From 3d158ebd2f4c4f07d80a025462d6bea7b14efa47 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:39:25 +0100 Subject: [PATCH 01/15] Update KEYPAIR macros to PSA 1.0 --- library/ssl_cli.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index f1bf7046a..41e19ebf5 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3271,7 +3271,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) /* Generate ECDH private key. */ status = psa_generate_key( handshake->ecdh_psa_privkey, - PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ), + PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ), MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ), NULL, 0 ); if( status != PSA_SUCCESS ) From 7374ee6139cda1e820d9279a311f56d4ea822333 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:43:12 +0100 Subject: [PATCH 02/15] Update GENERATOR_INIT macro to PSA 1.0 --- library/ssl_cli.c | 3 ++- library/ssl_tls.c | 4 ++-- 2 files changed, 4 insertions(+), 3 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 41e19ebf5..36153a977 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3238,7 +3238,8 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) unsigned char *own_pubkey_ecpoint; size_t own_pubkey_ecpoint_len; - psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + psa_key_derivation_operation_t generator = + PSA_KEY_DERIVATION_OPERATION_INIT; header_len = 4; diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d04fa9bd7..3f9818cd2 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -632,7 +632,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_algorithm_t alg; psa_key_policy_t policy; psa_key_handle_t master_slot; - psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + psa_crypto_generator_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -1108,7 +1108,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) /* Perform PSK-to-MS expansion in a single step. */ psa_status_t status; psa_algorithm_t alg; - psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; + psa_crypto_generator_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; psa_key_handle_t psk; MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) ); From 7d7ded85fbbede074c5956b4f1bfd6ad67c73105 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:47:23 +0100 Subject: [PATCH 03/15] Update psa_key_agreement to PSA 1.0 --- library/ssl_cli.c | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 36153a977..882dc711a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3301,11 +3301,12 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) content_len = own_pubkey_ecpoint_len + 1; /* Compute ECDH shared secret. */ - status = psa_key_agreement( &generator, - handshake->ecdh_psa_privkey, - handshake->ecdh_psa_peerkey, - handshake->ecdh_psa_peerkey_len, - PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); + status = psa_key_derivation_key_agreement( + &generator, + handshake->ecdh_psa_privkey, + handshake->ecdh_psa_peerkey, + handshake->ecdh_psa_peerkey_len, + PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From 8dee877e8ae05399f791cbd4edb6d87d24407ae9 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:53:32 +0100 Subject: [PATCH 04/15] Update psa_crypto_generator_t to PSA 1.0 --- library/ssl_tls.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 3f9818cd2..465ca0605 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -632,7 +632,8 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_algorithm_t alg; psa_key_policy_t policy; psa_key_handle_t master_slot; - psa_crypto_generator_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; + psa_key_derivation_operation_t generator = + PSA_KEY_DERIVATION_OPERATION_INIT; if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -1108,8 +1109,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) /* Perform PSK-to-MS expansion in a single step. */ psa_status_t status; psa_algorithm_t alg; - psa_crypto_generator_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; psa_key_handle_t psk; + psa_key_derivation_operation_t generator = + PSA_KEY_DERIVATION_OPERATION_INIT; MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) ); From 6de99db44971e30c8b25a81dabee17d87db30b4e Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:55:06 +0100 Subject: [PATCH 05/15] Update psa_generator_read to PSA 1.0 --- library/ssl_cli.c | 6 +++--- library/ssl_tls.c | 7 ++++--- 2 files changed, 7 insertions(+), 6 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 882dc711a..e69aa2749 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3315,9 +3315,9 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ssl->handshake->pmslen = MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve ); - status = psa_generator_read( &generator, - ssl->handshake->premaster, - ssl->handshake->pmslen ); + status = psa_key_derivation_output_bytes( &generator, + ssl->handshake->premaster, + ssl->handshake->pmslen ); if( status != PSA_SUCCESS ) { psa_generator_abort( &generator ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 465ca0605..4b36c4c29 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -668,7 +668,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_read( &generator, dstbuf, dlen ); + status = psa_key_derivation_output_bytes( &generator, dstbuf, dlen ); if( status != PSA_SUCCESS ) { psa_generator_abort( &generator ); @@ -1135,8 +1135,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_read( &generator, session->master, - master_secret_len ); + status = psa_key_derivation_output_bytes( &generator, + session->master, + master_secret_len ); if( status != PSA_SUCCESS ) { psa_generator_abort( &generator ); From bd096101b5fb292642b15a0255800dc6f3664f17 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 12:57:15 +0100 Subject: [PATCH 06/15] Update psa_generator_abort to PSA 1.0 --- library/ssl_cli.c | 4 ++-- library/ssl_tls.c | 12 ++++++------ 2 files changed, 8 insertions(+), 8 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index e69aa2749..46456c14a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3320,11 +3320,11 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ssl->handshake->pmslen ); if( status != PSA_SUCCESS ) { - psa_generator_abort( &generator ); + psa_key_derivation_abort( &generator ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_abort( &generator ); + status = psa_key_derivation_abort( &generator ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 4b36c4c29..944907d4c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -663,7 +663,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, dlen ); if( status != PSA_SUCCESS ) { - psa_generator_abort( &generator ); + psa_key_derivation_abort( &generator ); psa_destroy_key( master_slot ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } @@ -671,12 +671,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, status = psa_key_derivation_output_bytes( &generator, dstbuf, dlen ); if( status != PSA_SUCCESS ) { - psa_generator_abort( &generator ); + psa_key_derivation_abort( &generator ); psa_destroy_key( master_slot ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_abort( &generator ); + status = psa_key_derivation_abort( &generator ); if( status != PSA_SUCCESS ) { psa_destroy_key( master_slot ); @@ -1131,7 +1131,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) master_secret_len ); if( status != PSA_SUCCESS ) { - psa_generator_abort( &generator ); + psa_key_derivation_abort( &generator ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } @@ -1140,11 +1140,11 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) master_secret_len ); if( status != PSA_SUCCESS ) { - psa_generator_abort( &generator ); + psa_key_derivation_abort( &generator ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_generator_abort( &generator ); + status = psa_key_derivation_abort( &generator ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } From ed73b04c6ecc67c9ab47246d7669313cb4dede78 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 13:51:41 +0100 Subject: [PATCH 07/15] Update psa_import_key to PSA 1.0 --- library/ssl_tls.c | 15 ++++++--------- 1 file changed, 6 insertions(+), 9 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 944907d4c..8f384c4dd 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -630,7 +630,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, { psa_status_t status; psa_algorithm_t alg; - psa_key_policy_t policy; + psa_key_attributes_t attributes; psa_key_handle_t master_slot; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; @@ -643,15 +643,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, else alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); - policy = psa_key_policy_init(); - psa_key_policy_set_usage( &policy, - PSA_KEY_USAGE_DERIVE, - alg ); - status = psa_set_key_policy( master_slot, &policy ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); - status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen ); + status = psa_import_key( &attributes, secret, slen, &master_slot ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From 7bb5e6b4da24da3a9f5e688b2e85d3ae9b1238b1 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 30 Jul 2019 13:52:24 +0100 Subject: [PATCH 08/15] Update psa_create_key to PSA 1.0 --- library/ssl_cli.c | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 46456c14a..137a82d2a 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) { psa_status_t status; - psa_key_policy_t policy; + psa_key_attributes_t attributes; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -3262,19 +3262,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * yet support the provisioning of salt + label to the KDF. * For the time being, we therefore need to split the computation * of the ECDH secret and the application of the TLS 1.2 PRF. */ - policy = psa_key_policy_init(); - psa_key_policy_set_usage( &policy, - PSA_KEY_USAGE_DERIVE, - PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); - status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); + attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &attributes, + PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); + psa_set_key_type( &attributes, + PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ) + ); + psa_set_key_bits( &key_attributes, + PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) ); /* Generate ECDH private key. */ - status = psa_generate_key( handshake->ecdh_psa_privkey, - PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ), - MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ), - NULL, 0 ); + status = psa_generate_key( &attributes, handshake->ecdh_psa_privkey ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From 53b8ec27a22e12bf86ce338483774dfd1818679b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Aug 2019 10:28:27 +0100 Subject: [PATCH 09/15] Make variable naming consistent --- library/ssl_cli.c | 13 +++++++------ library/ssl_tls.c | 12 ++++++------ 2 files changed, 13 insertions(+), 12 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 137a82d2a..3675443cc 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA ) { psa_status_t status; - psa_key_attributes_t attributes; + psa_key_attributes_t key_attributes; mbedtls_ssl_handshake_params *handshake = ssl->handshake; @@ -3262,18 +3262,19 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * yet support the provisioning of salt + label to the KDF. * For the time being, we therefore need to split the computation * of the ECDH secret and the application of the TLS 1.2 PRF. */ - attributes = psa_key_attributes_init(); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &attributes, + key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); - psa_set_key_type( &attributes, + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ) ); psa_set_key_bits( &key_attributes, PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) ); /* Generate ECDH private key. */ - status = psa_generate_key( &attributes, handshake->ecdh_psa_privkey ); + status = psa_generate_key( &key_attributes, + handshake->ecdh_psa_privkey ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 8f384c4dd..bf402757b 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -630,7 +630,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, { psa_status_t status; psa_algorithm_t alg; - psa_key_attributes_t attributes; + psa_key_attributes_t key_attributes; psa_key_handle_t master_slot; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; @@ -643,12 +643,12 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, else alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256); - attributes = psa_key_attributes_init(); - psa_set_key_usage_flags( &attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); + key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, alg ); + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); - status = psa_import_key( &attributes, secret, slen, &master_slot ); + status = psa_import_key( &key_attributes, secret, slen, &master_slot ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From 1239d70870e1e73a9b921e8a71b654adf2978f1a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Aug 2019 10:33:26 +0100 Subject: [PATCH 10/15] Remove calls to psa_allocate_key In PSA 1.0 keys are allocated implicitly by other functions (like psa_import_key) and psa_allocate_key is not needed and does not exist anymore. --- library/ssl_cli.c | 6 ------ library/ssl_tls.c | 3 --- 2 files changed, 9 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 3675443cc..4a466ea35 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3249,12 +3249,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * Generate EC private key for ECDHE exchange. */ - /* Allocate a new key slot for the private key. */ - - status = psa_allocate_key( &handshake->ecdh_psa_privkey ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - /* The master secret is obtained from the shared ECDH secret by * applying the TLS 1.2 PRF with a specific salt and label. While * the PSA Crypto API encourages combining key agreement schemes diff --git a/library/ssl_tls.c b/library/ssl_tls.c index bf402757b..d6024778a 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -635,9 +635,6 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT; - if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - if( md_type == MBEDTLS_MD_SHA384 ) alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384); else From df3b0892ce2f5aea104750b62823c74fb67da7be Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Aug 2019 11:12:24 +0100 Subject: [PATCH 11/15] Use psa_raw_key_agreement In PSA 1.0 raw key agreement has been moved from psa_key_derivation_key_agreement() to its own separate function call, called psa_raw_key_agreement(). --- library/ssl_cli.c | 39 ++++++++++----------------------------- 1 file changed, 10 insertions(+), 29 deletions(-) diff --git a/library/ssl_cli.c b/library/ssl_cli.c index 4a466ea35..f403aa036 100644 --- a/library/ssl_cli.c +++ b/library/ssl_cli.c @@ -3238,9 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) unsigned char *own_pubkey_ecpoint; size_t own_pubkey_ecpoint_len; - psa_key_derivation_operation_t generator = - PSA_KEY_DERIVATION_OPERATION_INIT; - header_len = 4; MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) ); @@ -3258,8 +3255,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) * of the ECDH secret and the application of the TLS 1.2 PRF. */ key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); - psa_set_key_algorithm( &key_attributes, - PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); + psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH ); psa_set_key_type( &key_attributes, PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve ) ); @@ -3268,7 +3264,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) /* Generate ECDH private key. */ status = psa_generate_key( &key_attributes, - handshake->ecdh_psa_privkey ); + &handshake->ecdh_psa_privkey ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); @@ -3294,31 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl ) own_pubkey_ecpoint, own_pubkey_ecpoint_len ); content_len = own_pubkey_ecpoint_len + 1; - /* Compute ECDH shared secret. */ - status = psa_key_derivation_key_agreement( - &generator, - handshake->ecdh_psa_privkey, - handshake->ecdh_psa_peerkey, - handshake->ecdh_psa_peerkey_len, - PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) ); - if( status != PSA_SUCCESS ) - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - /* The ECDH secret is the premaster secret used for key derivation. */ - ssl->handshake->pmslen = - MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve ); - - status = psa_key_derivation_output_bytes( &generator, - ssl->handshake->premaster, - ssl->handshake->pmslen ); - if( status != PSA_SUCCESS ) - { - psa_key_derivation_abort( &generator ); - return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - } - - status = psa_key_derivation_abort( &generator ); + /* Compute ECDH shared secret. */ + status = psa_raw_key_agreement( PSA_ALG_ECDH, + handshake->ecdh_psa_privkey, + handshake->ecdh_psa_peerkey, + handshake->ecdh_psa_peerkey_len, + ssl->handshake->premaster, + sizeof( ssl->handshake->premaster ), + &ssl->handshake->pmslen ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); From be4efc2b38e3f6218de1ea1a71f06e979e0f0326 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Aug 2019 11:38:18 +0100 Subject: [PATCH 12/15] Move the examples to PSA 1.0 --- programs/ssl/ssl_client2.c | 25 ++++++------------------- programs/ssl/ssl_server2.c | 37 +++++++++---------------------------- 2 files changed, 15 insertions(+), 47 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 4221159d4..f8d84f959 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -902,7 +902,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_handle_t slot = 0; psa_algorithm_t alg = 0; - psa_key_policy_t policy; + psa_key_attributes_t key_attributes; psa_status_t status; #endif @@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opt.psk_opaque != 0 ) { - /* The algorithm has already been determined earlier. */ - status = psa_allocate_key( &slot ); - if( status != PSA_SUCCESS ) - { - ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - goto exit; - } + key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, alg ); + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); - policy = psa_key_policy_init(); - psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg ); - - status = psa_set_key_policy( slot, &policy ); - if( status != PSA_SUCCESS ) - { - ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - goto exit; - } - - status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len ); + status = psa_import_key( &key_attributes, psk, psk_len, &slot ); if( status != PSA_SUCCESS ) { ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index bbe93cb47..e8a6cfbe7 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd, } #if defined(MBEDTLS_USE_PSA_CRYPTO) -static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot, +static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot, psa_algorithm_t alg, unsigned char *psk, size_t psk_len ) { psa_status_t status; - psa_key_policy_t policy; + psa_key_attributes_t key_attributes; - policy = psa_key_policy_init(); - psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg ); + key_attributes = psa_key_attributes_init(); + psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE ); + psa_set_key_algorithm( &key_attributes, alg ); + psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE ); - status = psa_set_key_policy( slot, &policy ); - if( status != PSA_SUCCESS ) - { - fprintf( stderr, "POLICY\n" ); - return( status ); - } - - status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len ); + status = psa_import_key( &key_attributes, psk, psk_len, slot ); if( status != PSA_SUCCESS ) { fprintf( stderr, "IMPORT\n" ); @@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_USE_PSA_CRYPTO) if( opt.psk_opaque != 0 ) { - status = psa_allocate_key( &psk_slot ); - if( status != PSA_SUCCESS ) - { - fprintf( stderr, "ALLOC FAIL\n" ); - ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - goto exit; - } - /* The algorithm has already been determined earlier. */ - status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len ); + status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len ); if( status != PSA_SUCCESS ) { fprintf( stderr, "SETUP FAIL\n" ); @@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] ) psk_entry *cur_psk; for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next ) { - status = psa_allocate_key( &cur_psk->slot ); - if( status != PSA_SUCCESS ) - { - ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; - goto exit; - } - status = psa_setup_psk_key_slot( cur_psk->slot, alg, + status = psa_setup_psk_key_slot( &cur_psk->slot, alg, cur_psk->key, cur_psk->key_len ); if( status != PSA_SUCCESS ) From 8e65c502021830bfcaaa6132cce5b72e79083411 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Thu, 8 Aug 2019 15:29:37 +0100 Subject: [PATCH 13/15] Update Visual studio project file Updating the submodule resulted in new header and source files, we need to update the shipped project files too. --- visualc/VS2010/mbedTLS.vcxproj | 1 + 1 file changed, 1 insertion(+) diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 484c93933..8f4f0895a 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -238,6 +238,7 @@ + From edf6d5a02500adc6cc560870bcb5452d49304bc4 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 16 Aug 2019 11:05:43 +0100 Subject: [PATCH 14/15] Update submodule --- crypto | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/crypto b/crypto index 24b8f9f17..89e765569 160000 --- a/crypto +++ b/crypto @@ -1 +1 @@ -Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b +Subproject commit 89e76556910c2704313fe23b174f2742702a3a29 From da6ac019636d9187b01dd3f6dd2f0cfcaaeb3f3b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 16 Aug 2019 13:47:29 +0100 Subject: [PATCH 15/15] Rename local variables --- library/ssl_tls.c | 24 ++++++++++++------------ 1 file changed, 12 insertions(+), 12 deletions(-) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d6024778a..56745e3f5 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -632,7 +632,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, psa_algorithm_t alg; psa_key_attributes_t key_attributes; psa_key_handle_t master_slot; - psa_key_derivation_operation_t generator = + psa_key_derivation_operation_t derivation = PSA_KEY_DERIVATION_OPERATION_INIT; if( md_type == MBEDTLS_MD_SHA384 ) @@ -649,7 +649,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); - status = psa_key_derivation( &generator, + status = psa_key_derivation( &derivation, master_slot, alg, random, rlen, (unsigned char const *) label, @@ -657,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, dlen ); if( status != PSA_SUCCESS ) { - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &derivation ); psa_destroy_key( master_slot ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_key_derivation_output_bytes( &generator, dstbuf, dlen ); + status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen ); if( status != PSA_SUCCESS ) { - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &derivation ); psa_destroy_key( master_slot ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_key_derivation_abort( &generator ); + status = psa_key_derivation_abort( &derivation ); if( status != PSA_SUCCESS ) { psa_destroy_key( master_slot ); @@ -1104,7 +1104,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) psa_status_t status; psa_algorithm_t alg; psa_key_handle_t psk; - psa_key_derivation_operation_t generator = + psa_key_derivation_operation_t derivation = PSA_KEY_DERIVATION_OPERATION_INIT; MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) ); @@ -1118,27 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl ) else alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); - status = psa_key_derivation( &generator, psk, alg, + status = psa_key_derivation( &derivation, psk, alg, salt, salt_len, (unsigned char const *) lbl, (size_t) strlen( lbl ), master_secret_len ); if( status != PSA_SUCCESS ) { - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &derivation ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_key_derivation_output_bytes( &generator, + status = psa_key_derivation_output_bytes( &derivation, session->master, master_secret_len ); if( status != PSA_SUCCESS ) { - psa_key_derivation_abort( &generator ); + psa_key_derivation_abort( &derivation ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); } - status = psa_key_derivation_abort( &generator ); + status = psa_key_derivation_abort( &derivation ); if( status != PSA_SUCCESS ) return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); }