From 3077f2f9c63fff609952b5d3f2dfa7f65599a97c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 31 Jul 2024 16:59:41 +0200 Subject: [PATCH] Remove experimental, superseded function psa_generate_key_ext Remove the experimental functions psa_generate_key_ext() and psa_key_derivation_output_key_ext(), which require a flexible array member and therefore break C++ code that includes Mbed TLS headers. They have been replaced by psa_generate_key_custom() and psa_key_derivation_output_key_custom(). Signed-off-by: Gilles Peskine
---
ChangeLog.d/psa_generate_key_custom.txt | 13 +- tf-psa-crypto/core/psa_crypto.c | 26 --- tf-psa-crypto/include/psa/crypto.h | 139 -------------- tf-psa-crypto/include/psa/crypto_struct.h | 28 --- tf-psa-crypto/include/psa/crypto_types.h | 24 --- .../tests/suites/test_suite_psa_crypto.data | 39 ---- .../suites/test_suite_psa_crypto.function | 181 ------------------ 7 files changed, 4 insertions(+), 446 deletions(-)
diff --git a/ChangeLog.d/psa_generate_key_custom.txt b/ChangeLog.d/psa_generate_key_custom.txt
index 1695be1f9f..3fc1bd7d1f 100644
--- a/ChangeLog.d/psa_generate_key_custom.txt
+++ b/ChangeLog.d/psa_generate_key_custom.txt
@@ -1,14 +1,9 @@ API changes * The experimental functions psa_generate_key_ext() and - psa_key_derivation_output_key_ext() are no longer declared when compiling - in C++. This resolves a build failure under C++ compilers that do not - support flexible array members (a C99 feature not adopted by C++). - Fixes #9020. - -New deprecations - * The experimental functions psa_generate_key_ext() and - psa_key_derivation_output_key_ext() are deprecated in favor of + psa_key_derivation_output_key_ext() have been replaced by psa_generate_key_custom() and psa_key_derivation_output_key_custom(). They have almost exactly the same interface, but the variable-length data is passed in a separate parameter instead of a flexible array - member. + member. This resolves a build failure under C++ compilers that do not + support flexible array members (a C99 feature not adopted by C++). + Fixes #9020. diff --git a/tf-psa-crypto/core/psa_crypto.c b/tf-psa-crypto/core/psa_crypto.c index 1a5658d351..0ad4196241 100644 --- a/tf-psa-crypto/core/psa_crypto.c +++ b/tf-psa-crypto/core/psa_crypto.c @@ -6484,20 +6484,6 @@ psa_status_t psa_key_derivation_output_key_custom( return status; } -psa_status_t psa_key_derivation_output_key_ext( - const psa_key_attributes_t *attributes, - psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key) -{ - return psa_key_derivation_output_key_custom( - attributes, operation, - (const psa_custom_key_parameters_t *) params, - params->data, params_data_length, - key); -} - psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, 
@@ -8032,18 +8018,6 @@ exit: return status; } -psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key) -{ - return psa_generate_key_custom( - attributes, - (const psa_custom_key_parameters_t *) params, - params->data, params_data_length, - key); -} - psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key) { diff --git a/tf-psa-crypto/include/psa/crypto.h b/tf-psa-crypto/include/psa/crypto.h index 16dd038e34..917e533555 100644 --- a/tf-psa-crypto/include/psa/crypto.h +++ b/tf-psa-crypto/include/psa/crypto.h 
@@ -3839,88 +3839,6 @@ psa_status_t psa_key_derivation_output_key_custom( size_t custom_data_length, mbedtls_svc_key_id_t *key); -#ifndef __cplusplus -/* Omitted when compiling in C++, because one of the parameters is a - * pointer to a struct with a flexible array member, and that is not - * standard C++. - * https://github.com/Mbed-TLS/mbedtls/issues/9020 - */ -/** Derive a key from an ongoing key derivation operation with custom - * production parameters. - * - * \note - * This is a deprecated variant of psa_key_derivation_output_key_custom(). - * It is equivalent except that the associated variable-length data - * is passed in `params->data` instead of a separate parameter. - * This function will be removed in a future version of Mbed TLS. - * - * \param[in] attributes The attributes for the new key. - * If the key type to be created is - * #PSA_KEY_TYPE_PASSWORD_HASH then the algorithm in - * the policy must be the same as in the current - * operation. - * \param[in,out] operation The key derivation operation object to read from. - * \param[in] params Customization parameters for the key derivation. - * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * with \p params_data_length = 0, - * this function is equivalent to - * psa_key_derivation_output_key(). - * Mbed TLS currently only supports the default - * production parameters, i.e. - * #PSA_KEY_PRODUCTION_PARAMETERS_INIT, - * for all key types. - * \param params_data_length - * Length of `params->data` in bytes. - * \param[out] key On success, an identifier for the newly created - * key. For persistent keys, this is the key - * identifier defined in \p attributes. - * \c 0 on failure. - * - * \retval #PSA_SUCCESS - * Success. - * If the key is persistent, the key material and the key's metadata - * have been saved to persistent storage. - * \retval #PSA_ERROR_ALREADY_EXISTS - * This is an attempt to create a persistent key, and there is - * already a persistent key with the given identifier. 
- * \retval #PSA_ERROR_INSUFFICIENT_DATA - * There was not enough data to create the desired key. - * Note that in this case, no output is written to the output buffer. - * The operation's capacity is set to 0, thus subsequent calls to - * this function will not succeed, even with a smaller output buffer. - * \retval #PSA_ERROR_NOT_SUPPORTED - * The key type or key size is not supported, either by the - * implementation in general or in this particular location. - * \retval #PSA_ERROR_INVALID_ARGUMENT - * The provided key attributes are not valid for the operation. - * \retval #PSA_ERROR_NOT_PERMITTED - * The #PSA_KEY_DERIVATION_INPUT_SECRET or - * #PSA_KEY_DERIVATION_INPUT_PASSWORD input was not provided through a - * key; or one of the inputs was a key whose policy didn't allow - * #PSA_KEY_USAGE_DERIVE. - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - * \retval #PSA_ERROR_DATA_INVALID \emptydescription - * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - * \retval #PSA_ERROR_BAD_STATE - * The operation state is not valid (it must be active and completed - * all required input steps), or the library has not been previously - * initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_key_derivation_output_key_ext( - const psa_key_attributes_t *attributes, - psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key); -#endif /* !__cplusplus */ - /** Compare output data from a key derivation operation to an expected value. 
* * This function calculates output bytes from a key derivation algorithm and 
@@ -4267,63 +4185,6 @@ psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, size_t custom_data_length, mbedtls_svc_key_id_t *key); -#ifndef __cplusplus -/* Omitted when compiling in C++, because one of the parameters is a - * pointer to a struct with a flexible array member, and that is not - * standard C++. - * https://github.com/Mbed-TLS/mbedtls/issues/9020 - */ -/** - * \brief Generate a key or key pair using custom production parameters. - * - * \note - * This is a deprecated variant of psa_key_derivation_output_key_custom(). - * It is equivalent except that the associated variable-length data - * is passed in `params->data` instead of a separate parameter. - * This function will be removed in a future version of Mbed TLS. - * - * \param[in] attributes The attributes for the new key. - * \param[in] params Customization parameters for the key generation. - * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * with \p params_data_length = 0, - * this function is equivalent to - * psa_generate_key(). - * \param params_data_length - * Length of `params->data` in bytes. - * \param[out] key On success, an identifier for the newly created - * key. For persistent keys, this is the key - * identifier defined in \p attributes. - * \c 0 on failure. - * - * \retval #PSA_SUCCESS - * Success. - * If the key is persistent, the key material and the key's metadata - * have been saved to persistent storage. - * \retval #PSA_ERROR_ALREADY_EXISTS - * This is an attempt to create a persistent key, and there is - * already a persistent key with the given identifier. 
- * \retval #PSA_ERROR_NOT_SUPPORTED \emptydescription - * \retval #PSA_ERROR_INVALID_ARGUMENT \emptydescription - * \retval #PSA_ERROR_INSUFFICIENT_MEMORY \emptydescription - * \retval #PSA_ERROR_INSUFFICIENT_ENTROPY \emptydescription - * \retval #PSA_ERROR_COMMUNICATION_FAILURE \emptydescription - * \retval #PSA_ERROR_HARDWARE_FAILURE \emptydescription - * \retval #PSA_ERROR_CORRUPTION_DETECTED \emptydescription - * \retval #PSA_ERROR_INSUFFICIENT_STORAGE \emptydescription - * \retval #PSA_ERROR_DATA_INVALID \emptydescription - * \retval #PSA_ERROR_DATA_CORRUPT \emptydescription - * \retval #PSA_ERROR_STORAGE_FAILURE \emptydescription - * \retval #PSA_ERROR_BAD_STATE - * The library has not been previously initialized by psa_crypto_init(). - * It is implementation-dependent whether a failure to initialize - * results in this error code. - */ -psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key); -#endif /* !__cplusplus */ - /**@}*/ /** \defgroup interruptible_hash Interruptible sign/verify hash diff --git a/tf-psa-crypto/include/psa/crypto_struct.h b/tf-psa-crypto/include/psa/crypto_struct.h index 362e921a36..eabc2f4cd0 100644 --- a/tf-psa-crypto/include/psa/crypto_struct.h +++ b/tf-psa-crypto/include/psa/crypto_struct.h 
@@ -237,34 +237,6 @@ struct psa_custom_key_parameters_s { */ #define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 } -#ifndef __cplusplus -/* Omitted when compiling in C++, because one of the parameters is a - * pointer to a struct with a flexible array member, and that is not - * standard C++. - * https://github.com/Mbed-TLS/mbedtls/issues/9020 - */ -/* This is a deprecated variant of `struct psa_custom_key_parameters_s`. - * It has exactly the same layout, plus an extra field which is a flexible - * array member. Thus a `const struct psa_key_production_parameters_s *` - * can be passed to any function that reads a - * `const struct psa_custom_key_parameters_s *`. - */ -struct psa_key_production_parameters_s { - uint32_t flags; - uint8_t data[]; -}; - -/** The default production parameters for key generation or key derivation. - * - * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext() - * with `params=PSA_KEY_PRODUCTION_PARAMETERS_INIT` and - * `params_data_length == 0` is equivalent to - * calling psa_generate_key() or psa_key_derivation_output_key() - * respectively. - */ -#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 } -#endif /* !__cplusplus */ - struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); psa_algorithm_t MBEDTLS_PRIVATE(alg); diff --git a/tf-psa-crypto/include/psa/crypto_types.h b/tf-psa-crypto/include/psa/crypto_types.h index f831486f4e..bb857abb09 100644 --- a/tf-psa-crypto/include/psa/crypto_types.h +++ b/tf-psa-crypto/include/psa/crypto_types.h 
@@ -479,30 +479,6 @@ typedef uint16_t psa_key_derivation_step_t; */ typedef struct psa_custom_key_parameters_s psa_custom_key_parameters_t; -/** \brief Custom parameters for key generation or key derivation. - * - * This is a structure type with at least the following fields: - * - * - \c flags: an unsigned integer type. 0 for the default production parameters. - * - \c data: a flexible array of bytes. - * - * The interpretation of this structure depend on the type of the - * created key. - * - * - #PSA_KEY_TYPE_RSA_KEY_PAIR: - * - \c flags: must be 0. - * - \c data: the public exponent, in little-endian order. - * This must be an odd integer and must not be 1. - * Implementations must support 65537, should support 3 and may - * support other values. - * When not using a driver, Mbed TLS supports values up to \c INT_MAX. - * If this is empty or if the custom production parameters are omitted - * altogether, the default value 65537 is used. - * - Other key types: reserved for future use. \c flags must be 0. - * - */ -typedef struct psa_key_production_parameters_s psa_key_production_parameters_t; - /**@}*/ #endif /* PSA_CRYPTO_TYPES_H */ diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data index 4149fdbfc9..eb84bc588b 100644 --- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data +++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data 
@@ -6947,18 +6947,6 @@ PSA key derivation custom: data non-empty -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" -PSA key derivation: default params -> AES-128 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" - -PSA key derivation: params.flags=1 -> AES-128 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" - -PSA key derivation: params.data non-empty -> AES-128 -depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" - PSA key derivation: invalid type (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 derive_key:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_NONE:128:PSA_ERROR_NOT_SUPPORTED:0 
@@ -7609,30 +7597,6 @@ PSA generate key custom: ECC, data non-empty depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: RSA, params.flags=1 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key ext: RSA, empty e -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS - -PSA generate key ext: RSA, e=513 -depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS - -PSA generate key ext: ECC, flags=0 -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS - -PSA generate key ext: ECC, flags=1 -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT - -PSA generate key ext: ECC, params.data non-empty -depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH 
-generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT - PSA concurrent key generation: bad type (RSA public key) depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_THREADING_PTHREAD concurrently_generate_keys:PSA_KEY_TYPE_RSA_PUBLIC_KEY:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_EXPORT:0:PSA_ERROR_INVALID_ARGUMENT:0:8:5 @@ -7777,9 +7741,6 @@ PSA concurrent key generation: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0:8:5 -Key production parameters initializers -key_production_parameters_init: - PSA import persistent key: raw data, 8 bits depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function index 7f47f27f12..f6503f7e4d 100644 --- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function +++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function 
@@ -1312,30 +1312,6 @@ exit: } #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ -static int setup_key_production_parameters( - psa_key_production_parameters_t **params, size_t *params_data_length, - int flags_arg, const data_t *params_data) -{ - *params_data_length = params_data->len; - /* If there are N bytes of padding at the end of - * psa_key_production_parameters_t, then it's enough to allocate - * MIN(sizeof(psa_key_production_parameters_t), - * offsetof(psa_key_production_parameters_t, data) + params_data_length). - * - * For simplicity, here, we allocate up to N more bytes than necessary. - * In practice, the current layout of psa_key_production_parameters_t - * makes padding extremely unlikely, so we don't worry about testing - * that the library code doesn't try to access these extra N bytes. - */ - *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length); - TEST_ASSERT(*params != NULL); - (*params)->flags = (uint32_t) flags_arg; - memcpy((*params)->data, params_data->x, params_data->len); - return 1; -exit: - return 0; -} - #if defined(MBEDTLS_THREADING_PTHREAD) typedef struct same_key_context { 
@@ -9662,81 +9638,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ -void derive_key_ext(int alg_arg, - data_t *key_data, - data_t *input1, - data_t *input2, - int key_type_arg, int bits_arg, - int flags_arg, - data_t *params_data, - psa_status_t expected_status, - data_t *expected_export) -{ - mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; - mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; - const psa_algorithm_t alg = alg_arg; - const psa_key_type_t key_type = key_type_arg; - const size_t bits = bits_arg; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length = 0; - psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; - const size_t export_buffer_size = - PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); - uint8_t *export_buffer = NULL; - psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_attributes_t derived_attributes = PSA_KEY_ATTRIBUTES_INIT; - size_t export_length; - - TEST_CALLOC(export_buffer, export_buffer_size); - PSA_ASSERT(psa_crypto_init()); - - psa_set_key_usage_flags(&base_attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&base_attributes, alg); - psa_set_key_type(&base_attributes, PSA_KEY_TYPE_DERIVE); - PSA_ASSERT(psa_import_key(&base_attributes, key_data->x, key_data->len, - &base_key)); - - if (mbedtls_test_psa_setup_key_derivation_wrap( - &operation, base_key, alg, - input1->x, input1->len, - input2->x, input2->len, - PSA_KEY_DERIVATION_UNLIMITED_CAPACITY, 0) == 0) { - goto exit; - } - - psa_set_key_usage_flags(&derived_attributes, PSA_KEY_USAGE_EXPORT); - psa_set_key_algorithm(&derived_attributes, 0); - psa_set_key_type(&derived_attributes, key_type); - psa_set_key_bits(&derived_attributes, bits); - if (!setup_key_production_parameters(¶ms, ¶ms_data_length, - flags_arg, params_data)) { - goto exit; - } - - TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, - params, params_data_length, - &derived_key), - expected_status); - - 
if (expected_status == PSA_SUCCESS) { - PSA_ASSERT(psa_export_key(derived_key, - export_buffer, export_buffer_size, - &export_length)); - TEST_MEMORY_COMPARE(export_buffer, export_length, - expected_export->x, expected_export->len); - } - -exit: - mbedtls_free(export_buffer); - mbedtls_free(params); - psa_key_derivation_abort(&operation); - psa_destroy_key(base_key); - psa_destroy_key(derived_key); - PSA_DONE(); -} -/* END_CASE */ - /* BEGIN_CASE */ void derive_key(int alg_arg, data_t *key_data, data_t *input1, data_t *input2, 
@@ -10288,88 +10189,6 @@ exit: } /* END_CASE */ -/* BEGIN_CASE */ -void generate_key_ext(int type_arg, - int bits_arg, - int usage_arg, - int alg_arg, - int flags_arg, - data_t *params_data, - int expected_status_arg) -{ - mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_type_t type = type_arg; - psa_key_usage_t usage = usage_arg; - size_t bits = bits_arg; - psa_algorithm_t alg = alg_arg; - psa_status_t expected_status = expected_status_arg; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length = 0; - psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; - - PSA_ASSERT(psa_crypto_init()); - - psa_set_key_usage_flags(&attributes, usage); - psa_set_key_algorithm(&attributes, alg); - psa_set_key_type(&attributes, type); - psa_set_key_bits(&attributes, bits); - - if (!setup_key_production_parameters(¶ms, ¶ms_data_length, - flags_arg, params_data)) { - goto exit; - } - - /* Generate a key */ - psa_status_t status = psa_generate_key_ext(&attributes, - params, params_data_length, - &key); - - TEST_EQUAL(status, expected_status); - if (expected_status != PSA_SUCCESS) { - goto exit; - } - - /* Test the key information */ - PSA_ASSERT(psa_get_key_attributes(key, &got_attributes)); - TEST_EQUAL(psa_get_key_type(&got_attributes), type); - TEST_EQUAL(psa_get_key_bits(&got_attributes), bits); - -#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) - if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - TEST_ASSERT(rsa_test_e(key, bits, params_data)); - } -#endif - - /* Do something with the key according to its type and permitted usage. */ - if (!mbedtls_test_psa_exercise_key(key, usage, alg, 0)) { - goto exit; - } - -exit: - /* - * Key attributes may have been returned by psa_get_key_attributes() - * thus reset them as required. 
- */ - psa_reset_key_attributes(&got_attributes); - mbedtls_free(params); - psa_destroy_key(key); - PSA_DONE(); -} -/* END_CASE */ - -/* BEGIN_CASE */ -void key_production_parameters_init() -{ - psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT; - psa_key_production_parameters_t zero; - memset(&zero, 0, sizeof(zero)); - - TEST_EQUAL(init.flags, 0); - TEST_EQUAL(zero.flags, 0); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ void persistent_key_load_key_from_storage(data_t *data, int type_arg, int bits_arg,