diff --git a/crypto b/crypto
index 24b8f9f17..89e765569 160000
--- a/crypto
+++ b/crypto
@@ -1 +1 @@
-Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b
+Subproject commit 89e76556910c2704313fe23b174f2742702a3a29
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index f1bf7046a..f403aa036 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
{
psa_status_t status;
- psa_key_policy_t policy;
+ psa_key_attributes_t key_attributes;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@@ -3238,8 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
unsigned char *own_pubkey_ecpoint;
size_t own_pubkey_ecpoint_len;
- psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
-
header_len = 4;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
@@ -3248,12 +3246,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* Generate EC private key for ECDHE exchange.
*/
- /* Allocate a new key slot for the private key. */
-
- status = psa_allocate_key( &handshake->ecdh_psa_privkey );
- if( status != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-
/* The master secret is obtained from the shared ECDH secret by
* applying the TLS 1.2 PRF with a specific salt and label. While
* the PSA Crypto API encourages combining key agreement schemes
@@ -3261,19 +3253,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* yet support the provisioning of salt + label to the KDF.
* For the time being, we therefore need to split the computation
* of the ECDH secret and the application of the TLS 1.2 PRF. */
- policy = psa_key_policy_init();
- psa_key_policy_set_usage( &policy,
- PSA_KEY_USAGE_DERIVE,
- PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
- status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
- if( status != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
+ psa_set_key_type( &key_attributes,
+ PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
+ );
+ psa_set_key_bits( &key_attributes,
+ PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
/* Generate ECDH private key. */
- status = psa_generate_key( handshake->ecdh_psa_privkey,
- PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
- MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
- NULL, 0 );
+ status = psa_generate_key( &key_attributes,
+ &handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@@ -3299,30 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
own_pubkey_ecpoint, own_pubkey_ecpoint_len );
content_len = own_pubkey_ecpoint_len + 1;
- /* Compute ECDH shared secret. */
- status = psa_key_agreement( &generator,
- handshake->ecdh_psa_privkey,
- handshake->ecdh_psa_peerkey,
- handshake->ecdh_psa_peerkey_len,
- PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
- if( status != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-
/* The ECDH secret is the premaster secret used for key derivation. */
- ssl->handshake->pmslen =
- MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
-
- status = psa_generator_read( &generator,
- ssl->handshake->premaster,
- ssl->handshake->pmslen );
- if( status != PSA_SUCCESS )
- {
- psa_generator_abort( &generator );
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- }
-
- status = psa_generator_abort( &generator );
+ /* Compute ECDH shared secret. */
+ status = psa_raw_key_agreement( PSA_ALG_ECDH,
+ handshake->ecdh_psa_privkey,
+ handshake->ecdh_psa_peerkey,
+ handshake->ecdh_psa_peerkey_len,
+ ssl->handshake->premaster,
+ sizeof( ssl->handshake->premaster ),
+ &ssl->handshake->pmslen );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d04fa9bd7..56745e3f5 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -630,31 +630,26 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
{
psa_status_t status;
psa_algorithm_t alg;
- psa_key_policy_t policy;
+ psa_key_attributes_t key_attributes;
psa_key_handle_t master_slot;
- psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
-
- if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
if( md_type == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
else
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
- policy = psa_key_policy_init();
- psa_key_policy_set_usage( &policy,
- PSA_KEY_USAGE_DERIVE,
- alg );
- status = psa_set_key_policy( master_slot, &policy );
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, alg );
+ psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
+
+ status = psa_import_key( &key_attributes, secret, slen, &master_slot );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
- status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
- if( status != PSA_SUCCESS )
- return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-
- status = psa_key_derivation( &generator,
+ status = psa_key_derivation( &derivation,
master_slot, alg,
random, rlen,
(unsigned char const *) label,
@@ -662,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
dlen );
if( status != PSA_SUCCESS )
{
- psa_generator_abort( &generator );
+ psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
- status = psa_generator_read( &generator, dstbuf, dlen );
+ status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
if( status != PSA_SUCCESS )
{
- psa_generator_abort( &generator );
+ psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
- status = psa_generator_abort( &generator );
+ status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
{
psa_destroy_key( master_slot );
@@ -1108,8 +1103,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
/* Perform PSK-to-MS expansion in a single step. */
psa_status_t status;
psa_algorithm_t alg;
- psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
psa_key_handle_t psk;
+ psa_key_derivation_operation_t derivation =
+ PSA_KEY_DERIVATION_OPERATION_INIT;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
@@ -1122,26 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
else
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
- status = psa_key_derivation( &generator, psk, alg,
+ status = psa_key_derivation( &derivation, psk, alg,
salt, salt_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
master_secret_len );
if( status != PSA_SUCCESS )
{
- psa_generator_abort( &generator );
+ psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
- status = psa_generator_read( &generator, session->master,
- master_secret_len );
+ status = psa_key_derivation_output_bytes( &derivation,
+ session->master,
+ master_secret_len );
if( status != PSA_SUCCESS )
{
- psa_generator_abort( &generator );
+ psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
- status = psa_generator_abort( &generator );
+ status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 4221159d4..f8d84f959 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -902,7 +902,7 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t slot = 0;
psa_algorithm_t alg = 0;
- psa_key_policy_t policy;
+ psa_key_attributes_t key_attributes;
psa_status_t status;
#endif
@@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 )
{
- /* The algorithm has already been determined earlier. */
- status = psa_allocate_key( &slot );
- if( status != PSA_SUCCESS )
- {
- ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- goto exit;
- }
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, alg );
+ psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
- policy = psa_key_policy_init();
- psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
-
- status = psa_set_key_policy( slot, &policy );
- if( status != PSA_SUCCESS )
- {
- ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- goto exit;
- }
-
- status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
+ status = psa_import_key( &key_attributes, psk, psk_len, &slot );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index bbe93cb47..e8a6cfbe7 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd,
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
-static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
+static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot,
psa_algorithm_t alg,
unsigned char *psk,
size_t psk_len )
{
psa_status_t status;
- psa_key_policy_t policy;
+ psa_key_attributes_t key_attributes;
- policy = psa_key_policy_init();
- psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
+ key_attributes = psa_key_attributes_init();
+ psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
+ psa_set_key_algorithm( &key_attributes, alg );
+ psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
- status = psa_set_key_policy( slot, &policy );
- if( status != PSA_SUCCESS )
- {
- fprintf( stderr, "POLICY\n" );
- return( status );
- }
-
- status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
+ status = psa_import_key( &key_attributes, psk, psk_len, slot );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "IMPORT\n" );
@@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 )
{
- status = psa_allocate_key( &psk_slot );
- if( status != PSA_SUCCESS )
- {
- fprintf( stderr, "ALLOC FAIL\n" );
- ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- goto exit;
- }
-
/* The algorithm has already been determined earlier. */
- status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len );
+ status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "SETUP FAIL\n" );
@@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] )
psk_entry *cur_psk;
for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
{
- status = psa_allocate_key( &cur_psk->slot );
- if( status != PSA_SUCCESS )
- {
- ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
- goto exit;
- }
- status = psa_setup_psk_key_slot( cur_psk->slot, alg,
+ status = psa_setup_psk_key_slot( &cur_psk->slot, alg,
cur_psk->key,
cur_psk->key_len );
if( status != PSA_SUCCESS )
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 484c93933..8f4f0895a 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -238,6 +238,7 @@
+