eden-emu/mbedtls
15
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Merge pull request #4160 from stevew817/feature/driver_builtin_keys

Browse source 
Add implementation for MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS

Merging as it has been ready for four days now and I prefer not having to go through other rebases especially given the coming change of scope of development (3.0 rather than 2.2x).
This commit is contained in:
Ronald Cron 2021-04-23 09:40:31 +02:00 committed by GitHub
commit b5939e814e
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
25 changed files with 919 additions and 270 deletions
Download patch file Download diff file Expand all files Collapse all files

19
library/psa_crypto.c
View file

@ -604,20 +604,8 @@ MBEDTLS_STATIC_TESTABLE psa_status_t psa_mac_key_can_do(
return( PSA_ERROR_INVALID_ARGUMENT );
}
/** Try to allocate a buffer to an empty key slot.
*
* \param[in,out] slot Key slot to attach buffer to.
* \param[in] buffer_length Requested size of the buffer.
*
* \retval #PSA_SUCCESS
* The buffer has been successfully allocated.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* Not enough memory was available for allocation.
* \retval #PSA_ERROR_ALREADY_EXISTS
* Trying to allocate a buffer to a non-empty key slot.
*/
static psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot,
size_t buffer_length )
psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot,
size_t buffer_length )
{
if( slot->key.data != NULL )
return( PSA_ERROR_ALREADY_EXISTS );
@ -1075,8 +1063,7 @@ static psa_status_t psa_get_and_lock_transparent_key_slot_with_policy(
psa_get_and_lock_key_slot_with_policy( key, p_slot, usage, alg )
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/** Wipe key data from a slot. Preserve metadata such as the policy. */
static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
{
/* Data pointer will always be either a valid pointer or NULL in an
* initialized slot, so we can just free it. */

18
library/psa_crypto_core.h
View file

@ -180,6 +180,24 @@ static inline psa_key_slot_number_t psa_key_slot_get_slot_number(
*/
psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot );
/** Try to allocate a buffer to an empty key slot.
*
* \param[in,out] slot Key slot to attach buffer to.
* \param[in] buffer_length Requested size of the buffer.
*
* \retval #PSA_SUCCESS
* The buffer has been successfully allocated.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* Not enough memory was available for allocation.
* \retval #PSA_ERROR_ALREADY_EXISTS
* Trying to allocate a buffer to a non-empty key slot.
*/
psa_status_t psa_allocate_buffer_to_slot( psa_key_slot_t *slot,
size_t buffer_length );
/** Wipe key data from a slot. Preserves metadata such as the policy. */
psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot );
/** Copy key data (in export format) into an empty key slot.
*
* This function assumes that the slot does not contain

58
library/psa_crypto_driver_wrappers.c
View file

@ -129,7 +129,7 @@ psa_status_t psa_driver_wrapper_sign_hash(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_signature_sign_hash( attributes,
key_buffer,
key_buffer_size,
@ -211,7 +211,7 @@ psa_status_t psa_driver_wrapper_verify_hash(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_signature_verify_hash( attributes,
key_buffer,
key_buffer_size,
@ -229,8 +229,8 @@ psa_status_t psa_driver_wrapper_verify_hash(
}
}
/** Get the key buffer size for the key material of a generated key in the
* case of an opaque driver without storage.
/** Get the key buffer size required to store the key material of a key
* associated with an opaque driver without storage.
*
* \param[in] attributes The key attributes.
* \param[out] key_buffer_size Minimum buffer size to contain the key material
@ -256,7 +256,17 @@ psa_status_t psa_driver_wrapper_get_key_buffer_size(
switch( location )
{
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
/* Emulate property 'builtin_key_size' */
if( psa_key_id_is_builtin(
MBEDTLS_SVC_KEY_ID_GET_KEY_ID(
psa_get_key_id( attributes ) ) ) )
{
*key_buffer_size = sizeof( psa_drv_slot_number_t );
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
#ifdef TEST_DRIVER_KEY_CONTEXT_SIZE_FUNCTION
*key_buffer_size = test_size_function( key_type, key_bits );
return( PSA_SUCCESS );
@ -353,7 +363,7 @@ psa_status_t psa_driver_wrapper_generate_key(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
status = test_opaque_generate_key(
attributes, key_buffer, key_buffer_size, key_buffer_length );
break;
@ -485,7 +495,7 @@ psa_status_t psa_driver_wrapper_export_key(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_export_key( attributes,
key_buffer,
key_buffer_size,
@ -559,7 +569,7 @@ psa_status_t psa_driver_wrapper_export_public_key(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_export_public_key( attributes,
key_buffer,
key_buffer_size,
@ -574,6 +584,30 @@ psa_status_t psa_driver_wrapper_export_public_key(
}
}
psa_status_t psa_driver_wrapper_get_builtin_key(
psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
{
psa_key_location_t location = PSA_KEY_LIFETIME_GET_LOCATION( attributes->core.lifetime );
switch( location )
{
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_get_builtin_key(
slot_number,
attributes,
key_buffer, key_buffer_size, key_buffer_length ) );
#endif /* PSA_CRYPTO_DRIVER_TEST */
default:
(void) slot_number;
(void) key_buffer;
(void) key_buffer_size;
(void) key_buffer_length;
return( PSA_ERROR_DOES_NOT_EXIST );
}
}
/*
* Cipher functions
*/
@ -616,7 +650,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt(
return( PSA_ERROR_NOT_SUPPORTED );
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_cipher_encrypt( &attributes,
slot->key.data,
slot->key.bytes,
@ -683,7 +717,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt(
return( PSA_ERROR_NOT_SUPPORTED );
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
return( test_opaque_cipher_decrypt( &attributes,
slot->key.data,
slot->key.bytes,
@ -760,7 +794,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
status = test_opaque_cipher_encrypt_setup(
&operation->ctx.opaque_test_driver_ctx,
attributes,
@ -831,7 +865,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup(
/* Add cases for opaque driver here */
#if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT)
#if defined(PSA_CRYPTO_DRIVER_TEST)
case PSA_CRYPTO_TEST_DRIVER_LIFETIME:
case PSA_CRYPTO_TEST_DRIVER_LOCATION:
status = test_opaque_cipher_decrypt_setup(
&operation->ctx.opaque_test_driver_ctx,
attributes,

5
library/psa_crypto_driver_wrappers.h
View file

@ -68,6 +68,11 @@ psa_status_t psa_driver_wrapper_generate_key(
const psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length );
psa_status_t psa_driver_wrapper_get_builtin_key(
psa_drv_slot_number_t slot_number,
psa_key_attributes_t *attributes,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length );
/*
* Cipher functions
*/

94
library/psa_crypto_slot_management.c
View file

@ -26,6 +26,7 @@
#include "psa/crypto.h"
#include "psa_crypto_core.h"
#include "psa_crypto_driver_wrappers.h"
#include "psa_crypto_slot_management.h"
#include "psa_crypto_storage.h"
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@ -274,6 +275,77 @@ exit:
}
#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
static psa_status_t psa_load_builtin_key_into_slot( psa_key_slot_t *slot )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE;
psa_drv_slot_number_t slot_number = 0;
size_t key_buffer_size = 0;
size_t key_buffer_length = 0;
if( ! psa_key_id_is_builtin(
MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id ) ) )
{
return( PSA_ERROR_DOES_NOT_EXIST );
}
/* Check the platform function to see whether this key actually exists */
status = mbedtls_psa_platform_get_builtin_key(
slot->attr.id, &lifetime, &slot_number );
if( status != PSA_SUCCESS )
return( status );
/* Set required key attributes to ensure get_builtin_key can retrieve the
* full attributes. */
psa_set_key_id( &attributes, slot->attr.id );
psa_set_key_lifetime( &attributes, lifetime );
/* Get the full key attributes from the driver in order to be able to
* calculate the required buffer size. */
status = psa_driver_wrapper_get_builtin_key(
slot_number, &attributes,
NULL, 0, NULL );
if( status != PSA_ERROR_BUFFER_TOO_SMALL )
{
/* Builtin keys cannot be defined by the attributes alone */
if( status == PSA_SUCCESS )
status = PSA_ERROR_CORRUPTION_DETECTED;
return( status );
}
/* If the key should exist according to the platform, then ask the driver
* what its expected size is. */
status = psa_driver_wrapper_get_key_buffer_size( &attributes,
&key_buffer_size );
if( status != PSA_SUCCESS )
return( status );
/* Allocate a buffer of the required size and load the builtin key directly
* into the (now properly sized) slot buffer. */
status = psa_allocate_buffer_to_slot( slot, key_buffer_size );
if( status != PSA_SUCCESS )
return( status );
status = psa_driver_wrapper_get_builtin_key(
slot_number, &attributes,
slot->key.data, slot->key.bytes, &key_buffer_length );
if( status != PSA_SUCCESS )
goto exit;
/* Copy actual key length and core attributes into the slot on success */
slot->key.bytes = key_buffer_length;
slot->attr = attributes.core;
exit:
if( status != PSA_SUCCESS )
psa_remove_key_data_from_memory( slot );
return( status );
}
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
psa_key_slot_t **p_slot )
{
@ -291,17 +363,29 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
if( status != PSA_ERROR_DOES_NOT_EXIST )
return( status );
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
/* Loading keys from storage requires support for such a mechanism */
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \
defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
psa_key_id_t volatile_key_id;
status = psa_get_empty_key_slot( &volatile_key_id, p_slot );
if( status != PSA_SUCCESS )
return( status );
(*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
(*p_slot)->attr.id = key;
(*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
status = PSA_ERROR_DOES_NOT_EXIST;
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
/* Load keys in the 'builtin' range through their own interface */
status = psa_load_builtin_key_into_slot( *p_slot );
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if( status == PSA_ERROR_DOES_NOT_EXIST )
status = psa_load_persistent_key_into_slot( *p_slot );
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
status = psa_load_persistent_key_into_slot( *p_slot );
if( status != PSA_SUCCESS )
{
psa_wipe_key_slot( *p_slot );
@ -309,9 +393,9 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
status = PSA_ERROR_INVALID_HANDLE;
}
return( status );
#else
#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
return( PSA_ERROR_INVALID_HANDLE );
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
}
psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot )

3
library/version_features.c
View file

@ -438,6 +438,9 @@ static const char * const features[] = {
#if defined(MBEDTLS_PKCS1_V21)
"MBEDTLS_PKCS1_V21",
#endif /* MBEDTLS_PKCS1_V21 */
#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS)
"MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS",
#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
"MBEDTLS_PSA_CRYPTO_CLIENT",
#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */