From 9f17aa48c2fae215c3edd8238d7a1f7b35185b6b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 8 Dec 2020 17:07:25 +0100 Subject: [PATCH] psa: Change psa_driver_wrapper_sign/verify_hash signature Change psa_driver_wrapper_sign/verify_hash signature to that of a sign/verify_hash driver entry point. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 37 ++++++----- library/psa_crypto_driver_wrappers.c | 92 +++++++++++++--------------- library/psa_crypto_driver_wrappers.h | 23 +++---- 3 files changed, 72 insertions(+), 80 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fb97b699c..b40be0714 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3449,22 +3449,21 @@ psa_status_t psa_sign_hash( mbedtls_svc_key_id_t key, goto exit; } + psa_key_attributes_t attributes = { + .core = slot->attr + }; + /* Try any of the available accelerators first */ - status = psa_driver_wrapper_sign_hash( slot, - alg, - hash, - hash_length, - signature, - signature_size, - signature_length ); + status = psa_driver_wrapper_sign_hash( + &attributes, slot->key.data, slot->key.bytes, + alg, hash, hash_length, + signature, signature_size, signature_length ); + if( status != PSA_ERROR_NOT_SUPPORTED || psa_key_lifetime_is_external( slot->attr.lifetime ) ) goto exit; /* If the operation was not supported by any accelerator, try fallback. */ - psa_key_attributes_t attributes = { - .core = slot->attr - }; status = psa_sign_hash_internal( &attributes, slot->key.data, slot->key.bytes, alg, hash, hash_length, 
@@ -3575,20 +3574,20 @@ psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key, if( status != PSA_SUCCESS ) return( status ); + psa_key_attributes_t attributes = { + .core = slot->attr + }; + /* Try any of the available accelerators first */ - status = psa_driver_wrapper_verify_hash( slot, - alg, - hash, - hash_length, - signature, - signature_length ); + status = psa_driver_wrapper_verify_hash( + &attributes, slot->key.data, slot->key.bytes, + alg, hash, hash_length, + signature, signature_length ); + if( status != PSA_ERROR_NOT_SUPPORTED || psa_key_lifetime_is_external( slot->attr.lifetime ) ) goto exit; - psa_key_attributes_t attributes = { - .core = slot->attr - }; status = psa_verify_hash_internal( &attributes, slot->key.data, slot->key.bytes, alg, hash, hash_length, diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 3cb75576e..759708075 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -57,21 +57,21 @@ #endif /* Start delegation functions */ -psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - uint8_t *signature, - size_t signature_size, - size_t *signature_length ) +psa_status_t psa_driver_wrapper_sign_hash( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, + uint8_t *signature, size_t signature_size, size_t *signature_length ) { + (void)key_buffer_size; + #if defined(PSA_CRYPTO_DRIVER_PRESENT) /* Try dynamically-registered SE interface first */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) { if( drv->asymmetric == NULL || drv->asymmetric->p_sign == NULL ) 
@@ -79,22 +79,18 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, /* Key is defined in SE, but we have no way to exercise it */ return( PSA_ERROR_NOT_SUPPORTED ); } - return( drv->asymmetric->p_sign( drv_context, - psa_key_slot_get_slot_number( slot ), - alg, - hash, hash_length, - signature, signature_size, - signature_length ) ); + return( drv->asymmetric->p_sign( + drv_context, *( (psa_key_slot_number_t *)key_buffer ), + alg, hash, hash_length, + signature, signature_size, signature_length ) ); } #endif /* PSA_CRYPTO_SE_C */ /* Then try accelerator API */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; - psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime); - psa_key_attributes_t attributes = { - .core = slot->attr - }; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); switch( location ) { @@ -102,9 +98,9 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_DRIVER_TEST) - status = test_transparent_signature_sign_hash( &attributes, - slot->key.data, - slot->key.bytes, + status = test_transparent_signature_sign_hash( attributes, + key_buffer, + key_buffer_size, alg, hash, hash_length, @@ -120,9 +116,9 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TEST_DRIVER_LIFETIME: - return( test_opaque_signature_sign_hash( &attributes, - slot->key.data, - slot->key.bytes, + return( test_opaque_signature_sign_hash( attributes, + key_buffer, + key_buffer_size, alg, hash, hash_length, 
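Review bot: The secure-element branch dereferences `*( (psa_key_slot_number_t *)key_buffer )` without ever consulting `key_buffer_size`, which the earlier hunk of this function discards with `(void)key_buffer_size;`. The cast also drops `const` and reads a wider integer type through a `uint8_t` pointer, so it depends on every caller passing a suitably aligned buffer of at least `sizeof( psa_key_slot_number_t )` bytes, and nothing visible in this patch enforces that. Checking the size and copying the slot number into a local with `memcpy` makes that contract explicit; this assumes `<string.h>` is already included in the file, which the hunk does not show. The same pattern appears in the `p_verify` call in the hunk at `@@ -171,21 +169,18 @@`. The enclosing `if( psa_get_se_driver( ... ) )` opens outside this hunk.

```c
        /* … unchanged: p_sign availability check returning PSA_ERROR_NOT_SUPPORTED … */
        psa_key_slot_number_t slot_number;
        if( key_buffer_size < sizeof( slot_number ) )
            return( PSA_ERROR_INVALID_ARGUMENT );
        /* Copy out instead of casting: a uint8_t buffer carries no alignment guarantee. */
        memcpy( &slot_number, key_buffer, sizeof( slot_number ) );
        return( drv->asymmetric->p_sign(
                    drv_context, slot_number,
                    alg, hash, hash_length,
                    signature, signature_size, signature_length ) );
```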
@@ -138,7 +134,8 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* PSA_CRYPTO_DRIVER_PRESENT */ - (void)slot; + (void)attributes; + (void)key_buffer; (void)alg; (void)hash; (void)hash_length; @@ -150,20 +147,21 @@ psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, #endif /* PSA_CRYPTO_DRIVER_PRESENT */ } -psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, - size_t signature_length ) +psa_status_t psa_driver_wrapper_verify_hash( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length ) { + (void)key_buffer_size; + #if defined(PSA_CRYPTO_DRIVER_PRESENT) /* Try dynamically-registered SE interface first */ #if defined(MBEDTLS_PSA_CRYPTO_SE_C) const psa_drv_se_t *drv; psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) + if( psa_get_se_driver( attributes->core.lifetime, &drv, &drv_context ) ) { if( drv->asymmetric == NULL || drv->asymmetric->p_verify == NULL ) 
@@ -171,21 +169,18 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, /* Key is defined in SE, but we have no way to exercise it */ return( PSA_ERROR_NOT_SUPPORTED ); } - return( drv->asymmetric->p_verify( drv_context, - psa_key_slot_get_slot_number( slot ), - alg, - hash, hash_length, - signature, signature_length ) ); + return( drv->asymmetric->p_verify( + drv_context, *( (psa_key_slot_number_t *)key_buffer ), + alg, hash, hash_length, + signature, signature_length ) ); } #endif /* PSA_CRYPTO_SE_C */ /* Then try accelerator API */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) psa_status_t status = PSA_ERROR_INVALID_ARGUMENT; - psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION(slot->attr.lifetime); - psa_key_attributes_t attributes = { - .core = slot->attr - }; + psa_key_location_t location = + PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime ); switch( location ) { @@ -193,9 +188,9 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, /* Key is stored in the slot in export representation, so * cycle through all known transparent accelerators */ #if defined(PSA_CRYPTO_DRIVER_TEST) - status = test_transparent_signature_verify_hash( &attributes, - slot->key.data, - slot->key.bytes, + status = test_transparent_signature_verify_hash( attributes, + key_buffer, + key_buffer_size, alg, hash, hash_length, @@ -210,9 +205,9 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TEST_DRIVER_LIFETIME: - return( test_opaque_signature_verify_hash( &attributes, - slot->key.data, - slot->key.bytes, + return( test_opaque_signature_verify_hash( attributes, + key_buffer, + key_buffer_size, alg, hash, hash_length, 
@@ -227,7 +222,8 @@ psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, return( PSA_ERROR_NOT_SUPPORTED ); #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ #else /* PSA_CRYPTO_DRIVER_PRESENT */ - (void)slot; + (void)attributes; + (void)key_buffer; (void)alg; (void)hash; (void)hash_length; diff --git a/library/psa_crypto_driver_wrappers.h b/library/psa_crypto_driver_wrappers.h index ad16cddea..22d22d61c 100644 --- a/library/psa_crypto_driver_wrappers.h +++ b/library/psa_crypto_driver_wrappers.h @@ -28,20 +28,17 @@ /* * Signature functions */ -psa_status_t psa_driver_wrapper_sign_hash( psa_key_slot_t *slot, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - uint8_t *signature, - size_t signature_size, - size_t *signature_length ); +psa_status_t psa_driver_wrapper_sign_hash( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, + uint8_t *signature, size_t signature_size, size_t *signature_length ); -psa_status_t psa_driver_wrapper_verify_hash( psa_key_slot_t *slot, - psa_algorithm_t alg, - const uint8_t *hash, - size_t hash_length, - const uint8_t *signature, - size_t signature_length ); +psa_status_t psa_driver_wrapper_verify_hash( + const psa_key_attributes_t *attributes, + const uint8_t *key_buffer, size_t key_buffer_size, + psa_algorithm_t alg, const uint8_t *hash, size_t hash_length, + const uint8_t *signature, size_t signature_length ); /* * Key handling functions
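Review bot: The new prototypes for `psa_driver_wrapper_sign_hash` and `psa_driver_wrapper_verify_hash` in `psa_crypto_driver_wrappers.h` carry no comment saying what `key_buffer` holds, yet the implementation in this patch reads it in two different ways. On the accelerator path it is passed through as key material, and on the secure-element path it is read as a `psa_key_slot_number_t`. A header comment above each declaration should state that when the key's lifetime resolves to a dynamically registered secure element, `key_buffer` contains the slot number and `key_buffer_size` its size, and otherwise the key data handed to the driver. A parameter comment such as `/* key_buffer: key material, or the slot number for secure element keys */` would be enough to keep a future caller from passing the wrong buffer.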