Merge branch 'development' into development-restricted

* development:
  Rename local variables
  Update submodule
  Update Visual studio project file
  Move the examples to PSA 1.0
  Use psa_raw_key_agreement
  Remove calls to psa_allocate_key
  Make variable naming consistent
  Update psa_create_key to PSA 1.0
  Update psa_import_key to PSA 1.0
  Update psa_generator_abort to PSA 1.0
  Update psa_generator_read to PSA 1.0
  Update psa_crypto_generator_t to PSA 1.0
  Update psa_key_agreement to PSA 1.0
  Update GENERATOR_INIT macro to PSA 1.0
  Update KEYPAIR macros to PSA 1.0
This commit is contained in:
Jaeden Amero 2019-08-20 10:28:14 +01:00
commit 4245d4a2c8
6 changed files with 59 additions and 116 deletions

2
crypto

@ -1 +1 @@
Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b Subproject commit 89e76556910c2704313fe23b174f2742702a3a29

View File

@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
{ {
psa_status_t status; psa_status_t status;
psa_key_policy_t policy; psa_key_attributes_t key_attributes;
mbedtls_ssl_handshake_params *handshake = ssl->handshake; mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3238,8 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
unsigned char *own_pubkey_ecpoint; unsigned char *own_pubkey_ecpoint;
size_t own_pubkey_ecpoint_len; size_t own_pubkey_ecpoint_len;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
header_len = 4; header_len = 4;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
@ -3248,12 +3246,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* Generate EC private key for ECDHE exchange. * Generate EC private key for ECDHE exchange.
*/ */
/* Allocate a new key slot for the private key. */
status = psa_allocate_key( &handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
/* The master secret is obtained from the shared ECDH secret by /* The master secret is obtained from the shared ECDH secret by
* applying the TLS 1.2 PRF with a specific salt and label. While * applying the TLS 1.2 PRF with a specific salt and label. While
* the PSA Crypto API encourages combining key agreement schemes * the PSA Crypto API encourages combining key agreement schemes
@ -3261,19 +3253,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* yet support the provisioning of salt + label to the KDF. * yet support the provisioning of salt + label to the KDF.
* For the time being, we therefore need to split the computation * For the time being, we therefore need to split the computation
* of the ECDH secret and the application of the TLS 1.2 PRF. */ * of the ECDH secret and the application of the TLS 1.2 PRF. */
policy = psa_key_policy_init(); key_attributes = psa_key_attributes_init();
psa_key_policy_set_usage( &policy, psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
PSA_KEY_USAGE_DERIVE, psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); psa_set_key_type( &key_attributes,
status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy ); PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
if( status != PSA_SUCCESS ) );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); psa_set_key_bits( &key_attributes,
PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
/* Generate ECDH private key. */ /* Generate ECDH private key. */
status = psa_generate_key( handshake->ecdh_psa_privkey, status = psa_generate_key( &key_attributes,
PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ), &handshake->ecdh_psa_privkey );
MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
NULL, 0 );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@ -3299,30 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
own_pubkey_ecpoint, own_pubkey_ecpoint_len ); own_pubkey_ecpoint, own_pubkey_ecpoint_len );
content_len = own_pubkey_ecpoint_len + 1; content_len = own_pubkey_ecpoint_len + 1;
/* Compute ECDH shared secret. */
status = psa_key_agreement( &generator,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
/* The ECDH secret is the premaster secret used for key derivation. */ /* The ECDH secret is the premaster secret used for key derivation. */
ssl->handshake->pmslen = /* Compute ECDH shared secret. */
MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve ); status = psa_raw_key_agreement( PSA_ALG_ECDH,
handshake->ecdh_psa_privkey,
status = psa_generator_read( &generator, handshake->ecdh_psa_peerkey,
ssl->handshake->premaster, handshake->ecdh_psa_peerkey_len,
ssl->handshake->pmslen ); ssl->handshake->premaster,
if( status != PSA_SUCCESS ) sizeof( ssl->handshake->premaster ),
{ &ssl->handshake->pmslen );
psa_generator_abort( &generator );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );

View File

@ -630,31 +630,26 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
{ {
psa_status_t status; psa_status_t status;
psa_algorithm_t alg; psa_algorithm_t alg;
psa_key_policy_t policy; psa_key_attributes_t key_attributes;
psa_key_handle_t master_slot; psa_key_handle_t master_slot;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
if( md_type == MBEDTLS_MD_SHA384 ) if( md_type == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
else else
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
policy = psa_key_policy_init(); key_attributes = psa_key_attributes_init();
psa_key_policy_set_usage( &policy, psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
PSA_KEY_USAGE_DERIVE, psa_set_key_algorithm( &key_attributes, alg );
alg ); psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_set_key_policy( master_slot, &policy );
status = psa_import_key( &key_attributes, secret, slen, &master_slot );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen ); status = psa_key_derivation( &derivation,
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
status = psa_key_derivation( &generator,
master_slot, alg, master_slot, alg,
random, rlen, random, rlen,
(unsigned char const *) label, (unsigned char const *) label,
@ -662,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
dlen ); dlen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_read( &generator, dstbuf, dlen ); status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_abort( &generator ); status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
@ -1108,8 +1103,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
/* Perform PSK-to-MS expansion in a single step. */ /* Perform PSK-to-MS expansion in a single step. */
psa_status_t status; psa_status_t status;
psa_algorithm_t alg; psa_algorithm_t alg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
psa_key_handle_t psk; psa_key_handle_t psk;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
@ -1122,26 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
else else
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
status = psa_key_derivation( &generator, psk, alg, status = psa_key_derivation( &derivation, psk, alg,
salt, salt_len, salt, salt_len,
(unsigned char const *) lbl, (unsigned char const *) lbl,
(size_t) strlen( lbl ), (size_t) strlen( lbl ),
master_secret_len ); master_secret_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_read( &generator, session->master, status = psa_key_derivation_output_bytes( &derivation,
master_secret_len ); session->master,
master_secret_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_abort( &generator ); status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }

View File

@ -902,7 +902,7 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t slot = 0; psa_key_handle_t slot = 0;
psa_algorithm_t alg = 0; psa_algorithm_t alg = 0;
psa_key_policy_t policy; psa_key_attributes_t key_attributes;
psa_status_t status; psa_status_t status;
#endif #endif
@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 ) if( opt.psk_opaque != 0 )
{ {
/* The algorithm has already been determined earlier. */ key_attributes = psa_key_attributes_init();
status = psa_allocate_key( &slot ); psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
if( status != PSA_SUCCESS ) psa_set_key_algorithm( &key_attributes, alg );
{ psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
policy = psa_key_policy_init(); status = psa_import_key( &key_attributes, psk, psk_len, &slot );
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
status = psa_set_key_policy( slot, &policy );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;

View File

@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd,
} }
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot, static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot,
psa_algorithm_t alg, psa_algorithm_t alg,
unsigned char *psk, unsigned char *psk,
size_t psk_len ) size_t psk_len )
{ {
psa_status_t status; psa_status_t status;
psa_key_policy_t policy; psa_key_attributes_t key_attributes;
policy = psa_key_policy_init(); key_attributes = psa_key_attributes_init();
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg ); psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_set_key_policy( slot, &policy ); status = psa_import_key( &key_attributes, psk, psk_len, slot );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "POLICY\n" );
return( status );
}
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
fprintf( stderr, "IMPORT\n" ); fprintf( stderr, "IMPORT\n" );
@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 ) if( opt.psk_opaque != 0 )
{ {
status = psa_allocate_key( &psk_slot );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "ALLOC FAIL\n" );
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
/* The algorithm has already been determined earlier. */ /* The algorithm has already been determined earlier. */
status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len ); status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
fprintf( stderr, "SETUP FAIL\n" ); fprintf( stderr, "SETUP FAIL\n" );
@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] )
psk_entry *cur_psk; psk_entry *cur_psk;
for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next ) for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
{ {
status = psa_allocate_key( &cur_psk->slot );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
status = psa_setup_psk_key_slot( cur_psk->slot, alg, status = psa_setup_psk_key_slot( &cur_psk->slot, alg,
cur_psk->key, cur_psk->key,
cur_psk->key_len ); cur_psk->key_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )

View File

@ -238,6 +238,7 @@
<ClCompile Include="..\..\crypto\library\platform_util.c" /> <ClCompile Include="..\..\crypto\library\platform_util.c" />
<ClCompile Include="..\..\crypto\library\poly1305.c" /> <ClCompile Include="..\..\crypto\library\poly1305.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto.c" /> <ClCompile Include="..\..\crypto\library\psa_crypto.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_se.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_slot_management.c" /> <ClCompile Include="..\..\crypto\library\psa_crypto_slot_management.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_storage.c" /> <ClCompile Include="..\..\crypto\library\psa_crypto_storage.c" />
<ClCompile Include="..\..\crypto\library\psa_its_file.c" /> <ClCompile Include="..\..\crypto\library\psa_its_file.c" />