Merge remote-tracking branch 'origin/pr/2767' into development

* origin/pr/2767: Rename local variables Update submodule Update Visual studio project file Move the examples to PSA 1.0 Use psa_raw_key_agreement Remove calls to psa_allocate_key Make variable naming consistent Update psa_create_key to PSA 1.0 Update psa_import_key to PSA 1.0 Update psa_generator_abort to PSA 1.0 Update psa_generator_read to PSA 1.0 Update psa_crypto_generator_t to PSA 1.0 Update psa_key_agreement to PSA 1.0 Update GENERATOR_INIT macro to PSA 1.0 Update KEYPAIR macros to PSA 1.0
2019-08-20 09:45:38 +01:00 · 2019-08-20 09:45:38 +01:00 · 9ed851d27f
commit 9ed851d27f
parent 8813fef228 da6ac01963
6 changed files with 59 additions and 116 deletions
--- a/2
+++ b/2
@ -1 +1 @@
-Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b
+Subproject commit 89e76556910c2704313fe23b174f2742702a3a29
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@ -3229,7 +3229,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
        ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA )
    {
        psa_status_t status;
-        psa_key_policy_t policy;
+        psa_key_attributes_t key_attributes;
        mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -3238,8 +3238,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
        unsigned char *own_pubkey_ecpoint;
        size_t own_pubkey_ecpoint_len;
        psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
        header_len = 4;
        MBEDTLS_SSL_DEBUG_MSG( 1, ( "Perform PSA-based ECDH computation." ) );
@ -3248,12 +3246,6 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
         * Generate EC private key for ECDHE exchange.
         */
        /* Allocate a new key slot for the private key. */
        status = psa_allocate_key( &handshake->ecdh_psa_privkey );
        if( status != PSA_SUCCESS )
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
        /* The master secret is obtained from the shared ECDH secret by
         * applying the TLS 1.2 PRF with a specific salt and label. While
         * the PSA Crypto API encourages combining key agreement schemes
@ -3261,19 +3253,18 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
         * yet support the provisioning of salt + label to the KDF.
         * For the time being, we therefore need to split the computation
         * of the ECDH secret and the application of the TLS 1.2 PRF. */
-        policy = psa_key_policy_init();
+        key_attributes = psa_key_attributes_init();
-        psa_key_policy_set_usage( &policy,
+        psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
-                                  PSA_KEY_USAGE_DERIVE,
+        psa_set_key_algorithm( &key_attributes, PSA_ALG_ECDH );
-                                  PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
+        psa_set_key_type( &key_attributes,
-        status = psa_set_key_policy( handshake->ecdh_psa_privkey, &policy );
+                          PSA_KEY_TYPE_ECC_KEY_PAIR( handshake->ecdh_psa_curve )
-        if( status != PSA_SUCCESS )
+                        );
-            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
+        psa_set_key_bits( &key_attributes,
                          PSA_ECC_CURVE_BITS( handshake->ecdh_psa_curve ) );
        /* Generate ECDH private key. */
-        status = psa_generate_key( handshake->ecdh_psa_privkey,
+        status = psa_generate_key( &key_attributes,
-                          PSA_KEY_TYPE_ECC_KEYPAIR( handshake->ecdh_psa_curve ),
+                                   &handshake->ecdh_psa_privkey );
                          MBEDTLS_PSA_ECC_KEY_BITS_OF_CURVE( handshake->ecdh_psa_curve ),
                          NULL, 0 );
        if( status != PSA_SUCCESS )
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@ -3299,30 +3290,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
                own_pubkey_ecpoint, own_pubkey_ecpoint_len );
        content_len = own_pubkey_ecpoint_len + 1;
        /* The ECDH secret is the premaster secret used for key derivation. */
        /* Compute ECDH shared secret. */
-        status = psa_key_agreement( &generator,
+        status = psa_raw_key_agreement( PSA_ALG_ECDH,
                                        handshake->ecdh_psa_privkey,
                                        handshake->ecdh_psa_peerkey,
                                        handshake->ecdh_psa_peerkey_len,
                                    PSA_ALG_ECDH( PSA_ALG_SELECT_RAW ) );
        if( status != PSA_SUCCESS )
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
        /* The ECDH secret is the premaster secret used for key derivation. */
        ssl->handshake->pmslen =
            MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
        status = psa_generator_read( &generator,
                                        ssl->handshake->premaster,
-                                     ssl->handshake->pmslen );
+                                        sizeof( ssl->handshake->premaster ),
-        if( status != PSA_SUCCESS )
+                                        &ssl->handshake->pmslen );
        {
            psa_generator_abort( &generator );
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
        }
        status = psa_generator_abort( &generator );
        if( status != PSA_SUCCESS )
            return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -630,31 +630,26 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
 {
    psa_status_t status;
    psa_algorithm_t alg;
-    psa_key_policy_t policy;
+    psa_key_attributes_t key_attributes;
    psa_key_handle_t master_slot;
-    psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
+    psa_key_derivation_operation_t derivation =
-
+        PSA_KEY_DERIVATION_OPERATION_INIT;
    if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
    if( md_type == MBEDTLS_MD_SHA384 )
        alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_384);
    else
        alg = PSA_ALG_TLS12_PRF(PSA_ALG_SHA_256);
-    policy = psa_key_policy_init();
+    key_attributes = psa_key_attributes_init();
-    psa_key_policy_set_usage( &policy,
+    psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
-                              PSA_KEY_USAGE_DERIVE,
+    psa_set_key_algorithm( &key_attributes, alg );
-                              alg );
+    psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
-    status = psa_set_key_policy( master_slot, &policy );
+
    status = psa_import_key( &key_attributes, secret, slen, &master_slot );
    if( status != PSA_SUCCESS )
        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-    status = psa_import_key( master_slot, PSA_KEY_TYPE_DERIVE, secret, slen );
+    status = psa_key_derivation( &derivation,
    if( status != PSA_SUCCESS )
        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
    status = psa_key_derivation( &generator,
                                 master_slot, alg,
                                 random, rlen,
                                 (unsigned char const *) label,
@ -662,20 +657,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
                                 dlen );
    if( status != PSA_SUCCESS )
    {
-        psa_generator_abort( &generator );
+        psa_key_derivation_abort( &derivation );
        psa_destroy_key( master_slot );
        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
    }
-    status = psa_generator_read( &generator, dstbuf, dlen );
+    status = psa_key_derivation_output_bytes( &derivation, dstbuf, dlen );
    if( status != PSA_SUCCESS )
    {
-        psa_generator_abort( &generator );
+        psa_key_derivation_abort( &derivation );
        psa_destroy_key( master_slot );
        return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
    }
-    status = psa_generator_abort( &generator );
+    status = psa_key_derivation_abort( &derivation );
    if( status != PSA_SUCCESS )
    {
        psa_destroy_key( master_slot );
@ -1108,8 +1103,9 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
            /* Perform PSK-to-MS expansion in a single step. */
            psa_status_t status;
            psa_algorithm_t alg;
            psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
            psa_key_handle_t psk;
            psa_key_derivation_operation_t derivation =
                PSA_KEY_DERIVATION_OPERATION_INIT;
            MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
@ -1122,26 +1118,27 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
            else
                alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
-            status = psa_key_derivation( &generator, psk, alg,
+            status = psa_key_derivation( &derivation, psk, alg,
                                         salt, salt_len,
                                         (unsigned char const *) lbl,
                                         (size_t) strlen( lbl ),
                                         master_secret_len );
            if( status != PSA_SUCCESS )
            {
-                psa_generator_abort( &generator );
+                psa_key_derivation_abort( &derivation );
                return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
            }
-            status = psa_generator_read( &generator, session->master,
+            status = psa_key_derivation_output_bytes( &derivation,
                                                      session->master,
                                                      master_secret_len );
            if( status != PSA_SUCCESS )
            {
-                psa_generator_abort( &generator );
+                psa_key_derivation_abort( &derivation );
                return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
            }
-            status = psa_generator_abort( &generator );
+            status = psa_key_derivation_abort( &derivation );
            if( status != PSA_SUCCESS )
                return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
        }
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@ -902,7 +902,7 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
    psa_key_handle_t slot = 0;
    psa_algorithm_t alg = 0;
-    psa_key_policy_t policy;
+    psa_key_attributes_t key_attributes;
    psa_status_t status;
 #endif
@ -2068,25 +2068,12 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
    if( opt.psk_opaque != 0 )
    {
-        /* The algorithm has already been determined earlier. */
+        key_attributes = psa_key_attributes_init();
-        status = psa_allocate_key( &slot );
+        psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
-        if( status != PSA_SUCCESS )
+        psa_set_key_algorithm( &key_attributes, alg );
-        {
+        psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
            ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
            goto exit;
        }
-        policy = psa_key_policy_init();
+        status = psa_import_key( &key_attributes, psk, psk_len, &slot );
        psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
        status = psa_set_key_policy( slot, &policy );
        if( status != PSA_SUCCESS )
        {
            ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
            goto exit;
        }
        status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
        if( status != PSA_SUCCESS )
        {
            ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -1431,25 +1431,20 @@ int idle( mbedtls_net_context *fd,
 }
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
+static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot,
                                            psa_algorithm_t alg,
                                            unsigned char *psk,
                                            size_t psk_len )
 {
    psa_status_t status;
-    psa_key_policy_t policy;
+    psa_key_attributes_t key_attributes;
-    policy = psa_key_policy_init();
+    key_attributes = psa_key_attributes_init();
-    psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_DERIVE, alg );
+    psa_set_key_usage_flags( &key_attributes, PSA_KEY_USAGE_DERIVE );
    psa_set_key_algorithm( &key_attributes, alg );
    psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
-    status = psa_set_key_policy( slot, &policy );
+    status = psa_import_key( &key_attributes, psk, psk_len, slot );
    if( status != PSA_SUCCESS )
    {
        fprintf( stderr, "POLICY\n" );
        return( status );
    }
    status = psa_import_key( slot, PSA_KEY_TYPE_DERIVE, psk, psk_len );
    if( status != PSA_SUCCESS )
    {
        fprintf( stderr, "IMPORT\n" );
@ -3076,16 +3071,8 @@ int main( int argc, char *argv[] )
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
        if( opt.psk_opaque != 0 )
        {
            status = psa_allocate_key( &psk_slot );
            if( status != PSA_SUCCESS )
            {
                fprintf( stderr, "ALLOC FAIL\n" );
                ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
                goto exit;
            }
            /* The algorithm has already been determined earlier. */
-            status = psa_setup_psk_key_slot( psk_slot, alg, psk, psk_len );
+            status = psa_setup_psk_key_slot( &psk_slot, alg, psk, psk_len );
            if( status != PSA_SUCCESS )
            {
                fprintf( stderr, "SETUP FAIL\n" );
@ -3120,14 +3107,8 @@ int main( int argc, char *argv[] )
            psk_entry *cur_psk;
            for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
            {
                status = psa_allocate_key( &cur_psk->slot );
                if( status != PSA_SUCCESS )
                {
                    ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
                    goto exit;
                }
-                status = psa_setup_psk_key_slot( cur_psk->slot, alg,
+                status = psa_setup_psk_key_slot( &cur_psk->slot, alg,
                                                 cur_psk->key,
                                                 cur_psk->key_len );
                if( status != PSA_SUCCESS )
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@ -238,6 +238,7 @@
    <ClCompile Include="..\..\crypto\library\platform_util.c" />
    <ClCompile Include="..\..\crypto\library\poly1305.c" />
    <ClCompile Include="..\..\crypto\library\psa_crypto.c" />
    <ClCompile Include="..\..\crypto\library\psa_crypto_se.c" />
    <ClCompile Include="..\..\crypto\library\psa_crypto_slot_management.c" />
    <ClCompile Include="..\..\crypto\library\psa_crypto_storage.c" />
    <ClCompile Include="..\..\crypto\library\psa_its_file.c" />
		`@ -1 +1 @@`
			`Subproject commit 24b8f9f1719fefa179c7d1e00717f415f4a0868b`				`Subproject commit 89e76556910c2704313fe23b174f2742702a3a29`