psa: Move from key handle to key identifier
Move all the PSA crypto APIs using key handles to use key identifiers but psa_key_open() and psa_key_close(). This is done without modifying any test as key handles and key identifiers are now the same. Update the library modules using PSA crypto APIs to get rid of key handles. Programs and unit tests are updated to not use key handles in subsequent commits, not in this one. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
parent
e4f6d5c5fe
commit
cf56a0a320
20 changed files with 445 additions and 415 deletions
|
|
@ -446,7 +446,7 @@ exit:
|
|||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
|
||||
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
|
||||
psa_key_handle_t slot,
|
||||
psa_key_id_t key,
|
||||
psa_algorithm_t alg,
|
||||
const unsigned char* seed, size_t seed_length,
|
||||
const unsigned char* label, size_t label_length,
|
||||
|
|
@ -466,7 +466,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
|
|||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
||||
if( psa_key_handle_is_null( slot ) )
|
||||
if( mbedtls_svc_key_id_is_null( key ) )
|
||||
{
|
||||
status = psa_key_derivation_input_bytes(
|
||||
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
|
||||
|
|
@ -475,8 +475,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
|
|||
else
|
||||
{
|
||||
status = psa_key_derivation_input_key(
|
||||
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
|
||||
slot );
|
||||
derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
|
||||
}
|
||||
if( status != PSA_SUCCESS )
|
||||
return( status );
|
||||
|
|
@ -507,7 +506,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
{
|
||||
psa_status_t status;
|
||||
psa_algorithm_t alg;
|
||||
psa_key_handle_t master_slot = PSA_KEY_HANDLE_INIT;
|
||||
psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
psa_key_derivation_operation_t derivation =
|
||||
PSA_KEY_DERIVATION_OPERATION_INIT;
|
||||
|
||||
|
|
@ -521,7 +520,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
* this PRF is also used to derive an IV, in particular in EAP-TLS,
|
||||
* and for this use case it makes sense to have a 0-length "secret".
|
||||
* Since the key API doesn't allow importing a key of length 0,
|
||||
* keep master_slot=0, which setup_psa_key_derivation() understands
|
||||
* keep master_key=0, which setup_psa_key_derivation() understands
|
||||
* to mean a 0-length "secret" input. */
|
||||
if( slen != 0 )
|
||||
{
|
||||
|
|
@ -530,13 +529,13 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
psa_set_key_algorithm( &key_attributes, alg );
|
||||
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
|
||||
|
||||
status = psa_import_key( &key_attributes, secret, slen, &master_slot );
|
||||
status = psa_import_key( &key_attributes, secret, slen, &master_key );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = setup_psa_key_derivation( &derivation,
|
||||
master_slot, alg,
|
||||
master_key, alg,
|
||||
random, rlen,
|
||||
(unsigned char const *) label,
|
||||
(size_t) strlen( label ),
|
||||
|
|
@ -544,7 +543,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_key_derivation_abort( &derivation );
|
||||
psa_destroy_key( master_slot );
|
||||
psa_destroy_key( master_key );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
|
|
@ -552,19 +551,19 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
|
|||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_key_derivation_abort( &derivation );
|
||||
psa_destroy_key( master_slot );
|
||||
psa_destroy_key( master_key );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
status = psa_key_derivation_abort( &derivation );
|
||||
if( status != PSA_SUCCESS )
|
||||
{
|
||||
psa_destroy_key( master_slot );
|
||||
psa_destroy_key( master_key );
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
}
|
||||
|
||||
if( ! psa_key_handle_is_null( master_slot ) )
|
||||
status = psa_destroy_key( master_slot );
|
||||
if( ! mbedtls_svc_key_id_is_null( master_key ) )
|
||||
status = psa_destroy_key( master_key );
|
||||
if( status != PSA_SUCCESS )
|
||||
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
|
||||
|
||||
|
|
@ -707,13 +706,13 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
|
|||
{
|
||||
/* If we've used a callback to select the PSK,
|
||||
* the static configuration is irrelevant. */
|
||||
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
|
||||
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
|
||||
return( 1 );
|
||||
|
||||
return( 0 );
|
||||
}
|
||||
|
||||
if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
|
||||
if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
|
||||
return( 1 );
|
||||
|
||||
return( 0 );
|
||||
|
|
@ -1514,7 +1513,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
|
|||
/* Perform PSK-to-MS expansion in a single step. */
|
||||
psa_status_t status;
|
||||
psa_algorithm_t alg;
|
||||
psa_key_handle_t psk;
|
||||
psa_key_id_t psk;
|
||||
psa_key_derivation_operation_t derivation =
|
||||
PSA_KEY_DERIVATION_OPERATION_INIT;
|
||||
mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
|
||||
|
|
@ -4344,11 +4343,11 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
|
|||
{
|
||||
/* Remove reference to existing PSK, if any. */
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( ! psa_key_handle_is_null( conf->psk_opaque ) )
|
||||
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
|
||||
{
|
||||
/* The maintenance of the PSK key slot is the
|
||||
* user's responsibility. */
|
||||
conf->psk_opaque = PSA_KEY_HANDLE_INIT;
|
||||
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
}
|
||||
/* This and the following branch should never
|
||||
* be taken simultaenously as we maintain the
|
||||
|
|
@ -4432,9 +4431,9 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
|
|||
static void ssl_remove_psk( mbedtls_ssl_context *ssl )
|
||||
{
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
|
||||
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
|
||||
{
|
||||
ssl->handshake->psk_opaque = PSA_KEY_HANDLE_INIT;
|
||||
ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
|
||||
}
|
||||
else
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
|
@ -4469,7 +4468,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
|
|||
|
||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
||||
psa_key_handle_t psk_slot,
|
||||
psa_key_id_t psk,
|
||||
const unsigned char *psk_identity,
|
||||
size_t psk_identity_len )
|
||||
{
|
||||
|
|
@ -4478,9 +4477,9 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
|||
ssl_conf_remove_psk( conf );
|
||||
|
||||
/* Check and set opaque PSK */
|
||||
if( psa_key_handle_is_null( psk_slot ) )
|
||||
if( mbedtls_svc_key_id_is_null( psk ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
conf->psk_opaque = psk_slot;
|
||||
conf->psk_opaque = psk;
|
||||
|
||||
/* Check and set PSK Identity */
|
||||
ret = ssl_conf_set_psk_identity( conf, psk_identity,
|
||||
|
|
@ -4492,14 +4491,14 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
|
|||
}
|
||||
|
||||
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
|
||||
psa_key_handle_t psk_slot )
|
||||
psa_key_id_t psk )
|
||||
{
|
||||
if( ( psa_key_handle_is_null( psk_slot ) ) ||
|
||||
if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
|
||||
( ssl->handshake == NULL ) )
|
||||
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
|
||||
|
||||
ssl_remove_psk( ssl );
|
||||
ssl->handshake->psk_opaque = psk_slot;
|
||||
ssl->handshake->psk_opaque = psk;
|
||||
return( 0 );
|
||||
}
|
||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue