From 9023cacf15cffbcbe37d4fc1a463d5cf80f175a4 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Mon, 3 May 2021 10:23:12 +0200
Subject: [PATCH] Merge verification policies together
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Signed-off-by: Manuel Pégourié-Gonnard
---
 include/psa/crypto.h | 2 +-
 include/psa/crypto_values.h | 28 ++++++++++++----------------
 2 files changed, 13 insertions(+), 17 deletions(-)

diff --git a/include/psa/crypto.h b/include/psa/crypto.h
index fdab2b14e..b92d194bf 100644
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@@ -3724,7 +3724,7 @@ psa_status_t psa_key_derivation_verify_bytes(
 * \param[in,out] operation The key derivation operation object to read from.
 * \param[in] expected A key of type #PSA_KEY_TYPE_RAW_DATA containing
 * the expected output. Its policy must include the
- * #PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER flag.
+ * #PSA_KEY_USAGE_VERIFY_DERIVATION flag.
 * The value of this key was likely computed by a
 * previous call to psa_key_derivation_output_key().
 *
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 7c3ca2c6a..faccaf633 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2199,25 +2199,21 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
 */
 #define PSA_KEY_USAGE_DERIVE ((psa_key_usage_t)0x00004000)

-/** Whether the key may be used to produce a password hash and verify it
- * against an expected value.
+/** Whether the key may be used to verify the result of a key derivation,
+ * including password hashing.
 *
- * This flag allows the key to be used as the input of
- * psa_key_derivation_input_key() at the step
- * #PSA_KEY_DERIVATION_INPUT_SECRET of #PSA_KEY_DERIVATION_INPUT_PASSWORD
- * depending on the algorithm, and allows the use of
- * psa_key_derivation_verify_bytes() or
- * psa_key_derivation_verify_key() at the end of the operation.
- */
-#define PSA_KEY_USAGE_PASSWORD_HASH_AND_VERIFY ((psa_key_usage_t)0x00008000)
-
-/** Whether the key may be used to as the expected value to which a password
- * hash will be compared.
+ * This flag allows the key to be used:
 *
- * This flag allows key to be used as the \c key argument of
- * psa_key_derivation_verify_key().
+ * - for a key of type #PSA_KEY_TYPE_RAW_DATA, as the \c key argument of
+ * psa_key_derivation_verify_key();
+ * - for a key of type #PSA_KEY_TYPE_PASSWORD (or #PSA_KEY_TYPE_DERIVE), as
+ * the input to psa_key_derivation_input_key() at the step
+ * #PSA_KEY_DERIVATION_INPUT_PASSWORD (or #PSA_KEY_DERIVATION_INPUT_SECRET);
+ * then at the end of the operation use of psa_key_derivation_verify_bytes()
+ * or psa_key_derivation_verify_key() will be permitted (but not
+ * psa_key_derivation_output_xxx() unless #PSA_KEY_USAGE_DERIVE is set).
 */
-#define PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER ((psa_key_usage_t)0x00010000)
+#define PSA_KEY_USAGE_VERIFY_DERIVATION ((psa_key_usage_t)0x00008000)

 /**@}*/
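Review bot: The first bullet of the new `PSA_KEY_USAGE_VERIFY_DERIVATION` description refers to "the \c key argument of psa_key_derivation_verify_key()", but the crypto.h hunk of this same patch documents the parameter that receives the #PSA_KEY_TYPE_RAW_DATA key as `expected` (presumably that doc block belongs to psa_key_derivation_verify_key(); its signature is outside the hunk), so the line should read `as the \c expected argument of`. With the two flags merged, the "expected value" role and the "secret input" role are now told apart only by key type, and the checks that enforce this are not visible in this diff. It would help to say so explicitly in the comment, for example `The role is determined by the key type; a key of any other type gains no permission from this flag.`, if that matches the implementation. The new flag also reuses 0x00008000 while 0x00010000 disappears, so if any key was ever persisted with the old `PSA_KEY_USAGE_PASSWORD_HASH_VERIFIER` bit its policy would no longer mean what it did; a short note that the old values were never released would settle that.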