diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index ce97f6a35..908ba93b9 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -561,11 +561,6 @@ #error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) -#error "MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined, but it cannot coexist with MBEDTLS_USE_PSA_CRYPTO." -#endif - #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ !defined(MBEDTLS_OID_C) ) #error "MBEDTLS_RSA_C defined, but not all prerequisites" diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h index 5f9f29ff6..9ad7a1df6 100644 --- a/include/mbedtls/pk.h +++ b/include/mbedtls/pk.h @@ -351,7 +351,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info ); * \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure. */ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, - const psa_key_id_t key ); + const mbedtls_svc_key_id_t key ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT) @@ -898,7 +898,7 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n ); * \return An Mbed TLS error code otherwise. */ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, - psa_key_id_t *key, + mbedtls_svc_key_id_t *key, psa_algorithm_t hash_alg ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 072ebbe46..77a7aaa64 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1380,7 +1380,7 @@ struct mbedtls_ssl_config #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field + mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psk_opaque); /*!< PSA key slot holding opaque PSK. This field * should only be set via * mbedtls_ssl_conf_psk_opaque(). * If either no PSK or a raw PSK have been @@ -3042,7 +3042,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf, * \return Another negative error code on other kinds of failure. */ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf, - psa_key_id_t psk, + mbedtls_svc_key_id_t psk, const unsigned char *psk_identity, size_t psk_identity_len ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -3088,7 +3088,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, * \return An \c MBEDTLS_ERR_SSL_XXX error code on failure. */ int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl, - psa_key_id_t psk ); + mbedtls_svc_key_id_t psk ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ /** diff --git a/library/cipher_wrap.h b/library/cipher_wrap.h index 90563d85d..e27d6afce 100644 --- a/library/cipher_wrap.h +++ b/library/cipher_wrap.h @@ -130,7 +130,7 @@ typedef enum typedef struct { psa_algorithm_t alg; - psa_key_id_t slot; + mbedtls_svc_key_id_t slot; mbedtls_cipher_psa_key_ownership slot_state; } mbedtls_cipher_context_psa; #endif /* MBEDTLS_USE_PSA_CRYPTO */ diff --git a/library/pk.c b/library/pk.c index ea4869c14..e36452093 100644 --- a/library/pk.c +++ b/library/pk.c @@ -151,11 +151,11 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info ) * Initialise a PSA-wrapping context */ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, - const psa_key_id_t key ) + const mbedtls_svc_key_id_t key ) { const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t *pk_ctx; + mbedtls_svc_key_id_t *pk_ctx; psa_key_type_t type; if( ctx == NULL || ctx->pk_info != NULL ) @@ -175,7 +175,7 @@ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, ctx->pk_info = info; - pk_ctx = (psa_key_id_t *) ctx->pk_ctx; + pk_ctx = (mbedtls_svc_key_id_t *) ctx->pk_ctx; *pk_ctx = key; return( 0 ); @@ -598,7 +598,7 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx ) * Currently only works for EC private keys. */ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk, - psa_key_id_t *key, + mbedtls_svc_key_id_t *key, psa_algorithm_t hash_alg ) { #if !defined(MBEDTLS_ECP_C) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 80c0aad27..0bb87a491 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -560,7 +560,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg, mbedtls_ecdsa_context *ctx = ctx_arg; int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_id_t key_id = 0; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_status_t status; mbedtls_pk_context key; int key_len; @@ -894,7 +894,7 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = { static void *pk_opaque_alloc_wrap( void ) { - void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) ); + void *ctx = mbedtls_calloc( 1, sizeof( mbedtls_svc_key_id_t ) ); /* no _init() function to call, an calloc() already zeroized */ @@ -903,13 +903,13 @@ static void *pk_opaque_alloc_wrap( void ) static void pk_opaque_free_wrap( void *ctx ) { - mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) ); + mbedtls_platform_zeroize( ctx, sizeof( mbedtls_svc_key_id_t ) ); mbedtls_free( ctx ); } static size_t pk_opaque_get_bitlen( const void *ctx ) { - const psa_key_id_t *key = (const psa_key_id_t *) ctx; + const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx; size_t bits; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -1033,7 +1033,7 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg, ((void) p_rng); return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE ); #else /* !MBEDTLS_ECDSA_C */ - const psa_key_id_t *key = (const psa_key_id_t *) ctx; + const mbedtls_svc_key_id_t *key = (const mbedtls_svc_key_id_t *) ctx; psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) ); psa_status_t status; diff --git a/library/pkwrite.c b/library/pkwrite.c index 71cc0f0c5..b923c38d8 100644 --- a/library/pkwrite.c +++ b/library/pkwrite.c @@ -198,7 +198,7 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start, if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE ) { size_t buffer_size; - psa_key_id_t* key_id = (psa_key_id_t*) key->pk_ctx; + mbedtls_svc_key_id_t* key_id = (mbedtls_svc_key_id_t*) key->pk_ctx; if ( *p < start ) return( MBEDTLS_ERR_PK_BAD_INPUT_DATA ); @@ -265,11 +265,11 @@ int mbedtls_pk_write_pubkey_der( const mbedtls_pk_context *key, unsigned char *b { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_type_t key_type; - psa_key_id_t key_id; + mbedtls_svc_key_id_t key_id; psa_ecc_family_t curve; size_t bits; - key_id = *((psa_key_id_t*) key->pk_ctx ); + key_id = *((mbedtls_svc_key_id_t*) key->pk_ctx ); if( PSA_SUCCESS != psa_get_key_attributes( key_id, &attributes ) ) return( MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED ); key_type = psa_get_key_type( &attributes ); diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 40e4aaff8..6aef2869e 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -609,7 +609,7 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t ecdh_psa_type; uint16_t ecdh_bits; - psa_key_id_t ecdh_psa_privkey; + mbedtls_svc_key_id_t ecdh_psa_privkey; unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; size_t ecdh_psa_peerkey_len; #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -630,7 +630,7 @@ struct mbedtls_ssl_handshake_params #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ + mbedtls_svc_key_id_t psk_opaque; /*!< Opaque PSK from the callback */ #endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char *psk; /*!< PSK from the callback */ size_t psk_len; /*!< Length of PSK from callback */ @@ -1247,7 +1247,7 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl, * 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque() * Return an opaque PSK */ -static inline psa_key_id_t mbedtls_ssl_get_opaque_psk( +static inline mbedtls_svc_key_id_t mbedtls_ssl_get_opaque_psk( const mbedtls_ssl_context *ssl ) { if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) ) diff --git a/library/ssl_tls.c b/library/ssl_tls.c index d868e4965..9dc7b167c 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -333,7 +333,7 @@ static void handle_buffer_resizing( mbedtls_ssl_context *ssl, int downsizing, #if defined(MBEDTLS_USE_PSA_CRYPTO) static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation, - psa_key_id_t key, + mbedtls_svc_key_id_t key, psa_algorithm_t alg, const unsigned char* seed, size_t seed_length, const unsigned char* label, size_t label_length, @@ -393,7 +393,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type, { psa_status_t status; psa_algorithm_t alg; - psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; + mbedtls_svc_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_derivation_operation_t derivation = PSA_KEY_DERIVATION_OPERATION_INIT; @@ -1223,7 +1223,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake, /* Perform PSK-to-MS expansion in a single step. */ psa_status_t status; psa_algorithm_t alg; - psa_key_id_t psk; + mbedtls_svc_key_id_t psk; psa_key_derivation_operation_t derivation = PSA_KEY_DERIVATION_OPERATION_INIT; mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac; @@ -3890,7 +3890,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl, #if defined(MBEDTLS_USE_PSA_CRYPTO) int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf, - psa_key_id_t psk, + mbedtls_svc_key_id_t psk, const unsigned char *psk_identity, size_t psk_identity_len ) { @@ -3915,7 +3915,7 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf, } int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl, - psa_key_id_t psk ) + mbedtls_svc_key_id_t psk ) { if( ( mbedtls_svc_key_id_is_null( psk ) ) || ( ssl->handshake == NULL ) ) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 57f7d8f67..7ecc61d38 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -692,7 +692,7 @@ int main( int argc, char *argv[] ) const char *pers = "ssl_client2"; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t slot = 0; + mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; psa_status_t status; @@ -716,7 +716,7 @@ int main( int argc, char *argv[] ) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t key_slot = 0; /* invalid key slot */ + mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ #endif #endif /* MBEDTLS_X509_CRT_PARSE_C */ char *p, *q; @@ -3061,7 +3061,8 @@ exit: ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) { mbedtls_printf( "Failed to destroy key slot %u - error was %d", - (unsigned) slot, (int) status ); + (unsigned) MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot ), + (int) status ); if( ret == 0 ) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 7cbdaf62c..1112a00b9 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -849,7 +849,7 @@ struct _psk_entry size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t slot; + mbedtls_svc_key_id_t slot; #endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -865,9 +865,9 @@ int psk_free( psk_entry *head ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; - psa_key_id_t const slot = head->slot; + mbedtls_svc_key_id_t const slot = head->slot; - if( slot != 0 ) + if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot ) != 0 ) { status = psa_destroy_key( slot ); if( status != PSA_SUCCESS ) @@ -940,7 +940,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl, memcmp( name, cur->name, name_len ) == 0 ) { #if defined(MBEDTLS_USE_PSA_CRYPTO) - if( cur->slot != 0 ) + if( MBEDTLS_SVC_KEY_ID_GET_KEY_ID( cur->slot ) != 0 ) return( mbedtls_ssl_set_hs_psk_opaque( ssl, cur->slot ) ); else #endif @@ -1208,7 +1208,7 @@ static void ssl_async_cancel( mbedtls_ssl_context *ssl ) #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_USE_PSA_CRYPTO) -static psa_status_t psa_setup_psk_key_slot( psa_key_id_t *slot, +static psa_status_t psa_setup_psk_key_slot( mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, unsigned char *psk, size_t psk_len ) @@ -1291,7 +1291,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; - psa_key_id_t psk_slot = 0; + mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; #endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; @@ -1323,8 +1323,8 @@ int main( int argc, char *argv[] ) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; #if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_key_id_t key_slot = 0; /* invalid key slot */ - psa_key_id_t key_slot2 = 0; /* invalid key slot */ + mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ + mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ #endif int key_cert_init = 0, key_cert_init2 = 0; #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -4018,7 +4018,8 @@ exit: ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) { mbedtls_printf( "Failed to destroy key slot %u - error was %d", - (unsigned) psk_slot, (int) status ); + (unsigned) MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psk_slot ), + (int) status ); } } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index 6b9e7b8da..cf0b49e09 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -52,14 +52,12 @@ #endif #if !defined(MBEDTLS_NET_C) || \ - !defined(MBEDTLS_SSL_TLS_C) || \ - defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) -#define MBEDTLS_SSL_TEST_IMPOSSIBLE \ - "MBEDTLS_NET_C and/or " \ - "MBEDTLS_SSL_TLS_C not defined, " \ - "and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined.\n" + !defined(MBEDTLS_SSL_TLS_C) +#define MBEDTLS_SSL_TEST_IMPOSSIBLE \ + "MBEDTLS_NET_C and/or " \ + "MBEDTLS_SSL_TLS_C not defined." #elif !defined(HAVE_RNG) -#define MBEDTLS_SSL_TEST_IMPOSSIBLE \ +#define MBEDTLS_SSL_TEST_IMPOSSIBLE \ "No random generator is available.\n" #else #undef MBEDTLS_SSL_TEST_IMPOSSIBLE diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6e17a91e3..1e0ff7af5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -940,9 +940,8 @@ component_test_full_cmake_gcc_asan () { } component_test_psa_crypto_key_id_encodes_owner () { - msg "build: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" + msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER, cmake, gcc, ASan" scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -960,9 +959,8 @@ check_renamed_symbols () { } component_build_psa_crypto_spm () { - msg "build: full config - USE_PSA_CRYPTO + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" + msg "build: full config + PSA_CRYPTO_KEY_ID_ENCODES_OWNER + PSA_CRYPTO_SPM, make, gcc" scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS scripts/config.py set MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER scripts/config.py set MBEDTLS_PSA_CRYPTO_SPM diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index ce934b0e0..7a0b1f7b6 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -4815,13 +4815,15 @@ void test_multiple_psks_opaque( int mode ) unsigned char psk0_raw[10] = { 0 }; unsigned char psk0_raw_identity[] = { 'f', 'o', 'o' }; - psa_key_id_t psk0_opaque = (psa_key_id_t) 1; + mbedtls_svc_key_id_t psk0_opaque = mbedtls_svc_key_id_make( 0x1, (psa_key_id_t) 1 ); + unsigned char psk0_opaque_identity[] = { 'f', 'o', 'o' }; unsigned char psk1_raw[10] = { 0 }; unsigned char psk1_raw_identity[] = { 'b', 'a', 'r' }; - psa_key_id_t psk1_opaque = (psa_key_id_t) 2; + mbedtls_svc_key_id_t psk1_opaque = mbedtls_svc_key_id_make( 0x1, (psa_key_id_t) 2 ); + unsigned char psk1_opaque_identity[] = { 'b', 'a', 'r' }; mbedtls_ssl_config conf;