Merge branch 'development' into development-restricted
* development: Rename local variables Update submodule Update Visual studio project file Move the examples to PSA 1.0 Use psa_raw_key_agreement Remove calls to psa_allocate_key Make variable naming consistent Update psa_create_key to PSA 1.0 Update psa_import_key to PSA 1.0 Update psa_generator_abort to PSA 1.0 Update psa_generator_read to PSA 1.0 Update psa_crypto_generator_t to PSA 1.0 Update psa_key_agreement to PSA 1.0 Update GENERATOR_INIT macro to PSA 1.0 Update KEYPAIR macros to PSA 1.0
This commit is contained in:
commit
4245d4a2c8
6 changed files with 59 additions and 116 deletions
2
crypto
2
crypto
|
@ -1 +1 @@
|
|||
Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b
|
||||
Subproject commit 89e76556910c2704313fe23b174f2742702a3a29
|
|
@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
|
||||
{
|
||||
psa_status_t status;
|
||||
psa_key_policy_t policy;
|
||||
psa_key_attributes_t key_attributes;
|
||||
|
||||
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
|
||||
|
||||
|
@ -3238,8 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
unsigned char *own_pubkey_ecpoint;
|
||||
size_t own_pubkey_ecpoint_len;
|
||||
|
||||
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
|
||||
|
||||
header_len = 4;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
|
||||
|
@ -3248,12 +3246,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
* Generate EC private key for ECDHE exchange.
|
||||
*/
|
||||
|
||||
/* Allocate a new key slot for the private key. */
|
||||
|
||||
status = psa_allocate_key( &handshake->ecdh_psa_privkey );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
/* The master secret is obtained from the shared ECDH secret by
|
||||
* applying the TLS 1.2 PRF with a specific salt and label. While
|
||||
* the PSA Crypto API encourages combining key agreement schemes
|
||||
|
@ -3261,19 +3253,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
* yet support the provisioning of salt + label to the KDF.
|
||||
* For the time being, we therefore need to split the computation
|
||||
* of the ECDH secret and the application of the TLS 1.2 PRF. */
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy,
|
||||
PSA_KEY_USAGE_DERIVE,
|
||||
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
|
||||
status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
|
||||
psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
|
||||
psa_set_key_type( &key_attributes,
|
||||
PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
|
||||
);
|
||||
psa_set_key_bits( &key_attributes,
|
||||
PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
|
||||
|
||||
/* Generate ECDH private key. */
|
||||
status = psa_generate_key( handshake->ecdh_psa_privkey,
|
||||
PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
|
||||
MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
|
||||
NULL, 0 );
|
||||
status = psa_generate_key( &key_attributes,
|
||||
&handshake->ecdh_psa_privkey );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
|
@ -3299,30 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
|
|||
own_pubkey_ecpoint, own_pubkey_ecpoint_len );
|
||||
content_len = own_pubkey_ecpoint_len + 1;
|
||||
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_key_agreement( &generator,
|
||||
handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey,
|
||||
handshake->ecdh_psa_peerkey_len,
|
||||
PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
/* The ECDH secret is the premaster secret used for key derivation. */
|
||||
|
||||
ssl->handshake->pmslen =
|
||||
MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
|
||||
|
||||
status = psa_generator_read( &generator,
|
||||
ssl->handshake->premaster,
|
||||
ssl->handshake->pmslen );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_generator_abort( &generator );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_generator_abort( &generator );
|
||||
/* Compute ECDH shared secret. */
|
||||
status = psa_raw_key_agreement( PSA_ALG_ECDH,
|
||||
handshake->ecdh_psa_privkey,
|
||||
handshake->ecdh_psa_peerkey,
|
||||
handshake->ecdh_psa_peerkey_len,
|
||||
ssl->handshake->premaster,
|
||||
sizeof( ssl->handshake->premaster ),
|
||||
&ssl->handshake->pmslen );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
|
|
|
@ -630,31 +630,26 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
{
|
||||
psa_status_t status;
|
||||
psa_algorithm_t alg;
|
||||
psa_key_policy_t policy;
|
||||
psa_key_attributes_t key_attributes;
|
||||
psa_key_handle_t master_slot;
|
||||
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
|
||||
|
||||
if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
psa_key_derivation_operation_t derivation =
|
||||
PSA_KEY_DERIVATION_OPERATION_INIT;
|
||||
|
||||
if( md_type == MBEDTLS_MD_SHA384 )
|
||||
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
|
||||
else
|
||||
alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
|
||||
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy,
|
||||
PSA_KEY_USAGE_DERIVE,
|
||||
alg );
|
||||
status = psa_set_key_policy( master_slot, &policy );
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
|
||||
psa_set_key_algorithm( &key_attributes, alg );
|
||||
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
|
||||
|
||||
status = psa_import_key( &key_attributes, secret, slen, &master_slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
status = psa_key_derivation( &generator,
|
||||
status = psa_key_derivation( &derivation,
|
||||
master_slot, alg,
|
||||
random, rlen,
|
||||
(unsigned char const *) label,
|
||||
|
@ -662,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
dlen );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_generator_abort( &generator );
|
||||
psa_key_derivation_abort( &derivation );
|
||||
psa_destroy_key( master_slot );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_generator_read( &generator, dstbuf, dlen );
|
||||
status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_generator_abort( &generator );
|
||||
psa_key_derivation_abort( &derivation );
|
||||
psa_destroy_key( master_slot );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_generator_abort( &generator );
|
||||
status = psa_key_derivation_abort( &derivation );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_destroy_key( master_slot );
|
||||
|
@ -1108,8 +1103,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
/* Perform PSK-to-MS expansion in a single step. */
|
||||
psa_status_t status;
|
||||
psa_algorithm_t alg;
|
||||
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
|
||||
psa_key_handle_t psk;
|
||||
psa_key_derivation_operation_t derivation =
|
||||
PSA_KEY_DERIVATION_OPERATION_INIT;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
|
||||
|
||||
|
@ -1122,26 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
else
|
||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||
|
||||
status = psa_key_derivation( &generator, psk, alg,
|
||||
status = psa_key_derivation( &derivation, psk, alg,
|
||||
salt, salt_len,
|
||||
(unsigned char const *) lbl,
|
||||
(size_t) strlen( lbl ),
|
||||
master_secret_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_generator_abort( &generator );
|
||||
psa_key_derivation_abort( &derivation );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_generator_read( &generator, session->master,
|
||||
master_secret_len );
|
||||
status = psa_key_derivation_output_bytes( &derivation,
|
||||
session->master,
|
||||
master_secret_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_generator_abort( &generator );
|
||||
psa_key_derivation_abort( &derivation );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_generator_abort( &generator );
|
||||
status = psa_key_derivation_abort( &derivation );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
|
|
@ -902,7 +902,7 @@ int main( int argc, char *argv[] )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_handle_t slot = 0;
|
||||
psa_algorithm_t alg = 0;
|
||||
psa_key_policy_t policy;
|
||||
psa_key_attributes_t key_attributes;
|
||||
psa_status_t status;
|
||||
#endif
|
||||
|
||||
|
@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
/* The algorithm has already been determined earlier. */
|
||||
status = psa_allocate_key( &slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
goto exit;
|
||||
}
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
|
||||
psa_set_key_algorithm( &key_attributes, alg );
|
||||
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
|
||||
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
|
||||
|
||||
status = psa_set_key_policy( slot, &policy );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
|
||||
status = psa_import_key( &key_attributes, psk, psk_len, &slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
|
|
|
@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd,
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
|
||||
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot,
|
||||
psa_algorithm_t alg,
|
||||
unsigned char *psk,
|
||||
size_t psk_len )
|
||||
{
|
||||
psa_status_t status;
|
||||
psa_key_policy_t policy;
|
||||
psa_key_attributes_t key_attributes;
|
||||
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
|
||||
key_attributes = psa_key_attributes_init();
|
||||
psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
|
||||
psa_set_key_algorithm( &key_attributes, alg );
|
||||
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
|
||||
|
||||
status = psa_set_key_policy( slot, &policy );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
fprintf( stderr, "POLICY\n" );
|
||||
return( status );
|
||||
}
|
||||
|
||||
status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
|
||||
status = psa_import_key( &key_attributes, psk, psk_len, slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
fprintf( stderr, "IMPORT\n" );
|
||||
|
@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
status = psa_allocate_key( &psk_slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
fprintf( stderr, "ALLOC FAIL\n" );
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
/* The algorithm has already been determined earlier. */
|
||||
status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len );
|
||||
status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
fprintf( stderr, "SETUP FAIL\n" );
|
||||
|
@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] )
|
|||
psk_entry *cur_psk;
|
||||
for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
|
||||
{
|
||||
status = psa_allocate_key( &cur_psk->slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
status = psa_setup_psk_key_slot( cur_psk->slot, alg,
|
||||
status = psa_setup_psk_key_slot( &cur_psk->slot, alg,
|
||||
cur_psk->key,
|
||||
cur_psk->key_len );
|
||||
if( status != PSA_SUCCESS )
|
||||
|
|
|
@ -238,6 +238,7 @@
|
|||
<ClCompile Include="..\..\crypto\library\platform_util.c" />
|
||||
<ClCompile Include="..\..\crypto\library\poly1305.c" />
|
||||
<ClCompile Include="..\..\crypto\library\psa_crypto.c" />
|
||||
<ClCompile Include="..\..\crypto\library\psa_crypto_se.c" />
|
||||
<ClCompile Include="..\..\crypto\library\psa_crypto_slot_management.c" />
|
||||
<ClCompile Include="..\..\crypto\library\psa_crypto_storage.c" />
|
||||
<ClCompile Include="..\..\crypto\library\psa_its_file.c" />
|
||||
|
|
Loading…
Reference in a new issue