruptible_operation_t operation;
+ * operation = psa_verify_hash_interruptible_operation_init();
+ * \endcode
+ *
+ * This is an implementation-defined \c struct. Applications should not
+ * make any assumptions about the content of this structure.
+ * Implementation details can change in future versions without notice. */
+typedef struct psa_verify_hash_interruptible_operation_s psa_verify_hash_interruptible_operation_t;
+
+/**
+ * \brief Set the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note The time taken to execute a single op is
+ * implementation specific and depends on
+ * software, hardware, the algorithm, key type and
+ * curve chosen. Even within a single operation,
+ * successive ops can take differing amounts of
+ * time. The only guarantee is that lower values
+ * for \p max_ops means functions will block for a
+ * lesser maximum amount of time. The functions
+ * \c psa_sign_interruptible_get_num_ops() and
+ * \c psa_verify_interruptible_get_num_ops() are
+ * provided to help with tuning this value.
+ *
+ * \note This value defaults to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, which
+ * means the whole operation will be done in one
+ * go, regardless of the number of ops required.
+ *
+ * \note If more ops are needed to complete a
+ * computation, #PSA_OPERATION_INCOMPLETE will be
+ * returned by the function performing the
+ * computation. It is then the caller's
+ * responsibility to either call again with the
+ * same operation context until it returns 0 or an
+ * error code; or to call the relevant abort
+ * function if the answer is no longer required.
+ *
+ * \note The interpretation of \p max_ops is also
+ * implementation defined. On a hard real time
+ * system, this can indicate a hard deadline, as a
+ * real-time system needs a guarantee of not
+ * spending more than X time, however care must be
+ * taken in such an implementation to avoid the
+ * situation whereby calls just return, not being
+ * able to do any actual work within the allotted
+ * time. On a non-real-time system, the
+ * implementation can be more relaxed, but again
+ * whether this number should be interpreted as as
+ * hard or soft limit or even whether a less than
+ * or equals as regards to ops executed in a
+ * single call is implementation defined.
+ *
+ * \note For keys in local storage when no accelerator
+ * driver applies, please see also the
+ * documentation for \c mbedtls_ecp_set_max_ops(),
+ * which is the internal implementation in these
+ * cases.
+ *
+ * \warning With implementations that interpret this number
+ * as a hard limit, setting this number too small
+ * may result in an infinite loop, whereby each
+ * call results in immediate return with no ops
+ * done (as there is not enough time to execute
+ * any), and thus no result will ever be achieved.
+ *
+ * \note This only applies to functions whose
+ * documentation mentions they may return
+ * #PSA_OPERATION_INCOMPLETE.
+ *
+ * \param max_ops The maximum number of ops to be executed in a
+ * single call. This can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is the least amount of work done per call.
+ */
+void psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call. This will return the last
+ * value set by
+ * \c psa_interruptible_set_max_ops() or
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED if
+ * that function has never been called.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \return Maximum number of ops allowed to be
+ * executed by an interruptible function in a
+ * single call.
+ */
+uint32_t psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling
+ * \c psa_sign_hash_interruptible_abort() on
+ * the operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification
+ * operation has taken so far. If the operation
+ * has completed, then this will represent the
+ * number of ops required for the entire
+ * operation. After initialization or calling \c
+ * psa_verify_hash_interruptible_abort() on the
+ * operation, a value of 0 will be returned.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * This is a helper provided to help you tune the
+ * value passed to \c
+ * psa_interruptible_set_max_ops().
+ *
+ * \param operation The \c
+ * psa_verify_hash_interruptible_operation_t to
+ * use. This must be initialized first.
+ *
+ * \return Number of ops that the operation has taken so
+ * far.
+ */
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a
+ * private key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_complete() is equivalent to
+ * \c psa_sign_hash() but
+ * \c psa_sign_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call \c psa_sign_hash_complete()
+ * repeatedly on the same context after a
+ * successful call to this function until \c
+ * psa_sign_hash_complete() either returns 0 or an
+ * error. \c psa_sign_hash_complete() will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * It must be an asymmetric key pair. The key must
+ * allow the usage #PSA_KEY_USAGE_SIGN_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_SIGN_HASH flag, or it does
+ * not permit the requested algorithm.
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation has previously been started on this context, and is
+ * still in progress.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * signing a hash or short message with a private
+ * key, in an interruptible manner.
+ *
+ * \see \c psa_sign_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_sign_hash_start() is equivalent to
+ * \c psa_sign_hash() but this function can return
+ * early and resume according to the limit set with
+ * \c psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_sign_hash_abort() at any point if they no
+ * longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_sign_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_sign_hash_start() called with it
+ * first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key:
+ * - The required signature size is
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c
+ * key_bits, \c alg) where \c key_type and \c
+ * key_bits are the type and bit-size
+ * respectively of key.
+ * - #PSA_SIGNATURE_MAX_SIZE evaluates to the
+ * maximum signature size of any supported
+ * signature algorithm.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_sign_hash_start().
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_sign_hash_start() with this operation object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function is the only function that clears
+ * the number of ops completed as part of the
+ * operation. Please ensure you copy this value via
+ * \c psa_sign_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the \p operation structure
+ * itself. Once aborted, the operation object can
+ * be reused for another operation by calling \c
+ * psa_sign_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized. In
+ * particular, calling \c psa_sign_hash_abort()
+ * after the operation has already been terminated
+ * by a call to \c psa_sign_hash_abort() or
+ * psa_sign_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized sign hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short
+ * message, in an interruptible manner.
+ *
+ * \see \c psa_verify_hash_complete()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_complete() is equivalent to
+ * \c psa_verify_hash() but \c
+ * psa_verify_hash_complete() can return early and
+ * resume according to the limit set with \c
+ * psa_interruptible_set_max_ops() to reduce the
+ * maximum time spent in a function.
+ *
+ * \note Users should call \c psa_verify_hash_complete()
+ * repeatedly on the same operation object after a
+ * successful call to this function until \c
+ * psa_verify_hash_complete() either returns 0 or
+ * an error. \c psa_verify_hash_complete() will
+ * return #PSA_OPERATION_INCOMPLETE if there is
+ * more work to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note If this function returns an error status, the
+ * operation enters an error state and must be
+ * aborted by calling \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param key Identifier of the key to use for the operation.
+ * The key must allow the usage
+ * #PSA_KEY_USAGE_VERIFY_HASH.
+ * \param alg A signature algorithm (\c PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
+ * the type of \p key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - please call \c
+ * psa_verify_hash_complete() with the same context to complete the
+ * operation.
+ *
+ * \retval #PSA_ERROR_BAD_STATE
+ * Another operation has already been started on this context, and is
+ * still in progress.
+ *
+ * \retval #PSA_ERROR_NOT_PERMITTED
+ * The key does not have the #PSA_KEY_USAGE_VERIFY_HASH flag, or it does
+ * not permit the requested algorithm.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval PSA_ERROR_DATA_CORRUPT
+ * \retval PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of
+ * reading and verifying a hash or short message
+ * signed with a private key, in an interruptible
+ * manner.
+ *
+ * \see \c psa_verify_hash_start()
+ *
+ * \warning This is a beta API, and thus subject to change
+ * at any point. It is not bound by the usual
+ * interface stability promises.
+ *
+ * \note This function combined with \c
+ * psa_verify_hash_start() is equivalent to
+ * \c psa_verify_hash() but this function can
+ * return early and resume according to the limit
+ * set with \c psa_interruptible_set_max_ops() to
+ * reduce the maximum time spent in a function
+ * call.
+ *
+ * \note Users should call this function on the same
+ * operation object repeatedly until it either
+ * returns 0 or an error. This function will return
+ * #PSA_OPERATION_INCOMPLETE if there is more work
+ * to do. Alternatively users can call
+ * \c psa_verify_hash_abort() at any point if they
+ * no longer want the result.
+ *
+ * \note When this function returns successfully, the
+ * operation becomes inactive. If this function
+ * returns an error status, the operation enters an
+ * error state and must be aborted by calling
+ * \c psa_verify_hash_abort().
+ *
+ * \param[in, out] operation The \c psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first, and have
+ * had \c psa_verify_hash_start() called with it
+ * first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(). There is still work to be done.
+ * Call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_HANDLE
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ *\retval #PSA_ERROR_BAD_STATE
+ * An operation was not previously started on this context via
+ * \c psa_verify_hash_start().
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_COMMUNICATION_FAILURE
+ * \retval #PSA_ERROR_HARDWARE_FAILURE
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_STORAGE_FAILURE
+ * \retval #PSA_ERROR_DATA_CORRUPT
+ * \retval #PSA_ERROR_DATA_INVALID
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has either not been previously initialized by
+ * psa_crypto_init() or you did not previously call
+ * psa_verify_hash_start() on this object. It is
+ * implementation-dependent whether a failure to initialize results in
+ * this error code.
+ */
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify hash operation.
+ *
+ * \warning This is a beta API, and thus subject to change at
+ * any point. It is not bound by the usual interface
+ * stability promises.
+ *
+ * \note This function is the only function that clears the
+ * number of ops completed as part of the operation.
+ * Please ensure you copy this value via
+ * \c psa_verify_hash_get_num_ops() if required
+ * before calling.
+ *
+ * \note Aborting an operation frees all associated
+ * resources except for the operation structure
+ * itself. Once aborted, the operation object can be
+ * reused for another operation by calling \c
+ * psa_verify_hash_start() again.
+ *
+ * \note You may call this function any time after the
+ * operation object has been initialized.
+ * In particular, calling \c psa_verify_hash_abort()
+ * after the operation has already been terminated by
+ * a call to \c psa_verify_hash_abort() or
+ * psa_verify_hash_complete() is safe.
+ *
+ * \param[in,out] operation Initialized verify hash operation.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_BAD_STATE
+ * The library has not been previously initialized by psa_crypto_init().
+ * It is implementation-dependent whether a failure to initialize
+ * results in this error code.
+ */
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+
+/**@}*/
+
#ifdef __cplusplus
}
#endif
diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h
index b7f0b11..9f23551 100644
--- a/include/psa/crypto_builtin_composites.h
+++ b/include/psa/crypto_builtin_composites.h
@@ -107,4 +107,78 @@
#define MBEDTLS_PSA_AEAD_OPERATION_INIT { 0, 0, 0, 0, { 0 } }
+#include "mbedtls/ecdsa.h"
+
+/* Context structure for the Mbed TLS interruptible sign hash implementation. */
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ size_t MBEDTLS_PRIVATE(coordinate_bytes);
+ psa_algorithm_t MBEDTLS_PRIVATE(alg);
+ mbedtls_md_type_t MBEDTLS_PRIVATE(md_alg);
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+} mbedtls_psa_sign_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, 0, 0 }
+#else
+#define MBEDTLS_PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+/* Context structure for the Mbed TLS interruptible verify hash
+ * implementation.*/
+typedef struct {
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_context *MBEDTLS_PRIVATE(ctx);
+ mbedtls_ecdsa_restart_ctx MBEDTLS_PRIVATE(restart_ctx);
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+
+ uint8_t MBEDTLS_PRIVATE(hash)[PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS)];
+ size_t MBEDTLS_PRIVATE(hash_length);
+
+ mbedtls_mpi MBEDTLS_PRIVATE(r);
+ mbedtls_mpi MBEDTLS_PRIVATE(s);
+
+#else
+ /* Make the struct non-empty if algs not supported. */
+ unsigned MBEDTLS_PRIVATE(dummy);
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+
+} mbedtls_psa_verify_hash_interruptible_operation_t;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { { 0 }, { 0 }, 0, 0, 0, 0, { 0 }, \
+ { 0 } }
+#else
+#define MBEDTLS_VERIFY_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0 }
+#endif
+
+
+
#endif /* PSA_CRYPTO_BUILTIN_COMPOSITES_H */
diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h
index bcd000e..1b95814 100644
--- a/include/psa/crypto_driver_contexts_composites.h
+++ b/include/psa/crypto_driver_contexts_composites.h
@@ -114,5 +114,15 @@
#endif
} psa_driver_aead_context_t;
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_sign_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_sign_hash_interruptible_context_t;
+
+typedef union {
+ unsigned dummy; /* Make sure this union is always non-empty */
+ mbedtls_psa_verify_hash_interruptible_operation_t mbedtls_ctx;
+} psa_driver_verify_hash_interruptible_context_t;
+
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_COMPOSITES_H */
/* End of automatically generated file. */
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 7a6caa2..934bc17 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -491,6 +491,66 @@
return attributes->MBEDTLS_PRIVATE(core).MBEDTLS_PRIVATE(bits);
}
+/**
+ * \brief The context for PSA interruptible hash signing.
+ */
+struct psa_sign_hash_interruptible_operation_s {
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_sign_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+
+static inline struct psa_sign_hash_interruptible_operation_s
+psa_sign_hash_interruptible_operation_init(void)
+{
+ const struct psa_sign_hash_interruptible_operation_s v =
+ PSA_SIGN_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
+/**
+ * \brief The context for PSA interruptible hash verification.
+ */
+struct psa_verify_hash_interruptible_operation_s {
+ /** Unique ID indicating which driver got assigned to do the
+ * operation. Since driver contexts are driver-specific, swapping
+ * drivers halfway through the operation is not supported.
+ * ID values are auto-generated in psa_crypto_driver_wrappers.h
+ * ID value zero means the context is not valid or not assigned to
+ * any driver (i.e. none of the driver contexts are active). */
+ unsigned int MBEDTLS_PRIVATE(id);
+
+ psa_driver_verify_hash_interruptible_context_t MBEDTLS_PRIVATE(ctx);
+
+ unsigned int MBEDTLS_PRIVATE(error_occurred) : 1;
+
+ uint32_t MBEDTLS_PRIVATE(num_ops);
+};
+
+#define PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT { 0, { 0 }, 0, 0 }
+
+static inline struct psa_verify_hash_interruptible_operation_s
+psa_verify_hash_interruptible_operation_init(void)
+{
+ const struct psa_verify_hash_interruptible_operation_s v =
+ PSA_VERIFY_HASH_INTERRUPTIBLE_OPERATION_INIT;
+
+ return v;
+}
+
#ifdef __cplusplus
}
#endif
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index ee95745..39acd96 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -335,6 +335,13 @@
*/
#define PSA_ERROR_DATA_INVALID ((psa_status_t)-153)
+/** The function that returns this status is defined as interruptible and
+ * still has work to do, thus the user should call the function again with the
+ * same operation context until it either returns #PSA_SUCCESS or any other
+ * error. This is not an error per se, more a notification of status.
+ */
+#define PSA_OPERATION_INCOMPLETE ((psa_status_t)-248)
+
/* *INDENT-ON* */
/**@}*/
@@ -2739,4 +2746,18 @@
/**@}*/
+/**@}*/
+
+/** \defgroup interruptible Interruptible operations
+ * @{
+ */
+
+/** Maximum value for use with \c psa_interruptible_set_max_ops() to determine
+ * the maximum number of ops allowed to be executed by an interruptible
+ * function in a single call.
+ */
+#define PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED UINT32_MAX
+
+/**@}*/
+
#endif /* PSA_CRYPTO_VALUES_H */
diff --git a/library/bignum.c b/library/bignum.c
index 41b3a26..d3a1b00 100644
--- a/library/bignum.c
+++ b/library/bignum.c
@@ -1656,6 +1656,7 @@
size_t window_bitsize;
size_t i, j, nblimbs;
size_t bufsize, nbits;
+ size_t exponent_bits_in_window = 0;
mbedtls_mpi_uint ei, mm, state;
mbedtls_mpi RR, T, W[(size_t) 1 << MBEDTLS_MPI_WINDOW_SIZE], WW, Apos;
int neg;
@@ -1829,7 +1830,6 @@
nblimbs = E->n;
bufsize = 0;
nbits = 0;
- size_t exponent_bits_in_window = 0;
state = 0;
while (1) {
diff --git a/library/ecdsa.c b/library/ecdsa.c
index 3ddb82b..eb3c303 100644
--- a/library/ecdsa.c
+++ b/library/ecdsa.c
@@ -239,13 +239,13 @@
* Compute ECDSA signature of a hashed message (SEC1 4.1.3)
* Obviously, compared to SEC1 4.1.3, we skip step 4 (hash message)
*/
-static int ecdsa_sign_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ int (*f_rng)(void *, unsigned char *, size_t), void *p_rng,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret, key_tries, sign_tries;
int *p_sign_tries = &sign_tries, *p_key_tries = &key_tries;
@@ -394,8 +394,8 @@
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng)
{
/* Use the same RNG for both blinding and ephemeral key generation */
- return ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- f_rng, p_rng, f_rng, p_rng, NULL);
+ return mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ f_rng, p_rng, f_rng, p_rng, NULL);
}
#endif /* !MBEDTLS_ECDSA_SIGN_ALT */
@@ -406,13 +406,13 @@
* note: The f_rng_blind parameter must not be NULL.
*
*/
-static int ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
- mbedtls_mpi *r, mbedtls_mpi *s,
- const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
- mbedtls_md_type_t md_alg,
- int (*f_rng_blind)(void *, unsigned char *, size_t),
- void *p_rng_blind,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_sign_det_restartable(mbedtls_ecp_group *grp,
+ mbedtls_mpi *r, mbedtls_mpi *s,
+ const mbedtls_mpi *d, const unsigned char *buf, size_t blen,
+ mbedtls_md_type_t md_alg,
+ int (*f_rng_blind)(void *, unsigned char *, size_t),
+ void *p_rng_blind,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_hmac_drbg_context rng_ctx;
@@ -462,9 +462,9 @@
ret = mbedtls_ecdsa_sign(grp, r, s, d, buf, blen,
mbedtls_hmac_drbg_random, p_rng);
#else
- ret = ecdsa_sign_restartable(grp, r, s, d, buf, blen,
- mbedtls_hmac_drbg_random, p_rng,
- f_rng_blind, p_rng_blind, rs_ctx);
+ ret = mbedtls_ecdsa_sign_restartable(grp, r, s, d, buf, blen,
+ mbedtls_hmac_drbg_random, p_rng,
+ f_rng_blind, p_rng_blind, rs_ctx);
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
cleanup:
@@ -487,8 +487,8 @@
size_t),
void *p_rng_blind)
{
- return ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
- f_rng_blind, p_rng_blind, NULL);
+ return mbedtls_ecdsa_sign_det_restartable(grp, r, s, d, buf, blen, md_alg,
+ f_rng_blind, p_rng_blind, NULL);
}
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@@ -497,11 +497,12 @@
* Verify ECDSA signature of hashed message (SEC1 4.1.4)
* Obviously, compared to SEC1 4.1.3, we skip step 2 (hash message)
*/
-static int ecdsa_verify_restartable(mbedtls_ecp_group *grp,
- const unsigned char *buf, size_t blen,
- const mbedtls_ecp_point *Q,
- const mbedtls_mpi *r, const mbedtls_mpi *s,
- mbedtls_ecdsa_restart_ctx *rs_ctx)
+int mbedtls_ecdsa_verify_restartable(mbedtls_ecp_group *grp,
+ const unsigned char *buf, size_t blen,
+ const mbedtls_ecp_point *Q,
+ const mbedtls_mpi *r,
+ const mbedtls_mpi *s,
+ mbedtls_ecdsa_restart_ctx *rs_ctx)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_mpi e, s_inv, u1, u2;
@@ -610,7 +611,7 @@
const mbedtls_mpi *r,
const mbedtls_mpi *s)
{
- return ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
+ return mbedtls_ecdsa_verify_restartable(grp, buf, blen, Q, r, s, NULL);
}
#endif /* !MBEDTLS_ECDSA_VERIFY_ALT */
@@ -665,9 +666,9 @@
mbedtls_mpi_init(&s);
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
- MBEDTLS_MPI_CHK(ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, md_alg, f_rng,
- p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_det_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, md_alg, f_rng,
+ p_rng, rs_ctx));
#else
(void) md_alg;
@@ -678,9 +679,9 @@
hash, hlen, f_rng, p_rng));
#else
/* Use the same RNG for both blinding and ephemeral key generation */
- MBEDTLS_MPI_CHK(ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
- hash, hlen, f_rng, p_rng, f_rng,
- p_rng, rs_ctx));
+ MBEDTLS_MPI_CHK(mbedtls_ecdsa_sign_restartable(&ctx->grp, &r, &s, &ctx->d,
+ hash, hlen, f_rng, p_rng, f_rng,
+ p_rng, rs_ctx));
#endif /* MBEDTLS_ECDSA_SIGN_ALT */
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
@@ -760,8 +761,8 @@
goto cleanup;
}
#else
- if ((ret = ecdsa_verify_restartable(&ctx->grp, hash, hlen,
- &ctx->Q, &r, &s, rs_ctx)) != 0) {
+ if ((ret = mbedtls_ecdsa_verify_restartable(&ctx->grp, hash, hlen,
+ &ctx->Q, &r, &s, rs_ctx)) != 0) {
goto cleanup;
}
#endif /* MBEDTLS_ECDSA_VERIFY_ALT */
diff --git a/library/ecp_curves.c b/library/ecp_curves.c
index 7987c3f..1a027d6 100644
--- a/library/ecp_curves.c
+++ b/library/ecp_curves.c
@@ -4570,6 +4570,8 @@
/* Forward declarations */
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
static int ecp_mod_p192(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
#endif
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED)
static int ecp_mod_p224(mbedtls_mpi *);
@@ -4582,6 +4584,8 @@
#endif
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
static int ecp_mod_p521(mbedtls_mpi *);
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *N_p, size_t N_n);
#endif
#define NIST_MODP(P) grp->modp = ecp_mod_ ## P;
@@ -4884,10 +4888,12 @@
}
#define WIDTH 8 / sizeof(mbedtls_mpi_uint)
-#define A(i) N->p + (i) * WIDTH
-#define ADD(i) add64(p, A(i), &c)
+#define A(i) Np + (i) * WIDTH
+#define ADD(i) add64(p, A(i), &c)
#define NEXT p += WIDTH; carry64(p, &c)
#define LAST p += WIDTH; *p = c; while (++p < end) *p = 0
+#define RESET last_carry[0] = c; c = 0; p = Np
+#define ADD_LAST add64(p, last_carry, &c)
/*
* Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
@@ -4895,28 +4901,51 @@
static int ecp_mod_p192(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- mbedtls_mpi_uint c = 0;
- mbedtls_mpi_uint *p, *end;
-
- /* Make sure we have enough blocks so that A(5) is legal */
- MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, 6 * WIDTH));
-
- p = N->p;
- end = p + N->n;
-
- ADD(3); ADD(5); NEXT; // A0 += A3 + A5
- ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
- ADD(4); ADD(5); LAST; // A2 += A4 + A5
+ size_t expected_width = 2 * ((192 + biL - 1) / biL);
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p192_raw(N->p, expected_width);
cleanup:
return ret;
}
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn)
+{
+ mbedtls_mpi_uint c = 0, last_carry[WIDTH] = { 0 };
+ mbedtls_mpi_uint *p, *end;
+
+ if (Nn != 2*((192 + biL - 1)/biL)) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ p = Np;
+ end = p + Nn;
+
+ ADD(3); ADD(5); NEXT; // A0 += A3 + A5
+ ADD(3); ADD(4); ADD(5); NEXT; // A1 += A3 + A4 + A5
+ ADD(4); ADD(5); // A2 += A4 + A5
+
+ RESET;
+
+ /* Use the reduction for the carry as well:
+ * 2^192 * last_carry = 2^64 * last_carry + last_carry mod P192
+ */
+ ADD_LAST; NEXT; // A0 += last_carry
+ ADD_LAST; NEXT; // A1 += last_carry
+
+ LAST; // A2 += carry
+
+ return 0;
+}
+
#undef WIDTH
#undef A
#undef ADD
#undef NEXT
#undef LAST
+#undef RESET
+#undef ADD_LAST
#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
@@ -5162,11 +5191,6 @@
MBEDTLS_ECP_DP_SECP384R1_ENABLED */
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
-/*
- * Here we have an actual Mersenne prime, so things are more straightforward.
- * However, chunks are aligned on a 'weird' boundary (521 bits).
- */
-
/* Size of p521 in terms of mbedtls_mpi_uint */
#define P521_WIDTH (521 / 8 / sizeof(mbedtls_mpi_uint) + 1)
@@ -5174,48 +5198,81 @@
#define P521_MASK 0x01FF
/*
- * Fast quasi-reduction modulo p521 (FIPS 186-3 D.2.5)
- * Write N as A1 + 2^521 A0, return A0 + A1
+ * Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
*/
static int ecp_mod_p521(mbedtls_mpi *N)
{
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- size_t i;
- mbedtls_mpi M;
- mbedtls_mpi_uint Mp[P521_WIDTH + 1];
- /* Worst case for the size of M is when mbedtls_mpi_uint is 16 bits:
- * we need to hold bits 513 to 1056, which is 34 limbs, that is
- * P521_WIDTH + 1. Otherwise P521_WIDTH is enough. */
-
- if (N->n < P521_WIDTH) {
- return 0;
- }
-
- /* M = A1 */
- M.s = 1;
- M.n = N->n - (P521_WIDTH - 1);
- if (M.n > P521_WIDTH + 1) {
- M.n = P521_WIDTH + 1;
- }
- M.p = Mp;
- memcpy(Mp, N->p + P521_WIDTH - 1, M.n * sizeof(mbedtls_mpi_uint));
- MBEDTLS_MPI_CHK(mbedtls_mpi_shift_r(&M, 521 % (8 * sizeof(mbedtls_mpi_uint))));
-
- /* N = A0 */
- N->p[P521_WIDTH - 1] &= P521_MASK;
- for (i = P521_WIDTH; i < N->n; i++) {
- N->p[i] = 0;
- }
-
- /* N = A0 + A1 */
- MBEDTLS_MPI_CHK(mbedtls_mpi_add_abs(N, N, &M));
-
+ size_t expected_width = 2 * P521_WIDTH;
+ MBEDTLS_MPI_CHK(mbedtls_mpi_grow(N, expected_width));
+ ret = mbedtls_ecp_mod_p521_raw(N->p, expected_width);
cleanup:
return ret;
}
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs)
+{
+ mbedtls_mpi_uint carry = 0;
+
+ if (X_limbs != 2 * P521_WIDTH || X[2 * P521_WIDTH - 1] != 0) {
+ return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
+ }
+
+ /* Step 1: Reduction to P521_WIDTH limbs */
+ /* Helper references for bottom part of X */
+ mbedtls_mpi_uint *X0 = X;
+ size_t X0_limbs = P521_WIDTH;
+ /* Helper references for top part of X */
+ mbedtls_mpi_uint *X1 = X + X0_limbs;
+ size_t X1_limbs = X_limbs - X0_limbs;
+ /* Split X as X0 + 2^P521_WIDTH X1 and compute X0 + 2^(biL - 9) X1.
+ * (We are using that 2^P521_WIDTH = 2^(512 + biL) and that
+ * 2^(512 + biL) X1 = 2^(biL - 9) X1 mod P521.)
+ * The high order limb of the result will be held in carry and the rest
+ * in X0 (that is the result will be represented as
+ * 2^P521_WIDTH carry + X0).
+ *
+ * Also, note that the resulting carry is either 0 or 1:
+ * X0 < 2^P521_WIDTH = 2^(512 + biL) and X1 < 2^(P521_WIDTH-biL) = 2^512
+ * therefore
+ * X0 + 2^(biL - 9) X1 < 2^(512 + biL) + 2^(512 + biL - 9)
+ * which in turn is less than 2 * 2^(512 + biL).
+ */
+ mbedtls_mpi_uint shift = ((mbedtls_mpi_uint) 1u) << (biL - 9);
+ carry = mbedtls_mpi_core_mla(X0, X0_limbs, X1, X1_limbs, shift);
+ /* Set X to X0 (by clearing the top part). */
+ memset(X1, 0, X1_limbs * sizeof(mbedtls_mpi_uint));
+
+ /* Step 2: Reduction modulo P521
+ *
+ * At this point X is reduced to P521_WIDTH limbs. What remains is to add
+ * the carry (that is 2^P521_WIDTH carry) and to reduce mod P521. */
+
+ /* 2^P521_WIDTH carry = 2^(512 + biL) carry = 2^(biL - 9) carry mod P521.
+ * Also, recall that carry is either 0 or 1. */
+ mbedtls_mpi_uint addend = carry << (biL - 9);
+ /* Keep the top 9 bits and reduce the rest, using 2^521 = 1 mod P521. */
+ addend += (X[P521_WIDTH - 1] >> 9);
+ X[P521_WIDTH - 1] &= P521_MASK;
+
+ /* Resuse the top part of X (already zeroed) as a helper array for
+ * carrying out the addition. */
+ mbedtls_mpi_uint *addend_arr = X + P521_WIDTH;
+ addend_arr[0] = addend;
+ (void) mbedtls_mpi_core_add(X, X, addend_arr, P521_WIDTH);
+ /* Both addends were less than P521 therefore X < 2 * P521. (This also means
+ * that the result fit in P521_WIDTH limbs and there won't be any carry.) */
+
+ /* Clear the reused part of X. */
+ addend_arr[0] = 0;
+
+ return 0;
+}
+
#undef P521_WIDTH
#undef P521_MASK
+
#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* MBEDTLS_ECP_NIST_OPTIM */
diff --git a/library/ecp_invasive.h b/library/ecp_invasive.h
index 18815be..3d1321c 100644
--- a/library/ecp_invasive.h
+++ b/library/ecp_invasive.h
@@ -76,6 +76,47 @@
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
+#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
+
+/** Fast quasi-reduction modulo p192 (FIPS 186-3 D.2.1)
+ *
+ * This operation expects a 384 bit MPI and the result of the reduction
+ * is a 192 bit MPI.
+ *
+ * \param[in,out] Np The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus.
+ * Upon return this holds the reduced value. The bitlength
+ * of the reduced value is the same as that of the modulus
+ * (192 bits).
+ * \param[in] Nn The length of \p Np in limbs.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p192_raw(mbedtls_mpi_uint *Np, size_t Nn);
+
+#endif /* MBEDTLS_ECP_DP_SECP192R1_ENABLED */
+
+#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED)
+
+/** Fast quasi-reduction modulo p521 = 2^521 - 1 (FIPS 186-3 D.2.5)
+ *
+ * \param[in,out] X The address of the MPI to be converted.
+ * Must have twice as many limbs as the modulus
+ * (the modulus is 521 bits long). Upon return this
+ * holds the reduced value. The reduced value is
+ * in range `0 <= X < 2 * N` (where N is the modulus).
+ * and its the bitlength is one plus the bitlength
+ * of the modulus.
+ * \param[in] X_limbs The length of \p X in limbs.
+ *
+ * \return \c 0 on success.
+ * \return #MBEDTLS_ERR_ECP_BAD_INPUT_DATA if \p X_limbs does not have
+ * twice as many limbs as the modulus.
+ */
+MBEDTLS_STATIC_TESTABLE
+int mbedtls_ecp_mod_p521_raw(mbedtls_mpi_uint *X, size_t X_limbs);
+
+#endif /* MBEDTLS_ECP_DP_SECP521R1_ENABLED */
+
#endif /* MBEDTLS_TEST_HOOKS && MBEDTLS_ECP_C */
#endif /* MBEDTLS_ECP_INVASIVE_H */
diff --git a/library/pkcs7.c b/library/pkcs7.c
index 4fdbe36..010d706 100644
--- a/library/pkcs7.c
+++ b/library/pkcs7.c
@@ -57,7 +57,10 @@
ret = mbedtls_asn1_get_tag(p, end, len, MBEDTLS_ASN1_CONSTRUCTED
| MBEDTLS_ASN1_CONTEXT_SPECIFIC);
if (ret != 0) {
- ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO, ret);
+ } else if ((size_t) (end - *p) != *len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
}
return ret;
@@ -184,13 +187,13 @@
size_t len2 = 0;
unsigned char *end_set, *end_cert, *start;
- if ((ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
- | MBEDTLS_ASN1_CONTEXT_SPECIFIC)) != 0) {
- if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
- return 0;
- } else {
- return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
- }
+ ret = mbedtls_asn1_get_tag(p, end, &len1, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_CONTEXT_SPECIFIC);
+ if (ret == MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ return 0;
+ }
+ if (ret != 0) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
start = *p;
end_set = *p + len1;
@@ -213,12 +216,11 @@
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
- *p = start;
- if ((ret = mbedtls_x509_crt_parse_der(certs, *p, len1)) < 0) {
+ if ((ret = mbedtls_x509_crt_parse_der(certs, start, len1)) < 0) {
return MBEDTLS_ERR_PKCS7_INVALID_CERT;
}
- *p = *p + len1;
+ *p = end_cert;
/*
* Since in this version we strictly support single certificate, and reaching
@@ -285,7 +287,8 @@
* and unauthenticatedAttributes.
**/
static int pkcs7_get_signer_info(unsigned char **p, unsigned char *end,
- mbedtls_pkcs7_signer_info *signer)
+ mbedtls_pkcs7_signer_info *signer,
+ mbedtls_x509_buf *alg)
{
unsigned char *end_signer, *end_issuer_and_sn;
int asn1_ret = 0, ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -343,8 +346,15 @@
goto out;
}
- /* Assume authenticatedAttributes is nonexistent */
+ /* Check that the digest algorithm used matches the one provided earlier */
+ if (signer->alg_identifier.tag != alg->tag ||
+ signer->alg_identifier.len != alg->len ||
+ memcmp(signer->alg_identifier.p, alg->p, alg->len) != 0) {
+ ret = MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO;
+ goto out;
+ }
+ /* Asssume authenticatedAttributes is nonexistent */
ret = pkcs7_get_digest_algorithm(p, end_signer, &signer->sig_alg_identifier);
if (ret != 0) {
goto out;
@@ -377,7 +387,8 @@
* Return negative error code for failure.
**/
static int pkcs7_get_signers_info_set(unsigned char **p, unsigned char *end,
- mbedtls_pkcs7_signer_info *signers_set)
+ mbedtls_pkcs7_signer_info *signers_set,
+ mbedtls_x509_buf *digest_alg)
{
unsigned char *end_set;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
@@ -397,7 +408,7 @@
end_set = *p + len;
- ret = pkcs7_get_signer_info(p, end_set, signers_set);
+ ret = pkcs7_get_signer_info(p, end_set, signers_set, digest_alg);
if (ret != 0) {
return ret;
}
@@ -412,7 +423,7 @@
goto cleanup;
}
- ret = pkcs7_get_signer_info(p, end_set, signer);
+ ret = pkcs7_get_signer_info(p, end_set, signer, digest_alg);
if (ret != 0) {
mbedtls_free(signer);
goto cleanup;
@@ -454,7 +465,7 @@
{
unsigned char *p = buf;
unsigned char *end = buf + buflen;
- unsigned char *end_set, *end_content_info;
+ unsigned char *end_content_info = NULL;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
mbedtls_md_type_t md_alg;
@@ -465,16 +476,19 @@
return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
}
- end_set = p + len;
+ if (p + len != end) {
+ return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ }
/* Get version of signed data */
- ret = pkcs7_get_version(&p, end_set, &signed_data->version);
+ ret = pkcs7_get_version(&p, end, &signed_data->version);
if (ret != 0) {
return ret;
}
/* Get digest algorithm */
- ret = pkcs7_get_digest_algorithm_set(&p, end_set,
+ ret = pkcs7_get_digest_algorithm_set(&p, end,
&signed_data->digest_alg_identifiers);
if (ret != 0) {
return ret;
@@ -485,12 +499,15 @@
return MBEDTLS_ERR_PKCS7_INVALID_ALG;
}
- /* Do not expect any content */
- ret = pkcs7_get_content_info_type(&p, end_set, &end_content_info,
- &signed_data->content.oid);
+ mbedtls_pkcs7_buf content_type;
+ memset(&content_type, 0, sizeof(content_type));
+ ret = pkcs7_get_content_info_type(&p, end, &end_content_info, &content_type);
if (ret != 0) {
return ret;
}
+ if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &content_type)) {
+ return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
+ }
if (p != end_content_info) {
/* Determine if valid content is present */
@@ -509,13 +526,9 @@
return MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
}
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &signed_data->content.oid)) {
- return MBEDTLS_ERR_PKCS7_INVALID_CONTENT_INFO;
- }
-
/* Look for certificates, there may or may not be any */
mbedtls_x509_crt_init(&signed_data->certs);
- ret = pkcs7_get_certificates(&p, end_set, &signed_data->certs);
+ ret = pkcs7_get_certificates(&p, end, &signed_data->certs);
if (ret < 0) {
return ret;
}
@@ -531,7 +544,10 @@
signed_data->no_of_crls = 0;
/* Get signers info */
- ret = pkcs7_get_signers_info_set(&p, end_set, &signed_data->signers);
+ ret = pkcs7_get_signers_info_set(&p,
+ end,
+ &signed_data->signers,
+ &signed_data->digest_alg_identifiers);
if (ret < 0) {
return ret;
}
@@ -550,10 +566,9 @@
const size_t buflen)
{
unsigned char *p;
- unsigned char *end, *end_content_info;
+ unsigned char *end;
size_t len = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
- int isoidset = 0;
if (pkcs7 == NULL) {
return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
@@ -569,34 +584,45 @@
pkcs7->raw.len = buflen;
end = p + buflen;
- ret = pkcs7_get_content_info_type(&p, end, &end_content_info,
- &pkcs7->content_type_oid);
+ ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_CONSTRUCTED
+ | MBEDTLS_ASN1_SEQUENCE);
if (ret != 0) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT, ret);
+ goto out;
+ }
+
+ if ((size_t) (end - p) != len) {
+ ret = MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PKCS7_INVALID_FORMAT,
+ MBEDTLS_ERR_ASN1_LENGTH_MISMATCH);
+ goto out;
+ }
+
+ if ((ret = mbedtls_asn1_get_tag(&p, end, &len, MBEDTLS_ASN1_OID)) != 0) {
+ if (ret != MBEDTLS_ERR_ASN1_UNEXPECTED_TAG) {
+ goto out;
+ }
+ p = pkcs7->raw.p;
len = buflen;
goto try_data;
}
- /* Ensure PKCS7 data uses the exact number of bytes specified in buflen */
- if (end_content_info != end) {
- ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ if (MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_DATA, p, len)) {
+ /* OID is not MBEDTLS_OID_PKCS7_SIGNED_DATA, which is the only supported feature */
+ if (!MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, p, len)
+ || !MBEDTLS_OID_CMP_RAW(MBEDTLS_OID_PKCS7_DIGESTED_DATA, p, len)) {
+ /* OID is valid according to the spec, but unsupported */
+ ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
+ } else {
+ /* OID is invalid according to the spec */
+ ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
goto out;
}
- if (!MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENVELOPED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_AND_ENVELOPED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_DIGESTED_DATA, &pkcs7->content_type_oid)
- || !MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_ENCRYPTED_DATA, &pkcs7->content_type_oid)) {
- ret = MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE;
- goto out;
- }
-
- if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS7_SIGNED_DATA, &pkcs7->content_type_oid)) {
- ret = MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
- goto out;
- }
-
- isoidset = 1;
+ p += len;
ret = pkcs7_get_next_content_len(&p, end, &len);
if (ret != 0) {
@@ -615,12 +641,6 @@
goto out;
}
- if (!isoidset) {
- pkcs7->content_type_oid.tag = MBEDTLS_ASN1_OID;
- pkcs7->content_type_oid.len = MBEDTLS_OID_SIZE(MBEDTLS_OID_PKCS7_SIGNED_DATA);
- pkcs7->content_type_oid.p = (unsigned char *) MBEDTLS_OID_PKCS7_SIGNED_DATA;
- }
-
ret = MBEDTLS_PKCS7_SIGNED_DATA;
out:
@@ -653,6 +673,39 @@
return MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID;
}
+ ret = mbedtls_oid_get_md_alg(&pkcs7->signed_data.digest_alg_identifiers, &md_alg);
+ if (ret != 0) {
+ return ret;
+ }
+
+ md_info = mbedtls_md_info_from_type(md_alg);
+ if (md_info == NULL) {
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
+ }
+
+ /* BEGIN must free hash before jumping out */
+ if (is_data_hash) {
+ if (datalen != mbedtls_md_get_size(md_info)) {
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ } else {
+ memcpy(hash, data, datalen);
+ }
+ } else {
+ ret = mbedtls_md(md_info, data, datalen, hash);
+ }
+ if (ret != 0) {
+ mbedtls_free(hash);
+ return MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+ }
+
+ /* assume failure */
+ ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
+
/*
* Potential TODOs
* Currently we iterate over all signers and return success if any of them
@@ -662,61 +715,30 @@
* identification and SignerIdentifier fields first. That would also allow
* us to distinguish between 'no signature for key' and 'signature for key
* failed to validate'.
- *
- * We could also cache hashes by md, so if there are several sigs all using
- * the same algo we don't recalculate the hash each time.
*/
for (signer = &pkcs7->signed_data.signers; signer; signer = signer->next) {
- ret = mbedtls_oid_get_md_alg(&signer->alg_identifier, &md_alg);
- if (ret != 0) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- continue;
- }
-
- md_info = mbedtls_md_info_from_type(md_alg);
- if (md_info == NULL) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- continue;
- }
-
- hash = mbedtls_calloc(mbedtls_md_get_size(md_info), 1);
- if (hash == NULL) {
- return MBEDTLS_ERR_PKCS7_ALLOC_FAILED;
- }
- /* BEGIN must free hash before jumping out */
- if (is_data_hash) {
- if (datalen != mbedtls_md_get_size(md_info)) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- } else {
- memcpy(hash, data, datalen);
- }
- } else {
- ret = mbedtls_md(md_info, data, datalen, hash);
- }
- if (ret != 0) {
- ret = MBEDTLS_ERR_PKCS7_VERIFY_FAIL;
- mbedtls_free(hash);
- continue;
- }
-
ret = mbedtls_pk_verify(&pk_cxt, md_alg, hash,
mbedtls_md_get_size(md_info),
signer->sig.p, signer->sig.len);
- mbedtls_free(hash);
- /* END must free hash before jumping out */
if (ret == 0) {
break;
}
}
+ mbedtls_free(hash);
+ /* END must free hash before jumping out */
return ret;
}
+
int mbedtls_pkcs7_signed_data_verify(mbedtls_pkcs7 *pkcs7,
const mbedtls_x509_crt *cert,
const unsigned char *data,
size_t datalen)
{
+ if (data == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, data, datalen, 0);
}
@@ -725,6 +747,9 @@
const unsigned char *hash,
size_t hashlen)
{
+ if (hash == NULL) {
+ return MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA;
+ }
return mbedtls_pkcs7_data_or_hash_verify(pkcs7, cert, hash, hashlen, 1);
}
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index a683fdb..3ec9273 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -81,6 +81,7 @@
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
+#include "hash_info.h"
#define ARRAY_LENGTH(array) (sizeof(array) / sizeof(*(array)))
@@ -310,6 +311,9 @@
case MBEDTLS_ERR_ECP_RANDOM_FAILED:
return PSA_ERROR_INSUFFICIENT_ENTROPY;
+ case MBEDTLS_ERR_ECP_IN_PROGRESS:
+ return PSA_OPERATION_INCOMPLETE;
+
case MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED:
return PSA_ERROR_CORRUPTION_DETECTED;
@@ -2679,6 +2683,37 @@
return PSA_SUCCESS;
}
+/**
+ * \brief Fill the unused part of the output buffer (the
+ * whole buffer on error, the trailing part on
+ * success) with something that isn't a valid
+ * signature (barring an attack on the signature
+ * and deliberately-crafted input), in case the
+ * caller doesn't check the return status properly.
+ *
+ * \param output_buffer pointer to buffer to wipe. May not be NULL
+ * unless \p output_buffer_size is zero.
+ * \param status status of function called to generate
+ * output_buffer originally
+ * \param output_buffer_size Size of output buffer. If zero, \p output_buffer
+ * could be NULL
+ * \param output_buffer_length Length of data written to output_buffer, must be
+ * less than \p output_buffer_size
+ */
+static void psa_wipe_output_buffer(uint8_t *output_buffer, psa_status_t status,
+ size_t output_buffer_size, size_t output_buffer_length)
+{
+ if (status == PSA_SUCCESS) {
+ memset(output_buffer + output_buffer_length, '!',
+ output_buffer_size - output_buffer_length);
+ } else if (output_buffer_size > 0) {
+ memset(output_buffer, '!', output_buffer_size);
+ }
+ /* If output_buffer_size is 0 then we have nothing to do. We must
+ * not call memset because output_buffer may be NULL in this
+ * case.*/
+}
+
static psa_status_t psa_sign_internal(mbedtls_svc_key_id_t key,
int input_is_message,
psa_algorithm_t alg,
@@ -2741,18 +2776,8 @@
exit:
- /* Fill the unused part of the output buffer (the whole buffer on error,
- * the trailing part on success) with something that isn't a valid signature
- * (barring an attack on the signature and deliberately-crafted input),
- * in case the caller doesn't check the return status properly. */
- if (status == PSA_SUCCESS) {
- memset(signature + *signature_length, '!',
- signature_size - *signature_length);
- } else {
- memset(signature, '!', signature_size);
- }
- /* If signature_size is 0 then we have nothing to do. We must not call
- * memset because signature may be NULL in this case. */
+ psa_wipe_output_buffer(signature, status, signature_size,
+ *signature_length);
unlock_status = psa_unlock_key_slot(slot);
@@ -3124,7 +3149,766 @@
return (status == PSA_SUCCESS) ? unlock_status : status;
}
+/****************************************************************/
+/* Asymmetric interruptible cryptography */
+/****************************************************************/
+void psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ psa_driver_wrapper_interruptible_set_max_ops(max_ops);
+}
+
+uint32_t psa_interruptible_get_max_ops(void)
+{
+ return psa_driver_wrapper_interruptible_get_max_ops();
+}
+
+
+uint32_t psa_sign_hash_get_num_ops(
+ const psa_sign_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+uint32_t psa_verify_hash_get_num_ops(
+ const psa_verify_hash_interruptible_operation_t *operation)
+{
+ return operation->num_ops;
+}
+
+static psa_status_t psa_sign_hash_abort_internal(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_sign_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_SIGN_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ if (!PSA_KEY_TYPE_IS_KEY_PAIR(slot->attr.type)) {
+ status = PSA_ERROR_INVALID_ARGUMENT;
+ goto exit;
+ }
+
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_sign_hash_start(operation, &attributes,
+ slot->key.data,
+ slot->key.bytes, alg,
+ hash, hash_length);
+exit:
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unlock_key_slot(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+
+psa_status_t psa_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ *signature_length = 0;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ /* Immediately reject a zero-length signature buffer. This guarantees that
+ * signature must be a valid pointer. */
+ if (signature_size == 0) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_sign_hash_complete(operation, signature,
+ signature_size,
+ signature_length);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_sign_hash_get_num_ops(operation);
+
+exit:
+
+ psa_wipe_output_buffer(signature, status, signature_size,
+ *signature_length);
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_sign_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_sign_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+static psa_status_t psa_verify_hash_abort_internal(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ if (operation->id == 0) {
+ /* The object has (apparently) been initialized but it is not (yet)
+ * in use. It's ok to call abort on such an object, and there's
+ * nothing to do. */
+ return PSA_SUCCESS;
+ }
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_driver_wrapper_verify_hash_abort(operation);
+
+ operation->id = 0;
+
+ /* Do not clear either the error_occurred or num_ops elements here as they
+ * only want to be cleared by the application calling abort, not by abort
+ * being called at completion of an operation. */
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ mbedtls_svc_key_id_t key, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_status_t unlock_status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_slot_t *slot;
+
+ /* Check that start has not been previously called, or operation has not
+ * previously errored. */
+ if (operation->id != 0 || operation->error_occurred) {
+ return PSA_ERROR_BAD_STATE;
+ }
+
+ status = psa_sign_verify_check_alg(0, alg);
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ status = psa_get_and_lock_key_slot_with_policy(key, &slot,
+ PSA_KEY_USAGE_VERIFY_HASH,
+ alg);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ return status;
+ }
+
+ psa_key_attributes_t attributes = {
+ .core = slot->attr
+ };
+
+ /* Ensure ops count gets reset, in case of operation re-use. */
+ operation->num_ops = 0;
+
+ status = psa_driver_wrapper_verify_hash_start(operation, &attributes,
+ slot->key.data,
+ slot->key.bytes,
+ alg, hash, hash_length,
+ signature, signature_length);
+
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ unlock_status = psa_unlock_key_slot(slot);
+
+ if (unlock_status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ return (status == PSA_SUCCESS) ? unlock_status : status;
+}
+
+psa_status_t psa_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ /* Check that start has been called first, and that operation has not
+ * previously errored. */
+ if (operation->id == 0 || operation->error_occurred) {
+ status = PSA_ERROR_BAD_STATE;
+ goto exit;
+ }
+
+ status = psa_driver_wrapper_verify_hash_complete(operation);
+
+ /* Update ops count with work done. */
+ operation->num_ops = psa_driver_wrapper_verify_hash_get_num_ops(
+ operation);
+
+exit:
+
+ if (status != PSA_OPERATION_INCOMPLETE) {
+ if (status != PSA_SUCCESS) {
+ operation->error_occurred = 1;
+ }
+
+ psa_verify_hash_abort_internal(operation);
+ }
+
+ return status;
+}
+
+psa_status_t psa_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = psa_verify_hash_abort_internal(operation);
+
+ /* We clear the number of ops done here, so that it is not cleared when
+ * the operation fails or succeeds, only on manual abort. */
+ operation->num_ops = 0;
+
+ /* Likewise, failure state. */
+ operation->error_occurred = 0;
+
+ return status;
+}
+
+/****************************************************************/
+/* Asymmetric interruptible cryptography internal */
+/* implementations */
+/****************************************************************/
+
+static uint32_t mbedtls_psa_interruptible_max_ops =
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops)
+{
+ mbedtls_psa_interruptible_max_ops = max_ops;
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ /* Internal implementation uses zero to indicate infinite number max ops,
+ * therefore avoid this value, and set to minimum possible. */
+ if (max_ops == 0) {
+ max_ops = 1;
+ }
+
+ mbedtls_ecp_set_max_ops(max_ops);
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_interruptible_get_max_ops(void)
+{
+ return mbedtls_psa_interruptible_max_ops;
+}
+
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+ #if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ return operation->num_ops;
+#else
+ (void) operation;
+ return 0;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t required_hash_length;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ /* Ensure default is set even if
+ * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+ mbedtls_psa_interruptible_set_max_ops(
+ mbedtls_psa_interruptible_get_max_ops());
+
+ status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ operation->coordinate_bytes = PSA_BITS_TO_BYTES(
+ operation->ctx->grp.nbits);
+
+ psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH(alg);
+ operation->md_alg = mbedtls_hash_info_md_from_psa(hash_alg);
+ operation->alg = alg;
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < operation->coordinate_bytes ?
+ hash_length : operation->coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) status;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length)
+{
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ mbedtls_mpi r;
+ mbedtls_mpi s;
+
+ mbedtls_mpi_init(&r);
+ mbedtls_mpi_init(&s);
+
+ if (signature_size < 2 * operation->coordinate_bytes) {
+ status = PSA_ERROR_BUFFER_TOO_SMALL;
+ goto exit;
+ }
+
+ if (PSA_ALG_ECDSA_IS_DETERMINISTIC(operation->alg)) {
+
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_det_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ operation->md_alg,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+#else /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ status = PSA_ERROR_NOT_SUPPORTED;
+ goto exit;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
+ } else {
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_sign_restartable(&operation->ctx->grp,
+ &r,
+ &s,
+ &operation->ctx->d,
+ operation->hash,
+ operation->hash_length,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE,
+ &operation->restart_ctx));
+ }
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ if (status == PSA_SUCCESS) {
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&r,
+ signature,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_write_binary(&s,
+ signature +
+ operation->coordinate_bytes,
+ operation->coordinate_bytes)
+ );
+
+ if (status != PSA_SUCCESS) {
+ goto exit;
+ }
+
+ *signature_length = operation->coordinate_bytes * 2;
+
+ status = PSA_SUCCESS;
+ }
+
+exit:
+
+ mbedtls_mpi_free(&r);
+ mbedtls_mpi_free(&s);
+ return status;
+
+ #else
+
+ (void) operation;
+ (void) signature;
+ (void) signature_size;
+ (void) signature_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ return PSA_SUCCESS;
+
+#else
+
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length)
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ size_t coordinate_bytes = 0;
+ size_t required_hash_length = 0;
+
+ if (!PSA_KEY_TYPE_IS_ECC(attributes->core.type)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+ if (!PSA_ALG_IS_ECDSA(alg)) {
+ return PSA_ERROR_NOT_SUPPORTED;
+ }
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ mbedtls_ecdsa_restart_init(&operation->restart_ctx);
+ mbedtls_mpi_init(&operation->r);
+ mbedtls_mpi_init(&operation->s);
+
+ /* Ensure num_ops is zero'ed in case of context re-use. */
+ operation->num_ops = 0;
+
+ /* Ensure default is set even if
+ * mbedtls_psa_interruptible_set_max_ops() has not been called. */
+ mbedtls_psa_interruptible_set_max_ops(
+ mbedtls_psa_interruptible_get_max_ops());
+
+ status = mbedtls_psa_ecp_load_representation(attributes->core.type,
+ attributes->core.bits,
+ key_buffer,
+ key_buffer_size,
+ &operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ coordinate_bytes = PSA_BITS_TO_BYTES(operation->ctx->grp.nbits);
+
+ if (signature_length != 2 * coordinate_bytes) {
+ return PSA_ERROR_INVALID_SIGNATURE;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->r,
+ signature,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_to_psa_error(
+ mbedtls_mpi_read_binary(&operation->s,
+ signature +
+ coordinate_bytes,
+ coordinate_bytes));
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ status = mbedtls_psa_ecp_load_public_part(operation->ctx);
+
+ if (status != PSA_SUCCESS) {
+ return status;
+ }
+
+ /* We only need to store the same length of hash as the private key size
+ * here, it would be truncated by the internal implementation anyway. */
+ required_hash_length = (hash_length < coordinate_bytes ? hash_length :
+ coordinate_bytes);
+
+ if (required_hash_length > sizeof(operation->hash)) {
+ /* Shouldn't happen, but better safe than sorry. */
+ return PSA_ERROR_CORRUPTION_DETECTED;
+ }
+
+ memcpy(operation->hash, hash, required_hash_length);
+ operation->hash_length = required_hash_length;
+
+ return PSA_SUCCESS;
+#else
+ (void) operation;
+ (void) key_buffer;
+ (void) key_buffer_size;
+ (void) alg;
+ (void) hash;
+ (void) hash_length;
+ (void) signature;
+ (void) signature_length;
+ (void) status;
+ (void) coordinate_bytes;
+ (void) required_hash_length;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+
+ status = mbedtls_to_psa_error(
+ mbedtls_ecdsa_verify_restartable(&operation->ctx->grp,
+ operation->hash,
+ operation->hash_length,
+ &operation->ctx->Q,
+ &operation->r,
+ &operation->s,
+ &operation->restart_ctx));
+
+ /* Hide the fact that the restart context only holds a delta of number of
+ * ops done during the last operation, not an absolute value. */
+ operation->num_ops += operation->restart_ctx.ecp.ops_done;
+
+ return status;
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
+
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation)
+{
+
+#if (defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
+ defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)) && \
+ defined(MBEDTLS_ECP_RESTARTABLE)
+
+ if (operation->ctx) {
+ mbedtls_ecdsa_free(operation->ctx);
+ mbedtls_free(operation->ctx);
+ operation->ctx = NULL;
+ }
+
+ mbedtls_ecdsa_restart_free(&operation->restart_ctx);
+
+ operation->num_ops = 0;
+
+ mbedtls_mpi_free(&operation->r);
+ mbedtls_mpi_free(&operation->s);
+
+ return PSA_SUCCESS;
+
+#else
+ (void) operation;
+
+ return PSA_ERROR_NOT_SUPPORTED;
+
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) ||
+ * defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) &&
+ * defined( MBEDTLS_ECP_RESTARTABLE ) */
+}
/****************************************************************/
/* Symmetric cryptography */
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 38e4bc5..b1817e2 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -606,4 +606,272 @@
size_t shared_secret_size,
size_t *shared_secret_length);
+/**
+ * \brief Set the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_set_max_ops entry point. This function behaves as an
+ * interruptible_set_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param[in] max_ops The maximum number of ops to be executed in a
+ * single call, this can be a number from 0 to
+ * #PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, where 0
+ * is obviously the least amount of work done per
+ * call.
+ */
+void mbedtls_psa_interruptible_set_max_ops(uint32_t max_ops);
+
+/**
+ * \brief Get the maximum number of ops allowed to be executed by an
+ * interruptible function in a single call.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * interruptible_get_max_ops entry point. This function behaves as an
+ * interruptible_get_max_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \return Maximum number of ops allowed to be executed
+ * by an interruptible function in a single call.
+ */
+uint32_t mbedtls_psa_interruptible_get_max_ops(void);
+
+/**
+ * \brief Get the number of ops that a hash signing operation has taken for the
+ * previous call. If no call or work has taken place, this will return
+ * zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_get_num_ops entry point. This function behaves as an
+ * sign_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_sign_hash_complete().
+ */
+uint32_t mbedtls_psa_sign_hash_get_num_ops(
+ const mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Get the number of ops that a hash verification operation has taken for
+ * the previous call. If no call or work has taken place, this will
+ * return zero.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_get_num_ops entry point. This function behaves as an
+ * verify_hash_get_num_ops entry point as defined in the PSA driver
+ * interface specification for transparent drivers.
+ *
+ * \param operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \return Number of ops that were completed
+ * in the last call to \c
+ * mbedtls_psa_verify_hash_complete().
+ */
+uint32_t mbedtls_psa_verify_hash_get_num_ops(
+ const mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start signing a hash or short message with a private key, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_start entry point. This function behaves as a
+ * sign_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported, incorrectly formatted or incorrect type of key was
+ * used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED Either no internal interruptible operations
+ * are currently supported, or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory to load the key representation.
+ */
+psa_status_t mbedtls_psa_sign_hash_start(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes. This
+ * must be appropriate for the selected
+ * algorithm and key.
+ * \param[out] signature_length On success, the number of bytes that make up
+ * the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p key.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval #PSA_ERROR_CORRUPTION_DETECTED
+ * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY
+ */
+psa_status_t mbedtls_psa_sign_hash_complete(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+/**
+ * \brief Abort a sign hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver sign_hash_abort
+ * entry point. This function behaves as a sign_hash_abort entry point as
+ * defined in the PSA driver interface specification for transparent
+ * drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_sign_hash_abort(
+ mbedtls_psa_sign_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Start reading and verifying a hash or short message, in an
+ * interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_start entry point. This function behaves as a
+ * verify_hash_start entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ * \param[in] attributes The attributes of the key to use for the
+ * operation.
+ * \param[in] key_buffer The buffer containing the key context.
+ * \param[in] key_buffer_size Size of the \p key_buffer buffer in bytes.
+ * \param[in] alg A signature algorithm that is compatible with
+ * the type of the key.
+ * \param[in] hash The hash whose signature is to be verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation started successfully - call \c psa_sign_hash_complete()
+ * with the same context to complete the operation
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * An unsupported or incorrect type of key was used.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * Either no internal interruptible operations are currently supported,
+ * or the key type is currently unsupported.
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ * There was insufficient memory either to load the key representation,
+ * or to prepare the operation.
+ */
+psa_status_t mbedtls_psa_verify_hash_start(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes,
+ const uint8_t *key_buffer, size_t key_buffer_size,
+ psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+/**
+ * \brief Continue and eventually complete the action of signing a hash or
+ * short message with a private key, in an interruptible manner.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * sign_hash_complete entry point. This function behaves as a
+ * sign_hash_complete entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_sign_hash_interruptible_operation_t
+ * to use. This must be initialized first.
+ *
+ * \retval #PSA_SUCCESS
+ * Operation completed successfully, and the passed signature is valid.
+ *
+ * \retval #PSA_OPERATION_INCOMPLETE
+ * Operation was interrupted due to the setting of \c
+ * psa_interruptible_set_max_ops(), there is still work to be done,
+ * please call this function again with the same operation object.
+ *
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * The calculation was performed successfully, but the passed
+ * signature is not a valid signature.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval #PSA_ERROR_INVALID_ARGUMENT
+ * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
+ */
+psa_status_t mbedtls_psa_verify_hash_complete(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
+/**
+ * \brief Abort a verify signed hash operation.
+ *
+ * \note The signature of this function is that of a PSA driver
+ * verify_hash_abort entry point. This function behaves as a
+ * verify_hash_abort entry point as defined in the PSA driver interface
+ * specification for transparent drivers.
+ *
+ * \param[in] operation The \c
+ * mbedtls_psa_verify_hash_interruptible_operation_t
+ * to abort.
+ *
+ * \retval #PSA_SUCCESS
+ * The operation was aborted successfully.
+ */
+psa_status_t mbedtls_psa_verify_hash_abort(
+ mbedtls_psa_verify_hash_interruptible_operation_t *operation);
+
#endif /* PSA_CRYPTO_CORE_H */
diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h
index da3cd1d..e3edec7 100644
--- a/library/psa_crypto_driver_wrappers.h
+++ b/library/psa_crypto_driver_wrappers.h
@@ -67,6 +67,47 @@
const uint8_t *signature, size_t signature_length);
/*
+ * Interruptible Signature functions
+ */
+
+void psa_driver_wrapper_interruptible_set_max_ops(uint32_t max_ops);
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops(void);
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length);
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length);
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation);
+
+/*
* Key handling functions
*/
diff --git a/library/psa_crypto_ecp.c b/library/psa_crypto_ecp.c
index c4ccefd..f70d804 100644
--- a/library/psa_crypto_ecp.c
+++ b/library/psa_crypto_ecp.c
@@ -404,6 +404,21 @@
return mbedtls_to_psa_error(ret);
}
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp)
+{
+ int ret = 0;
+
+ /* Check whether the public part is loaded. If not, load it. */
+ if (mbedtls_ecp_is_zero(&ecp->Q)) {
+ ret = mbedtls_ecp_mul(&ecp->grp, &ecp->Q,
+ &ecp->d, &ecp->grp.G,
+ mbedtls_psa_get_random,
+ MBEDTLS_PSA_RANDOM_STATE);
+ }
+
+ return mbedtls_to_psa_error(ret);
+}
+
psa_status_t mbedtls_psa_ecdsa_verify_hash(
const psa_key_attributes_t *attributes,
const uint8_t *key_buffer, size_t key_buffer_size,
@@ -412,7 +427,6 @@
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_ecp_keypair *ecp = NULL;
- int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t curve_bytes;
mbedtls_mpi r, s;
@@ -432,34 +446,39 @@
mbedtls_mpi_init(&s);
if (signature_length != 2 * curve_bytes) {
- ret = MBEDTLS_ERR_ECP_VERIFY_FAILED;
+ status = PSA_ERROR_INVALID_SIGNATURE;
goto cleanup;
}
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&r,
- signature,
- curve_bytes));
- MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&s,
- signature + curve_bytes,
- curve_bytes));
-
- /* Check whether the public part is loaded. If not, load it. */
- if (mbedtls_ecp_is_zero(&ecp->Q)) {
- MBEDTLS_MPI_CHK(
- mbedtls_ecp_mul(&ecp->grp, &ecp->Q, &ecp->d, &ecp->grp.G,
- mbedtls_psa_get_random, MBEDTLS_PSA_RANDOM_STATE));
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&r,
+ signature,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
}
- ret = mbedtls_ecdsa_verify(&ecp->grp, hash, hash_length,
- &ecp->Q, &r, &s);
+ status = mbedtls_to_psa_error(mbedtls_mpi_read_binary(&s,
+ signature + curve_bytes,
+ curve_bytes));
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+ status = mbedtls_psa_ecp_load_public_part(ecp);
+ if (status != PSA_SUCCESS) {
+ goto cleanup;
+ }
+
+ status = mbedtls_to_psa_error(mbedtls_ecdsa_verify(&ecp->grp, hash,
+ hash_length, &ecp->Q,
+ &r, &s));
cleanup:
mbedtls_mpi_free(&r);
mbedtls_mpi_free(&s);
mbedtls_ecp_keypair_free(ecp);
mbedtls_free(ecp);
- return mbedtls_to_psa_error(ret);
+ return status;
}
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || \
diff --git a/library/psa_crypto_ecp.h b/library/psa_crypto_ecp.h
index 71f9d6a..c7ef534 100644
--- a/library/psa_crypto_ecp.h
+++ b/library/psa_crypto_ecp.h
@@ -48,6 +48,15 @@
size_t data_length,
mbedtls_ecp_keypair **p_ecp);
+/** Load the public part of an internal ECP, if required.
+ *
+ * \param ecp The ECP context to load the public part for.
+ *
+ * \return PSA_SUCCESS on success, otherwise an MPI error.
+ */
+
+psa_status_t mbedtls_psa_ecp_load_public_part(mbedtls_ecp_keypair *ecp);
+
/** Import an ECP key in binary format.
*
* \note The signature of this function is that of a PSA driver
diff --git a/library/x509.c b/library/x509.c
index 2865c2e..b859df9 100644
--- a/library/x509.c
+++ b/library/x509.c
@@ -1227,8 +1227,9 @@
* nameAssigner [0] DirectoryString OPTIONAL,
* partyName [1] DirectoryString }
*
- * NOTE: we list all types, but only use dNSName and otherName
- * of type HwModuleName, as defined in RFC 4108, at this point.
+ * We list all types, but use the following GeneralName types from RFC 5280:
+ * "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * of type "otherName", as defined in RFC 4108.
*/
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
@@ -1397,7 +1398,19 @@
}
break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case (MBEDTLS_ASN1_CONTEXT_SPECIFIC | MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER):
+ {
+ memset(san, 0, sizeof(mbedtls_x509_subject_alternative_name));
+ san->type = MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER;
+ memcpy(&san->san.unstructured_name,
+ san_buf, sizeof(*san_buf));
+
+ }
+ break;
/*
* dNSName
*/
@@ -1488,7 +1501,23 @@
}/* MBEDTLS_OID_ON_HW_MODULE_NAME */
}
break;
+ /*
+ * uniformResourceIdentifier
+ */
+ case MBEDTLS_X509_SAN_UNIFORM_RESOURCE_IDENTIFIER:
+ {
+ ret = mbedtls_snprintf(p, n, "\n%s uniformResourceIdentifier : ", prefix);
+ MBEDTLS_X509_SAFE_SNPRINTF;
+ if (san.san.unstructured_name.len >= n) {
+ *p = '\0';
+ return MBEDTLS_ERR_X509_BUFFER_TOO_SMALL;
+ }
+ memcpy(p, san.san.unstructured_name.p, san.san.unstructured_name.len);
+ p += san.san.unstructured_name.len;
+ n -= san.san.unstructured_name.len;
+ }
+ break;
/*
* dNSName
*/
diff --git a/scripts/code_style.py b/scripts/code_style.py
index dd8305f..c31fb29 100755
--- a/scripts/code_style.py
+++ b/scripts/code_style.py
@@ -33,6 +33,14 @@
def print_err(*args):
print("Error: ", *args, file=sys.stderr)
+# Print the file names that will be skipped and the help message
+def print_skip(files_to_skip):
+ print()
+ print(*files_to_skip, sep=", SKIP\n", end=", SKIP\n")
+ print("Warning: The listed files will be skipped because\n"
+ "they are not known to git.")
+ print()
+
# Match FILENAME(s) in "check SCRIPT (FILENAME...)"
CHECK_CALL_RE = re.compile(r"\n\s*check\s+[^\s#$&*?;|]+([^\n#$&*?;|]+)",
re.ASCII)
@@ -174,22 +182,27 @@
parser.add_argument('-f', '--fix', action='store_true',
help=('modify source files to fix the code style '
'(default: print diff, do not modify files)'))
- # --files is almost useless: it only matters if there are no files
+ # --subset is almost useless: it only matters if there are no files
# ('code_style.py' without arguments checks all files known to Git,
- # 'code_style.py --files' does nothing). In particular,
- # 'code_style.py --fix --files ...' is intended as a stable ("porcelain")
+ # 'code_style.py --subset' does nothing). In particular,
+ # 'code_style.py --fix --subset ...' is intended as a stable ("porcelain")
# way to restyle a possibly empty set of files.
- parser.add_argument('--files', action='store_true',
+ parser.add_argument('--subset', action='store_true',
help='only check the specified files (default with non-option arguments)')
parser.add_argument('operands', nargs='*', metavar='FILE',
- help='files to check (if none: check files that are known to git)')
+ help='files to check (files MUST be known to git, if none: check all)')
args = parser.parse_args()
- if args.files or args.operands:
- src_files = args.operands
+ covered = frozenset(get_src_files())
+ # We only check files that are known to git
+ if args.subset or args.operands:
+ src_files = [f for f in args.operands if f in covered]
+ skip_src_files = [f for f in args.operands if f not in covered]
+ if skip_src_files:
+ print_skip(skip_src_files)
else:
- src_files = get_src_files()
+ src_files = list(covered)
if args.fix:
# Fix mode
diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
index bdf3315..b35e726 100644
--- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
+++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja
@@ -433,6 +433,269 @@
}
}
+void psa_driver_wrapper_interruptible_set_max_ops( uint32_t max_ops )
+{
+ /* TODO - dispatch to drivers dynamically registered for this
+ * service when registering is implemented. For now, fall
+ * through to internal implementation. */
+
+ mbedtls_psa_interruptible_set_max_ops( max_ops );
+}
+
+uint32_t psa_driver_wrapper_interruptible_get_max_ops( void )
+{
+ /* TODO - dispatch to drivers dynamically registered for this
+ * service when registering is implemented. For now, fall
+ * through to internal implementation. */
+
+ return mbedtls_psa_interruptible_get_max_ops( );
+}
+
+uint32_t psa_driver_wrapper_sign_hash_get_num_ops(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return(mbedtls_psa_sign_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+uint32_t psa_driver_wrapper_verify_hash_get_num_ops(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ /* If uninitialised, return 0, as no work can have been done. */
+ case 0:
+ return 0;
+
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return (mbedtls_psa_verify_hash_get_num_ops(&operation->ctx.mbedtls_ctx));
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_start(
+ psa_sign_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length )
+{
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location =
+ PSA_KEY_LIFETIME_GET_LOCATION(
+ attributes->core.lifetime );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ return( mbedtls_psa_sign_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length ) );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ ( void ) status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ ( void ) operation;
+ ( void ) key_buffer;
+ ( void ) key_buffer_size;
+ ( void ) alg;
+ ( void ) hash;
+ ( void ) hash_length;
+
+ return( status );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_complete(
+ psa_sign_hash_interruptible_operation_t *operation,
+ uint8_t *signature, size_t signature_size,
+ size_t *signature_length )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_complete( &operation->ctx.mbedtls_ctx,
+ signature, signature_size,
+ signature_length ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ ( void ) signature;
+ ( void ) signature_size;
+ ( void ) signature_length;
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_sign_hash_abort(
+ psa_sign_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_sign_hash_abort( &operation->ctx.mbedtls_ctx ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_start(
+ psa_verify_hash_interruptible_operation_t *operation,
+ const psa_key_attributes_t *attributes, const uint8_t *key_buffer,
+ size_t key_buffer_size, psa_algorithm_t alg,
+ const uint8_t *hash, size_t hash_length,
+ const uint8_t *signature, size_t signature_length )
+{
+
+ psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
+ psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(
+ attributes->core.lifetime );
+
+ switch( location )
+ {
+ case PSA_KEY_LOCATION_LOCAL_STORAGE:
+ /* Key is stored in the slot in export representation, so
+ * cycle through all known transparent accelerators */
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+
+ /* Add test driver tests here */
+
+ /* Declared with fallback == true */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+
+ /* Fell through, meaning no accelerator supports this operation */
+ operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID;
+ return( mbedtls_psa_verify_hash_start( &operation->ctx.mbedtls_ctx,
+ attributes,
+ key_buffer, key_buffer_size,
+ alg, hash, hash_length,
+ signature, signature_length
+ ) );
+ break;
+
+ /* Add cases for opaque driver here */
+
+ default:
+ /* Key is declared with a lifetime not known to us */
+ ( void ) status;
+ return( PSA_ERROR_INVALID_ARGUMENT );
+ }
+
+ ( void ) operation;
+ ( void ) key_buffer;
+ ( void ) key_buffer_size;
+ ( void ) alg;
+ ( void ) hash;
+ ( void ) hash_length;
+ ( void ) signature;
+ ( void ) signature_length;
+
+ return( status );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_complete(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_complete(
+ &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
+psa_status_t psa_driver_wrapper_verify_hash_abort(
+ psa_verify_hash_interruptible_operation_t *operation )
+{
+ switch( operation->id )
+ {
+ case PSA_CRYPTO_MBED_TLS_DRIVER_ID:
+ return( mbedtls_psa_verify_hash_abort( &operation->ctx.mbedtls_ctx
+ ) );
+
+#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
+#if defined(PSA_CRYPTO_DRIVER_TEST)
+ /* Add test driver tests here */
+
+#endif /* PSA_CRYPTO_DRIVER_TEST */
+#endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */
+ }
+
+ return( PSA_ERROR_INVALID_ARGUMENT );
+}
+
/** Calculate the key buffer size required to store the key material of a key
* associated with an opaque driver from input key data.
*
diff --git a/scripts/make_generated_files.bat b/scripts/make_generated_files.bat
index e9d9275..9cf34f6 100644
--- a/scripts/make_generated_files.bat
+++ b/scripts/make_generated_files.bat
@@ -11,4 +11,5 @@
perl scripts\generate_visualc_files.pl || exit /b 1
python scripts\generate_psa_constants.py || exit /b 1
python tests\scripts\generate_bignum_tests.py || exit /b 1
+python tests\scripts\generate_ecp_tests.py || exit /b 1
python tests\scripts\generate_psa_tests.py || exit /b 1
diff --git a/scripts/mbedtls_dev/ecp.py b/scripts/mbedtls_dev/ecp.py
new file mode 100644
index 0000000..6370d25
--- /dev/null
+++ b/scripts/mbedtls_dev/ecp.py
@@ -0,0 +1,168 @@
+"""Framework classes for generation of ecp test cases."""
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+from typing import List
+
+from . import test_data_generation
+from . import bignum_common
+
+class EcpTarget(test_data_generation.BaseTarget):
+ #pylint: disable=abstract-method, too-few-public-methods
+ """Target for ecp test case generation."""
+ target_basename = 'test_suite_ecp.generated'
+
+class EcpP192R1Raw(bignum_common.ModOperationCommon,
+ EcpTarget):
+ """Test cases for ecp quasi_reduction()."""
+ symbol = "-"
+ test_function = "ecp_mod_p192_raw"
+ test_name = "ecp_mod_p192_raw"
+ input_style = "fixed"
+ arity = 1
+
+ moduli = ["fffffffffffffffffffffffffffffffeffffffffffffffff"] # type: List[str]
+
+ input_values = [
+ "0", "1",
+
+ # Modulus - 1
+ "fffffffffffffffffffffffffffffffefffffffffffffffe",
+
+ # First 8 number generated by random.getrandbits(384) - seed(2,2)
+ ("cf1822ffbc6887782b491044d5e341245c6e433715ba2bdd"
+ "177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
+ ("ffed9235288bc781ae66267594c9c9500925e4749b575bd1"
+ "3653f8dd9b1f282e4067c3584ee207f8da94e3e8ab73738f"),
+ ("ef8acd128b4f2fc15f3f57ebf30b94fa82523e86feac7eb7"
+ "dc38f519b91751dacdbd47d364be8049a372db8f6e405d93"),
+ ("e8624fab5186ee32ee8d7ee9770348a05d300cb90706a045"
+ "defc044a09325626e6b58de744ab6cce80877b6f71e1f6d2"),
+ ("2d3d854e061b90303b08c6e33c7295782d6c797f8f7d9b78"
+ "2a1be9cd8697bbd0e2520e33e44c50556c71c4a66148a86f"),
+ ("fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"
+ "5c14bc4a829e07b0829a48d422fe99a22c70501e533c9135"),
+ ("97eeab64ca2ce6bc5d3fd983c34c769fe89204e2e8168561"
+ "867e5e15bc01bfce6a27e0dfcbf8754472154e76e4c11ab2"),
+ ("bd143fa9b714210c665d7435c1066932f4767f26294365b2"
+ "721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b"),
+
+ # Next 2 number generated by random.getrandbits(192)
+ "47733e847d718d733ff98ff387c56473a7a83ee0761ebfd2",
+ "cbd4d3e2d4dec9ef83f0be4e80371eb97f81375eecc1cb63"
+ ]
+
+ @property
+ def arg_a(self) -> str:
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
+
+class EcpP521R1Raw(bignum_common.ModOperationCommon,
+ EcpTarget):
+ """Test cases for ecp quasi_reduction()."""
+ test_function = "ecp_mod_p521_raw"
+ test_name = "ecp_mod_p521_raw"
+ input_style = "arch_split"
+ arity = 1
+
+ moduli = [("01ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff")
+ ] # type: List[str]
+
+ input_values = [
+ "0", "1",
+
+ # Corner case: maximum canonical P521 multiplication result
+ ("0003ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "fffff800"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "0000000000000000000000000000000000000000000000000000000000000004"),
+
+ # Test case for overflow during addition
+ ("0001efffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff"
+ "000001ef"
+ "0000000000000000000000000000000000000000000000000000000000000000"
+ "000000000000000000000000000000000000000000000000000000000f000000"),
+
+ # First 8 number generated by random.getrandbits(1042) - seed(2,2)
+ ("0003cc2e82523e86feac7eb7dc38f519b91751dacdbd47d364be8049a372db8f"
+ "6e405d93ffed9235288bc781ae66267594c9c9500925e4749b575bd13653f8dd"
+ "9b1f282e"
+ "4067c3584ee207f8da94e3e8ab73738fcf1822ffbc6887782b491044d5e34124"
+ "5c6e433715ba2bdd177219d30e7a269fd95bafc8f2a4d27bdcf4bb99f4bea973"),
+ ("00017052829e07b0829a48d422fe99a22c70501e533c91352d3d854e061b9030"
+ "3b08c6e33c7295782d6c797f8f7d9b782a1be9cd8697bbd0e2520e33e44c5055"
+ "6c71c4a6"
+ "6148a86fe8624fab5186ee32ee8d7ee9770348a05d300cb90706a045defc044a"
+ "09325626e6b58de744ab6cce80877b6f71e1f6d2ef8acd128b4f2fc15f3f57eb"),
+ ("00021f15a7a83ee0761ebfd2bd143fa9b714210c665d7435c1066932f4767f26"
+ "294365b2721dea3bf63f23d0dbe53fcafb2147df5ca495fa5a91c89b97eeab64"
+ "ca2ce6bc"
+ "5d3fd983c34c769fe89204e2e8168561867e5e15bc01bfce6a27e0dfcbf87544"
+ "72154e76e4c11ab2fec3f6b32e8d4b8a8f54f8ceacaab39e83844b40ffa9b9f1"),
+ ("000381bc2a838af8d5c44a4eb3172062d08f1bb2531d6460f0caeef038c89b38"
+ "a8acb5137c9260dc74e088a9b9492f258ebdbfe3eb9ac688b9d39cca91551e82"
+ "59cc60b1"
+ "7604e4b4e73695c3e652c71a74667bffe202849da9643a295a9ac6decbd4d3e2"
+ "d4dec9ef83f0be4e80371eb97f81375eecc1cb6347733e847d718d733ff98ff3"),
+ ("00034816c8c69069134bccd3e1cf4f589f8e4ce0af29d115ef24bd625dd961e6"
+ "830b54fa7d28f93435339774bb1e386c4fd5079e681b8f5896838b769da59b74"
+ "a6c3181c"
+ "81e220df848b1df78feb994a81167346d4c0dca8b4c9e755cc9c3adcf515a823"
+ "4da4daeb4f3f87777ad1f45ae9500ec9c5e2486c44a4a8f69dc8db48e86ec9c6"),
+ ("000397846c4454b90f756132e16dce72f18e859835e1f291d322a7353ead4efe"
+ "440e2b4fda9c025a22f1a83185b98f5fc11e60de1b343f52ea748db9e020307a"
+ "aeb6db2c"
+ "3a038a709779ac1f45e9dd320c855fdfa7251af0930cdbd30f0ad2a81b2d19a2"
+ "beaa14a7ff3fe32a30ffc4eed0a7bd04e85bfcdd0227eeb7b9d7d01f5769da05"),
+ ("00002c3296e6bc4d62b47204007ee4fab105d83e85e951862f0981aebc1b00d9"
+ "2838e766ef9b6bf2d037fe2e20b6a8464174e75a5f834da70569c018eb2b5693"
+ "babb7fbb"
+ "0a76c196067cfdcb11457d9cf45e2fa01d7f4275153924800600571fac3a5b26"
+ "3fdf57cd2c0064975c3747465cc36c270e8a35b10828d569c268a20eb78ac332"),
+ ("00009d23b4917fc09f20dbb0dcc93f0e66dfe717c17313394391b6e2e6eacb0f"
+ "0bb7be72bd6d25009aeb7fa0c4169b148d2f527e72daf0a54ef25c0707e33868"
+ "7d1f7157"
+ "5653a45c49390aa51cf5192bbf67da14be11d56ba0b4a2969d8055a9f03f2d71"
+ "581d8e830112ff0f0948eccaf8877acf26c377c13f719726fd70bddacb4deeec"),
+
+ # Next 2 number generated by random.getrandbits(521)
+ ("12b84ae65e920a63ac1f2b64df6dff07870c9d531ae72a47403063238da1a1fe"
+ "3f9d6a179fa50f96cd4aff9261aa92c0e6f17ec940639bc2ccdf572df00790813e3"),
+ ("166049dd332a73fa0b26b75196cf87eb8a09b27ec714307c68c425424a1574f1"
+ "eedf5b0f16cdfdb839424d201e653f53d6883ca1c107ca6e706649889c0c7f38608")
+ ]
+
+ @property
+ def arg_a(self) -> str:
+ # Number of limbs: 2 * N
+ return super().format_arg('{:x}'.format(self.int_a)).zfill(2 * self.hex_digits)
+
+ def result(self) -> List[str]:
+ result = self.int_a % self.int_n
+ return [self.format_result(result)]
+
+ @property
+ def is_valid(self) -> bool:
+ return True
diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt
index 4a7de82..4549a7a 100644
--- a/tests/CMakeLists.txt
+++ b/tests/CMakeLists.txt
@@ -32,6 +32,18 @@
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ --list-for-cmake
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ OUTPUT_VARIABLE
+ base_ecp_generated_data_files)
+string(REGEX REPLACE "[^;]*/" ""
+ base_ecp_generated_data_files "${base_ecp_generated_data_files}")
+
+execute_process(
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_psa_tests.py
--list-for-cmake
WORKING_DIRECTORY
@@ -44,14 +56,18 @@
# Derive generated file paths in the build directory. The generated data
# files go into the suites/ subdirectory.
set(base_generated_data_files
- ${base_bignum_generated_data_files} ${base_psa_generated_data_files})
+ ${base_bignum_generated_data_files} ${base_ecp_generated_data_files} ${base_psa_generated_data_files})
string(REGEX REPLACE "([^;]+)" "suites/\\1"
all_generated_data_files "${base_generated_data_files}")
set(bignum_generated_data_files "")
+set(ecp_generated_data_files "")
set(psa_generated_data_files "")
foreach(file ${base_bignum_generated_data_files})
list(APPEND bignum_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
+foreach(file ${base_ecp_generated_data_files})
+ list(APPEND ecp_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
+endforeach()
foreach(file ${base_psa_generated_data_files})
list(APPEND psa_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
@@ -77,6 +93,22 @@
)
add_custom_command(
OUTPUT
+ ${ecp_generated_data_files}
+ WORKING_DIRECTORY
+ ${CMAKE_CURRENT_SOURCE_DIR}/..
+ COMMAND
+ ${MBEDTLS_PYTHON_EXECUTABLE}
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ --directory ${CMAKE_CURRENT_BINARY_DIR}/suites
+ DEPENDS
+ ${CMAKE_CURRENT_SOURCE_DIR}/../tests/scripts/generate_ecp_tests.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/bignum_common.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/ecp.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_case.py
+ ${CMAKE_CURRENT_SOURCE_DIR}/../scripts/mbedtls_dev/test_data_generation.py
+ )
+ add_custom_command(
+ OUTPUT
${psa_generated_data_files}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
@@ -107,6 +139,7 @@
# With this line, only 4 sub-makefiles include the above command, that reduces
# the risk of a race.
add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files})
+add_custom_target(test_suite_ecp_generated_data DEPENDS ${ecp_generated_data_files})
add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files})
# If SKIP_TEST_SUITES is not defined with -D, get it from the environment.
if((NOT DEFINED SKIP_TEST_SUITES) AND (DEFINED ENV{SKIP_TEST_SUITES}))
@@ -129,6 +162,7 @@
# Get the test names of the tests with generated .data files
# from the generated_data_files list in parent scope.
set(bignum_generated_data_names "")
+ set(ecp_generated_data_names "")
set(psa_generated_data_names "")
foreach(generated_data_file ${bignum_generated_data_files})
# Get the plain filename
@@ -139,6 +173,15 @@
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND bignum_generated_data_names ${generated_data_name})
endforeach()
+ foreach(generated_data_file ${ecp_generated_data_files})
+ # Get the plain filename
+ get_filename_component(generated_data_name ${generated_data_file} NAME)
+ # Remove the ".data" extension
+ get_name_without_last_ext(generated_data_name ${generated_data_name})
+ # Remove leading "test_suite_"
+ string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
+ list(APPEND ecp_generated_data_names ${generated_data_name})
+ endforeach()
foreach(generated_data_file ${psa_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
@@ -153,6 +196,10 @@
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_bignum_generated_data)
+ elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};")
+ set(data_file
+ ${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
+ set(dependency test_suite_ecp_generated_data)
elseif(";${psa_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
@@ -160,7 +207,7 @@
else()
set(data_file
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data)
- set(dependency test_suite_bignum_generated_data test_suite_psa_generated_data)
+ set(dependency test_suite_bignum_generated_data test_suite_ecp_generated_data test_suite_psa_generated_data)
endif()
add_custom_command(
diff --git a/tests/Makefile b/tests/Makefile
index 312607e..c9283c9 100644
--- a/tests/Makefile
+++ b/tests/Makefile
@@ -73,6 +73,13 @@
ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)
$(error "$(PYTHON) scripts/generate_bignum_tests.py --list" failed)
endif
+GENERATED_ECP_DATA_FILES := $(patsubst tests/%,%,$(shell \
+ $(PYTHON) scripts/generate_ecp_tests.py --list || \
+ echo FAILED \
+))
+ifeq ($(GENERATED_ECP_DATA_FILES),FAILED)
+$(error "$(PYTHON) scripts/generate_ecp_tests.py --list" failed)
+endif
GENERATED_PSA_DATA_FILES := $(patsubst tests/%,%,$(shell \
$(PYTHON) scripts/generate_psa_tests.py --list || \
echo FAILED \
@@ -80,7 +87,7 @@
ifeq ($(GENERATED_PSA_DATA_FILES),FAILED)
$(error "$(PYTHON) scripts/generate_psa_tests.py --list" failed)
endif
-GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES)
+GENERATED_FILES := $(GENERATED_PSA_DATA_FILES) $(GENERATED_ECP_DATA_FILES) $(GENERATED_BIGNUM_DATA_FILES)
generated_files: $(GENERATED_FILES)
# generate_bignum_tests.py and generate_psa_tests.py spend more time analyzing
@@ -89,7 +96,7 @@
# It's rare not to want all the outputs. So always generate all of its outputs.
# Use an intermediate phony dependency so that parallel builds don't run
# a separate instance of the recipe for each output file.
-.SECONDARY: generated_bignum_test_data generated_psa_test_data
+.SECONDARY: generated_bignum_test_data generated_ecp_test_data generated_psa_test_data
$(GENERATED_BIGNUM_DATA_FILES): generated_bignum_test_data
generated_bignum_test_data: scripts/generate_bignum_tests.py
generated_bignum_test_data: ../scripts/mbedtls_dev/bignum_common.py
@@ -102,6 +109,16 @@
echo " Gen $(GENERATED_BIGNUM_DATA_FILES)"
$(PYTHON) scripts/generate_bignum_tests.py
+$(GENERATED_ECP_DATA_FILES): generated_ecp_test_data
+generated_ecp_test_data: scripts/generate_ecp_tests.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/bignum_common.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/ecp.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/test_case.py
+generated_ecp_test_data: ../scripts/mbedtls_dev/test_data_generation.py
+generated_ecp_test_data:
+ echo " Gen $(GENERATED_ECP_DATA_FILES)"
+ $(PYTHON) scripts/generate_ecp_tests.py
+
$(GENERATED_PSA_DATA_FILES): generated_psa_test_data
generated_psa_test_data: scripts/generate_psa_tests.py
generated_psa_test_data: ../scripts/mbedtls_dev/crypto_knowledge.py
diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile
index 070f538..622a289 100644
--- a/tests/data_files/Makefile
+++ b/tests/data_files/Makefile
@@ -336,6 +336,12 @@
$(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS Tricky IP SAN" -set_serial 77 -config $(test_ca_config_file) -extensions tricky_ip_san -days 3650 -sha256 -key server5.key -out $@
all_final += server5-tricky-ip-san.crt
+rsa_single_san_uri.crt.der: rsa_single_san_uri.key
+ $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
+
+rsa_multiple_san_uri.crt.der: rsa_multiple_san_uri.key
+ $(OPENSSL) req -x509 -outform der -nodes -days 7300 -newkey rsa:2048 -key $< -out $@ -addext "subjectAltName = URI:urn:example.com:5ff40f78-9210-494f-8206-c2c082f0609c, URI:urn:example.com:5ff40f78-9210-494f-8206-abcde1234567" -extensions 'v3_req' -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS URI SAN"
+
server10-badsign.crt: server10.crt
{ head -n-2 $<; tail -n-2 $< | sed -e '1s/0\(=*\)$$/_\1/' -e '1s/[^_=]\(=*\)$$/0\1/' -e '1s/_/1/'; } > $@
all_final += server10-badsign.crt
@@ -911,6 +917,70 @@
$(OPENSSL) pkey -in $< -inform DER -out $@
all_final += ec_prv.pk8param.pem
+ec_prv.sec1.comp.pem: ec_prv.sec1.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_prv.sec1.comp.pem
+
+ec_224_prv.comp.pem: ec_224_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_224_prv.comp.pem
+
+ec_256_prv.comp.pem: ec_256_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_256_prv.comp.pem
+
+ec_384_prv.comp.pem: ec_384_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_384_prv.comp.pem
+
+ec_521_prv.comp.pem: ec_521_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_521_prv.comp.pem
+
+ec_bp256_prv.comp.pem: ec_bp256_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp256_prv.comp.pem
+
+ec_bp384_prv.comp.pem: ec_bp384_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp384_prv.comp.pem
+
+ec_bp512_prv.comp.pem: ec_bp512_prv.pem
+ $(OPENSSL) ec -in $< -out $@ -conv_form compressed
+all_final += ec_bp512_prv.comp.pem
+
+ec_pub.comp.pem: ec_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_pub.comp.pem
+
+ec_224_pub.comp.pem: ec_224_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_224_pub.comp.pem
+
+ec_256_pub.comp.pem: ec_256_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_256_pub.comp.pem
+
+ec_384_pub.comp.pem: ec_384_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_384_pub.comp.pem
+
+ec_521_pub.comp.pem: ec_521_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_521_pub.comp.pem
+
+ec_bp256_pub.comp.pem: ec_bp256_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp256_pub.comp.pem
+
+ec_bp384_pub.comp.pem: ec_bp384_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp384_pub.comp.pem
+
+ec_bp512_pub.comp.pem: ec_bp512_pub.pem
+ $(OPENSSL) ec -pubin -in $< -out $@ -conv_form compressed
+all_final += ec_bp512_pub.comp.pem
+
################################################################
### Generate CSRs for X.509 write test suite
################################################################
@@ -1205,6 +1275,10 @@
echo -e "Hello\xd" > $@
all_final += $(pkcs7_test_file)
+pkcs7_zerolendata.bin:
+ printf '' > $@
+all_final += pkcs7_zerolendata.bin
+
pkcs7_data_1.bin:
echo -e "2\xd" > $@
all_final += pkcs7_data_1.bin
@@ -1238,6 +1312,11 @@
$(OPENSSL) x509 -in pkcs7-rsa-sha256-2.crt -out $@ -outform DER
all_final += pkcs7-rsa-sha256-2.der
+# pkcs7 signature file over zero-len data
+pkcs7_zerolendata_detached.der: pkcs7_zerolendata.bin pkcs7-rsa-sha256-1.key pkcs7-rsa-sha256-1.crt
+ $(OPENSSL) smime -sign -md sha256 -nocerts -noattr -in pkcs7_zerolendata.bin -inkey pkcs7-rsa-sha256-1.key -outform DER -binary -signer pkcs7-rsa-sha256-1.crt -out pkcs7_zerolendata_detached.der
+all_final += pkcs7_zerolendata_detached.der
+
# pkcs7 signature file with CERT
pkcs7_data_cert_signed_sha256.der: $(pkcs7_test_file) $(pkcs7_test_cert_1)
$(OPENSSL) smime -sign -binary -in pkcs7_data.bin -out $@ -md sha256 -signer pkcs7-rsa-sha256-1.pem -noattr -outform DER -out $@
diff --git a/tests/data_files/ec_224_prv.comp.pem b/tests/data_files/ec_224_prv.comp.pem
new file mode 100644
index 0000000..e7ed538
--- /dev/null
+++ b/tests/data_files/ec_224_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MEwCAQEEHGhJ+X0QZvaZd1ljfH44mUZM7j7HrJcGU6C+B0KgBwYFK4EEACGhIAMe
+AAMWk6KQ9/C1cf4rQdXYSwEydjH0qGD5lfozLAl/
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_224_pub.comp.pem b/tests/data_files/ec_224_pub.comp.pem
new file mode 100644
index 0000000..159366c
--- /dev/null
+++ b/tests/data_files/ec_224_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDIwEAYHKoZIzj0CAQYFK4EEACEDHgADFpOikPfwtXH+K0HV2EsBMnYx9Khg+ZX6
+MywJfw==
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_256_prv.comp.pem b/tests/data_files/ec_256_prv.comp.pem
new file mode 100644
index 0000000..9ef8c97
--- /dev/null
+++ b/tests/data_files/ec_256_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MFcCAQEEIEnJqMGMS4hWOMQxzx3xyZQTFgm1gNT9Q6DKsX2y8T7uoAoGCCqGSM49
+AwEHoSQDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyhsONTUYNLCLZeC1c=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_256_pub.comp.pem b/tests/data_files/ec_256_pub.comp.pem
new file mode 100644
index 0000000..bf9655d
--- /dev/null
+++ b/tests/data_files/ec_256_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDIgADd3Jlb4FLOZJ51eHxeB+sbwmaPFyh
+sONTUYNLCLZeC1c=
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_384_prv.comp.pem b/tests/data_files/ec_384_prv.comp.pem
new file mode 100644
index 0000000..3125b41
--- /dev/null
+++ b/tests/data_files/ec_384_prv.comp.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHQCAQEEMD9djZvigLVpbMXMn5TPivfmth3WWSsqsrOkxgdFBBfsMn3Nyu18EAU9
+cZoFdPCnaqAHBgUrgQQAIqE0AzIAA9nGYrULopykeZBFDgQ66vTwxpsVZ20RL2Iq
+cckwWa+ZlpHFaA0rRNERV52xL0pBOg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_384_pub.comp.pem b/tests/data_files/ec_384_pub.comp.pem
new file mode 100644
index 0000000..ccb6702
--- /dev/null
+++ b/tests/data_files/ec_384_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MEYwEAYHKoZIzj0CAQYFK4EEACIDMgAD2cZitQuinKR5kEUOBDrq9PDGmxVnbREv
+YipxyTBZr5mWkcVoDStE0RFXnbEvSkE6
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_521_prv.comp.pem b/tests/data_files/ec_521_prv.comp.pem
new file mode 100644
index 0000000..314c393
--- /dev/null
+++ b/tests/data_files/ec_521_prv.comp.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGYAgEBBEIBsbatB7t55zINpZhg6ijgVShPYFjyed5mbgbUNdKve9oo2Z+ke33Q
+lj4WsAcweO6LijjZZqWC9G0Z/5XfOtloWq6gBwYFK4EEACOhRgNEAAMAHeFC1U9p
+6wOO5LevnTygdzb9nPcZ6zVNaYee5/PBNvsPv58I+Gvl+hKOwaBR0+bGQ+ha2o/6
+zzZjwmC9LIRLb1Y=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_521_pub.comp.pem b/tests/data_files/ec_521_pub.comp.pem
new file mode 100644
index 0000000..4bb8c2b
--- /dev/null
+++ b/tests/data_files/ec_521_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFgwEAYHKoZIzj0CAQYFK4EEACMDRAADAB3hQtVPaesDjuS3r508oHc2/Zz3Ges1
+TWmHnufzwTb7D7+fCPhr5foSjsGgUdPmxkPoWtqP+s82Y8JgvSyES29W
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp256_prv.comp.pem b/tests/data_files/ec_bp256_prv.comp.pem
new file mode 100644
index 0000000..198d21d
--- /dev/null
+++ b/tests/data_files/ec_bp256_prv.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MFgCAQEEICFh1vLbdlJvpiwW81aoDwHzL3dnhLNqqZeZqLdmIID/oAsGCSskAwMC
+CAEBB6EkAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm7G1hbBRuE/HH34Cb
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp256_pub.comp.pem b/tests/data_files/ec_bp256_pub.comp.pem
new file mode 100644
index 0000000..ecd07bc
--- /dev/null
+++ b/tests/data_files/ec_bp256_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDowFAYHKoZIzj0CAQYJKyQDAwIIAQEHAyIAA3aMjK5KvKYwbbDtgbDEpiFcN4Bm
+7G1hbBRuE/HH34Cb
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp384_prv.comp.pem b/tests/data_files/ec_bp384_prv.comp.pem
new file mode 100644
index 0000000..c0e2393
--- /dev/null
+++ b/tests/data_files/ec_bp384_prv.comp.pem
@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHgCAQEEMD3ZLnUNkNfTn8GIXNitEuqUQfIrkzS02WUgKtsUSM4kxYCKhd2a/CKa
+8KMST3Vby6ALBgkrJAMDAggBAQuhNAMyAAJxn50JOmJ+DTUDhcZhzr8AxhkjVm/p
+AGoxB68dhxvGu2iYX9ci6jK+MW+OeDt80ZU=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp384_pub.comp.pem b/tests/data_files/ec_bp384_pub.comp.pem
new file mode 100644
index 0000000..638666d
--- /dev/null
+++ b/tests/data_files/ec_bp384_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MEowFAYHKoZIzj0CAQYJKyQDAwIIAQELAzIAAnGfnQk6Yn4NNQOFxmHOvwDGGSNW
+b+kAajEHrx2HG8a7aJhf1yLqMr4xb454O3zRlQ==
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_bp512_prv.comp.pem b/tests/data_files/ec_bp512_prv.comp.pem
new file mode 100644
index 0000000..73b1c07
--- /dev/null
+++ b/tests/data_files/ec_bp512_prv.comp.pem
@@ -0,0 +1,6 @@
+-----BEGIN EC PRIVATE KEY-----
+MIGYAgEBBEA3LJd49p9ybLyj9KJo8WtNYX0QKA15pqApzVGHn+EBKTTf5TlUVTN9
+9pBtx9bS7qTbsgZcAij3Oz7XFkgOfXHSoAsGCSskAwMCCAEBDaFEA0IAAji37JK2
+HFxsf7wopOx1nUj81OLjdN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrH
+zndr2yUd1kvOcSM=
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_bp512_pub.comp.pem b/tests/data_files/ec_bp512_pub.comp.pem
new file mode 100644
index 0000000..c2fbdca
--- /dev/null
+++ b/tests/data_files/ec_bp512_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MFowFAYHKoZIzj0CAQYJKyQDAwIIAQENA0IAAji37JK2HFxsf7wopOx1nUj81OLj
+dN79XElopU2+91EOUXiG+/w46jmqUpNZ1wpxVsNdPLrHzndr2yUd1kvOcSM=
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/ec_prv.sec1.comp.pem b/tests/data_files/ec_prv.sec1.comp.pem
new file mode 100644
index 0000000..ada14c2
--- /dev/null
+++ b/tests/data_files/ec_prv.sec1.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN EC PRIVATE KEY-----
+MEcCAQEEGDOOhqiB4jj1Sb1vBVNJS3Pj1hEw/cbJbaAKBggqhkjOPQMBAaEcAxoA
+A1F1vN8wo3DznVOT5hJyiNgBZ7X0tLd2xg==
+-----END EC PRIVATE KEY-----
diff --git a/tests/data_files/ec_pub.comp.pem b/tests/data_files/ec_pub.comp.pem
new file mode 100644
index 0000000..a3742a3
--- /dev/null
+++ b/tests/data_files/ec_pub.comp.pem
@@ -0,0 +1,4 @@
+-----BEGIN PUBLIC KEY-----
+MDEwEwYHKoZIzj0CAQYIKoZIzj0DAQEDGgACvHl9s65/COw9SWtPtBGz9iClWKUB
+4CIt
+-----END PUBLIC KEY-----
diff --git a/tests/data_files/pkcs7_zerolendata.bin b/tests/data_files/pkcs7_zerolendata.bin
new file mode 100644
index 0000000..e69de29
--- /dev/null
+++ b/tests/data_files/pkcs7_zerolendata.bin
diff --git a/tests/data_files/pkcs7_zerolendata_detached.der b/tests/data_files/pkcs7_zerolendata_detached.der
new file mode 100644
index 0000000..2a389ab
--- /dev/null
+++ b/tests/data_files/pkcs7_zerolendata_detached.der
Binary files differ
diff --git a/tests/data_files/rsa_multiple_san_uri.crt.der b/tests/data_files/rsa_multiple_san_uri.crt.der
new file mode 100644
index 0000000..ac5fab2
--- /dev/null
+++ b/tests/data_files/rsa_multiple_san_uri.crt.der
Binary files differ
diff --git a/tests/data_files/rsa_multiple_san_uri.key b/tests/data_files/rsa_multiple_san_uri.key
new file mode 100644
index 0000000..c8c3492
--- /dev/null
+++ b/tests/data_files/rsa_multiple_san_uri.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCxc5q8z8XR6vH2
+1Ko29Mk3dOKpSOrX9Tb5HtmCQMoKIxnTUQrNkVeOQtiQt6XZo05cbA6Z87kWDgGJ
+P/5Lxofrx13Rp1xZzZ+0AAPfvUCY5tzZwmicQWvu9st6JwTyaLTCzSt0cPTUs5Hi
+hJt9RzSW6GTk5ANjjgoewOMhwh5f84JRURJ2INZjz4namBGe/9f14ZHxKWuxl5in
++z582rSEhLXrPLbaKjT3Jphff51xsusC+pP0xNqkAcrGJ+/Jk0Vk6ClRCd40ZcTB
+4SkOqsZ8/uGWnradkrN74PoMMnSKKOuxlsVMPfzMkrlMbuazO4nK/osTAnoSqMUv
+COBdXkTtAgMBAAECggEANVlTIQa6K3UeD546GlGXmQOcDVbtu8VuJJFgxScjVs7c
+uco4nDrg/tUb9M4xn2/YZDLcZO6AK6BEV/YURsXGIV2L2DcfraQDKoOCpqZoIE/v
+/8vR1YBZqbsqy2ulshdGmPZD5Tr8cGIYLui9MnnQ1rnBc4sVdb3DTyGgZ4rLxP6X
+0BoHw+LQA0wwSbE/NW71qmeDSEDkSkUQISVg6Rp06U0PZaJAWtYoBNKGAsDGAhjc
+vVTXE5B9d+3yOM0InCWFsM/bUvaUv/yxxTcZnVq9Lji3KwDhy63F99pUaFnV6Rf2
+3CKO3VHegWSwMcnYaBbufDqWPHuEDSlZ0nRhrbrKRQKBgQD6dQd0xPHfxIz5l+AC
+1kPHIsUKPEirrJKTVHlxQwT0yVpD+yUkF95HY6NgHVHKnRP9qicqr3raIfA01VQc
+y+lhXo6xUAqYsKvB9m4njERFWMTCVSVU30Klhic/s4R/1abKlvkax1SiQFIRStqC
+onsZ0M1Isw69/I8Yha3mzv/gvwKBgQC1YPXnd5dZmdbe0UibBWjU5X6AQGt+oxL+
++6EP3EfuRmYI3i3r2bdbB3ELd95f8tgV0UagmjQfFoigBsuRfbhrQEPSHMBWYpAV
++TZKxUvmpJXwLEgxcPv7VTTvxw0qL1u1s/dX6WBfEOUgVzPgcp+IJGEr1MZekTqt
+P65coDpZUwKBgAmrLuiBGd1Lly2jgVBauS8c1oJ4pU2LUfVCE5Ydwjk49LUfIuXr
+zfbvj8UMHLY3rifiw7RQJev5124StjaOYKoTnmqV7nLKjzbjroj0T0ZmEOJ3qwNF
+wyrkrOs2oOzWcKPthBxWiZvh48krHJhicWIjv2kJEI6hC10k+/unDhW9AoGAZyRg
+MeRb+OP2wHaapy0IVCi9Kwl3F2h8oOtOx8ooTWNTGq/dxUTlc6pjqnXbyww5vQ5o
+72NBSHxz7SxwDqhDexnsd0tKRNV/wj8ZlKNlah8l9JH568OoR2BI3iF/ZwHPUSCq
+Ax//YZAl+6IbKgOEnNKzP02cEKLdjy+rY5jqFWkCgYEAmEl4mg1IGoVDM6d3iIPP
+JLz5DghV8kP++99vFrJx07D6e/uhzojR73Ye+fq69Vy0yjGXpaRPwwHfvPzDA1hm
+ir7rJWsbbskR+iTn2yKvIpB1wBI1u0SQ4lnJ1ZIVJPVlh4yA29JvPT7/7/2nQ/s6
+v0N2oKrfaiKc7BjCz3eYW4Q=
+-----END PRIVATE KEY-----
diff --git a/tests/data_files/rsa_single_san_uri.crt.der b/tests/data_files/rsa_single_san_uri.crt.der
new file mode 100644
index 0000000..22308c6
--- /dev/null
+++ b/tests/data_files/rsa_single_san_uri.crt.der
Binary files differ
diff --git a/tests/data_files/rsa_single_san_uri.key b/tests/data_files/rsa_single_san_uri.key
new file mode 100644
index 0000000..bb6c0ca
--- /dev/null
+++ b/tests/data_files/rsa_single_san_uri.key
@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCng06zdlkhYiBK
+43H+cK+vkHYvvRA2RtWbLMw+9rV9IrdGQ+iQQ/X1SZfDl2hWUiKTpabcuGYzY38H
+lXW4UXwTB36KEe7G3yF/fbvYzNsdUCAVOzNs/0EMvXJeD/Dm5CBMEsG6V0ovHmkc
+c80fQYQiSxgjpWyRpKdP+z/2imGph9onuu7EWOpAXGArozlLL5OixQ2dmutsc5ap
+hfgwq6za00uKsFifolRtAhiH86N0vjiAJkzZR83uBlI285sj5+EzRrtjVv+kgsLW
+gLDlj3bgsuKQDfxWhe+mpy2PIJ41kqktCz1qew3wyHI2ysE+6htHYQMNbCtkRMdX
+/4t1yx95AgMBAAECggEAIIhn6IK7nLgp/WFe6kOIW1h7G5pkY6YuJgz1PeU8Kilr
+3sGhkSMhyZmZV+s34EvjWzl4xrUpZCGWsipcyodIyYlTEg2ZihYbs17/9IMUqwS8
+tmLhAfIw+ABzDcGaz7zOaPfbmA0L40rMrzHuTHu05dQfxAyEoWSQ+f+Z1I/bl8jy
+GdXQVtqZzqJcWXbXt+3+B4f2/d7K5xzb7lv/8zhAf/zoG9srMByPa6/Do5rVas5Q
+NmzJPwXngxE5dJcHsWU4FkHbSbJj0khW858MJ4o5Ddw5ZOPimqlcmpClb01wCdXf
+13o2ozKGE/xq3InU7MA4ad0tLMdEM8R7yhUZ9Xe/gQKBgQDYXt4BhiamnSl1tHR8
+MiiyzkcZuVH04/A6FsnUhcbQF9iCqO9szw50k0z7DVIGS9dSY9kmMdEcpsX6m2XC
+XfEsxHBm0wmJqLUGq3UzM6oDsyZG1fkTg+eMzbVO0sv4xdhJLPpmsck5yJ8t0TxB
+8gIS9yNEw7+w6rZhgSRsMT+WhQKBgQDGMZ0qIdFi1Ae7ueTcBCe+cjgmTG9nXq6+
+qRokU63rPP9y8XTVD6hRmviMRl4skt0F39yGJ7janIQnOBrf2DVEX4Mcf0sY4vDJ
+msDV5jkbzgbAEas0ejO4h+dpRqa4mUiU1JR/Pb1jZHNOg7ZfTw45WPqBGsLTEpAt
+OsKVUgbZZQKBgCIe+8WjwS6fNC2SspfvVQm1i/Lbjbgfxf9zHor8ObkROZyJRZCU
+KoRpwkcI97l0dlVQ16q1SnPJPQljPi3joKfdppggia2CxGFz4nybliEVPGEJV0kj
+kP1cZ04x4eauVIhdpnNRcBlDsQ6Jo4YGwxr4jEBI2k7tBKvlsLe7IHr9AoGAeJmi
+IAwaBIAvAH16lKL2qD2Ki0uBkq4buSrfHHHK59TjQEdLJ4byjk21pm3/SjJHyhZR
+c1TieCw7gj3ypHlE2IkiGAohYVBe4t6HLuF7qL6yfteBjVo69LPGDdqPAs9LSj0c
+61xfTQbH32PoapCJgD3zmPH20Ud/cfZKh2A1iL0CgYEAwQgGxHVo+/d3BhLQvQHt
+64fE+qrZA5oWWwBh8EzR+98eOnDCF3Gm6chrEs9boOzlwxr9LU4TgiBnpyYrQCEw
+AdOA9dhYz91d+chJZjKo635Y9byN9rutr3/EfqZLxWL73k1y5LNAYL+jyAab0Jsw
+l2xG6PNj5rItkgO3j50qA7s=
+-----END PRIVATE KEY-----
diff --git a/tests/scripts/check-generated-files.sh b/tests/scripts/check-generated-files.sh
index 2bb9fea..4d6f930 100755
--- a/tests/scripts/check-generated-files.sh
+++ b/tests/scripts/check-generated-files.sh
@@ -137,4 +137,5 @@
check scripts/generate_visualc_files.pl visualc/VS2013
check scripts/generate_psa_constants.py programs/psa/psa_constant_names_generated.c
check tests/scripts/generate_bignum_tests.py $(tests/scripts/generate_bignum_tests.py --list)
+check tests/scripts/generate_ecp_tests.py $(tests/scripts/generate_ecp_tests.py --list)
check tests/scripts/generate_psa_tests.py $(tests/scripts/generate_psa_tests.py --list)
diff --git a/tests/scripts/generate_ecp_tests.py b/tests/scripts/generate_ecp_tests.py
new file mode 100755
index 0000000..abbfda5
--- /dev/null
+++ b/tests/scripts/generate_ecp_tests.py
@@ -0,0 +1,34 @@
+#!/usr/bin/env python3
+"""Generate test data for ecp functions.
+
+The command line usage, class structure and available methods are the same
+as in generate_bignum_tests.py.
+"""
+
+# Copyright The Mbed TLS Contributors
+# SPDX-License-Identifier: Apache-2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License"); you may
+# not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+import sys
+
+import scripts_path # pylint: disable=unused-import
+from mbedtls_dev import test_data_generation
+# Import modules containing additional test classes
+# Test function classes in these modules will be registered by
+# the framework
+from mbedtls_dev import ecp # pylint: disable=unused-import
+
+if __name__ == '__main__':
+ # Use the section of the docstring relevant to the CLI as description
+ test_data_generation.main(sys.argv[1:], "\n".join(__doc__.splitlines()[:4]))
diff --git a/tests/suites/test_suite_constant_time.function b/tests/suites/test_suite_constant_time.function
index 14dc8ae..a2bf396 100644
--- a/tests/suites/test_suite_constant_time.function
+++ b/tests/suites/test_suite_constant_time.function
@@ -18,7 +18,7 @@
/* BEGIN_CASE */
void mbedtls_ct_memcmp_null()
{
- uint32_t x;
+ uint32_t x = 0;
TEST_ASSERT(mbedtls_ct_memcmp(&x, NULL, 0) == 0);
TEST_ASSERT(mbedtls_ct_memcmp(NULL, &x, 0) == 0);
TEST_ASSERT(mbedtls_ct_memcmp(NULL, NULL, 0) == 0);
diff --git a/tests/suites/test_suite_ecp.function b/tests/suites/test_suite_ecp.function
index c8a0a82..4e74d9b 100644
--- a/tests/suites/test_suite_ecp.function
+++ b/tests/suites/test_suite_ecp.function
@@ -3,7 +3,9 @@
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecdh.h"
+#include "bignum_core.h"
#include "ecp_invasive.h"
+#include "bignum_mod_raw_invasive.h"
#if defined(MBEDTLS_TEST_HOOKS) && \
(defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || \
@@ -1299,3 +1301,89 @@
mbedtls_mpi_free(&expected_n);
}
/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_p192_raw(char *input_N,
+ char *input_X,
+ char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ size_t limbs_X;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
+
+ TEST_EQUAL(limbs_X, 2 * limbs);
+ TEST_EQUAL(limbs_res, limbs);
+
+ TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
+
+ TEST_EQUAL(mbedtls_ecp_mod_p192_raw(X, limbs_X), 0);
+ TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 192);
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
+ ASSERT_COMPARE(X, bytes, res, bytes);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(res);
+
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(N);
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_TEST_HOOKS */
+void ecp_mod_p521_raw(char *input_N,
+ char *input_X,
+ char *result)
+{
+ mbedtls_mpi_uint *X = NULL;
+ mbedtls_mpi_uint *N = NULL;
+ mbedtls_mpi_uint *res = NULL;
+ size_t limbs_X;
+ size_t limbs_N;
+ size_t limbs_res;
+
+ mbedtls_mpi_mod_modulus m;
+ mbedtls_mpi_mod_modulus_init(&m);
+
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&X, &limbs_X, input_X), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&N, &limbs_N, input_N), 0);
+ TEST_EQUAL(mbedtls_test_read_mpi_core(&res, &limbs_res, result), 0);
+
+ size_t limbs = limbs_N;
+ size_t bytes = limbs * sizeof(mbedtls_mpi_uint);
+
+ TEST_EQUAL(limbs_X, 2 * limbs);
+ TEST_EQUAL(limbs_res, limbs);
+
+ TEST_EQUAL(mbedtls_mpi_mod_modulus_setup(
+ &m, N, limbs,
+ MBEDTLS_MPI_MOD_REP_MONTGOMERY), 0);
+
+ TEST_EQUAL(mbedtls_ecp_mod_p521_raw(X, limbs_X), 0);
+ TEST_LE_U(mbedtls_mpi_core_bitlen(X, limbs_X), 522);
+ mbedtls_mpi_mod_raw_fix_quasi_reduction(X, &m);
+ ASSERT_COMPARE(X, bytes, res, bytes);
+
+exit:
+ mbedtls_free(X);
+ mbedtls_free(res);
+
+ mbedtls_mpi_mod_modulus_free(&m);
+ mbedtls_free(N);
+}
+/* END_CASE */
diff --git a/tests/suites/test_suite_pkcs7.data b/tests/suites/test_suite_pkcs7.data
index 840a24b..9948537 100644
--- a/tests/suites/test_suite_pkcs7.data
+++ b/tests/suites/test_suite_pkcs7.data
@@ -38,6 +38,14 @@
depends_on:MBEDTLS_SHA256_C
pkcs7_parse:"data_files/pkcs7_data_cert_encrypted.der":MBEDTLS_ERR_PKCS7_FEATURE_UNAVAILABLE
+PKCS7 Signed Data Verification Pass zero-len data
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_zerolendata.bin":0:0
+
+PKCS7 Signed Data Verification Fail zero-len data
+depends_on:MBEDTLS_SHA1_C:MBEDTLS_SHA256_C
+pkcs7_verify:"data_files/pkcs7_zerolendata_detached.der":"data_files/pkcs7-rsa-sha256-2.der":"data_files/pkcs7_zerolendata.bin":0:MBEDTLS_ERR_RSA_VERIFY_FAILED
+
PKCS7 Signed Data Verification Pass SHA256 #9
depends_on:MBEDTLS_SHA256_C
pkcs7_verify:"data_files/pkcs7_data_cert_signed_sha256.der":"data_files/pkcs7-rsa-sha256-1.der":"data_files/pkcs7_data.bin":0:0
diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function
index 62f9f66..91fe47b 100644
--- a/tests/suites/test_suite_pkcs7.function
+++ b/tests/suites/test_suite_pkcs7.function
@@ -125,7 +125,8 @@
TEST_ASSERT(file != NULL);
datalen = st.st_size;
- ASSERT_ALLOC(data, datalen);
+ /* Special-case for zero-length input so that data will be non-NULL */
+ ASSERT_ALLOC(data, datalen == 0 ? 1 : datalen);
buflen = fread((void *) data, sizeof(unsigned char), datalen, file);
TEST_EQUAL(buflen, datalen);
diff --git a/tests/suites/test_suite_pkparse.data b/tests/suites/test_suite_pkparse.data
index a493325..317a6c9 100644
--- a/tests/suites/test_suite_pkparse.data
+++ b/tests/suites/test_suite_pkparse.data
@@ -912,34 +912,68 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_pub.pem":0
+Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_pub.comp.pem":0
+
Parse Public EC Key #3 (RFC 5480, secp224r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_224_pub.pem":0
+# Compressed points parsing does not support MBEDTLS_ECP_DP_SECP224R1 and
+# MBEDTLS_ECP_DP_SECP224K1. Therefore a failure is expected in this case
+Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_224_pub.comp.pem":MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE
+
Parse Public EC Key #4 (RFC 5480, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_256_pub.pem":0
+Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_256_pub.comp.pem":0
+
Parse Public EC Key #5 (RFC 5480, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_384_pub.pem":0
+Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_384_pub.comp.pem":0
+
Parse Public EC Key #6 (RFC 5480, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_521_pub.pem":0
+Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_521_pub.comp.pem":0
+
Parse Public EC Key #7 (RFC 5480, brainpoolP256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.pem":0
+Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp256_pub.comp.pem":0
+
Parse Public EC Key #8 (RFC 5480, brainpoolP384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.pem":0
+Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp384_pub.comp.pem":0
+
Parse Public EC Key #9 (RFC 5480, brainpoolP512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.pem":0
+Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_parse_public_keyfile_ec:"data_files/ec_bp512_pub.comp.pem":0
+
Parse EC Key #1 (SEC1 DER)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.der":"NULL":0
@@ -948,6 +982,10 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pem":"NULL":0
+Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_prv.sec1.comp.pem":"NULL":0
+
Parse EC Key #3 (SEC1 PEM encrypted)
depends_on:MBEDTLS_DES_C:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP192R1_ENABLED:MBEDTLS_CIPHER_MODE_CBC:MBEDTLS_HAS_MD5_VIA_LOWLEVEL_OR_PSA
pk_parse_keyfile_ec:"data_files/ec_prv.sec1.pw.pem":"polar":0
@@ -988,30 +1026,58 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_224_prv.pem":"NULL":0
+Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP224R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_224_prv.comp.pem":"NULL":0
+
Parse EC Key #9 (SEC1 PEM, secp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_256_prv.pem":"NULL":0
+Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_256_prv.comp.pem":"NULL":0
+
Parse EC Key #10 (SEC1 PEM, secp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_384_prv.pem":"NULL":0
+Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_384_prv.comp.pem":"NULL":0
+
Parse EC Key #11 (SEC1 PEM, secp521r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_521_prv.pem":"NULL":0
+Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP521R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_521_prv.comp.pem":"NULL":0
+
Parse EC Key #12 (SEC1 PEM, bp256r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp256_prv.pem":"NULL":0
+Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP256R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp256_prv.comp.pem":"NULL":0
+
Parse EC Key #13 (SEC1 PEM, bp384r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp384_prv.pem":"NULL":0
+Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP384R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp384_prv.comp.pem":"NULL":0
+
Parse EC Key #14 (SEC1 PEM, bp512r1)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
pk_parse_keyfile_ec:"data_files/ec_bp512_prv.pem":"NULL":0
+Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)
+depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_BP512R1_ENABLED
+pk_parse_keyfile_ec:"data_files/ec_bp512_prv.comp.pem":"NULL":0
+
Parse EC Key #15 (SEC1 DER, secp256k1, SpecifiedECDomain)
depends_on:MBEDTLS_ECP_C:MBEDTLS_ECP_DP_SECP256K1_ENABLED:MBEDTLS_PK_PARSE_EC_EXTENDED
pk_parse_keyfile_ec:"data_files/ec_prv.specdom.der":"NULL":0
diff --git a/tests/suites/test_suite_pkparse.function b/tests/suites/test_suite_pkparse.function
index ff19981..0856f3f 100644
--- a/tests/suites/test_suite_pkparse.function
+++ b/tests/suites/test_suite_pkparse.function
@@ -2,6 +2,7 @@
#include "mbedtls/pk.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
+#include "mbedtls/ecp.h"
#include "mbedtls/legacy_or_psa.h"
/* END_HEADER */
diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data
index c356142..697cdd7 100644
--- a/tests/suites/test_suite_psa_crypto.data
+++ b/tests/suites/test_suite_psa_crypto.data
@@ -4145,6 +4145,30 @@
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_hash_deterministic:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f"
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":1
+
+PSA sign hash int (ops=inf) det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PSA_BUILTIN_ALG_SHA_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"49c9a8c18c4b885638c431cf1df1c994131609b580d4fd43a0cab17db2f13eee":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":"cd40ba1b555ca5994d30ddffc4ad734b1f5c604675b0f249814aa5de3992ef3ddf4d5dc5d2aab1979ce210b560754df671363d99795475882894c048e3b986ca":1
+
+PSA sign hash int (ops=inf): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":"52d92aac1fcc0fea3ecce01a9ed4bc9ac342f92470fd3f54d0d6d2fa5d2940405057a9d49a817c2b193322f05fc93ac1c7a055edac93bec0ade6814ab27b86b5295ac1ddb323818200f00c3d94d959f714f128b64a2e19628037ac009b14774f":1
+
PSA sign hash: RSA PKCS#1 v1.5 SHA-256, wrong hash size
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_hash_fail:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015":128:PSA_ERROR_INVALID_ARGUMENT
@@ -4206,9 +4230,53 @@
sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT
PSA sign hash: deterministic ECDSA not supported
-depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:MBEDTLS_ECP_DP_SECP384R1_ENABLED
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, out buf too small
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, out buf too small
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":63:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA sign hash int (ops=inf): det ECDSA SECP256R1 SHA-256, empty out buf
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1 SHA-256, empty out buf
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":0:PSA_SUCCESS:PSA_ERROR_BUFFER_TOO_SMALL:1
+
+PSA sign hash int (ops=inf): det ECDSA SECP256R1, invld hash alg (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA SECP256R1, invld hash alg (0)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( 0 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_SUCCESS:PSA_ERROR_INVALID_ARGUMENT:1
+
+PSA sign hash int: det ECDSA SECP256R1, invld hash alg (wildcard)
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_ANY_HASH ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_INVALID_ARGUMENT:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int: invld alg for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_PK_PARSE_C
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":72:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int: ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:!PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=inf): det ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign hash int (ops=min): det ECDSA not supported
+depends_on:!PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"2cf24dba5fb0a30e26e83b2ac5b9e29e1b161e5c1fa7425e73043362938b9824":96:PSA_SUCCESS:PSA_ERROR_NOT_SUPPORTED:1
+
PSA sign/verify hash: RSA PKCS#1 v1.5, raw
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_verify_hash:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN_RAW:"616263"
@@ -4249,6 +4317,54 @@
depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
sign_verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA( PSA_ALG_SHA_256 ):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
+
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP256R1 SHA-384
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_384):"59e1748777448c69de6b800d7a33bbfb9ff1b463e44354c3553bcdb9c666fa90125a3c79f90397bdf5f6a13de828684f":1
+
+PSA sign/vrfy hash int (ops=inf): rand ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): rand ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
+
+PSA sign/vrfy hash int (ops=inf): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int (ops=min): det ECDSA SECP384R1 SHA-256
+depends_on:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_384
+sign_verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"3f5d8d9be280b5696cc5cc9f94cf8af7e6b61dd6592b2ab2b3a4c607450417ec327dcdcaed7c10053d719a0574f0a76a":PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":1
+
PSA verify hash: RSA PKCS#1 v1.5 SHA-256, good signature
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_PK_PARSE_C
verify_hash:PSA_KEY_TYPE_RSA_PUBLIC_KEY:"30818902818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc30203010001":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
@@ -4369,6 +4485,14 @@
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f"
+PSA vrfy hash int: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int w/keypair: ECDSA SECP256R1, good
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
PSA verify hash: ECDSA SECP256R1, wrong signature size (correct but ASN1-encoded)
depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE
@@ -4397,6 +4521,50 @@
depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
verify_hash_fail:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_INVALID_ARGUMENT
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig size (correct but ASN1-encoded)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"304502206a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151022100ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int (ops=inf): ECDSA SECP256R1, wrong sig of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int (ops=min): ECDSA SECP256R1, wrong sig of correct size
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50e":PSA_SUCCESS:PSA_ERROR_INVALID_SIGNATURE:1
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (empty)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (truncated)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f5":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (trailing junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"6a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f21":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: ECDSA SECP256R1, wrong sig (leading junk)
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_PUBLIC_KEY(PSA_ECC_FAMILY_SECP_R1):"04dea5e45d0ea37fc566232a508f4ad20ea13d47e4bf5fa4d54a57a0ba012042087097496efc583fed8b24a5b9be9a51de063f5a00a8b698a16fd7f29b5485f320":PSA_ALG_ECDSA_ANY:"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b":"216a3399f69421ffe1490377adf2ea1f117d81a63cf5bf22e918d51175eb259151ce95d7c26cc04e25503e2f7a1ec3573e3c2412534bb4a19b3a7811742f49f50f":PSA_ERROR_INVALID_SIGNATURE:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA vrfy hash int: invld alg for ECC key
+depends_on:PSA_WANT_ALG_RSA_PSS:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+verify_hash_fail_interruptible:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_RSA_PSS(PSA_ALG_SHA_256):"":"":PSA_ERROR_NOT_SUPPORTED:PSA_ERROR_BAD_STATE:PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED
+
+PSA sign/vrfy hash int state test: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_state_test:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign/vrfy hash int neg tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_negative_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
+PSA sign/vrfy hash int max ops tests: randomized ECDSA SECP256R1 SHA-256
+depends_on:PSA_WANT_ALG_ECDSA:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR:MBEDTLS_PK_PARSE_C:PSA_WANT_ECC_SECP_R1_256
+interruptible_signverify_hash_maxops_tests:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):"ab45435712649cb30bbddac49197eebf2740ffc7f874d9244c3460f54f322d3a":PSA_ALG_ECDSA(PSA_ALG_SHA_256):"9ac4335b469bbd791439248504dd0d49c71349a295fee5a1c68507f45a9e1c7b"
+
PSA sign message: RSA PKCS#1 v1.5 SHA-256
depends_on:PSA_WANT_ALG_RSA_PKCS1V15_SIGN:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR:MBEDTLS_PK_PARSE_C
sign_message_deterministic:PSA_KEY_TYPE_RSA_KEY_PAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):"616263":"a73664d55b39c7ea6c1e5b5011724a11e1d7073d3a68f48c836fad153a1d91b6abdbc8f69da13b206cc96af6363b114458b026af14b24fab8929ed634c6a2acace0bcc62d9bb6a984afbcbfcd3a0608d32a2bae535b9cd1ecdf9dd281db1e0025c3bfb5512963ec3b98ddaa69e38bc3c84b1b61a04e5648640856aacc6fc7311"
diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function
index c414b65..20e43c6 100644
--- a/tests/suites/test_suite_psa_crypto.function
+++ b/tests/suites/test_suite_psa_crypto.function
@@ -1220,6 +1220,34 @@
INJECT_ANTICIPATE_KEY_DERIVATION_2,
} ecjpake_injected_failure_t;
+#if defined(MBEDTLS_ECP_RESTARTABLE)
+
+static void interruptible_signverify_get_minmax_completes(uint32_t max_ops,
+ psa_status_t expected_status,
+ size_t *min_completes,
+ size_t *max_completes)
+{
+
+ /* This is slightly contrived, but we only really know that with a minimum
+ value of max_ops that a successful operation should take more than one op
+ to complete, and likewise that with a max_ops of
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED, it should complete in one go. */
+ if (max_ops == 0 || max_ops == 1) {
+
+ if (expected_status == PSA_SUCCESS) {
+ *min_completes = 2;
+ } else {
+ *min_completes = 1;
+ }
+
+ *max_completes = PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED;
+ } else {
+ *min_completes = 1;
+ *max_completes = 1;
+ }
+}
+#endif /* MBEDTLS_ECP_RESTARTABLE */
+
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@@ -6444,6 +6472,117 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ data_t *output_data, int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_sign_hash_interruptible_operation_t operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start performing the signature. */
+ PSA_ASSERT(psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len));
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_sign_hash_complete(&operation, signature, signature_size,
+ &signature_length);
+
+ num_completes++;
+
+ if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+
+ /* Ensure calling get_num_ops() twice still returns the same
+ * number of ops as previously reported. */
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+
+ TEST_EQUAL(num_ops, num_ops_prior);
+ }
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ /* Verify that the signature is what is expected. */
+ ASSERT_COMPARE(output_data->x, output_data->len,
+ signature, signature_length);
+
+ PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_hash_fail(int key_type_arg, data_t *key_data,
int alg_arg, data_t *input_data,
@@ -6489,6 +6628,123 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ int signature_size_arg,
+ int expected_start_status_arg,
+ int expected_complete_status_arg,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t signature_size = signature_size_arg;
+ psa_status_t actual_status;
+ psa_status_t expected_start_status = expected_start_status_arg;
+ psa_status_t expected_complete_status = expected_complete_status_arg;
+ unsigned char *signature = NULL;
+ size_t signature_length = 0xdeadbeef;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_sign_hash_interruptible_operation_t operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ ASSERT_ALLOC(signature, signature_size);
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops,
+ expected_complete_status,
+ &min_completes,
+ &max_completes);
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start performing the signature. */
+ actual_status = psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len);
+
+ TEST_EQUAL(actual_status, expected_start_status);
+
+ if (expected_start_status != PSA_SUCCESS) {
+ actual_status = psa_sign_hash_start(&operation, key, alg,
+ input_data->x, input_data->len);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+ }
+
+ num_ops_prior = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ actual_status = psa_sign_hash_complete(&operation, signature,
+ signature_size,
+ &signature_length);
+
+ num_completes++;
+
+ if (actual_status == PSA_SUCCESS ||
+ actual_status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+ }
+ } while (actual_status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(actual_status, expected_complete_status);
+
+ /* Check that another complete returns BAD_STATE. */
+ actual_status = psa_sign_hash_complete(&operation, signature,
+ signature_size,
+ &signature_length);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&operation));
+
+ num_ops = psa_sign_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+ /* The value of *signature_length is unspecified on error, but
+ * whatever it is, it should be less than signature_size, so that
+ * if the caller tries to read *signature_length bytes without
+ * checking the error code then they don't overflow a buffer. */
+ TEST_LE_U(signature_length, signature_size);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_verify_hash(int key_type_arg, data_t *key_data,
int alg_arg, data_t *input_data)
@@ -6559,6 +6815,137 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void sign_verify_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *input_data,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ /* Start performing the signature. */
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ /* Continue performing the signature until complete. */
+ do {
+
+ status = psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length);
+
+ num_completes++;
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ /* Check that the signature length looks sensible. */
+ TEST_LE_U(signature_length, signature_size);
+ TEST_ASSERT(signature_length > 0);
+
+ num_completes = 0;
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&verify_operation);
+
+ num_completes++;
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ verify_operation = psa_verify_hash_interruptible_operation_init();
+
+ if (input_data->len != 0) {
+ /* Flip a bit in the input and verify that the signature is now
+ * detected as invalid. Flip a bit at the beginning, not at the end,
+ * because ECDSA may ignore the last few bits of the input. */
+ input_data->x[0] ^= 1;
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&verify_operation);
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_ERROR_INVALID_SIGNATURE);
+ }
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void verify_hash(int key_type_arg, data_t *key_data,
int alg_arg, data_t *hash_data,
@@ -6591,6 +6978,97 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void verify_hash_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *hash_data,
+ data_t *signature_data, int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_status_t status = PSA_OPERATION_INCOMPLETE;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+
+ psa_verify_hash_interruptible_operation_t operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ TEST_LE_U(signature_data->len, PSA_SIGNATURE_MAX_SIZE);
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops, PSA_SUCCESS,
+ &min_completes, &max_completes);
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start verification. */
+ PSA_ASSERT(psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x, signature_data->len)
+ );
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ status = psa_verify_hash_complete(&operation);
+
+ num_completes++;
+
+ if (status == PSA_SUCCESS || status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+
+ /* Ensure calling get_num_ops() twice still returns the same
+ * number of ops as previously reported. */
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+
+ TEST_EQUAL(num_ops, num_ops_prior);
+ }
+ } while (status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_ASSERT(status == PSA_SUCCESS);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void verify_hash_fail(int key_type_arg, data_t *key_data,
int alg_arg, data_t *hash_data,
@@ -6625,6 +7103,479 @@
}
/* END_CASE */
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void verify_hash_fail_interruptible(int key_type_arg, data_t *key_data,
+ int alg_arg, data_t *hash_data,
+ data_t *signature_data,
+ int expected_start_status_arg,
+ int expected_complete_status_arg,
+ int max_ops_arg)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_status_t actual_status;
+ psa_status_t expected_start_status = expected_start_status_arg;
+ psa_status_t expected_complete_status = expected_complete_status_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint32_t num_ops = 0;
+ uint32_t max_ops = max_ops_arg;
+ size_t num_ops_prior = 0;
+ size_t num_completes = 0;
+ size_t min_completes = 0;
+ size_t max_completes = 0;
+ psa_verify_hash_interruptible_operation_t operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+
+ psa_interruptible_set_max_ops(max_ops);
+
+ interruptible_signverify_get_minmax_completes(max_ops,
+ expected_complete_status,
+ &min_completes,
+ &max_completes);
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Start verification. */
+ actual_status = psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x,
+ signature_data->len);
+
+ TEST_EQUAL(actual_status, expected_start_status);
+
+ if (expected_start_status != PSA_SUCCESS) {
+ actual_status = psa_verify_hash_start(&operation, key, alg,
+ hash_data->x, hash_data->len,
+ signature_data->x,
+ signature_data->len);
+
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+ }
+
+ num_ops_prior = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops_prior == 0);
+
+ /* Continue performing the signature until complete. */
+ do {
+ actual_status = psa_verify_hash_complete(&operation);
+
+ num_completes++;
+
+ if (actual_status == PSA_SUCCESS ||
+ actual_status == PSA_OPERATION_INCOMPLETE) {
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ /* We are asserting here that every complete makes progress
+ * (completes some ops), which is true of the internal
+ * implementation and probably any implementation, however this is
+ * not mandated by the PSA specification. */
+ TEST_ASSERT(num_ops > num_ops_prior);
+
+ num_ops_prior = num_ops;
+ }
+ } while (actual_status == PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(actual_status, expected_complete_status);
+
+ /* Check that another complete returns BAD_STATE. */
+ actual_status = psa_verify_hash_complete(&operation);
+ TEST_EQUAL(actual_status, PSA_ERROR_BAD_STATE);
+
+ TEST_LE_U(min_completes, num_completes);
+ TEST_LE_U(num_completes, max_completes);
+
+ PSA_ASSERT(psa_verify_hash_abort(&operation));
+
+ num_ops = psa_verify_hash_get_num_ops(&operation);
+ TEST_ASSERT(num_ops == 0);
+
+exit:
+ psa_reset_key_attributes(&attributes);
+ psa_destroy_key(key);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void interruptible_signverify_hash_state_test(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ /* --- Attempt completes prior to starts --- */
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Aborts in all other places. --- */
+ psa_sign_hash_abort(&sign_operation);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_OPERATION_INCOMPLETE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Attempt double starts. --- */
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void interruptible_signverify_hash_negative_tests(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ size_t signature_length = 0xdeadbeef;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ uint8_t *input_buffer = NULL;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len,
+ &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type,
+ key_bits, alg);
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ /* --- Ensure changing the max ops mid operation works (operation should
+ * complete successfully after setting max ops to unlimited --- */
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_length));
+
+ TEST_EQUAL(psa_verify_hash_complete(&verify_operation),
+ PSA_OPERATION_INCOMPLETE);
+
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* --- Change function inputs mid run, to cause an error (sign only,
+ * verify passes all inputs to start. --- */
+
+ psa_interruptible_set_max_ops(1);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length),
+ PSA_OPERATION_INCOMPLETE);
+
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ 0,
+ &signature_length),
+ PSA_ERROR_BUFFER_TOO_SMALL);
+
+ /* And test that this invalidates the operation. */
+ TEST_EQUAL(psa_sign_hash_complete(&sign_operation, signature,
+ 0,
+ &signature_length),
+ PSA_ERROR_BAD_STATE);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ /* Trash the hash buffer in between start and complete, to ensure
+ * no reliance on external buffers. */
+ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ input_buffer = mbedtls_calloc(1, input_data->len);
+ TEST_ASSERT(input_buffer != NULL);
+
+ memcpy(input_buffer, input_data->x, input_data->len);
+
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_buffer, input_data->len));
+
+ memset(input_buffer, '!', input_data->len);
+ mbedtls_free(input_buffer);
+ input_buffer = NULL;
+
+ PSA_ASSERT(psa_sign_hash_complete(&sign_operation, signature,
+ signature_size,
+ &signature_length));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ input_buffer = mbedtls_calloc(1, input_data->len);
+ TEST_ASSERT(input_buffer != NULL);
+
+ memcpy(input_buffer, input_data->x, input_data->len);
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_buffer, input_data->len,
+ signature, signature_length));
+
+ memset(input_buffer, '!', input_data->len);
+ mbedtls_free(input_buffer);
+ input_buffer = NULL;
+
+ PSA_ASSERT(psa_verify_hash_complete(&verify_operation));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
+/* BEGIN_CASE depends_on:MBEDTLS_ECP_RESTARTABLE */
+void interruptible_signverify_hash_maxops_tests(int key_type_arg,
+ data_t *key_data, int alg_arg, data_t *input_data)
+{
+ mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
+ psa_key_type_t key_type = key_type_arg;
+ psa_algorithm_t alg = alg_arg;
+ psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
+ size_t key_bits;
+ unsigned char *signature = NULL;
+ size_t signature_size;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+ PSA_ASSERT(psa_crypto_init());
+
+ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH |
+ PSA_KEY_USAGE_VERIFY_HASH);
+ psa_set_key_algorithm(&attributes, alg);
+ psa_set_key_type(&attributes, key_type);
+
+ PSA_ASSERT(psa_import_key(&attributes, key_data->x, key_data->len, &key));
+ PSA_ASSERT(psa_get_key_attributes(key, &attributes));
+ key_bits = psa_get_key_bits(&attributes);
+
+ /* Allocate a buffer which has the size advertised by the
+ * library. */
+ signature_size = PSA_SIGN_OUTPUT_SIZE(key_type, key_bits, alg);
+
+ TEST_ASSERT(signature_size != 0);
+ TEST_LE_U(signature_size, PSA_SIGNATURE_MAX_SIZE);
+ ASSERT_ALLOC(signature, signature_size);
+
+ /* Check that default max ops gets set if we don't set it. */
+ PSA_ASSERT(psa_sign_hash_start(&sign_operation, key, alg,
+ input_data->x, input_data->len));
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(),
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+
+ PSA_ASSERT(psa_verify_hash_start(&verify_operation, key, alg,
+ input_data->x, input_data->len,
+ signature, signature_size));
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(),
+ PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED);
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+
+ /* Check that max ops gets set properly. */
+
+ psa_interruptible_set_max_ops(0xbeef);
+
+ TEST_EQUAL(psa_interruptible_get_max_ops(), 0xbeef);
+
+exit:
+ /*
+ * Key attributes may have been returned by psa_get_key_attributes()
+ * thus reset them as required.
+ */
+ psa_reset_key_attributes(&attributes);
+
+ psa_destroy_key(key);
+ mbedtls_free(signature);
+ PSA_DONE();
+}
+/* END_CASE */
+
/* BEGIN_CASE */
void sign_message_deterministic(int key_type_arg,
data_t *key_data,
diff --git a/tests/suites/test_suite_psa_crypto_op_fail.function b/tests/suites/test_suite_psa_crypto_op_fail.function
index 046e3c3..970be84 100644
--- a/tests/suites/test_suite_psa_crypto_op_fail.function
+++ b/tests/suites/test_suite_psa_crypto_op_fail.function
@@ -221,6 +221,13 @@
uint8_t input[1] = { 'A' };
uint8_t output[PSA_SIGNATURE_MAX_SIZE] = { 0 };
size_t length = SIZE_MAX;
+ psa_sign_hash_interruptible_operation_t sign_operation =
+ psa_sign_hash_interruptible_operation_init();
+
+ psa_verify_hash_interruptible_operation_t verify_operation =
+ psa_verify_hash_interruptible_operation_init();
+
+
PSA_INIT();
@@ -237,6 +244,15 @@
psa_sign_hash(key_id, alg,
input, sizeof(input),
output, sizeof(output), &length));
+
+ if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+ TEST_STATUS(expected_status,
+ psa_sign_hash_start(&sign_operation, key_id, alg,
+ input, sizeof(input)));
+
+ PSA_ASSERT(psa_sign_hash_abort(&sign_operation));
+ }
+
if (!private_only) {
/* Determine a plausible signature size to avoid an INVALID_SIGNATURE
* error based on this. */
@@ -253,6 +269,15 @@
psa_verify_hash(key_id, alg,
input, sizeof(input),
output, output_length));
+
+ if (PSA_KEY_TYPE_IS_ECC(key_type)) {
+ TEST_STATUS(expected_status,
+ psa_verify_hash_start(&verify_operation, key_id, alg,
+ input, sizeof(input),
+ output, output_length));
+
+ PSA_ASSERT(psa_verify_hash_abort(&verify_operation));
+ }
}
exit:
diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data
index 048e4f7..4545a53 100644
--- a/tests/suites/test_suite_x509parse.data
+++ b/tests/suites/test_suite_x509parse.data
@@ -122,6 +122,14 @@
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_cert_info:"data_files/cert_example_multi_nocn.crt":"cert. version \: 3\nserial number \: F7\:C6\:7F\:F8\:E9\:A9\:63\:F9\nissuer name \: C=NL\nsubject name \: C=NL\nissued on \: 2014-01-22 10\:04\:33\nexpires on \: 2024-01-22 10\:04\:33\nsigned using \: RSA with SHA1\nRSA key size \: 1024 bits\nbasic constraints \: CA=false\nsubject alt name \:\n dNSName \: www.shotokan-braunschweig.de\n dNSName \: www.massimo-abate.eu\n <unsupported>\n <unsupported>\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+X509 CRT information, Subject Alt Name with uniformResourceIdentifier
+depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_cert_info:"data_files/rsa_single_san_uri.crt.der":"cert. version \: 3\nserial number \: 6F\:75\:EB\:E9\:6D\:25\:BC\:88\:82\:62\:A3\:E0\:68\:A7\:37\:3B\:EC\:75\:8F\:9C\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:38\:05\nexpires on \: 2043-02-09 10\:38\:05\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+
+X509 CRT information, Subject Alt Name with two uniformResourceIdentifiers
+depends_on:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+x509_cert_info:"data_files/rsa_multiple_san_uri.crt.der":"cert. version \: 3\nserial number \: 08\:E2\:93\:18\:91\:26\:D8\:46\:88\:90\:10\:4F\:B5\:86\:CB\:C4\:78\:E6\:EA\:0D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS URI SAN\nissued on \: 2023-02-14 10\:37\:50\nexpires on \: 2043-02-09 10\:37\:50\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=false\nsubject alt name \:\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-c2c082f0609c\n uniformResourceIdentifier \: urn\:example.com\:5ff40f78-9210-494f-8206-abcde1234567\nkey usage \: Digital Signature, Non Repudiation, Key Encipherment\n"
+
X509 CRT information, RSA Certificate Policy any
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
x509_cert_info:"data_files/test-ca-any_policy.crt":"cert. version \: 3\nserial number \: 00\nissuer name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nsubject name \: C=NL, O=PolarSSL, CN=PolarSSL Test CA\nissued on \: 2019-03-21 16\:40\:59\nexpires on \: 2029-03-21 16\:40\:59\nsigned using \: RSA with SHA-256\nRSA key size \: 2048 bits\nbasic constraints \: CA=true\ncertificate policies \: Any Policy\n"