From 3768ac12a892f8d8c71ab16614ade94e8a9b090f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 26 Jan 2021 16:58:00 +0100 Subject: [PATCH 1/7] Add MBEDTLS_PSA_CRYPTO_CLIENT configuration option Signed-off-by: Ronald Cron --- include/mbedtls/config.h | 16 ++++++++++++++++ library/version_features.c | 3 +++ programs/test/query_config.c | 8 ++++++++ 3 files changed, 27 insertions(+) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 251d4f057a..c3132a5e12 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1338,6 +1338,22 @@ */ #define MBEDTLS_PKCS1_V21 +/** \def MBEDTLS_PSA_CRYPTO_CLIENT + * + * Enable support for PSA crypto client. + * + * \note This option allows to include the code necessary for a PSA + * crypto client when the PSA crypto implementation is not included in + * the library (MBEDTLS_PSA_CRYPTO_C disabled). The code included is the + * code to set and get PSA key attributes. + * The development of PSA drivers partially relying on the library to + * fulfill the hardware gaps is another possible usage of this option. + * + * \warning This interface is experimental and may change or be removed + * without notice. + */ +//#define MBEDTLS_PSA_CRYPTO_CLIENT + /** \def MBEDTLS_PSA_CRYPTO_DRIVERS * * Enable support for the experimental PSA crypto driver interface. diff --git a/library/version_features.c b/library/version_features.c index c6f46d9ec4..93329879ad 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -438,6 +438,9 @@ static const char * const features[] = { #if defined(MBEDTLS_PKCS1_V21) "MBEDTLS_PKCS1_V21", #endif /* MBEDTLS_PKCS1_V21 */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) + "MBEDTLS_PSA_CRYPTO_CLIENT", +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) "MBEDTLS_PSA_CRYPTO_DRIVERS", #endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 0dc06c091a..6962adf3fa 100644 
--- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1226,6 +1226,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PKCS1_V21 */ +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) + if( strcmp( "MBEDTLS_PSA_CRYPTO_CLIENT", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_CLIENT ); + return( 0 ); + } +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ + #if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) if( strcmp( "MBEDTLS_PSA_CRYPTO_DRIVERS", config ) == 0 ) { From d7906327caecce0c1fc30897ea31a716bd5fdcde Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 28 Jan 2021 16:07:56 +0100 Subject: [PATCH 2/7] psa: Add psa_crypto_client.c Signed-off-by: Ronald Cron --- library/CMakeLists.txt | 1 + library/Makefile | 1 + library/psa_crypto_client.c | 28 ++++++++++++++++++++++++++++ visualc/VS2010/mbedTLS.vcxproj | 1 + 4 files changed, 31 insertions(+) create mode 100644 library/psa_crypto_client.c diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index b309b6e65a..b2a074113a 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -61,6 +61,7 @@ set(src_crypto platform_util.c poly1305.c psa_crypto.c + psa_crypto_client.c psa_crypto_driver_wrappers.c psa_crypto_se.c psa_crypto_slot_management.c diff --git a/library/Makefile b/library/Makefile index ae33bf2cc2..b431cf577c 100644 --- a/library/Makefile +++ b/library/Makefile @@ -118,6 +118,7 @@ OBJS_CRYPTO= \ platform_util.o \ poly1305.o \ psa_crypto.o \ + psa_crypto_client.o \ psa_crypto_driver_wrappers.o \ psa_crypto_se.o \ psa_crypto_slot_management.o \ diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c new file mode 100644 index 0000000000..4fd93f7917 --- /dev/null +++ b/library/psa_crypto_client.c 
@@ -0,0 +1,28 @@ +/* + * PSA crypto client code + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#include "common.h" + +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) || defined(MBEDTLS_PSA_CRYPTO_C) + +#include "psa_crypto_service_integration.h" +#include "psa/crypto.h" + +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT || MBEDTLS_PSA_CRYPTO_C */ diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 78832eb6ca..1af0eb32bb 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -317,6 +317,7 @@ + From 21b5616ea301e2ce5ed9978b24877391f180478f Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 28 Jan 2021 16:36:00 +0100 Subject: [PATCH 3/7] psa: Move PSA client code Signed-off-by: Ronald Cron --- library/psa_crypto.c | 49 -------------------------------- library/psa_crypto_client.c | 56 +++++++++++++++++++++++++++++++++++++ 2 files changed, 56 insertions(+), 49 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 39144a3782..f54715dc3f 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c 
@@ -1502,55 +1502,6 @@ exit: return( overall_status ); } -void psa_reset_key_attributes( psa_key_attributes_t *attributes ) -{ - mbedtls_free( attributes->domain_parameters ); - memset( attributes, 0, sizeof( *attributes ) ); -} - -psa_status_t psa_set_key_domain_parameters( psa_key_attributes_t *attributes, - psa_key_type_t type, - const uint8_t *data, - size_t data_length ) -{ - uint8_t *copy = NULL; - - if( data_length != 0 ) - { - copy = mbedtls_calloc( 1, data_length ); - if( copy == NULL ) - return( PSA_ERROR_INSUFFICIENT_MEMORY ); - memcpy( copy, data, data_length ); - } - /* After this point, this function is guaranteed to succeed, so it - * can start modifying `*attributes`. */ - - if( attributes->domain_parameters != NULL ) - { - mbedtls_free( attributes->domain_parameters ); - attributes->domain_parameters = NULL; - attributes->domain_parameters_size = 0; - } - - attributes->domain_parameters = copy; - attributes->domain_parameters_size = data_length; - attributes->core.type = type; - return( PSA_SUCCESS ); -} - -psa_status_t psa_get_key_domain_parameters( - const psa_key_attributes_t *attributes, - uint8_t *data, size_t data_size, size_t *data_length ) -{ - if( attributes->domain_parameters_size > data_size ) - return( PSA_ERROR_BUFFER_TOO_SMALL ); - *data_length = attributes->domain_parameters_size; - if( attributes->domain_parameters_size != 0 ) - memcpy( data, attributes->domain_parameters, - attributes->domain_parameters_size ); - return( PSA_SUCCESS ); -} - #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || \ defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) static psa_status_t psa_get_rsa_public_exponent( diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c index 4fd93f7917..1c4d8ddbfc 100644 --- a/library/psa_crypto_client.c +++ b/library/psa_crypto_client.c 
@@ -25,4 +25,60 @@ #include "psa_crypto_service_integration.h" #include "psa/crypto.h" +#include +#include "mbedtls/platform.h" +#if !defined(MBEDTLS_PLATFORM_C) +#define mbedtls_calloc calloc +#define mbedtls_free free +#endif + +void psa_reset_key_attributes( psa_key_attributes_t *attributes ) +{ + mbedtls_free( attributes->domain_parameters ); + memset( attributes, 0, sizeof( *attributes ) ); +} + +psa_status_t psa_set_key_domain_parameters( psa_key_attributes_t *attributes, + psa_key_type_t type, + const uint8_t *data, + size_t data_length ) +{ + uint8_t *copy = NULL; + + if( data_length != 0 ) + { + copy = mbedtls_calloc( 1, data_length ); + if( copy == NULL ) + return( PSA_ERROR_INSUFFICIENT_MEMORY ); + memcpy( copy, data, data_length ); + } + /* After this point, this function is guaranteed to succeed, so it + * can start modifying `*attributes`. */ + + if( attributes->domain_parameters != NULL ) + { + mbedtls_free( attributes->domain_parameters ); + attributes->domain_parameters = NULL; + attributes->domain_parameters_size = 0; + } + + attributes->domain_parameters = copy; + attributes->domain_parameters_size = data_length; + attributes->core.type = type; + return( PSA_SUCCESS ); +} + +psa_status_t psa_get_key_domain_parameters( + const psa_key_attributes_t *attributes, + uint8_t *data, size_t data_size, size_t *data_length ) +{ + if( attributes->domain_parameters_size > data_size ) + return( PSA_ERROR_BUFFER_TOO_SMALL ); + *data_length = attributes->domain_parameters_size; + if( attributes->domain_parameters_size != 0 ) + memcpy( data, attributes->domain_parameters, + attributes->domain_parameters_size ); + return( PSA_SUCCESS ); +} + #endif /* MBEDTLS_PSA_CRYPTO_CLIENT || MBEDTLS_PSA_CRYPTO_C */ From f7b666c50823e4cceb1ef35f82cd56085529e612 Mon Sep 17 00:00:00 2001 
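Review bot: `psa_get_key_domain_parameters` returns `PSA_ERROR_BUFFER_TOO_SMALL` before it writes `*data_length`, so a caller that does not check the status goes on to use whatever its length variable already held. Setting the output first closes that gap: add `*data_length = 0;` as the first statement, ahead of the size comparison. In the same hunk, `psa_set_key_domain_parameters` hands `data` to `memcpy` whenever `data_length != 0` without a NULL check; if that is the caller's contract, say so with a comment such as `/* data must be non-NULL when data_length != 0 */`. All three functions are complete within the hunk, but the enclosing `#if` starts outside it.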
From: Ronald Cron Date: Thu, 28 Jan 2021 18:20:21 +0100 Subject: [PATCH 4/7] tests: psa: Move PSA key attributes tests Move PSA key attributes tests to their own test suite to be able to run them when MBEDTLS_PSA_CRYPTO_CLIENT is enabled but not MBEDTLS_PSA_CRYPTO_C. Signed-off-by: Ronald Cron --- tests/CMakeLists.txt | 1 + tests/suites/test_suite_psa_crypto.data | 27 ---- tests/suites/test_suite_psa_crypto.function | 121 ---------------- .../test_suite_psa_crypto_attributes.data | 26 ++++ .../test_suite_psa_crypto_attributes.function | 129 ++++++++++++++++++ 5 files changed, 156 insertions(+), 148 deletions(-) create mode 100644 tests/suites/test_suite_psa_crypto_attributes.data create mode 100644 tests/suites/test_suite_psa_crypto_attributes.function diff --git a/tests/CMakeLists.txt b/tests/CMakeLists.txt index f8ce925df2..6873dad081 100644 --- a/tests/CMakeLists.txt +++ b/tests/CMakeLists.txt @@ -141,6 +141,7 @@ add_test_suite(pkparse) add_test_suite(pkwrite) add_test_suite(poly1305) add_test_suite(psa_crypto) +add_test_suite(psa_crypto_attributes) add_test_suite(psa_crypto_entropy) add_test_suite(psa_crypto_hash) add_test_suite(psa_crypto_init) diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index a760554720..d09f24e040 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data 
@@ -1,33 +1,6 @@ PSA compile-time sanity checks static_checks: -PSA key attributes structure -attributes_set_get:0xffff1234:0x6963:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:128 - -PSA key attributes: id only -persistence_attributes:0x1234:0x5678:-1:-1:0:0x1234:0x5678:PSA_KEY_LIFETIME_PERSISTENT - -PSA key attributes: lifetime=3 only -persistence_attributes:-1:0:3:-1:0:0:0:3 - -PSA key attributes: id then back to volatile -persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_VOLATILE:-1:0:0:0x5678:PSA_KEY_LIFETIME_VOLATILE - -PSA key attributes: id then back to non local volatile -persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,1):-1:0:0:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,1) - -PSA key attributes: id then lifetime -persistence_attributes:0x1234:0x5678:3:-1:0:0x1234:0x5678:3 - -PSA key attributes: lifetime then id -persistence_attributes:0x1234:0x5678:3:0x1235:0x5679:0x1235:0x5679:3 - -PSA key attributes: non local volatile lifetime then id -persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,3):0x1235:0x5679:0x1235:0x5679:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT,3) - -PSA key attributes: slot number -slot_number_attribute: - PSA import/export raw: 1 bytes import_export:"2a":PSA_KEY_TYPE_RAW_DATA:PSA_KEY_USAGE_EXPORT:0:8:0:PSA_SUCCESS:1 diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 79c012f765..3469035131 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
@@ -1349,127 +1349,6 @@ void static_checks( ) } /* END_CASE */ -/* BEGIN_CASE */ -void attributes_set_get( int owner_id_arg, int id_arg, int lifetime_arg, - int usage_flags_arg, int alg_arg, - int type_arg, int bits_arg ) -{ - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); - psa_key_lifetime_t lifetime = lifetime_arg; - psa_key_usage_t usage_flags = usage_flags_arg; - psa_algorithm_t alg = alg_arg; - psa_key_type_t type = type_arg; - size_t bits = bits_arg; - - TEST_EQUAL( - MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); - TEST_EQUAL( - MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); - TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); - - psa_set_key_id( &attributes, id ); - psa_set_key_lifetime( &attributes, lifetime ); - psa_set_key_usage_flags( &attributes, usage_flags ); - psa_set_key_algorithm( &attributes, alg ); - psa_set_key_type( &attributes, type ); - psa_set_key_bits( &attributes, bits ); - - TEST_ASSERT( mbedtls_svc_key_id_equal( - psa_get_key_id( &attributes ), id ) ); - TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); - TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); - TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); - TEST_EQUAL( psa_get_key_type( &attributes ), type ); - TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); - - psa_reset_key_attributes( &attributes ); - - TEST_EQUAL( - MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); - TEST_EQUAL( - MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); - TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); - 
TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); - TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); -} -/* END_CASE */ - -/* BEGIN_CASE */ -void persistence_attributes( int id1_arg, int owner_id1_arg, int lifetime_arg, - int id2_arg, int owner_id2_arg, - int expected_id_arg, int expected_owner_id_arg, - int expected_lifetime_arg ) -{ - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - mbedtls_svc_key_id_t id1 = - mbedtls_svc_key_id_make( owner_id1_arg, id1_arg ); - psa_key_lifetime_t lifetime = lifetime_arg; - mbedtls_svc_key_id_t id2 = - mbedtls_svc_key_id_make( owner_id2_arg, id2_arg ); - mbedtls_svc_key_id_t expected_id = - mbedtls_svc_key_id_make( expected_owner_id_arg, expected_id_arg ); - psa_key_lifetime_t expected_lifetime = expected_lifetime_arg; - - if( id1_arg != -1 ) - psa_set_key_id( &attributes, id1 ); - if( lifetime_arg != -1 ) - psa_set_key_lifetime( &attributes, lifetime ); - if( id2_arg != -1 ) - psa_set_key_id( &attributes, id2 ); - - TEST_ASSERT( mbedtls_svc_key_id_equal( - psa_get_key_id( &attributes ), expected_id ) ); - TEST_EQUAL( psa_get_key_lifetime( &attributes ), expected_lifetime ); -} -/* END_CASE */ - -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_SE_C */ -void slot_number_attribute( ) -{ - psa_key_slot_number_t slot_number = 0xdeadbeef; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - - /* Initially, there is no slot number. */ - TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), - PSA_ERROR_INVALID_ARGUMENT ); - - /* Test setting a slot number. */ - psa_set_key_slot_number( &attributes, 0 ); - PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); - TEST_EQUAL( slot_number, 0 ); - - /* Test changing the slot number. */ - psa_set_key_slot_number( &attributes, 42 ); - PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); - TEST_EQUAL( slot_number, 42 ); - - /* Test clearing the slot number. 
*/ - psa_clear_key_slot_number( &attributes ); - TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), - PSA_ERROR_INVALID_ARGUMENT ); - - /* Clearing again should have no effect. */ - psa_clear_key_slot_number( &attributes ); - TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), - PSA_ERROR_INVALID_ARGUMENT ); - - /* Test that reset clears the slot number. */ - psa_set_key_slot_number( &attributes, 42 ); - PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); - TEST_EQUAL( slot_number, 42 ); - psa_reset_key_attributes( &attributes ); - TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), - PSA_ERROR_INVALID_ARGUMENT ); -} -/* END_CASE */ - /* BEGIN_CASE */ void import_with_policy( int type_arg, int usage_arg, int alg_arg, diff --git a/tests/suites/test_suite_psa_crypto_attributes.data b/tests/suites/test_suite_psa_crypto_attributes.data new file mode 100644 index 0000000000..15ff325e04 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_attributes.data 
@@ -0,0 +1,26 @@ +PSA key attributes structure +attributes_set_get:0xffff1234:0x6963:PSA_KEY_LIFETIME_PERSISTENT:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_CCM:PSA_KEY_TYPE_AES:128 + +PSA key attributes: id only +persistence_attributes:0x1234:0x5678:-1:-1:0:0x1234:0x5678:PSA_KEY_LIFETIME_PERSISTENT + +PSA key attributes: lifetime=3 only +persistence_attributes:-1:0:3:-1:0:0:0:3 + +PSA key attributes: id then back to volatile +persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_VOLATILE:-1:0:0:0x5678:PSA_KEY_LIFETIME_VOLATILE + +PSA key attributes: id then back to non local volatile +persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,1):-1:0:0:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,1) + +PSA key attributes: id then lifetime +persistence_attributes:0x1234:0x5678:3:-1:0:0x1234:0x5678:3 + +PSA key attributes: lifetime then id +persistence_attributes:0x1234:0x5678:3:0x1235:0x5679:0x1235:0x5679:3 + +PSA key attributes: non local volatile lifetime then id +persistence_attributes:0x1234:0x5678:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_VOLATILE,3):0x1235:0x5679:0x1235:0x5679:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_LIFETIME_PERSISTENT,3) + +PSA key attributes: slot number +slot_number_attribute: diff --git a/tests/suites/test_suite_psa_crypto_attributes.function b/tests/suites/test_suite_psa_crypto_attributes.function new file mode 100644 index 0000000000..1b5b309241 --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_attributes.function 
@@ -0,0 +1,129 @@ +/* BEGIN_HEADER */ +#include "psa/crypto.h" +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_CRYPTO_C + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void attributes_set_get( int owner_id_arg, int id_arg, int lifetime_arg, + int usage_flags_arg, int alg_arg, + int type_arg, int bits_arg ) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t id = mbedtls_svc_key_id_make( owner_id_arg, id_arg ); + psa_key_lifetime_t lifetime = lifetime_arg; + psa_key_usage_t usage_flags = usage_flags_arg; + psa_algorithm_t alg = alg_arg; + psa_key_type_t type = type_arg; + size_t bits = bits_arg; + + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( psa_get_key_lifetime( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); + + psa_set_key_id( &attributes, id ); + psa_set_key_lifetime( &attributes, lifetime ); + psa_set_key_usage_flags( &attributes, usage_flags ); + psa_set_key_algorithm( &attributes, alg ); + psa_set_key_type( &attributes, type ); + psa_set_key_bits( &attributes, bits ); + + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), id ) ); + TEST_EQUAL( psa_get_key_lifetime( &attributes ), lifetime ); + TEST_EQUAL( psa_get_key_usage_flags( &attributes ), usage_flags ); + TEST_EQUAL( psa_get_key_algorithm( &attributes ), alg ); + TEST_EQUAL( psa_get_key_type( &attributes ), type ); + TEST_EQUAL( psa_get_key_bits( &attributes ), bits ); + + psa_reset_key_attributes( &attributes ); + + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_KEY_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( + MBEDTLS_SVC_KEY_ID_GET_OWNER_ID( psa_get_key_id( &attributes ) ), 0 ); + TEST_EQUAL( 
psa_get_key_lifetime( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_usage_flags( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_algorithm( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_type( &attributes ), 0 ); + TEST_EQUAL( psa_get_key_bits( &attributes ), 0 ); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void persistence_attributes( int id1_arg, int owner_id1_arg, int lifetime_arg, + int id2_arg, int owner_id2_arg, + int expected_id_arg, int expected_owner_id_arg, + int expected_lifetime_arg ) +{ + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + mbedtls_svc_key_id_t id1 = + mbedtls_svc_key_id_make( owner_id1_arg, id1_arg ); + psa_key_lifetime_t lifetime = lifetime_arg; + mbedtls_svc_key_id_t id2 = + mbedtls_svc_key_id_make( owner_id2_arg, id2_arg ); + mbedtls_svc_key_id_t expected_id = + mbedtls_svc_key_id_make( expected_owner_id_arg, expected_id_arg ); + psa_key_lifetime_t expected_lifetime = expected_lifetime_arg; + + if( id1_arg != -1 ) + psa_set_key_id( &attributes, id1 ); + if( lifetime_arg != -1 ) + psa_set_key_lifetime( &attributes, lifetime ); + if( id2_arg != -1 ) + psa_set_key_id( &attributes, id2 ); + + TEST_ASSERT( mbedtls_svc_key_id_equal( + psa_get_key_id( &attributes ), expected_id ) ); + TEST_EQUAL( psa_get_key_lifetime( &attributes ), expected_lifetime ); +} +/* END_CASE */ + +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_SE_C */ +void slot_number_attribute( ) +{ + psa_key_slot_number_t slot_number = 0xdeadbeef; + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + + /* Initially, there is no slot number. */ + TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), + PSA_ERROR_INVALID_ARGUMENT ); + + /* Test setting a slot number. */ + psa_set_key_slot_number( &attributes, 0 ); + PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); + TEST_EQUAL( slot_number, 0 ); + + /* Test changing the slot number. 
*/ + psa_set_key_slot_number( &attributes, 42 ); + PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); + TEST_EQUAL( slot_number, 42 ); + + /* Test clearing the slot number. */ + psa_clear_key_slot_number( &attributes ); + TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), + PSA_ERROR_INVALID_ARGUMENT ); + + /* Clearing again should have no effect. */ + psa_clear_key_slot_number( &attributes ); + TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), + PSA_ERROR_INVALID_ARGUMENT ); + + /* Test that reset clears the slot number. */ + psa_set_key_slot_number( &attributes, 42 ); + PSA_ASSERT( psa_get_key_slot_number( &attributes, &slot_number ) ); + TEST_EQUAL( slot_number, 42 ); + psa_reset_key_attributes( &attributes ); + TEST_EQUAL( psa_get_key_slot_number( &attributes, &slot_number ), + PSA_ERROR_INVALID_ARGUMENT ); +} +/* END_CASE */ From 336678bccc275c5505a13e6bc970a4600e29ec8e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 28 Jan 2021 17:54:24 +0100 Subject: [PATCH 5/7] tests: psa: Test PSA client-only code Signed-off-by: Ronald Cron --- tests/scripts/all.sh | 11 +++++++++++ tests/suites/main_test.function | 7 +++++++ .../suites/test_suite_psa_crypto_attributes.function | 2 +- tests/suites/test_suite_psa_crypto_metadata.function | 2 +- 4 files changed, 20 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 676c804493..cc68d74ec5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
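Review bot: No case in this new suite calls `psa_set_key_domain_parameters` or `psa_get_key_domain_parameters`, the two functions moved into `psa_crypto_client.c` that allocate, copy and compare against a caller-supplied buffer size. The three cases cover the id, lifetime, usage, algorithm, type, bits and slot-number accessors plus `psa_reset_key_attributes` only. Other suites may exercise the domain-parameter functions, but nothing on this page shows one that runs when only `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled. A case along the lines below, with a matching entry in the `.data` file, would cover the round trip and the too-small-buffer path.

```c
/* BEGIN_CASE */
void domain_parameters_set_get( int type_arg, data_t *params )
{
    psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
    uint8_t output[64];
    size_t length = 0;

    TEST_ASSERT( params->len != 0 );
    TEST_ASSERT( params->len <= sizeof( output ) );

    PSA_ASSERT( psa_set_key_domain_parameters( &attributes, type_arg,
                                               params->x, params->len ) );
    TEST_EQUAL( psa_get_key_type( &attributes ), type_arg );

    /* A buffer one byte short must be rejected. */
    TEST_EQUAL( psa_get_key_domain_parameters( &attributes, output,
                                               params->len - 1, &length ),
                PSA_ERROR_BUFFER_TOO_SMALL );

    PSA_ASSERT( psa_get_key_domain_parameters( &attributes, output,
                                               sizeof( output ), &length ) );
    ASSERT_COMPARE( params->x, params->len, output, length );

exit:
    /* Releases the heap copy made by psa_set_key_domain_parameters(). */
    psa_reset_key_attributes( &attributes );
}
/* END_CASE */
```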
@@ -798,6 +798,17 @@ component_test_psa_crypto_key_id_encodes_owner () { make test } +component_test_psa_crypto_client () { + msg "build: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make" + scripts/config.py unset MBEDTLS_PSA_CRYPTO_C + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C + scripts/config.py set MBEDTLS_PSA_CRYPTO_CLIENT + make + + msg "test: default config - PSA_CRYPTO_C + PSA_CRYPTO_CLIENT, make" + make test +} + component_test_zlib_make() { msg "build: zlib enabled, make" scripts/config.py set MBEDTLS_ZLIB_SUPPORT diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 98dab3ebbd..b67bb4370d 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -33,6 +33,13 @@ #include "psa/crypto.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ +/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT + * is defined to run tests with dependency on MBEDTLS_PSA_CRYPTO_CLIENT. + */ +#if defined(MBEDTLS_PSA_CRYPTO_C) +#define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /* MBEDTLS_PSA_CRYPTO_C */ + /* Test code may use deprecated identifiers only if the preprocessor symbol * MBEDTLS_TEST_DEPRECATED is defined. When building tests, set * MBEDTLS_TEST_DEPRECATED explicitly if MBEDTLS_DEPRECATED_WARNING is diff --git a/tests/suites/test_suite_psa_crypto_attributes.function b/tests/suites/test_suite_psa_crypto_attributes.function index 1b5b309241..ce34fae74b 100644 --- a/tests/suites/test_suite_psa_crypto_attributes.function +++ b/tests/suites/test_suite_psa_crypto_attributes.function @@ -3,7 +3,7 @@ /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PSA_CRYPTO_C + * depends_on:MBEDTLS_PSA_CRYPTO_CLIENT * END_DEPENDENCIES */ diff --git a/tests/suites/test_suite_psa_crypto_metadata.function b/tests/suites/test_suite_psa_crypto_metadata.function index 45f639eb23..10ffe0f38a 100644 --- a/tests/suites/test_suite_psa_crypto_metadata.function +++ b/tests/suites/test_suite_psa_crypto_metadata.function 
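Review bot: `component_test_psa_crypto_client` verifies the client-only configuration with `make test` alone. That would presumably still pass if the suites whose `depends_on` this patch switches to `MBEDTLS_PSA_CRYPTO_CLIENT` were skipped rather than run, so a later break in that dependency could go unnoticed. At minimum, state the intent above the `config.py` calls, for example `# Client-only build: with MBEDTLS_PSA_CRYPTO_C unset, only suites depending on MBEDTLS_PSA_CRYPTO_CLIENT exercise PSA code.` Better still, add a step that fails when the attributes and metadata suites report no executed cases.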
@@ -184,7 +184,7 @@ exit: ; /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PSA_CRYPTO_C + * depends_on:MBEDTLS_PSA_CRYPTO_CLIENT * END_DEPENDENCIES */ From 395889f9b7b9b4c9ed206d2f4cc8f60c5646f882 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 9 Feb 2021 12:36:49 +0100 Subject: [PATCH 6/7] psa: Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined when MBEDTLS_PSA_CRYPTO_C is defined and guard PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT. The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done in crypto_types.h before the definition of psa_key_attributes_t. That way as PSA crypto client code is related to key attributes we can be quite confident that MBEDTLS_PSA_CRYPTO_CLIENT will be defined when needed. Signed-off-by: Ronald Cron --- include/psa/crypto_types.h | 7 +++++++ library/psa_crypto_client.c | 7 +++---- tests/suites/main_test.function | 7 ------- 3 files changed, 10 insertions(+), 11 deletions(-) diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h index 98048813a2..386c7d794b 100644 --- a/include/psa/crypto_types.h +++ b/include/psa/crypto_types.h @@ -35,6 +35,13 @@ #include "crypto_platform.h" +/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT + * is defined as well to include all PSA code. + */ +#if defined(MBEDTLS_PSA_CRYPTO_C) +#define MBEDTLS_PSA_CRYPTO_CLIENT +#endif /* MBEDTLS_PSA_CRYPTO_C */ + #include /** \defgroup error Error codes diff --git a/library/psa_crypto_client.c b/library/psa_crypto_client.c index 1c4d8ddbfc..e84cf3015b 100644 --- a/library/psa_crypto_client.c +++ b/library/psa_crypto_client.c @@ -19,12 +19,11 @@ */ #include "common.h" - -#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) || defined(MBEDTLS_PSA_CRYPTO_C) - #include "psa_crypto_service_integration.h" #include "psa/crypto.h" +#if defined(MBEDTLS_PSA_CRYPTO_CLIENT) + #include #include "mbedtls/platform.h" #if !defined(MBEDTLS_PLATFORM_C) 
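Review bot: The implicit `#define MBEDTLS_PSA_CRYPTO_CLIENT` lives in `crypto_types.h`, so a translation unit that tests the macro after including only the configuration header sees it undefined even though `MBEDTLS_PSA_CRYPTO_C` is set. The `#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)` blocks added to `library/version_features.c` and `programs/test/query_config.c` in patch 1/7 look like such cases, which would make the reported feature list disagree with the code actually built; their includes are outside the hunks shown, so this is inferred. The `psa_crypto_client.c` hunk of this patch works only because its includes were moved above the guard. A comment there such as `/* The PSA headers must come first: they define MBEDTLS_PSA_CRYPTO_CLIENT when MBEDTLS_PSA_CRYPTO_C is set. */` would stop a later include reorder from silently compiling the file to nothing. Writing the guard as `#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_PSA_CRYPTO_CLIENT)` also keeps the define from clashing with a configuration that already sets the option.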
@@ -81,4 +80,4 @@ psa_status_t psa_get_key_domain_parameters( return( PSA_SUCCESS ); } -#endif /* MBEDTLS_PSA_CRYPTO_CLIENT || MBEDTLS_PSA_CRYPTO_C */ +#endif /* MBEDTLS_PSA_CRYPTO_CLIENT */ diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index b67bb4370d..98dab3ebbd 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -33,13 +33,6 @@ #include "psa/crypto.h" #endif /* MBEDTLS_USE_PSA_CRYPTO */ -/* If MBEDTLS_PSA_CRYPTO_C is defined, make sure MBEDTLS_PSA_CRYPTO_CLIENT - * is defined to run tests with dependency on MBEDTLS_PSA_CRYPTO_CLIENT. - */ -#if defined(MBEDTLS_PSA_CRYPTO_C) -#define MBEDTLS_PSA_CRYPTO_CLIENT -#endif /* MBEDTLS_PSA_CRYPTO_C */ - /* Test code may use deprecated identifiers only if the preprocessor symbol * MBEDTLS_TEST_DEPRECATED is defined. When building tests, set * MBEDTLS_TEST_DEPRECATED explicitly if MBEDTLS_DEPRECATED_WARNING is From 07907ae84e571055bb4aa12e25f22bd144000415 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 9 Feb 2021 13:51:34 +0100 Subject: [PATCH 7/7] Add change log entry Signed-off-by: Ronald Cron --- ChangeLog.d/psa-crypto-client.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/psa-crypto-client.txt diff --git a/ChangeLog.d/psa-crypto-client.txt b/ChangeLog.d/psa-crypto-client.txt new file mode 100644 index 0000000000..3070ee95bb --- /dev/null +++ b/ChangeLog.d/psa-crypto-client.txt @@ -0,0 +1,4 @@ +Changes + * A new library C file psa_crypto_client.c has been created to contain + the PSA code needed by a PSA crypto client when the PSA crypto + implementation is not included into the library.