Merge pull request #154 from yanesca/iotcrypt-789-update-tls-prf-to-multipart

Update TLS 1.2 PRF to multipart API
2019-07-04 11:53:04 +01:00 · 2019-07-04 11:53:04 +01:00 · c19dcebbdd
commit c19dcebbdd
parent 14fde3f678 d6dce9f4f3
7 changed files with 698 additions and 242 deletions
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@ -224,6 +224,7 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats );
 psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
                                        size_t seed_size);

+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 /** Set up a key derivation operation.
 *
 * FIMXE This function is no longer part of the official API. Its prototype
@ -280,9 +281,7 @@ psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation,
                                const uint8_t *label,
                                size_t label_length,
                                size_t capacity);
-
-/* FIXME Deprecated. Remove this as soon as all the tests are updated. */
-#define PSA_ALG_SELECT_RAW                      ((psa_algorithm_t)0x31000001)
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */

 /** \addtogroup crypto_types
 * @{
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@ -191,7 +191,19 @@ typedef struct
 } psa_hkdf_key_derivation_t;
 #endif /* MBEDTLS_MD_C */

+/*
+ * If this option is not turned on, then the function `psa_key_derivation()`
+ * is removed. And the new psa_tls12_prf_key_derivation_t context is used along
+ * with the corresponding new API.
+ *
+ * The sole purpose of this option is to make the transition to the new API
+ * smoother. Once the transition is complete it can and should be removed
+ * along with the old API and its implementation.
+ */
+#define PSA_PRE_1_0_KEY_DERIVATION
+
 #if defined(MBEDTLS_MD_C)
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
 typedef struct psa_tls12_prf_key_derivation_s
 {
    /* The TLS 1.2 PRF uses the key for each HMAC iteration,
@ -220,6 +232,43 @@ typedef struct psa_tls12_prf_key_derivation_s
    uint8_t block_number;

 } psa_tls12_prf_key_derivation_t;
+#else
+
+typedef enum
+{
+    TLS12_PRF_STATE_INIT,       /* no input provided */
+    TLS12_PRF_STATE_SEED_SET,   /* seed has been set */
+    TLS12_PRF_STATE_KEY_SET,    /* key has been set */
+    TLS12_PRF_STATE_LABEL_SET,  /* label has been set */
+    TLS12_PRF_STATE_OUTPUT      /* output has been started */
+} psa_tls12_prf_key_derivation_state_t;
+
+typedef struct psa_tls12_prf_key_derivation_s
+{
+#if PSA_HASH_MAX_SIZE > 0xff
+#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
+#endif
+
+    /* Indicates how many bytes in the current HMAC block have
+     * not yet been read by the user. */
+    uint8_t left_in_block;
+
+    /* The 1-based number of the block. */
+    uint8_t block_number;
+
+    psa_tls12_prf_key_derivation_state_t state;
+
+    uint8_t *seed;
+    size_t seed_length;
+    uint8_t *label;
+    size_t label_length;
+    psa_hmac_internal_data hmac;
+    uint8_t Ai[PSA_HASH_MAX_SIZE];
+
+    /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
+    uint8_t output_block[PSA_HASH_MAX_SIZE];
+} psa_tls12_prf_key_derivation_t;
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
 #endif /* MBEDTLS_MD_C */

 struct psa_key_derivation_s
@ -228,11 +277,8 @@ struct psa_key_derivation_s
    size_t capacity;
    union
    {
-        struct
-        {
-            uint8_t *data;
-            size_t size;
-        } buffer;
+        /* Make the union non-empty even with no supported algorithms. */
+        uint8_t dummy;
 #if defined(MBEDTLS_MD_C)
        psa_hkdf_key_derivation_t hkdf;
        psa_tls12_prf_key_derivation_t tls12_prf;
@ -240,7 +286,8 @@ struct psa_key_derivation_s
    } ctx;
 };

-#define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, {{0, 0}}}
+/* This only zeroes out the first byte in the union, the rest is unspecified. */
+#define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, {0}}
 static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void )
 {
    const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@ -1244,10 +1244,11 @@
 * specified in Section 5 of RFC 5246. It is based on HMAC and can be
 * used with either SHA-256 or SHA-384.
 *
- * This key derivation algorithm uses the following inputs:
+ * This key derivation algorithm uses the following inputs, which must be
+ * passed in the order given here:
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
 * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
 * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
- * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
 *
 * For the application to TLS-1.2 key expansion, the seed is the
 * concatenation of ServerHello.Random + ClientHello.Random,
@ -1288,10 +1289,11 @@
 * The latter is based on HMAC and can be used with either SHA-256
 * or SHA-384.
 *
- * This key derivation algorithm uses the following inputs:
+ * This key derivation algorithm uses the following inputs, which must be
+ * passed in the order given here:
+ * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
 * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key.
 * - #PSA_KEY_DERIVATION_INPUT_LABEL is the label.
- * - #PSA_KEY_DERIVATION_INPUT_SEED is the seed.
 *
 * For the application to TLS-1.2, the seed (which is
 * forwarded to the TLS-1.2 PRF) is the concatenation of the