Commit graph

541 commits

Author SHA1 Message Date
Gilles Peskine
3825e14e65 Fix policy validity check on key creation.
Add a non-regression test.
2019-07-31 16:54:38 +02:00
Gilles Peskine
41e50d26ea Remove "allocated" flag from key slots
The flag to mark key slots as allocated was introduced to mark slots
that are claimed and in use, but do not have key material yet, at a
time when creating a key used several API functions: allocate a slot,
then progressively set its metadata, and finally create the key
material. Now that all of these steps are combined into a single
API function call, the notion of allocated-but-not-filled slot is no
longer relevant. So remove the corresponding flag.

A slot is occupied iff there is a key in it. (For a key in a secure
element, the key material is not present, but the slot contains the
key metadata.) This key must have a type which is nonzero, so use this
as an indicator that a slot is in use.
2019-07-31 16:54:38 +02:00
Gilles Peskine
76aa09c9a9 Take advantage of psa_core_key_attributes_t internally #2
Key creation and psa_get_key_attributes
2019-07-31 16:54:37 +02:00
Gilles Peskine
b46bef2f76 Store the key size in the slot in memory
There is now a field for the key size in the key slot in memory. Use
it.

This makes psa_get_key_attributes() marginally faster at the expense
of memory that is available anyway in the current memory layout (16
bits for the size, 16 bits for flags). That's not the goal, though:
the goal is to simplify the code, in particular to make it more
uniform between transparent keys (whose size can be recomputed) and
keys in secure elements (whose size cannot be recomputed).

For keys in a secure element, the bit size is now saved by serializing
the type psa_key_bits_t (which is an alias for uint16_t) rather than
size_t.
2019-07-31 14:16:50 +02:00
Gilles Peskine
4ed0e6f11a Switch storage functions over to psa_core_key_attributes_t 2019-07-31 14:15:27 +02:00
Gilles Peskine
8e3387029d Use psa_core_key_attributes_t in key slots in memory
Change the type of key slots in memory to use
psa_core_key_attributes_t rather than separate fields. The goal is to
simplify some parts of the code. This commit only does the mechanical
replacement, not the substitution.

The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED`
in the `flags` field.

Write accessor functions for flags.

Key slots now contain a bit size field which is currently unused.
Subsequent commits will make use of it.
2019-07-31 14:15:27 +02:00
Gilles Peskine
68cc433b5b Store key sizes in 16 bits in attributes
This is larger than the maximum key size introduced in the previous
commit, by design.

Make some room for flags (not used yet).
2019-07-30 21:08:38 +02:00
Gilles Peskine
c744d99386 Limit keys to 65528 bits
65528 bits is more than any reasonable key until we start supporting
post-quantum cryptography.

This limit is chosen to allow bit-sizes to be stored in 16 bits, with
65535 left to indicate an invalid value. It's a whole number of bytes,
which facilitates some calculations, in particular allowing a key of
exactly PSA_CRYPTO_MAX_STORAGE_SIZE to be created but not one bit
more.

As a resource usage limit, this is arguably too large, but that's out
of scope of the current commit.

Test that key import, generation and derivation reject overly large
sizes.
2019-07-30 20:58:33 +02:00
Gilles Peskine
7e0cff90b9 Move attribute fields to a substructure
Move the "core attributes" to a substructure of psa_key_attribute_t.
The motivation is to be able to use the new structure
psa_core_key_attributes_t internally.
2019-07-30 20:58:27 +02:00
Gilles Peskine
e60d1d08a4 SE keys: save the bit size in storage
For a key in a secure element, save the bit size alongside the slot
number.

This is a quick-and-dirty implementation where the storage format
depends on sizeof(size_t), which is fragile. This should be replaced
by a more robust implementation before going into production.
2019-07-29 18:11:09 +02:00
Gilles Peskine
1801740a7c SE driver: report the bit size on key import
Add a parameter to the key import method of a secure element driver to
make it report the key size in bits. This is necessary (otherwise the
core has no idea what the bit-size is), and making import report it is
easier than adding a separate method (for other key creation methods,
this information is an input, not an output).
2019-07-29 18:07:09 +02:00
Gilles Peskine
dc5bfe9784 SE keys: implement and test psa_get_key_attributes 2019-07-29 18:07:03 +02:00
Gilles Peskine
424f89453b SE keys: store the bit size internally (partial implementation)
This commit blindingly copies the size from the attributes. This is
not correct for copy and import.
2019-07-29 17:06:06 +02:00
Gilles Peskine
adb1c52149
Merge pull request #157 from gilles-peskine-arm/psa-se_driver-create_key
Secure element key creation foundation
2019-07-26 14:39:55 +02:00
Gilles Peskine
66be51c35d If starting a transaction fails, wipe the transaction data
Nothing has been saved to disk yet, but there is stale data in
psa_crypto_transaction. This stale data should not be reused, but do
wipe it to reduce the risk of it mattering somehow in the future.
2019-07-26 13:23:51 +02:00
Gilles Peskine
f9bb29ec26 Add boilerplate to recover a transaction during init 2019-07-25 17:52:59 +02:00
Gilles Peskine
4aea1036c6 Bug fix: don't start a transaction for non-SE keys 2019-07-25 17:38:34 +02:00
Gilles Peskine
2e0f388d2a Don't explicitly dereference function pointers
Be stylistically consistent.
2019-07-25 11:42:19 +02:00
Gilles Peskine
60450a4812 Improve comments 2019-07-25 11:32:45 +02:00
Gilles Peskine
725f22a545 Bug fix: save the driver's persistent data in destroy_key 2019-07-25 11:32:27 +02:00
Gilles Peskine
adad813d7b psa_key_slot_is_external exists. Use it. 2019-07-25 11:32:27 +02:00
Gilles Peskine
f77a6acf83 Fix indentation 2019-07-25 10:51:03 +02:00
Gilles Peskine
4b73422318 Transaction support: be more future-proof
If there's ever a non-SE-related transaction, make sure it gets
handled during init.
2019-07-24 15:56:31 +02:00
Gilles Peskine
f4ee662868 SE keys: error out in key creation function that lack support 2019-07-24 13:44:30 +02:00
Gilles Peskine
28f8f3068f SE keys: ensure that functions that lack support properly error out
Introduce a new function psa_get_transparent_key which returns
NOT_SUPPORTED if the key is in a secure element. Use this function in
functions that don't support keys in a secure element.

After this commit, all functions that access a key slot directly via
psa_get_key_slot or psa_get_key_from_slot rather than via
psa_get_transparent_key have at least enough support for secure
elements not to crash or otherwise cause undefined behavior. Lesser
bad behavior such as wrong results or resource leakage is still
possible in error cases.
2019-07-24 13:30:31 +02:00
Gilles Peskine
1df83d4f5b SE keys: implement persistent storage
For a key in a secure element, persist the key slot.

This is implemented in the nominal case. Failures may not be handled
properly.
2019-07-23 16:13:14 +02:00
Gilles Peskine
bfd322ff34 Use a key attribute structure in the internal storage interface
Pass information via a key attribute structure rather than as separate
parameters to psa_crypto_storage functions. This makes it easier to
maintain the code when the metadata of a key evolves.

This has negligible impact on code size (+4B with "gcc -Os" on x86_64).
2019-07-23 13:31:54 +02:00
Gilles Peskine
fc76265385 Do secure element key creation and destruction in a transaction
Key creation and key destruction for a key in a secure element both
require updating three pieces of data: the key data in the secure
element, the key metadata in internal storage, and the SE driver's
persistent data. Perform these actions in a transaction so that
recovery is possible if the action is interrupted midway.
2019-07-22 19:46:22 +02:00
Gilles Peskine
c11c4dcf95 Favor stdint.h types in internal types
Use uint8_t for PSA buffers. Keep unsigned char for generic libc
buffers and for mbedtls buffers.
2019-07-15 11:17:53 +02:00
Gilles Peskine
7228da25f9 Favor stdint.h types in implementation-specific API 2019-07-15 11:16:18 +02:00
Andrew Thoelke
163639b830 Apply same changes to implementation source code 2019-07-15 11:14:56 +02:00
Gilles Peskine
5d309672af SE keys: support import and export 2019-07-12 23:47:28 +02:00
Gilles Peskine
354f7671f4 SE keys: support destroy
When destroying a key in a secure element, call the driver's destroy
method and update the driver's persistent data in storage.
2019-07-12 23:46:38 +02:00
Gilles Peskine
cbaff467ef SE keys: allocate a slot before creating the key 2019-07-12 23:46:04 +02:00
Gilles Peskine
73167e128f SE keys: store the slot number in the memory slot 2019-07-12 23:44:37 +02:00
Gilles Peskine
8abe6a2d5c Driver table entries are now mutable
Since driver table entries contain the driver context, which is
mutable, they can't be const anymore.
2019-07-12 23:42:20 +02:00
Gilles Peskine
011e4284a1 Look up the SE driver when creating a key
When creating a key with a lifetime that places it in a secure
element, retrieve the appropriate driver table entry.

This commit doesn't yet achieve behavior: so far the code only
retrieves the driver, it doesn't call the driver.
2019-07-12 11:47:50 +02:00
Adrian L. Shaw
2282cfa660 Remove GMAC algorithm (for now)
It can't be implemented with the current version of the API
2019-07-11 15:51:45 +01:00
Jaeden Amero
c19dcebbdd
Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart
Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00
Janos Follath
d6dce9f4f3 Fix zero-length seed or label in TLS 1.2 PRF
The psa_tls12_prf_set_seed() and psa_tls12_prf_set_label() functions did
not work on platforms where malloc(0) returns NULL.

It does not affect the TLS use case but these PRFs are used in other
protocols as well and might not be used the same way. For example EAP
uses the TLS PRF with an empty secret. (This would not trigger the bug,
but is a strong indication that it is not safe to assume that certain
inputs to this function are not zero length.)

The conditional block includes the memcpy() call as well to avoid
passing a NULL pointer as a parameter resulting in undefined behaviour.

The current tests are already using zero length label and seed, there is
no need to add new test for this bug.
2019-07-04 09:11:38 +01:00
Janos Follath
0c1ed84258 Improve style 2019-06-28 15:10:06 +01:00
Gilles Peskine
a8ade16ffd Gate secure element support by a separate config option
Secure element support has its own source file, and in addition
requires many hooks in other files. This is a nontrivial amount of
code, so make it optional (but default on).
2019-06-26 20:01:35 +02:00
Janos Follath
40e1393816 Optimize TLS PRF PSK key calculation 2019-06-26 13:23:10 +01:00
Janos Follath
76c3984477 Clarify TLS PRF algorithm description 2019-06-26 12:50:36 +01:00
Janos Follath
30090bc2cf Fix error code
PSA_ERROR_BAD_STATE means that the function was called on a context in a
bad state.

This error is something that can't happen while only using the PSA API and
therefore a PSA_ERROR_CORRUPTION_DETECTED is a more appropriate error
code.
2019-06-26 09:15:08 +01:00
Janos Follath
5fe19734d5 Make key derivation initialisation consistent
The macro initialiser might leave bytes in the union unspecified.
Zeroising it in setup makes sure that the behaviour is the same
independently of the initialisation method used.
2019-06-26 09:15:08 +01:00
Janos Follath
ea29bfb148 Add tls12_prf key derivation to the new API
The TLS 1.2 pseudorandom function does a lot of distinct HMAC operations
with the same key. To save the battery and CPU cycles spent on
calculating the paddings and hashing the inner padding, we keep the
hash context in the status right after the inner padding having been
hashed and clone it as needed.
2019-06-26 09:15:08 +01:00
Janos Follath
844eb0e5fa Add tls12_prf_read for the new API
Technically we could have reused the old one for the new API, but then
we had to set an extra field during setup. The new version works when
all the fields that haven't been set explicitely are zero-initialised.
2019-06-26 09:15:08 +01:00
Janos Follath
7742feea53 Add stub for new tls12_prf_generate_next_block 2019-06-26 09:15:08 +01:00
Janos Follath
6c6c8fceaa Improve style 2019-06-26 09:15:08 +01:00
Janos Follath
6660f0eb98 Add TLS 1.2 PSK master secret generation 2019-06-26 09:15:08 +01:00
Janos Follath
51f4a0f9ac Style: enforce 80 column limit 2019-06-26 09:15:08 +01:00
Janos Follath
c56215163f Simplify psa_key_derivation_input_bytes
The specific key derivation input functions support a subset of the
input options and need to check it anyway. Checking it at the top level
is redundant, it brings a very little value and comes with a cost in
code size and maintainability.
2019-06-26 09:15:08 +01:00
Janos Follath
adbec81cc4 Remove the deprecated PSA_ALG_SELECT_RAW option
This change affects the psa_key_derivation_s structure. With the buffer
removed from the union, it is empty if MBEDTLS_MD_C is not defined.

We can avoid undefined behaviour by adding a new dummy field that is
always present or make the whole union conditional on MBEDTLS_MD_C.

In this latter case the initialiser macro has to depend on MBEDTLS_MD_C
as well. Furthermore the first structure would be either
psa_hkdf_key_derivation_t or psa_tls12_prf_key_derivation_t both of
which are very deep and would make the initialisation macro difficult
to maintain, therefore we go with the first option.
2019-06-26 09:15:08 +01:00
Janos Follath
63028dd906 Add label input for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
8155054e28 Add key import for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
f08e2654ed Add seed input for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
ef83f5e98e Move raw key derivation input to a new function 2019-06-26 09:15:08 +01:00
Janos Follath
b80a94e2ea Rename psa_key_derivation_input_raw
The function dispatches between all the available methods and
does not just handle the raw key derivation case like the name suggests.
2019-06-26 09:15:08 +01:00
Janos Follath
b03233e196 Add stubs for psa_tls12_prf_input 2019-06-26 09:15:08 +01:00
Janos Follath
6a1d262803 Adapt psa_key_derivation_abort to the new context 2019-06-26 09:15:08 +01:00
Janos Follath
999f648437 Add new psa_tls12_prf_key_derivation_t
As part of adapting TLS 1.2 key derivation to the PSA 1.0 API we need to
change the context structure.
2019-06-26 09:15:08 +01:00
Janos Follath
083036af64 Safely erase key material upon abort
Some key derivation operation contexts (like
psa_tls12_prf_key_derivation_t) directly contain buffers with parts of
the derived key. Erase them safely as part of the abort.
2019-06-26 09:15:58 +01:00
Janos Follath
71a4c9125b Add flag for removing deprecated API
Add the compile time option PSA_PRE_1_0_KEY_DERIVATION. If this is not
turned on, then the function `psa_key_derivation()` is removed.

Most of the tests regarding key derivation haven't been adapted to the
new API yet and some of them have only been adapted partially. When this
new option is turned off, the tests using the old API and test cases
using the old API of partially adapted tests are skipped.

The sole purpose of this option is to make the transition to the new API
smoother. Once the transition is complete it can and should be removed
along with the old API and its implementation.
2019-06-26 09:15:08 +01:00
Gilles Peskine
8f2a6dcc25 Support PSA_KEY_DERIVATION_INPUT_SEED 2019-06-25 12:02:31 +01:00
Gilles Peskine
d089021128 Unregister drivers on library deinitialization 2019-06-24 19:55:48 +02:00
Jaeden Amero
7654161dbf psa: Add NV seed as an entropy source when needed
When MBEDTLS_PSA_INJECT_ENTROPY is used, we now require also defining
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES. When
MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES is defined, we do not add entropy
sources by default. This includes the NV seed entropy source, which the
PSA entropy injection API is built upon.

The PSA entropy injection feature depends on using NV seed as an entropy
source. Add NV seed as an entropy source for PSA entropy injection.

Fixes e3dbdd8d90 ("Gate entropy injection through a dedicated configuration option")
2019-06-05 11:09:38 +01:00
Gilles Peskine
267c65666a Simplify key slot allocation
Now that psa_allocate_key() is no longer a public function, expose
psa_internal_allocate_key_slot() instead, which provides a pointer to
the slot to its caller.
2019-06-05 11:34:54 +02:00
Gilles Peskine
f46f81ceb5 Remove obsolete key creation functions
Remove the key creation functions from before the attribute-based API,
i.e. the key creation functions that worked by allocating a slot, then
setting metadata through the handle and finally creating key material.
2019-06-05 11:34:54 +02:00
Gilles Peskine
f25c9ec02e Minor documentation improvements 2019-05-27 14:08:27 +02:00
Gilles Peskine
96f0b3b1d3 Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-27 14:08:27 +02:00
Gilles Peskine
549ea8676a Minor documentation improvements 2019-05-22 11:45:59 +02:00
Gilles Peskine
2c86ebc2f8 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allowed to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-21 17:06:27 +02:00
Gilles Peskine
d6f371b1ba Keys may allow a second algorithm
Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.
2019-05-21 17:06:03 +02:00
Gilles Peskine
eff4942202
Merge pull request #268 from ARMmbed/psa-error_tampering_detected
Rename PSA_ERROR_TAMPERING_DETECTED to PSA_ERROR_CORRUPTION_DETECTED
2019-05-17 11:06:09 +02:00
Gilles Peskine
35ef36b62f Rename psa_generate_random_key back to psa_generate_key
generate_key is a more classical name. The longer name was only
introduced to avoid confusion with getting a key from a generator,
which is key derivation, but we no longer use the generator
terminology so this reason no longer applies.

perl -i -pe 's/psa_generate_random_key/psa_generate_key/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
c93b80c350 Rename *KEYPAIR* to *KEY_PAIR*
Be consistent with PUBLIC_KEY.

perl -i -pe 's/KEYPAIR/KEY_PAIR/g' $(git ls-files)
2019-05-17 10:56:57 +02:00
Gilles Peskine
4b3eb69271 Rename PSA_ERROR_TAMPERING_DETECTED to ..._CORRUPTION_DETECTED
“Tampering detected” was misleading because in the real world it can
also arise due to a software bug. “Corruption detected” is neutral and
more precisely reflects what can trigger the error.

perl -i -pe 's/PSA_ERROR_TAMPERING_DETECTED/PSA_ERROR_CORRUPTION_DETECTED/gi' $(git ls-files)
2019-05-16 21:35:18 +02:00
Gilles Peskine
be697d8324 Shorten the name of psa_key_agreement_raw_shared_secret
There is less of a risk of confusion with the KA+KDF function now.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cf7292e257 Wrap and reindent some lines
After renaming several identifiers, re-wrap and re-indent some lines
to make the code prettier.
2019-05-16 18:55:25 +02:00
Gilles Peskine
51ae0e4b79 Rename "generator" to "operation"
Generators are now key derivation operations.

Keep "random generator" intact.
2019-05-16 18:55:25 +02:00
Gilles Peskine
cbe6650394 Rename generator-related internal identifiers
perl -pe 's/crypto_generator/key_derivation/gi' $(git ls-files)
    perl -pe 's/_generator/_key_derivation/gi' $(git ls-files)
2019-05-16 18:55:25 +02:00
Gilles Peskine
03410b5c5f Rename PSA_KDF_STEP_xxx -> PSA_KEY_DERIVATION_INPUT_xxx
More consistent with the new function names.
2019-05-16 18:55:25 +02:00
Gilles Peskine
a99d3fbd05 Rename generator functions to psa_key_derivation_xxx
Generators are mostly about key derivation (currently: only about key
derivation). "Generator" is not a commonly used term in cryptography.
So favor "derivation" as terminology. Call a generator a key
derivation operation structure, since it behaves like other multipart
operation structures. Furthermore, the function names are not fully
consistent.

In this commit, I rename the functions to consistently have the prefix
"psa_key_derivation_". I used the following command:

    perl -i -pe '%t = (
        psa_crypto_generator_t => "psa_key_derivation_operation_t",
        psa_crypto_generator_init => "psa_key_derivation_init",
        psa_key_derivation_setup => "psa_key_derivation_setup",
        psa_key_derivation_input_key => "psa_key_derivation_input_key",
        psa_key_derivation_input_bytes => "psa_key_derivation_input_bytes",
        psa_key_agreement => "psa_key_derivation_key_agreement",
        psa_set_generator_capacity => "psa_key_derivation_set_capacity",
        psa_get_generator_capacity => "psa_key_derivation_get_capacity",
        psa_generator_read => "psa_key_derivation_output_bytes",
        psa_generate_derived_key => "psa_key_derivation_output_key",
        psa_generator_abort => "psa_key_derivation_abort",
        PSA_CRYPTO_GENERATOR_INIT => "PSA_KEY_DERIVATION_OPERATION_INIT",
        PSA_GENERATOR_UNBRIDLED_CAPACITY => "PSA_KEY_DERIVATION_UNLIMITED_CAPACITY",
        ); s/\b(@{[join("|", keys %t)]})\b/$t{$1}/ge' $(git ls-files)
2019-05-16 18:55:21 +02:00
Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Gilles Peskine
c9d910bed6 EC key pair import: check the buffer size
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine
73676cbc50 Put handle parameter last: psa_import_key
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
98dd779eb5 Put handle parameter last: psa_generate_derived_key
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
c160d9ec83 psa_copy_key: enforce PSA_KEY_USAGE_COPY
Implement the check and add a negative test.
2019-05-14 14:32:03 +02:00
Gilles Peskine
8e0206aa26 New usage flag PSA_KEY_USAGE_COPY
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Gilles Peskine
f9666595e1 Implement and test the new key identifier range
Only allow creating keys in the application (user) range. Allow
opening keys in the implementation (vendor) range as well.

Compared with what the implementation allowed, which was undocumented:
0 is now allowed; values from 0x40000000 to 0xfffeffff are now
forbidden.
2019-05-06 18:56:30 +02:00
Gilles Peskine
26869f2d9b Implement ChaCha20 and ChaCha20-Poly1305
Smoke tests: test data for ChaCha20 calculated with PyCryptodome; test
vector from RFC 7539 for ChaCha20-Poly1305.
2019-05-06 15:59:44 +02:00
Gilles Peskine
f7e7b01a25 Minor refactoring in AEAD code
Make it a little easier to add ChaCha20-Poly1305.

This also fixes the error code in case mbedtls_gcm_setkey() fails with
a status that doesn't map to INVALID_ARGUMENT.
2019-05-06 15:59:44 +02:00
Gilles Peskine
ff2d200fa5 Always include platform.h for MBEDTLS_ERR_PLATFORM_xxx
Recognize MBEDTLS_ERR_PLATFORM_xxx in mbedtls_to_psa_error().
2019-05-06 15:59:44 +02:00
Gilles Peskine
4ce2a9dcbf Check unused attributes in import and copy
In psa_import_key and psa_copy_key, some information comes from the
key data (input buffer or source key) rather than from the attributes:
key size for import, key size and type and domain parameters for copy.
If an unused attribute is nonzero in the attribute structure, check
that it matches the correct value. This protects against application
errors.
2019-05-03 16:57:15 +02:00
Adrian L. Shaw
5a5a79ae2a Rename psa_generate_key() and psa_generator_import_key() 2019-05-03 15:44:28 +01:00