diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 5fa7966d9..56bb0035f 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -1,7 +1,7 @@ /* * Functions to delegate cryptographic operations to an available * and appropriate accelerator. - * Warning: auto-generated file. + * Warning: This file will be auto-generated in the future. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -27,20 +27,26 @@ /* Include test driver definition when running tests */ #if defined(PSA_CRYPTO_DRIVER_TEST) -#undef PSA_CRYPTO_DRIVER_PRESENT +#ifndef PSA_CRYPTO_DRIVER_PRESENT #define PSA_CRYPTO_DRIVER_PRESENT -#undef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#endif +#ifndef PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT #define PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT +#endif #include "drivers/test_driver.h" #endif /* PSA_CRYPTO_DRIVER_TEST */ -/* Include driver definition file for each registered driver here */ +/* Repeat above block for each JSON-declared driver during autogeneration */ + #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ /* Support the 'old' SE interface when asked to */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#undef PSA_CRYPTO_DRIVER_PRESENT +/* PSA_CRYPTO_DRIVER_PRESENT is defined when either a new-style or old-style + * SE driver is present, to avoid unused argument errors at compile time. */ +#ifndef PSA_CRYPTO_DRIVER_PRESENT #define PSA_CRYPTO_DRIVER_PRESENT +#endif #include "psa_crypto_se.h" #endif @@ -65,7 +71,7 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, drv->asymmetric->p_sign == NULL ) { /* Key is defined in SE, but we have no way to exercise it */ - return PSA_ERROR_INVALID_ARGUMENT; + return( PSA_ERROR_NOT_SUPPORTED ); } return( drv->asymmetric->p_sign( drv_context, slot->data.se.slot_number, @@ -101,10 +107,10 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, signature_length ); /* Declared with fallback == true */ if( status != PSA_ERROR_NOT_SUPPORTED ) - return status; + return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ /* Fell through, meaning no accelerator supports this operation */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TEST_DRIVER_LIFETIME: @@ -120,10 +126,10 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, #endif /* PSA_CRYPTO_DRIVER_TEST */ default: /* Key is declared with a lifetime not known to us */ - return status; + return( status ); } #else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* PSA_CRYPTO_DRIVER_PRESENT */ (void)slot; @@ -134,7 +140,7 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, (void)signature_size; (void)signature_length; - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_DRIVER_PRESENT */ } @@ -157,7 +163,7 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, drv->asymmetric->p_verify == NULL ) { /* Key is defined in SE, but we have no way to exercise it */ - return PSA_ERROR_INVALID_ARGUMENT; + return( PSA_ERROR_NOT_SUPPORTED ); } return( drv->asymmetric->p_verify( drv_context, slot->data.se.slot_number, @@ -191,10 +197,10 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, signature_length ); /* Declared with fallback == true */ if( status != PSA_ERROR_NOT_SUPPORTED ) - return status; + return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ /* Fell through, meaning no accelerator supports this operation */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TEST_DRIVER_LIFETIME: @@ -209,10 +215,10 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, #endif /* PSA_CRYPTO_DRIVER_TEST */ default: /* Key is declared with a lifetime not known to us */ - return status; + return( status ); } #else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* PSA_CRYPTO_DRIVER_PRESENT */ (void)slot; @@ -222,56 +228,45 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, (void)signature; (void)signature_length; - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_DRIVER_PRESENT */ } #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) +/** Calculate the size to allocate for buffering a key with given attributes. + * + * This function provides a way to get the expected size for storing a key with + * the given attributes. This will be the size of the export representation for + * cleartext keys, and a driver-defined size for keys stored by opaque drivers. + * + * \param[in] attributes The key attribute structure of the key to store. + * \param[out] expected_size On success, a byte size large enough to contain + * the declared key. + * + * \retval #PSA_SUCCESS + * \retval #PSA_ERROR_NOT_SUPPORTED + */ static psa_status_t get_expected_key_size( const psa_key_attributes_t *attributes, size_t *expected_size ) { + size_t buffer_size = 0; if( PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ) == PSA_KEY_LOCATION_LOCAL_STORAGE ) { - if( PSA_KEY_TYPE_IS_UNSTRUCTURED( attributes->core.type ) ) - { - *expected_size = PSA_BITS_TO_BYTES( attributes->core.bits ); - return PSA_SUCCESS; - } + buffer_size = PSA_KEY_EXPORT_MAX_SIZE( attributes->core.type, + attributes->core.bits ); - if( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) ) - { - if( PSA_KEY_TYPE_IS_KEY_PAIR( attributes->core.type ) ) - { - *expected_size = PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE( attributes->core.bits ); - return PSA_SUCCESS; - } - else - { - *expected_size = PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE( attributes->core.bits ); - return PSA_SUCCESS; - } - } + if( buffer_size == 0 ) + return( PSA_ERROR_NOT_SUPPORTED ); - if( PSA_KEY_TYPE_IS_RSA( attributes->core.type ) ) - { - if( PSA_KEY_TYPE_IS_KEY_PAIR( attributes->core.type ) ) - { - *expected_size = PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE( attributes->core.bits ); - return PSA_SUCCESS; - } - else - { - *expected_size = PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE( attributes->core.bits ); - return PSA_SUCCESS; - } - } - - return PSA_ERROR_NOT_SUPPORTED; + *expected_size = buffer_size; + return( PSA_SUCCESS ); } else { - /* TBD: opaque driver support, need to calculate size through driver-defined size function */ - return PSA_ERROR_NOT_SUPPORTED; + /* TBD: opaque driver support: need to calculate size through a + * driver-defined size function, since the size of an opaque (wrapped) + * key will be different for each implementation. */ + return( PSA_ERROR_NOT_SUPPORTED ); } } #endif /* PSA_CRYPTO_DRIVER_PRESENT */ @@ -292,7 +287,7 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib drv->key_management->p_generate == NULL ) { /* Key is defined as being in SE, but we have no way to generate it */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); } return( drv->key_management->p_generate( drv_context, @@ -309,11 +304,11 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib status = get_expected_key_size( attributes, &export_size ); if( status != PSA_SUCCESS ) - return status; + return( status ); slot->data.key.data = mbedtls_calloc(1, export_size); if( slot->data.key.data == NULL ) - return PSA_ERROR_INSUFFICIENT_MEMORY; + return( PSA_ERROR_INSUFFICIENT_MEMORY ); slot->data.key.bytes = export_size; switch( location ) @@ -365,13 +360,13 @@ psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attrib return( status ); #else /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* PSA_CRYPTO_DRIVER_PRESENT */ (void) attributes; (void) slot; - return PSA_ERROR_NOT_SUPPORTED; + return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_DRIVER_PRESENT */ } diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index f0b5db09f..42993792a 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -1,7 +1,7 @@ /* * Function signatures for functionality that can be provided by * cryptographic accelerators. - * Warning: auto-generated file. + * Warning: This file will be auto-generated in the future. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 diff --git a/tests/include/drivers/keygen.h b/tests/include/drivers/keygen.h index f0eb56915..af1f49985 100644 --- a/tests/include/drivers/keygen.h +++ b/tests/include/drivers/keygen.h @@ -1,5 +1,5 @@ /* - * Test driver for signature functions + * Test driver for generating keys. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 diff --git a/tests/include/drivers/signature.h b/tests/include/drivers/signature.h index 900f0c8bb..1506bac70 100644 --- a/tests/include/drivers/signature.h +++ b/tests/include/drivers/signature.h @@ -1,5 +1,5 @@ /* - * Test driver for signature functions + * Test driver for signature functions. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 diff --git a/tests/src/drivers/keygen.c b/tests/src/drivers/keygen.c index 4f30f0efc..a21ec27ce 100644 --- a/tests/src/drivers/keygen.c +++ b/tests/src/drivers/keygen.c @@ -1,5 +1,6 @@ /* - * Test driver for signature functions + * Test driver for generating keys. + * Currently only supports generating ECC keys. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -63,11 +64,12 @@ psa_status_t test_transparent_generate_key( /* Copied from psa_crypto.c */ #if defined(MBEDTLS_ECP_C) - if ( PSA_KEY_TYPE_IS_ECC( attributes->core.type ) && PSA_KEY_TYPE_IS_KEY_PAIR( attributes->core.type ) ) + if ( PSA_KEY_TYPE_IS_ECC( psa_get_key_type( attributes ) ) + && PSA_KEY_TYPE_IS_KEY_PAIR( psa_get_key_type( attributes ) ) ) { - psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( attributes->core.type ); + psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( psa_get_key_type( attributes ) ); mbedtls_ecp_group_id grp_id = - mbedtls_ecc_group_of_psa( curve, PSA_BITS_TO_BYTES( attributes->core.bits ) ); + mbedtls_ecc_group_of_psa( curve, PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) ) ); const mbedtls_ecp_curve_info *curve_info = mbedtls_ecp_curve_info_from_grp_id( grp_id ); mbedtls_ecp_keypair ecp; @@ -79,7 +81,7 @@ psa_status_t test_transparent_generate_key( return( PSA_ERROR_NOT_SUPPORTED ); if( grp_id == MBEDTLS_ECP_DP_NONE || curve_info == NULL ) return( PSA_ERROR_NOT_SUPPORTED ); - if( curve_info->bit_size != attributes->core.bits ) + if( curve_info->bit_size != psa_get_key_bits( attributes ) ) return( PSA_ERROR_INVALID_ARGUMENT ); mbedtls_ecp_keypair_init( &ecp ); ret = mbedtls_ecp_gen_key( grp_id, &ecp, @@ -92,7 +94,7 @@ psa_status_t test_transparent_generate_key( } /* Make sure to use export representation */ - size_t bytes = PSA_BITS_TO_BYTES( attributes->core.bits ); + size_t bytes = PSA_BITS_TO_BYTES( psa_get_key_bits( attributes ) ); if( key_size < bytes ) { mbedtls_ecp_keypair_free( &ecp ); diff --git a/tests/src/drivers/signature.c b/tests/src/drivers/signature.c index 04c5de4a2..d1a600928 100644 --- a/tests/src/drivers/signature.c +++ b/tests/src/drivers/signature.c @@ -1,5 +1,7 @@ /* - * Test driver for signature functions + * Test driver for signature functions. + * Currently supports signing and verifying precalculated hashes, using + * only deterministic ECDSA on curves secp256r1, secp384r1 and secp521r1. */ /* Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -130,10 +132,7 @@ psa_status_t test_transparent_signature_sign_hash( signature + curve_bytes, curve_bytes ) ); cleanup: - /* There's no easy way to translate the error code except through a - * library function that's not exported. Use a debugger. */ - if( ret == 0 ) - status = PSA_SUCCESS; + status = mbedtls_to_psa_error( ret ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s ); mbedtls_ecp_keypair_free( &ecp ); @@ -258,10 +257,7 @@ psa_status_t test_transparent_signature_verify_hash( MBEDTLS_MPI_CHK( mbedtls_ecdsa_verify( &ecp.grp, hash, hash_length, &ecp.Q, &r, &s ) ); cleanup: - /* There's no easy way to translate the error code except through a - * library function that's not exported. Use a debugger. */ - if( ret == 0 ) - status = PSA_SUCCESS; + status = mbedtls_to_psa_error( ret ); mbedtls_mpi_free( &r ); mbedtls_mpi_free( &s ); mbedtls_ecp_keypair_free( &ecp );