eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Adapt programs to PSA openless APIs

Browse source 
PSA and SSL programs are PSA clients thus should use
psa_key_id_t as the type for key identifiers, not
mbedtls_svc_key_id_t.

As a consequence, PSA, ssl_server2 and ssl_client2
programs cannot compile and must not be compiled if
MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER is defined.
Thus, add MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
compilation guard to those programs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron 2020-09-16 16:49:27 +02:00
parent c3623dbc76
commit adc2ff28b0
4 changed files with 102 additions and 100 deletions
Download patch file Download diff file Expand all files Collapse all files

44
programs/psa/crypto_examples.c
View file

@ -45,13 +45,15 @@
#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_AES_C) || \ #if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_AES_C) || \
!defined(MBEDTLS_CIPHER_MODE_CBC) || !defined(MBEDTLS_CIPHER_MODE_CTR) || \ !defined(MBEDTLS_CIPHER_MODE_CBC) || !defined(MBEDTLS_CIPHER_MODE_CTR) || \
!defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) !defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main( void ) int main( void )
{ {
printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or " printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or "
"MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR " "MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR "
"and/or MBEDTLS_CIPHER_MODE_WITH_PADDING " "and/or MBEDTLS_CIPHER_MODE_WITH_PADDING "
"not defined.\r\n" ); "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER"
" defined.\r\n" );
return( 0 ); return( 0 );
} }
#else #else
@ -92,7 +94,7 @@ exit:
return( status ); return( status );
} }
static psa_status_t cipher_encrypt( psa_key_handle_t key_handle, static psa_status_t cipher_encrypt( psa_key_id_t key,
psa_algorithm_t alg, psa_algorithm_t alg,
uint8_t * iv, uint8_t * iv,
size_t iv_size, size_t iv_size,
@ -108,7 +110,7 @@ static psa_status_t cipher_encrypt( psa_key_handle_t key_handle,
size_t iv_len = 0; size_t iv_len = 0;
memset( &operation, 0, sizeof( operation ) ); memset( &operation, 0, sizeof( operation ) );
status = psa_cipher_encrypt_setup( &operation, key_handle, alg ); status = psa_cipher_encrypt_setup( &operation, key, alg );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = psa_cipher_generate_iv( &operation, iv, iv_size, &iv_len ); status = psa_cipher_generate_iv( &operation, iv, iv_size, &iv_len );
@ -123,7 +125,7 @@ exit:
return( status ); return( status );
} }
static psa_status_t cipher_decrypt( psa_key_handle_t key_handle, static psa_status_t cipher_decrypt( psa_key_id_t key,
psa_algorithm_t alg, psa_algorithm_t alg,
const uint8_t * iv, const uint8_t * iv,
size_t iv_size, size_t iv_size,
@ -138,7 +140,7 @@ static psa_status_t cipher_decrypt( psa_key_handle_t key_handle,
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT; psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
memset( &operation, 0, sizeof( operation ) ); memset( &operation, 0, sizeof( operation ) );
status = psa_cipher_decrypt_setup( &operation, key_handle, alg ); status = psa_cipher_decrypt_setup( &operation, key, alg );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = psa_cipher_set_iv( &operation, iv, iv_size ); status = psa_cipher_set_iv( &operation, iv, iv_size );
@ -165,7 +167,7 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void )
psa_status_t status; psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t key = 0;
size_t output_len = 0; size_t output_len = 0;
uint8_t iv[block_size]; uint8_t iv[block_size];
uint8_t input[block_size]; uint8_t input[block_size];
@ -181,15 +183,15 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void )
psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); psa_set_key_type( &attributes, PSA_KEY_TYPE_AES );
psa_set_key_bits( &attributes, key_bits ); psa_set_key_bits( &attributes, key_bits );
status = psa_generate_key( &attributes, &key_handle ); status = psa_generate_key( &attributes, &key );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_encrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_encrypt( key, alg, iv, sizeof( iv ),
input, sizeof( input ), part_size, input, sizeof( input ), part_size,
encrypt, sizeof( encrypt ), &output_len ); encrypt, sizeof( encrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_decrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_decrypt( key, alg, iv, sizeof( iv ),
encrypt, output_len, part_size, encrypt, output_len, part_size,
decrypt, sizeof( decrypt ), &output_len ); decrypt, sizeof( decrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
@ -198,7 +200,7 @@ cipher_example_encrypt_decrypt_aes_cbc_nopad_1_block( void )
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
exit: exit:
psa_destroy_key( key_handle ); psa_destroy_key( key );
return( status ); return( status );
} }
@ -215,7 +217,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void )
psa_status_t status; psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t key = 0;
size_t output_len = 0; size_t output_len = 0;
uint8_t iv[block_size], input[input_size], uint8_t iv[block_size], input[input_size],
encrypt[input_size + block_size], decrypt[input_size + block_size]; encrypt[input_size + block_size], decrypt[input_size + block_size];
@ -229,15 +231,15 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void )
psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); psa_set_key_type( &attributes, PSA_KEY_TYPE_AES );
psa_set_key_bits( &attributes, key_bits ); psa_set_key_bits( &attributes, key_bits );
status = psa_generate_key( &attributes, &key_handle ); status = psa_generate_key( &attributes, &key );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_encrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_encrypt( key, alg, iv, sizeof( iv ),
input, sizeof( input ), part_size, input, sizeof( input ), part_size,
encrypt, sizeof( encrypt ), &output_len ); encrypt, sizeof( encrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_decrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_decrypt( key, alg, iv, sizeof( iv ),
encrypt, output_len, part_size, encrypt, output_len, part_size,
decrypt, sizeof( decrypt ), &output_len ); decrypt, sizeof( decrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
@ -246,7 +248,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_cbc_pkcs7_multi( void )
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
exit: exit:
psa_destroy_key( key_handle ); psa_destroy_key( key );
return( status ); return( status );
} }
@ -262,7 +264,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void )
psa_status_t status; psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t key = 0;
size_t output_len = 0; size_t output_len = 0;
uint8_t iv[block_size], input[input_size], encrypt[input_size], uint8_t iv[block_size], input[input_size], encrypt[input_size],
decrypt[input_size]; decrypt[input_size];
@ -276,15 +278,15 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void )
psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); psa_set_key_type( &attributes, PSA_KEY_TYPE_AES );
psa_set_key_bits( &attributes, key_bits ); psa_set_key_bits( &attributes, key_bits );
status = psa_generate_key( &attributes, &key_handle ); status = psa_generate_key( &attributes, &key );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_encrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_encrypt( key, alg, iv, sizeof( iv ),
input, sizeof( input ), part_size, input, sizeof( input ), part_size,
encrypt, sizeof( encrypt ), &output_len ); encrypt, sizeof( encrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
status = cipher_decrypt( key_handle, alg, iv, sizeof( iv ), status = cipher_decrypt( key, alg, iv, sizeof( iv ),
encrypt, output_len, part_size, encrypt, output_len, part_size,
decrypt, sizeof( decrypt ), &output_len ); decrypt, sizeof( decrypt ), &output_len );
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
@ -293,7 +295,7 @@ static psa_status_t cipher_example_encrypt_decrypt_aes_ctr_multi( void )
ASSERT_STATUS( status, PSA_SUCCESS ); ASSERT_STATUS( status, PSA_SUCCESS );
exit: exit:
psa_destroy_key( key_handle ); psa_destroy_key( key );
return( status ); return( status );
} }

114
programs/psa/key_ladder_demo.c
View file

@ -65,15 +65,17 @@
#include <psa/crypto.h> #include <psa/crypto.h>
/* If the build options we need are not enabled, compile a placeholder. */ /* If the build options we need are not enabled, compile a placeholder. */
#if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \ #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \ !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \
!defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main( void ) int main( void )
{ {
printf("MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " printf( "MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or "
"MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or "
"MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO " "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO "
"not defined.\n"); "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER "
"defined.\n" );
return( 0 ); return( 0 );
} }
#else #else
@ -167,7 +169,7 @@ enum program_mode
/* Save a key to a file. In the real world, you may want to export a derived /* Save a key to a file. In the real world, you may want to export a derived
* key sometimes, to share it with another party. */ * key sometimes, to share it with another party. */
static psa_status_t save_key( psa_key_handle_t key_handle, static psa_status_t save_key( psa_key_id_t key,
const char *output_file_name ) const char *output_file_name )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
@ -175,7 +177,7 @@ static psa_status_t save_key( psa_key_handle_t key_handle,
size_t key_size; size_t key_size;
FILE *key_file = NULL; FILE *key_file = NULL;
PSA_CHECK( psa_export_key( key_handle, PSA_CHECK( psa_export_key( key,
key_data, sizeof( key_data ), key_data, sizeof( key_data ),
&key_size ) ); &key_size ) );
SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL ); SYS_CHECK( ( key_file = fopen( output_file_name, "wb" ) ) != NULL );
@ -197,7 +199,7 @@ exit:
static psa_status_t generate( const char *key_file_name ) static psa_status_t generate( const char *key_file_name )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t key = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_usage_flags( &attributes, psa_set_key_usage_flags( &attributes,
@ -206,12 +208,12 @@ static psa_status_t generate( const char *key_file_name )
psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE );
psa_set_key_bits( &attributes, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ) ); psa_set_key_bits( &attributes, PSA_BYTES_TO_BITS( KEY_SIZE_BYTES ) );
PSA_CHECK( psa_generate_key( &attributes, &key_handle ) ); PSA_CHECK( psa_generate_key( &attributes, &key ) );
PSA_CHECK( save_key( key_handle, key_file_name ) ); PSA_CHECK( save_key( key, key_file_name ) );
exit: exit:
(void) psa_destroy_key( key_handle ); (void) psa_destroy_key( key );
return( status ); return( status );
} }
@ -223,7 +225,7 @@ exit:
static psa_status_t import_key_from_file( psa_key_usage_t usage, static psa_status_t import_key_from_file( psa_key_usage_t usage,
psa_algorithm_t alg, psa_algorithm_t alg,
const char *key_file_name, const char *key_file_name,
psa_key_handle_t *master_key_handle ) psa_key_id_t *master_key )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -232,8 +234,6 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage,
FILE *key_file = NULL; FILE *key_file = NULL;
unsigned char extra_byte; unsigned char extra_byte;
*master_key_handle = PSA_KEY_HANDLE_INIT;
SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL ); SYS_CHECK( ( key_file = fopen( key_file_name, "rb" ) ) != NULL );
SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ), SYS_CHECK( ( key_size = fread( key_data, 1, sizeof( key_data ),
key_file ) ) != 0 ); key_file ) ) != 0 );
@ -250,8 +250,7 @@ static psa_status_t import_key_from_file( psa_key_usage_t usage,
psa_set_key_usage_flags( &attributes, usage ); psa_set_key_usage_flags( &attributes, usage );
psa_set_key_algorithm( &attributes, alg ); psa_set_key_algorithm( &attributes, alg );
psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE ); psa_set_key_type( &attributes, PSA_KEY_TYPE_DERIVE );
PSA_CHECK( psa_import_key( &attributes, key_data, key_size, PSA_CHECK( psa_import_key( &attributes, key_data, key_size, master_key ) );
master_key_handle ) );
exit: exit:
if( key_file != NULL ) if( key_file != NULL )
fclose( key_file ); fclose( key_file );
@ -259,21 +258,22 @@ exit:
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
/* If the key creation hasn't happened yet or has failed, /* If the key creation hasn't happened yet or has failed,
* *master_key_handle is 0. psa_destroy_key(0) is guaranteed to do * *master_key is null. psa_destroy_key( 0 ) is
* nothing and return PSA_ERROR_INVALID_HANDLE. */ * guaranteed to do nothing and return PSA_SUCCESS. */
(void) psa_destroy_key( *master_key_handle ); (void) psa_destroy_key( *master_key );
*master_key_handle = PSA_KEY_HANDLE_INIT; *master_key = 0;
} }
return( status ); return( status );
} }
/* Derive the intermediate keys, using the list of labels provided on /* Derive the intermediate keys, using the list of labels provided on
* the command line. On input, *key_handle is a handle to the master key. * the command line. On input, *key is the master key identifier.
* This function closes the master key. On successful output, *key_handle * This function destroys the master key. On successful output, *key
* is a handle to the final derived key. */ * is the identifier of the final derived key.
*/
static psa_status_t derive_key_ladder( const char *ladder[], static psa_status_t derive_key_ladder( const char *ladder[],
size_t ladder_depth, size_t ladder_depth,
psa_key_handle_t *key_handle ) psa_key_id_t *key )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -297,17 +297,17 @@ static psa_status_t derive_key_ladder( const char *ladder[],
DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH ) ); DERIVE_KEY_SALT, DERIVE_KEY_SALT_LENGTH ) );
PSA_CHECK( psa_key_derivation_input_key( PSA_CHECK( psa_key_derivation_input_key(
&operation, PSA_KEY_DERIVATION_INPUT_SECRET, &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
*key_handle ) ); *key ) );
PSA_CHECK( psa_key_derivation_input_bytes( PSA_CHECK( psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_INFO, &operation, PSA_KEY_DERIVATION_INPUT_INFO,
(uint8_t*) ladder[i], strlen( ladder[i] ) ) ); (uint8_t*) ladder[i], strlen( ladder[i] ) ) );
/* When the parent key is not the master key, destroy it, /* When the parent key is not the master key, destroy it,
* since it is no longer needed. */ * since it is no longer needed. */
PSA_CHECK( psa_close_key( *key_handle ) ); PSA_CHECK( psa_destroy_key( *key ) );
*key_handle = PSA_KEY_HANDLE_INIT; *key = 0;
/* Derive the next intermediate key from the parent key. */ /* Derive the next intermediate key from the parent key. */
PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation, PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation,
key_handle ) ); key ) );
PSA_CHECK( psa_key_derivation_abort( &operation ) ); PSA_CHECK( psa_key_derivation_abort( &operation ) );
} }
@ -315,22 +315,22 @@ exit:
psa_key_derivation_abort( &operation ); psa_key_derivation_abort( &operation );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_close_key( *key_handle ); psa_destroy_key( *key );
*key_handle = PSA_KEY_HANDLE_INIT; *key = 0;
} }
return( status ); return( status );
} }
/* Derive a wrapping key from the last intermediate key. */ /* Derive a wrapping key from the last intermediate key. */
static psa_status_t derive_wrapping_key( psa_key_usage_t usage, static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
psa_key_handle_t derived_key_handle, psa_key_id_t derived_key,
psa_key_handle_t *wrapping_key_handle ) psa_key_id_t *wrapping_key )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
*wrapping_key_handle = PSA_KEY_HANDLE_INIT; *wrapping_key = 0;
/* Set up a key derivation operation from the key derived from /* Set up a key derivation operation from the key derived from
* the master key. */ * the master key. */
@ -340,7 +340,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH ) ); WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH ) );
PSA_CHECK( psa_key_derivation_input_key( PSA_CHECK( psa_key_derivation_input_key(
&operation, PSA_KEY_DERIVATION_INPUT_SECRET, &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
derived_key_handle ) ); derived_key ) );
PSA_CHECK( psa_key_derivation_input_bytes( PSA_CHECK( psa_key_derivation_input_bytes(
&operation, PSA_KEY_DERIVATION_INPUT_INFO, &operation, PSA_KEY_DERIVATION_INPUT_INFO,
NULL, 0 ) ); NULL, 0 ) );
@ -351,7 +351,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
psa_set_key_type( &attributes, PSA_KEY_TYPE_AES ); psa_set_key_type( &attributes, PSA_KEY_TYPE_AES );
psa_set_key_bits( &attributes, WRAPPING_KEY_BITS ); psa_set_key_bits( &attributes, WRAPPING_KEY_BITS );
PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation, PSA_CHECK( psa_key_derivation_output_key( &attributes, &operation,
wrapping_key_handle ) ); wrapping_key ) );
exit: exit:
psa_key_derivation_abort( &operation ); psa_key_derivation_abort( &operation );
@ -360,7 +360,7 @@ exit:
static psa_status_t wrap_data( const char *input_file_name, static psa_status_t wrap_data( const char *input_file_name,
const char *output_file_name, const char *output_file_name,
psa_key_handle_t wrapping_key_handle ) psa_key_id_t wrapping_key )
{ {
psa_status_t status; psa_status_t status;
FILE *input_file = NULL; FILE *input_file = NULL;
@ -408,7 +408,7 @@ static psa_status_t wrap_data( const char *input_file_name,
/* Wrap the data. */ /* Wrap the data. */
PSA_CHECK( psa_generate_random( header.iv, WRAPPING_IV_SIZE ) ); PSA_CHECK( psa_generate_random( header.iv, WRAPPING_IV_SIZE ) );
PSA_CHECK( psa_aead_encrypt( wrapping_key_handle, WRAPPING_ALG, PSA_CHECK( psa_aead_encrypt( wrapping_key, WRAPPING_ALG,
header.iv, WRAPPING_IV_SIZE, header.iv, WRAPPING_IV_SIZE,
(uint8_t *) &header, sizeof( header ), (uint8_t *) &header, sizeof( header ),
buffer, input_size, buffer, input_size,
@ -437,7 +437,7 @@ exit:
static psa_status_t unwrap_data( const char *input_file_name, static psa_status_t unwrap_data( const char *input_file_name,
const char *output_file_name, const char *output_file_name,
psa_key_handle_t wrapping_key_handle ) psa_key_id_t wrapping_key )
{ {
psa_status_t status; psa_status_t status;
FILE *input_file = NULL; FILE *input_file = NULL;
@ -489,7 +489,7 @@ static psa_status_t unwrap_data( const char *input_file_name,
input_file = NULL; input_file = NULL;
/* Unwrap the data. */ /* Unwrap the data. */
PSA_CHECK( psa_aead_decrypt( wrapping_key_handle, WRAPPING_ALG, PSA_CHECK( psa_aead_decrypt( wrapping_key, WRAPPING_ALG,
header.iv, WRAPPING_IV_SIZE, header.iv, WRAPPING_IV_SIZE,
(uint8_t *) &header, sizeof( header ), (uint8_t *) &header, sizeof( header ),
buffer, ciphertext_size, buffer, ciphertext_size,
@ -527,8 +527,8 @@ static psa_status_t run( enum program_mode mode,
const char *output_file_name ) const char *output_file_name )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_handle_t derivation_key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t derivation_key = 0;
psa_key_handle_t wrapping_key_handle = PSA_KEY_HANDLE_INIT; psa_key_id_t wrapping_key = 0;
/* Initialize the PSA crypto library. */ /* Initialize the PSA crypto library. */
PSA_CHECK( psa_crypto_init( ) ); PSA_CHECK( psa_crypto_init( ) );
@ -541,30 +541,30 @@ static psa_status_t run( enum program_mode mode,
PSA_CHECK( import_key_from_file( PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT, PSA_CHECK( import_key_from_file( PSA_KEY_USAGE_DERIVE | PSA_KEY_USAGE_EXPORT,
KDF_ALG, KDF_ALG,
key_file_name, key_file_name,
&derivation_key_handle ) ); &derivation_key ) );
/* Calculate the derived key for this session. */ /* Calculate the derived key for this session. */
PSA_CHECK( derive_key_ladder( ladder, ladder_depth, PSA_CHECK( derive_key_ladder( ladder, ladder_depth,
&derivation_key_handle ) ); &derivation_key ) );
switch( mode ) switch( mode )
{ {
case MODE_SAVE: case MODE_SAVE:
PSA_CHECK( save_key( derivation_key_handle, output_file_name ) ); PSA_CHECK( save_key( derivation_key, output_file_name ) );
break; break;
case MODE_UNWRAP: case MODE_UNWRAP:
PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_DECRYPT, PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_DECRYPT,
derivation_key_handle, derivation_key,
&wrapping_key_handle ) ); &wrapping_key ) );
PSA_CHECK( unwrap_data( input_file_name, output_file_name, PSA_CHECK( unwrap_data( input_file_name, output_file_name,
wrapping_key_handle ) ); wrapping_key ) );
break; break;
case MODE_WRAP: case MODE_WRAP:
PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_ENCRYPT, PSA_CHECK( derive_wrapping_key( PSA_KEY_USAGE_ENCRYPT,
derivation_key_handle, derivation_key,
&wrapping_key_handle ) ); &wrapping_key ) );
PSA_CHECK( wrap_data( input_file_name, output_file_name, PSA_CHECK( wrap_data( input_file_name, output_file_name,
wrapping_key_handle ) ); wrapping_key ) );
break; break;
default: default:
/* Unreachable but some compilers don't realize it. */ /* Unreachable but some compilers don't realize it. */
@ -572,11 +572,11 @@ static psa_status_t run( enum program_mode mode,
} }
exit: exit:
/* Close any remaining key. Deinitializing the crypto library would do /* Destroy any remaining key. Deinitializing the crypto library would do
* this anyway, but explicitly closing handles makes the code easier * this anyway since they are volatile keys, but explicitly destroying
* to reuse. */ * keys makes the code easier. */
(void) psa_close_key( derivation_key_handle ); (void) psa_destroy_key( derivation_key );
(void) psa_close_key( wrapping_key_handle ); (void) psa_destroy_key( wrapping_key );
/* Deinitialize the PSA crypto library. */ /* Deinitialize the PSA crypto library. */
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
return( status ); return( status );

18
programs/ssl/ssl_client2.c
View file

@ -42,12 +42,14 @@
#if !defined(MBEDTLS_ENTROPY_C) || \ #if !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C) !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_ENTROPY_C and/or " mbedtls_printf( "MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n"); "MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined "
" and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined.\n" );
mbedtls_exit( 0 ); mbedtls_exit( 0 );
} }
#else #else
@ -1207,7 +1209,7 @@ int main( int argc, char *argv[] )
const char *pers = "ssl_client2"; const char *pers = "ssl_client2";
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t slot = PSA_KEY_HANDLE_INIT; psa_key_id_t slot = 0;
psa_algorithm_t alg = 0; psa_algorithm_t alg = 0;
psa_key_attributes_t key_attributes; psa_key_attributes_t key_attributes;
psa_status_t status; psa_status_t status;
@ -1232,7 +1234,7 @@ int main( int argc, char *argv[] )
mbedtls_x509_crt clicert; mbedtls_x509_crt clicert;
mbedtls_pk_context pkey; mbedtls_pk_context pkey;
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t key_slot = PSA_KEY_HANDLE_INIT; /* invalid key slot */ psa_key_id_t key_slot = 0; /* invalid key slot */
#endif #endif
#endif #endif
char *p, *q; char *p, *q;
@ -3577,10 +3579,8 @@ exit:
if( ( status != PSA_SUCCESS ) && if( ( status != PSA_SUCCESS ) &&
( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) )
{ {
mbedtls_printf( "Failed to destroy key slot %u-%u - error was %d", mbedtls_printf( "Failed to destroy key slot %u - error was %d",
MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( slot ), (int) slot, (int) status );
MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot ),
(int) status );
if( ret == 0 ) if( ret == 0 )
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
} }

26
programs/ssl/ssl_server2.c
View file

@ -42,12 +42,14 @@
#if !defined(MBEDTLS_ENTROPY_C) || \ #if !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \ !defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_SRV_C) || \
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C) !defined(MBEDTLS_NET_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
int main( void ) int main( void )
{ {
mbedtls_printf("MBEDTLS_ENTROPY_C and/or " mbedtls_printf( "MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or " "MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_SRV_C and/or "
"MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined.\n"); "MBEDTLS_NET_C and/or MBEDTLS_CTR_DRBG_C and/or not defined "
" and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER defined.\n" );
mbedtls_exit( 0 ); mbedtls_exit( 0 );
} }
#else #else
@ -1285,7 +1287,7 @@ struct _psk_entry
size_t key_len; size_t key_len;
unsigned char key[MBEDTLS_PSK_MAX_LEN]; unsigned char key[MBEDTLS_PSK_MAX_LEN];
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t slot; psa_key_id_t slot;
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
psk_entry *next; psk_entry *next;
}; };
@ -1301,9 +1303,9 @@ int psk_free( psk_entry *head )
{ {
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status; psa_status_t status;
psa_key_handle_t const slot = head->slot; psa_key_id_t const slot = head->slot;
if( ! psa_key_handle_is_null( slot ) ) if( slot != 0 )
{ {
status = psa_destroy_key( slot ); status = psa_destroy_key( slot );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
@ -1376,7 +1378,7 @@ int psk_callback( void *p_info, mbedtls_ssl_context *ssl,
memcmp( name, cur->name, name_len ) == 0 ) memcmp( name, cur->name, name_len ) == 0 )
{ {
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! psa_key_handle_is_null( cur->slot ) ) if( cur->slot != 0 )
return( mbedtls_ssl_set_hs_psk_opaque( ssl, cur->slot ) ); return( mbedtls_ssl_set_hs_psk_opaque( ssl, cur->slot ) );
else else
#endif #endif
@ -1711,7 +1713,7 @@ int idle( mbedtls_net_context *fd,
} }
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t *slot, static psa_status_t psa_setup_psk_key_slot( psa_key_id_t *slot,
psa_algorithm_t alg, psa_algorithm_t alg,
unsigned char *psk, unsigned char *psk,
size_t psk_len ) size_t psk_len )
@ -1795,7 +1797,7 @@ int main( int argc, char *argv[] )
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED) #if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg = 0; psa_algorithm_t alg = 0;
psa_key_handle_t psk_slot = PSA_KEY_HANDLE_INIT; psa_key_id_t psk_slot = 0;
#endif /* MBEDTLS_USE_PSA_CRYPTO */ #endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char psk[MBEDTLS_PSK_MAX_LEN]; unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = 0; size_t psk_len = 0;
@ -4518,10 +4520,8 @@ exit:
if( ( status != PSA_SUCCESS ) && if( ( status != PSA_SUCCESS ) &&
( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) ) ( opt.query_config_mode == DFL_QUERY_CONFIG_MODE ) )
{ {
mbedtls_printf( "Failed to destroy key slot %u-%u - error was %d", mbedtls_printf( "Failed to destroy key slot %u - error was %d",
MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psk_slot ), (int) psk_slot, (int) status );
MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psk_slot ),
(int) status );
} }
} }
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED && #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED &&