Merge branch 'development' into development-restricted

* development:
  Rename local variables
  Update submodule
  Update Visual studio project file
  Move the examples to PSA 1.0
  Use psa_raw_key_agreement
  Remove calls to psa_allocate_key
  Make variable naming consistent
  Update psa_create_key to PSA 1.0
  Update psa_import_key to PSA 1.0
  Update psa_generator_abort to PSA 1.0
  Update psa_generator_read to PSA 1.0
  Update psa_crypto_generator_t to PSA 1.0
  Update psa_key_agreement to PSA 1.0
  Update GENERATOR_INIT macro to PSA 1.0
  Update KEYPAIR macros to PSA 1.0
This commit is contained in:
Jaeden Amero 2019-08-20 10:28:14 +01:00
commit 4245d4a2c8
6 changed files with 59 additions and 116 deletions

2
crypto

@ -1 +1 @@
Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b
Subproject commit 89e76556910c2704313fe23b174f2742702a3a29

View file

@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
{
psa_status_t status;
psa_key_policy_t policy;
psa_key_attributes_t key_attributes;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3238,8 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
unsigned char *own_pubkey_ecpoint;
size_t own_pubkey_ecpoint_len;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
header_len = 4;
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
@ -3248,12 +3246,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* Generate EC private key for ECDHE exchange.
*/
/* Allocate a new key slot for the private key. */
status = psa_allocate_key( &handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
/* The master secret is obtained from the shared ECDH secret by
* applying the TLS 1.2 PRF with a specific salt and label. While
* the PSA Crypto API encourages combining key agreement schemes
@ -3261,19 +3253,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
* yet support the provisioning of salt + label to the KDF.
* For the time being, we therefore need to split the computation
* of the ECDH secret and the application of the TLS 1.2 PRF. */
policy = psa_key_policy_init();
psa_key_policy_set_usage( &policy,
PSA_KEY_USAGE_DERIVE,
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
psa_set_key_type( &key_attributes,
PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
);
psa_set_key_bits( &key_attributes,
PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
/* Generate ECDH private key. */
status = psa_generate_key( handshake->ecdh_psa_privkey,
PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
NULL, 0 );
status = psa_generate_key( &key_attributes,
&handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@ -3299,30 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
own_pubkey_ecpoint, own_pubkey_ecpoint_len );
content_len = own_pubkey_ecpoint_len + 1;
/* Compute ECDH shared secret. */
status = psa_key_agreement( &generator,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
/* The ECDH secret is the premaster secret used for key derivation. */
ssl->handshake->pmslen =
MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
status = psa_generator_read( &generator,
ssl->handshake->premaster,
ssl->handshake->pmslen );
if( status != PSA_SUCCESS )
{
psa_generator_abort( &generator );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_abort( &generator );
/* Compute ECDH shared secret. */
status = psa_raw_key_agreement( PSA_ALG_ECDH,
handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len,
ssl->handshake->premaster,
sizeof( ssl->handshake->premaster ),
&ssl->handshake->pmslen );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );

View file

@ -630,31 +630,26 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
{
psa_status_t status;
psa_algorithm_t alg;
psa_key_policy_t policy;
psa_key_attributes_t key_attributes;
psa_key_handle_t master_slot;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
if( md_type == MBEDTLS_MD_SHA384 )
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
else
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
policy = psa_key_policy_init();
psa_key_policy_set_usage( &policy,
PSA_KEY_USAGE_DERIVE,
alg );
status = psa_set_key_policy( master_slot, &policy );
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_import_key( &key_attributes, secret, slen, &master_slot );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
status = psa_key_derivation( &generator,
status = psa_key_derivation( &derivation,
master_slot, alg,
random, rlen,
(unsigned char const *) label,
@ -662,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
dlen );
if( status != PSA_SUCCESS )
{
psa_generator_abort( &generator );
psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_read( &generator, dstbuf, dlen );
status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
if( status != PSA_SUCCESS )
{
psa_generator_abort( &generator );
psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_abort( &generator );
status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
{
psa_destroy_key( master_slot );
@ -1108,8 +1103,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
/* Perform PSK-to-MS expansion in a single step. */
psa_status_t status;
psa_algorithm_t alg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
psa_key_handle_t psk;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
@ -1122,26 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
else
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
status = psa_key_derivation( &generator, psk, alg,
status = psa_key_derivation( &derivation, psk, alg,
salt, salt_len,
(unsigned char const *) lbl,
(size_t) strlen( lbl ),
master_secret_len );
if( status != PSA_SUCCESS )
{
psa_generator_abort( &generator );
psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_read( &generator, session->master,
master_secret_len );
status = psa_key_derivation_output_bytes( &derivation,
session->master,
master_secret_len );
if( status != PSA_SUCCESS )
{
psa_generator_abort( &generator );
psa_key_derivation_abort( &derivation );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_generator_abort( &generator );
status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}

View file

@ -902,7 +902,7 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t slot = 0;
psa_algorithm_t alg = 0;
psa_key_policy_t policy;
psa_key_attributes_t key_attributes;
psa_status_t status;
#endif
@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 )
{
/* The algorithm has already been determined earlier. */
status = psa_allocate_key( &slot );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
policy = psa_key_policy_init();
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
status = psa_set_key_policy( slot, &policy );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
status = psa_import_key( &key_attributes, psk, psk_len, &slot );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;

View file

@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd,
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot,
psa_algorithm_t alg,
unsigned char *psk,
size_t psk_len )
{
psa_status_t status;
psa_key_policy_t policy;
psa_key_attributes_t key_attributes;
policy = psa_key_policy_init();
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_set_key_policy( slot, &policy );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "POLICY\n" );
return( status );
}
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
status = psa_import_key( &key_attributes, psk, psk_len, slot );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "IMPORT\n" );
@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( opt.psk_opaque != 0 )
{
status = psa_allocate_key( &psk_slot );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "ALLOC FAIL\n" );
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
/* The algorithm has already been determined earlier. */
status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len );
status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len );
if( status != PSA_SUCCESS )
{
fprintf( stderr, "SETUP FAIL\n" );
@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] )
psk_entry *cur_psk;
for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
{
status = psa_allocate_key( &cur_psk->slot );
if( status != PSA_SUCCESS )
{
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
status = psa_setup_psk_key_slot( cur_psk->slot, alg,
status = psa_setup_psk_key_slot( &cur_psk->slot, alg,
cur_psk->key,
cur_psk->key_len );
if( status != PSA_SUCCESS )

View file

@ -238,6 +238,7 @@
<ClCompile Include="..\..\crypto\library\platform_util.c" />
<ClCompile Include="..\..\crypto\library\poly1305.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_se.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_slot_management.c" />
<ClCompile Include="..\..\crypto\library\psa_crypto_storage.c" />
<ClCompile Include="..\..\crypto\library\psa_its_file.c" />