Merge remote-tracking branch 'origin/pr/2376' into development-psa
Resolve conflict in updating crypto submodule by manually pointing the
submodule to 2169a5e54d
("PSA: Adapt pk.c, pk_wrap.c, cipher.c to new
key policy init API").
This commit is contained in:
commit
7b9575c654
16 changed files with 99 additions and 81 deletions
4
.gitmodules
vendored
4
.gitmodules
vendored
|
@ -1,4 +1,4 @@
|
|||
[submodule "crypto"]
|
||||
path = crypto
|
||||
url = git@github.com:ARMmbed/mbedtls-psa.git
|
||||
branch = feature-psa
|
||||
url = https://github.com/ARMmbed/mbed-crypto
|
||||
branch = development
|
||||
|
|
2
crypto
2
crypto
|
@ -1 +1 @@
|
|||
Subproject commit 58600557bba1774479d7aa29be46d182ce9e072a
|
||||
Subproject commit 2169a5e54ded734f7844af1a16c39b993c2a992c
|
|
@ -137,7 +137,7 @@ typedef enum
|
|||
typedef struct
|
||||
{
|
||||
psa_algorithm_t alg;
|
||||
psa_key_slot_t slot;
|
||||
psa_key_handle_t slot;
|
||||
mbedtls_cipher_psa_key_ownership slot_state;
|
||||
} mbedtls_cipher_context_psa;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
|
|
@ -273,7 +273,7 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
|
|||
* ECC key pair.
|
||||
* \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
|
||||
*/
|
||||
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_slot_t key );
|
||||
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
|
||||
|
@ -761,7 +761,7 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
|
|||
* \return An Mbed TLS error code otherwise.
|
||||
*/
|
||||
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
|
||||
psa_key_slot_t *slot,
|
||||
psa_key_handle_t *slot,
|
||||
psa_algorithm_t hash_alg );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
|
|
|
@ -42,21 +42,6 @@
|
|||
#include "md.h"
|
||||
#include "pk.h"
|
||||
|
||||
/* Slot allocation */
|
||||
|
||||
static inline psa_status_t mbedtls_psa_get_free_key_slot( psa_key_slot_t *key )
|
||||
{
|
||||
for( psa_key_slot_t slot = 1; slot <= 32; slot++ )
|
||||
{
|
||||
if( psa_get_key_information( slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT )
|
||||
{
|
||||
*key = slot;
|
||||
return( PSA_SUCCESS );
|
||||
}
|
||||
}
|
||||
return( PSA_ERROR_INSUFFICIENT_MEMORY );
|
||||
}
|
||||
|
||||
/* Translations for symmetric crypto. */
|
||||
|
||||
static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
|
||||
|
@ -231,6 +216,23 @@ static inline psa_ecc_curve_t mbedtls_psa_translate_ecc_group( mbedtls_ecp_group
|
|||
}
|
||||
}
|
||||
|
||||
#define MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( curve ) \
|
||||
( curve == PSA_ECC_CURVE_SECP192R1 ? 192 : \
|
||||
curve == PSA_ECC_CURVE_SECP224R1 ? 224 : \
|
||||
curve == PSA_ECC_CURVE_SECP256R1 ? 256 : \
|
||||
curve == PSA_ECC_CURVE_SECP384R1 ? 384 : \
|
||||
curve == PSA_ECC_CURVE_SECP521R1 ? 521 : \
|
||||
curve == PSA_ECC_CURVE_SECP192K1 ? 192 : \
|
||||
curve == PSA_ECC_CURVE_SECP224K1 ? 224 : \
|
||||
curve == PSA_ECC_CURVE_SECP256K1 ? 256 : \
|
||||
curve == PSA_ECC_CURVE_BRAINPOOL_P256R1 ? 256 : \
|
||||
curve == PSA_ECC_CURVE_BRAINPOOL_P384R1 ? 384 : \
|
||||
curve == PSA_ECC_CURVE_BRAINPOOL_P512R1 ? 512 : \
|
||||
0 )
|
||||
|
||||
#define MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( curve ) \
|
||||
( ( MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( curve ) + 7 ) / 8 )
|
||||
|
||||
/* Translations for PK layer */
|
||||
|
||||
static inline int mbedtls_psa_err_translate_pk( psa_status_t status )
|
||||
|
@ -259,6 +261,19 @@ static inline int mbedtls_psa_err_translate_pk( psa_status_t status )
|
|||
}
|
||||
}
|
||||
|
||||
/* Translations for ECC */
|
||||
|
||||
/* This function transforms an ECC group identifier from
|
||||
* https://www.iana.org/assignments/tls-parameters/tls-parameters.xhtml#tls-parameters-8
|
||||
* into a PSA ECC group identifier. */
|
||||
static inline psa_ecc_curve_t mbedtls_psa_parse_tls_ecc_group(
|
||||
uint16_t tls_ecc_grp_reg_id )
|
||||
{
|
||||
/* The PSA identifiers are currently aligned with those from
|
||||
* the TLS Supported Groups registry, so no conversion is necessary. */
|
||||
return( (psa_ecc_curve_t) tls_ecc_grp_reg_id );
|
||||
}
|
||||
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
#endif /* MBEDTLS_PSA_UTIL_H */
|
||||
|
|
|
@ -929,11 +929,11 @@ struct mbedtls_ssl_config
|
|||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_slot_t psk_opaque; /*!< PSA key slot holding opaque PSK.
|
||||
* This field should only be set via
|
||||
* mbedtls_ssl_conf_psk_opaque().
|
||||
* If either no PSK or a raw PSK have
|
||||
* been configured, this has value \c 0. */
|
||||
psa_key_handle_t psk_opaque; /*!< PSA key slot holding opaque PSK.
|
||||
* This field should only be set via
|
||||
* mbedtls_ssl_conf_psk_opaque().
|
||||
* If either no PSK or a raw PSK have
|
||||
* been configured, this has value \c 0. */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
unsigned char *psk; /*!< The raw pre-shared key. This field should
|
||||
|
@ -2129,7 +2129,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
|||
* \param psk The identifier of the key slot holding the PSK.
|
||||
* Until \p conf is destroyed or this function is successfully
|
||||
* called again, the key slot \p psk must be populated with a
|
||||
* key of type #PSA_ALG_CATEGORY_KEY_DERIVATION whose policy
|
||||
* key of type PSA_ALG_CATEGORY_KEY_DERIVATION whose policy
|
||||
* allows its use for the key derivation algorithm applied
|
||||
* in the handshake.
|
||||
* \param psk_identity The pointer to the pre-shared key identity.
|
||||
|
@ -2144,7 +2144,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
|||
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
|
||||
*/
|
||||
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
||||
psa_key_slot_t psk,
|
||||
psa_key_handle_t psk,
|
||||
const unsigned char *psk_identity,
|
||||
size_t psk_identity_len );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
@ -2176,7 +2176,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
|
|||
* \param psk The identifier of the key slot holding the PSK.
|
||||
* For the duration of the current handshake, the key slot
|
||||
* must be populated with a key of type
|
||||
* #PSA_ALG_CATEGORY_KEY_DERIVATION whose policy allows its
|
||||
* PSA_ALG_CATEGORY_KEY_DERIVATION whose policy allows its
|
||||
* use for the key derivation algorithm
|
||||
* applied in the handshake.
|
||||
*
|
||||
|
@ -2184,7 +2184,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
|
|||
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
|
||||
*/
|
||||
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
|
||||
psa_key_slot_t psk );
|
||||
psa_key_handle_t psk );
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
||||
/**
|
||||
|
|
|
@ -284,7 +284,7 @@ struct mbedtls_ssl_handshake_params
|
|||
#endif
|
||||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_slot_t psk_opaque; /*!< Opaque PSK from the callback */
|
||||
psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
unsigned char *psk; /*!< PSK from the callback */
|
||||
size_t psk_len; /*!< Length of PSK from callback */
|
||||
|
|
|
@ -302,12 +302,18 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
|||
if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
|
||||
return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
|
||||
|
||||
/* Find a fresh key slot to use. */
|
||||
status = mbedtls_psa_get_free_key_slot( &cipher_psa->slot );
|
||||
key_type = mbedtls_psa_translate_cipher_type(
|
||||
ctx->cipher_info->type );
|
||||
if( key_type == 0 )
|
||||
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
||||
|
||||
/* Allocate a key slot to use. */
|
||||
status = psa_allocate_key( &cipher_psa->slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
|
||||
/* Indicate that we own the key slot and need to
|
||||
* destroy it in mbedtls_cipher_free(). */
|
||||
|
||||
/* Indicate that we own the key slot and need to
|
||||
* destroy it in mbedtls_cipher_free(). */
|
||||
cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
|
||||
|
||||
/* From that point on, the responsibility for destroying the
|
||||
|
@ -316,7 +322,7 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
|||
* mbedtls_cipher_free() needs to be called in any case. */
|
||||
|
||||
/* Setup policy for the new key slot. */
|
||||
psa_key_policy_init( &key_policy );
|
||||
key_policy = psa_key_policy_init();
|
||||
|
||||
/* Mbed TLS' cipher layer doesn't enforce the mode of operation
|
||||
* (encrypt vs. decrypt): it is possible to setup a key for encryption
|
||||
|
@ -330,10 +336,6 @@ int mbedtls_cipher_setkey( mbedtls_cipher_context_t *ctx,
|
|||
return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
|
||||
|
||||
/* Populate new key slot. */
|
||||
key_type = mbedtls_psa_translate_cipher_type(
|
||||
ctx->cipher_info->type );
|
||||
if( key_type == 0 )
|
||||
return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
|
||||
status = psa_import_key( cipher_psa->slot,
|
||||
key_type, key, key_bytelen );
|
||||
if( status != PSA_SUCCESS )
|
||||
|
|
19
library/pk.c
19
library/pk.c
|
@ -147,10 +147,10 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
|
|||
/*
|
||||
* Initialise a PSA-wrapping context
|
||||
*/
|
||||
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_slot_t key )
|
||||
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key )
|
||||
{
|
||||
const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
|
||||
psa_key_slot_t *pk_ctx;
|
||||
psa_key_handle_t *pk_ctx;
|
||||
psa_key_type_t type;
|
||||
|
||||
if( ctx == NULL || ctx->pk_info != NULL )
|
||||
|
@ -168,7 +168,7 @@ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_slot_t key )
|
|||
|
||||
ctx->pk_info = info;
|
||||
|
||||
pk_ctx = (psa_key_slot_t *) ctx->pk_ctx;
|
||||
pk_ctx = (psa_key_handle_t *) ctx->pk_ctx;
|
||||
*pk_ctx = key;
|
||||
|
||||
return( 0 );
|
||||
|
@ -547,13 +547,13 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
|
|||
* Currently only works for EC private keys.
|
||||
*/
|
||||
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
|
||||
psa_key_slot_t *slot,
|
||||
psa_key_handle_t *slot,
|
||||
psa_algorithm_t hash_alg )
|
||||
{
|
||||
#if !defined(MBEDTLS_ECP_C)
|
||||
return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
|
||||
#else
|
||||
psa_key_slot_t key;
|
||||
psa_key_handle_t key;
|
||||
const mbedtls_ecp_keypair *ec;
|
||||
unsigned char d[MBEDTLS_ECP_MAX_BYTES];
|
||||
size_t d_len;
|
||||
|
@ -572,20 +572,21 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
|
|||
return( ret );
|
||||
|
||||
curve_id = mbedtls_ecp_curve_info_from_grp_id( ec->grp.id )->tls_id;
|
||||
key_type = PSA_KEY_TYPE_ECC_KEYPAIR(
|
||||
mbedtls_psa_parse_tls_ecc_group ( curve_id ) );
|
||||
|
||||
/* find a free key slot */
|
||||
if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
|
||||
/* allocate a key slot */
|
||||
if( PSA_SUCCESS != psa_allocate_key( &key ) )
|
||||
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
|
||||
|
||||
/* set policy */
|
||||
psa_key_policy_init( &policy );
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_SIGN,
|
||||
PSA_ALG_ECDSA(hash_alg) );
|
||||
if( PSA_SUCCESS != psa_set_key_policy( key, &policy ) )
|
||||
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
|
||||
|
||||
/* import private key in slot */
|
||||
key_type = PSA_KEY_TYPE_ECC_KEYPAIR(curve_id);
|
||||
if( PSA_SUCCESS != psa_import_key( key, key_type, d, d_len ) )
|
||||
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
|
||||
|
||||
|
|
|
@ -546,7 +546,7 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
|
|||
const unsigned char *sig, size_t sig_len )
|
||||
{
|
||||
int ret;
|
||||
psa_key_slot_t key_slot;
|
||||
psa_key_handle_t key_slot;
|
||||
psa_key_policy_t policy;
|
||||
psa_key_type_t psa_type;
|
||||
mbedtls_pk_context key;
|
||||
|
@ -571,16 +571,16 @@ static int ecdsa_verify_wrap( void *ctx, mbedtls_md_type_t md_alg,
|
|||
if( key_len <= 0 )
|
||||
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
|
||||
|
||||
if( ( ret = mbedtls_psa_get_free_key_slot( &key_slot ) ) != PSA_SUCCESS )
|
||||
return( mbedtls_psa_err_translate_pk( ret ) );
|
||||
|
||||
psa_md = mbedtls_psa_translate_md( md_alg );
|
||||
if( psa_md == 0 )
|
||||
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
|
||||
psa_sig_md = PSA_ALG_ECDSA( psa_md );
|
||||
psa_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve );
|
||||
|
||||
psa_key_policy_init( &policy );
|
||||
if( ( ret = psa_allocate_key( &key_slot ) ) != PSA_SUCCESS )
|
||||
return( mbedtls_psa_err_translate_pk( ret ) );
|
||||
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, psa_sig_md );
|
||||
if( ( ret = psa_set_key_policy( key_slot, &policy ) ) != PSA_SUCCESS )
|
||||
{
|
||||
|
@ -879,7 +879,7 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
|
|||
|
||||
static void *pk_opaque_alloc_wrap( void )
|
||||
{
|
||||
void *ctx = mbedtls_calloc( 1, sizeof( psa_key_slot_t ) );
|
||||
void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) );
|
||||
|
||||
/* no _init() function to call, an calloc() already zeroized */
|
||||
|
||||
|
@ -888,13 +888,13 @@ static void *pk_opaque_alloc_wrap( void )
|
|||
|
||||
static void pk_opaque_free_wrap( void *ctx )
|
||||
{
|
||||
mbedtls_platform_zeroize( ctx, sizeof( psa_key_slot_t ) );
|
||||
mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) );
|
||||
mbedtls_free( ctx );
|
||||
}
|
||||
|
||||
static size_t pk_opaque_get_bitlen( const void *ctx )
|
||||
{
|
||||
const psa_key_slot_t *key = (const psa_key_slot_t *) ctx;
|
||||
const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
|
||||
size_t bits;
|
||||
|
||||
if( PSA_SUCCESS != psa_get_key_information( *key, NULL, &bits ) )
|
||||
|
@ -999,7 +999,7 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
|
|||
unsigned char *sig, size_t *sig_len,
|
||||
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
|
||||
{
|
||||
const psa_key_slot_t *key = (const psa_key_slot_t *) ctx;
|
||||
const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
|
||||
psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
|
||||
size_t bits, buf_len;
|
||||
psa_status_t status;
|
||||
|
|
|
@ -168,7 +168,7 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
|
|||
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
|
||||
{
|
||||
size_t buffer_size;
|
||||
psa_key_slot_t* key_slot = (psa_key_slot_t*) key->pk_ctx;
|
||||
psa_key_handle_t* key_slot = (psa_key_handle_t*) key->pk_ctx;
|
||||
|
||||
if ( *p < start )
|
||||
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
|
||||
|
|
|
@ -798,7 +798,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
|
|||
psa_status_t status;
|
||||
psa_algorithm_t alg;
|
||||
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
|
||||
psa_key_slot_t psk;
|
||||
psa_key_handle_t psk;
|
||||
|
||||
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
|
||||
|
||||
|
@ -7617,7 +7617,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
|
|||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
||||
psa_key_slot_t psk_slot,
|
||||
psa_key_handle_t psk_slot,
|
||||
const unsigned char *psk_identity,
|
||||
size_t psk_identity_len )
|
||||
{
|
||||
|
@ -7640,7 +7640,7 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
|||
}
|
||||
|
||||
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
|
||||
psa_key_slot_t psk_slot )
|
||||
psa_key_handle_t psk_slot )
|
||||
{
|
||||
if( psk_slot == 0 || ssl->handshake == NULL )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
|
|
@ -571,7 +571,7 @@ int main( int argc, char *argv[] )
|
|||
const char *pers = "ssl_client2";
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_slot_t slot = 0;
|
||||
psa_key_handle_t slot = 0;
|
||||
psa_algorithm_t alg = 0;
|
||||
psa_key_policy_t policy;
|
||||
psa_status_t status;
|
||||
|
@ -594,7 +594,7 @@ int main( int argc, char *argv[] )
|
|||
mbedtls_x509_crt clicert;
|
||||
mbedtls_pk_context pkey;
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_slot_t key_slot = 0; /* invalid key slot */
|
||||
psa_key_handle_t key_slot = 0; /* invalid key slot */
|
||||
#endif
|
||||
#endif
|
||||
char *p, *q;
|
||||
|
@ -1594,14 +1594,14 @@ int main( int argc, char *argv[] )
|
|||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
/* The algorithm has already been determined earlier. */
|
||||
status = mbedtls_psa_get_free_key_slot( &slot );
|
||||
status = psa_allocate_key( &slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
goto exit;
|
||||
}
|
||||
|
||||
psa_key_policy_init( &policy );
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
|
||||
|
||||
status = psa_set_key_policy( slot, &policy );
|
||||
|
|
|
@ -806,7 +806,7 @@ struct _psk_entry
|
|||
size_t key_len;
|
||||
unsigned char key[MBEDTLS_PSK_MAX_LEN];
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_key_slot_t slot;
|
||||
psa_key_handle_t slot;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
psk_entry *next;
|
||||
};
|
||||
|
@ -822,7 +822,7 @@ int psk_free( psk_entry *head )
|
|||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_status_t status;
|
||||
psa_key_slot_t const slot = head->slot;
|
||||
psa_key_handle_t const slot = head->slot;
|
||||
|
||||
if( slot != 0 )
|
||||
{
|
||||
|
@ -1231,7 +1231,7 @@ int idle( mbedtls_net_context *fd,
|
|||
}
|
||||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
static psa_status_t psa_setup_psk_key_slot( psa_key_slot_t slot,
|
||||
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
|
||||
psa_algorithm_t alg,
|
||||
unsigned char *psk,
|
||||
size_t psk_len )
|
||||
|
@ -1239,7 +1239,7 @@ static psa_status_t psa_setup_psk_key_slot( psa_key_slot_t slot,
|
|||
psa_status_t status;
|
||||
psa_key_policy_t policy;
|
||||
|
||||
psa_key_policy_init( &policy );
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
|
||||
|
||||
status = psa_set_key_policy( slot, &policy );
|
||||
|
@ -1268,7 +1268,7 @@ int main( int argc, char *argv[] )
|
|||
#if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
psa_algorithm_t alg = 0;
|
||||
psa_key_slot_t psk_slot = 0;
|
||||
psa_key_handle_t psk_slot = 0;
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
|
||||
size_t psk_len = 0;
|
||||
|
@ -2667,7 +2667,7 @@ int main( int argc, char *argv[] )
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( opt.psk_opaque != 0 )
|
||||
{
|
||||
status = mbedtls_psa_get_free_key_slot( &psk_slot );
|
||||
status = psa_allocate_key( &psk_slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
fprintf( stderr, "ALLOC FAIL\n" );
|
||||
|
@ -2711,7 +2711,7 @@ int main( int argc, char *argv[] )
|
|||
psk_entry *cur_psk;
|
||||
for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
|
||||
{
|
||||
status = mbedtls_psa_get_free_key_slot( &cur_psk->slot );
|
||||
status = psa_allocate_key( &cur_psk->slot );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
|
||||
|
|
|
@ -74,21 +74,21 @@ size_t mbedtls_rsa_key_len_func( void *ctx )
|
|||
* or PK_PSA_INVALID_SLOT if no slot was available.
|
||||
* The key uses NIST P-256 and is usable for signing with SHA-256.
|
||||
*/
|
||||
psa_key_slot_t pk_psa_genkey( void )
|
||||
psa_key_handle_t pk_psa_genkey( void )
|
||||
{
|
||||
psa_key_slot_t key;
|
||||
psa_key_handle_t key;
|
||||
|
||||
const int curve = PSA_ECC_CURVE_SECP256R1;
|
||||
const psa_key_type_t type = PSA_KEY_TYPE_ECC_KEYPAIR(curve);
|
||||
const size_t bits = 256;
|
||||
psa_key_policy_t policy;
|
||||
|
||||
/* find a free key slot */
|
||||
if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
|
||||
/* Allocate a key slot */
|
||||
if( PSA_SUCCESS != psa_allocate_key( &key ) )
|
||||
return( PK_PSA_INVALID_SLOT );
|
||||
|
||||
/* set up policy on key slot */
|
||||
psa_key_policy_init( &policy );
|
||||
policy = psa_key_policy_init();
|
||||
psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_SIGN,
|
||||
PSA_ALG_ECDSA(PSA_ALG_SHA_256) );
|
||||
if( PSA_SUCCESS != psa_set_key_policy( key, &policy ) )
|
||||
|
@ -112,7 +112,7 @@ psa_key_slot_t pk_psa_genkey( void )
|
|||
void pk_psa_utils( )
|
||||
{
|
||||
mbedtls_pk_context pk, pk2;
|
||||
psa_key_slot_t key;
|
||||
psa_key_handle_t key;
|
||||
|
||||
const char * const name = "Opaque";
|
||||
const size_t bitlen = 256; /* harcoded in genkey() */
|
||||
|
@ -778,7 +778,7 @@ exit:
|
|||
void pk_psa_sign( )
|
||||
{
|
||||
mbedtls_pk_context pk;
|
||||
psa_key_slot_t key;
|
||||
psa_key_handle_t key;
|
||||
unsigned char hash[50], sig[100], pkey[100];
|
||||
size_t sig_len, klen = 0;
|
||||
|
||||
|
|
|
@ -133,7 +133,7 @@ void x509_csr_check_opaque( char *key_file, int md_type, int key_usage,
|
|||
int cert_type )
|
||||
{
|
||||
mbedtls_pk_context key;
|
||||
psa_key_slot_t slot;
|
||||
psa_key_handle_t slot;
|
||||
psa_algorithm_t md_alg_psa;
|
||||
mbedtls_x509write_csr req;
|
||||
unsigned char buf[4096];
|
||||
|
|
Loading…
Reference in a new issue