mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-01-27 06:35:22 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Use psa_core_key_attributes_t in key slots in memory

Browse Source 
Change the type of key slots in memory to use
psa_core_key_attributes_t rather than separate fields. The goal is to
simplify some parts of the code. This commit only does the mechanical
replacement, not the substitution.

The bit-field `allocate` is now a flag `PSA_KEY_SLOT_FLAG_ALLOCATED`
in the `flags` field.

Write accessor functions for flags.

Key slots now contain a bit size field which is currently unused.
Subsequent commits will make use of it.
This commit is contained in:
Gilles Peskine 2019-07-30 20:06:31 +02:00
parent 68cc433b5b
commit 8e3387029d
3 changed files with 156 additions and 104 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

163
library/psa_crypto.c
View File

@ -366,7 +366,7 @@ static psa_status_t mbedtls_to_psa_error( int ret )
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
static inline int psa_key_slot_is_external( const psa_key_slot_t *slot )
{
return( psa_key_lifetime_is_external( slot->lifetime ) );
return( psa_key_lifetime_is_external( slot->attr.lifetime ) );
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
@ -695,7 +695,7 @@ exit:
}
#endif /* defined(MBEDTLS_ECP_C) */
/** Import key data into a slot. `slot->type` must have been set
/** Import key data into a slot. `slot->attr.type` must have been set
* previously. This function assumes that the slot does not contain
* any key material yet. On failure, the slot content is unchanged. */
psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
@ -704,7 +704,7 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
{
psa_status_t status = PSA_SUCCESS;
if( key_type_is_raw_bytes( slot->type ) )
if( key_type_is_raw_bytes( slot->attr.type ) )
{
size_t bit_size = PSA_BYTES_TO_BITS( data_length );
/* Ensure that the bytes-to-bit conversion doesn't overflow. */
@ -713,7 +713,7 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
/* Ensure that the bit size fits in its representation type. */
if( bit_size > PSA_MAX_KEY_BITS )
return( PSA_ERROR_NOT_SUPPORTED );
status = prepare_raw_data_slot( slot->type, bit_size,
status = prepare_raw_data_slot( slot->attr.type, bit_size,
&slot->data.raw );
if( status != PSA_SUCCESS )
return( status );
@ -722,25 +722,25 @@ psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
}
else
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->type ) )
if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) )
{
status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->type ),
status = psa_import_ec_private_key( PSA_KEY_TYPE_GET_CURVE( slot->attr.type ),
data, data_length,
&slot->data.ecp );
}
else if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( slot->type ) )
else if( PSA_KEY_TYPE_IS_ECC_PUBLIC_KEY( slot->attr.type ) )
{
status = psa_import_ec_public_key(
PSA_KEY_TYPE_GET_CURVE( slot->type ),
PSA_KEY_TYPE_GET_CURVE( slot->attr.type ),
data, data_length,
&slot->data.ecp );
}
else
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PK_PARSE_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
status = psa_import_rsa_key( slot->type,
status = psa_import_rsa_key( slot->attr.type,
data, data_length,
&slot->data.rsa );
}
@ -854,20 +854,20 @@ static psa_status_t psa_get_key_from_slot( psa_key_handle_t handle,
status = psa_get_key_slot( handle, &slot );
if( status != PSA_SUCCESS )
return( status );
if( slot->type == PSA_KEY_TYPE_NONE )
if( slot->attr.type == PSA_KEY_TYPE_NONE )
return( PSA_ERROR_DOES_NOT_EXIST );
/* Enforce that usage policy for the key slot contains all the flags
* required by the usage parameter. There is one exception: public
* keys can always be exported, so we treat public key objects as
* if they had the export flag. */
if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
if( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
usage &= ~PSA_KEY_USAGE_EXPORT;
if( ( slot->policy.usage & usage ) != usage )
if( ( slot->attr.policy.usage & usage ) != usage )
return( PSA_ERROR_NOT_PERMITTED );
/* Enforce that the usage policy permits the requested algortihm. */
if( alg != 0 && ! psa_key_policy_permits( &slot->policy, alg ) )
if( alg != 0 && ! psa_key_policy_permits( &slot->attr.policy, alg ) )
return( PSA_ERROR_NOT_PERMITTED );
*p_slot = slot;
@ -914,17 +914,17 @@ static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
if( slot->type == PSA_KEY_TYPE_NONE )
if( slot->attr.type == PSA_KEY_TYPE_NONE )
{
/* No key material to clean. */
}
else if( key_type_is_raw_bytes( slot->type ) )
else if( key_type_is_raw_bytes( slot->attr.type ) )
{
mbedtls_free( slot->data.raw.data );
}
else
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_rsa_free( slot->data.rsa );
mbedtls_free( slot->data.rsa );
@ -932,7 +932,7 @@ static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
else
#endif /* defined(MBEDTLS_RSA_C) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
mbedtls_ecp_keypair_free( slot->data.ecp );
mbedtls_free( slot->data.ecp );
@ -981,7 +981,7 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
return( status );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
driver = psa_get_se_driver_entry( slot->lifetime );
driver = psa_get_se_driver_entry( slot->attr.lifetime );
if( driver != NULL )
{
/* For a key in a secure element, we need to do three things:
@ -990,9 +990,9 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
* persistent data. Start a transaction that will encompass these
* three actions. */
psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_DESTROY_KEY );
psa_crypto_transaction.key.lifetime = slot->lifetime;
psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
psa_crypto_transaction.key.slot = slot->data.se.slot_number;
psa_crypto_transaction.key.id = slot->persistent_storage_id;
psa_crypto_transaction.key.id = slot->attr.id;
status = psa_crypto_save_transaction( );
if( status != PSA_SUCCESS )
{
@ -1006,10 +1006,10 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
{
storage_status =
psa_destroy_persistent_key( slot->persistent_storage_id );
psa_destroy_persistent_key( slot->attr.id );
}
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
@ -1039,18 +1039,18 @@ psa_status_t psa_destroy_key( psa_key_handle_t handle )
static size_t psa_get_key_slot_bits( const psa_key_slot_t *slot )
{
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_get_se_driver( slot->lifetime, NULL, NULL ) )
if( psa_get_se_driver( slot->attr.lifetime, NULL, NULL ) )
return( slot->data.se.bits );
#endif /* defined(MBEDTLS_PSA_CRYPTO_SE_C) */
if( key_type_is_raw_bytes( slot->type ) )
if( key_type_is_raw_bytes( slot->attr.type ) )
return( slot->data.raw.bytes * 8 );
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
return( PSA_BYTES_TO_BITS( mbedtls_rsa_get_len( slot->data.rsa ) ) );
#endif /* defined(MBEDTLS_RSA_C) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
return( slot->data.ecp->grp.pbits );
#endif /* defined(MBEDTLS_ECP_C) */
/* Shouldn't happen except on an empty slot. */
@ -1156,10 +1156,10 @@ exit:
static void psa_get_key_slot_attributes( psa_key_slot_t *slot,
psa_key_attributes_t *attributes )
{
attributes->core.id = slot->persistent_storage_id;
attributes->core.lifetime = slot->lifetime;
attributes->core.policy = slot->policy;
attributes->core.type = slot->type;
attributes->core.id = slot->attr.id;
attributes->core.lifetime = slot->attr.lifetime;
attributes->core.policy = slot->attr.policy;
attributes->core.type = slot->attr.type;
attributes->core.bits = psa_get_key_slot_bits( slot );
}
@ -1179,7 +1179,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
psa_get_key_slot_attributes( slot, attributes );
switch( slot->type )
switch( slot->attr.type )
{
#if defined(MBEDTLS_RSA_C)
case PSA_KEY_TYPE_RSA_KEY_PAIR:
@ -1187,7 +1187,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* TOnogrepDO: reporting the public exponent for opaque keys
* is not yet implemented. */
if( psa_get_se_driver( slot->lifetime, NULL, NULL ) )
if( psa_get_se_driver( slot->attr.lifetime, NULL, NULL ) )
break;
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
status = psa_get_rsa_public_exponent( slot->data.rsa, attributes );
@ -1232,11 +1232,11 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
*data_length = 0;
if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->type ) )
if( export_public_key && ! PSA_KEY_TYPE_IS_ASYMMETRIC( slot->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_get_se_driver( slot->lifetime, &drv, &drv_context ) )
if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) )
{
psa_drv_se_export_key_t method;
if( drv->key_management == NULL )
@ -1252,7 +1252,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
if( key_type_is_raw_bytes( slot->type ) )
if( key_type_is_raw_bytes( slot->attr.type ) )
{
if( slot->data.raw.bytes > data_size )
return( PSA_ERROR_BUFFER_TOO_SMALL );
@ -1266,7 +1266,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
return( PSA_SUCCESS );
}
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->type ) && !export_public_key )
if( PSA_KEY_TYPE_IS_ECC_KEY_PAIR( slot->attr.type ) && !export_public_key )
{
psa_status_t status;
@ -1285,12 +1285,12 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
else
{
#if defined(MBEDTLS_PK_WRITE_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) ||
PSA_KEY_TYPE_IS_ECC( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ||
PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
mbedtls_pk_context pk;
int ret;
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
#if defined(MBEDTLS_RSA_C)
mbedtls_pk_init( &pk );
@ -1310,7 +1310,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
return( PSA_ERROR_NOT_SUPPORTED );
#endif
}
if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) )
if( export_public_key || PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) )
{
ret = pk_write_pubkey_simple( &pk, data, data_size );
}
@ -1412,7 +1412,7 @@ static psa_status_t psa_set_key_policy_internal(
PSA_KEY_USAGE_DERIVE ) ) != 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
slot->policy = *policy;
slot->attr.policy = *policy;
return( PSA_SUCCESS );
}
@ -1460,7 +1460,7 @@ static psa_status_t psa_start_key_creation(
status = psa_set_key_policy_internal( slot, &attributes->core.policy );
if( status != PSA_SUCCESS )
return( status );
slot->lifetime = attributes->core.lifetime;
slot->attr.lifetime = attributes->core.lifetime;
if( attributes->core.lifetime != PSA_KEY_LIFETIME_VOLATILE )
{
@ -1469,9 +1469,9 @@ static psa_status_t psa_start_key_creation(
p_drv, 1 );
if( status != PSA_SUCCESS )
return( status );
slot->persistent_storage_id = attributes->core.id;
slot->attr.id = attributes->core.id;
}
slot->type = attributes->core.type;
slot->attr.type = attributes->core.type;
/* Refuse to create overly large keys.
* Note that this doesn't trigger on import if the attributes don't
@ -1501,9 +1501,9 @@ static psa_status_t psa_start_key_creation(
if( status != PSA_SUCCESS )
return( status );
psa_crypto_prepare_transaction( PSA_CRYPTO_TRANSACTION_CREATE_KEY );
psa_crypto_transaction.key.lifetime = slot->lifetime;
psa_crypto_transaction.key.lifetime = slot->attr.lifetime;
psa_crypto_transaction.key.slot = slot->data.se.slot_number;
psa_crypto_transaction.key.id = slot->persistent_storage_id;
psa_crypto_transaction.key.id = slot->attr.id;
status = psa_crypto_save_transaction( );
if( status != PSA_SUCCESS )
{
@ -1546,7 +1546,7 @@ static psa_status_t psa_finish_key_creation(
(void) driver;
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
if( slot->lifetime != PSA_KEY_LIFETIME_VOLATILE )
if( slot->attr.lifetime != PSA_KEY_LIFETIME_VOLATILE )
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_get_key_slot_attributes( slot, &attributes );
@ -1562,7 +1562,7 @@ static psa_status_t psa_finish_key_creation(
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
{
size_t buffer_size =
PSA_KEY_EXPORT_MAX_SIZE( slot->type,
PSA_KEY_EXPORT_MAX_SIZE( slot->attr.type,
psa_get_key_bits( &attributes ) );
uint8_t *buffer = mbedtls_calloc( 1, buffer_size );
size_t length = 0;
@ -1587,7 +1587,7 @@ static psa_status_t psa_finish_key_creation(
status = psa_save_se_persistent_data( driver );
if( status != PSA_SUCCESS )
{
psa_destroy_persistent_key( slot->persistent_storage_id );
psa_destroy_persistent_key( slot->attr.id );
return( status );
}
status = psa_crypto_stop_transaction( );
@ -1640,14 +1640,14 @@ static psa_status_t psa_check_key_slot_attributes(
{
if( attributes->core.type != 0 )
{
if( attributes->core.type != slot->type )
if( attributes->core.type != slot->attr.type )
return( PSA_ERROR_INVALID_ARGUMENT );
}
if( attributes->domain_parameters_size != 0 )
{
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_mpi actual, required;
int ret;
@ -1712,7 +1712,8 @@ psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
status = drv->key_management->p_import(
psa_get_se_driver_context( driver ),
slot->data.se.slot_number,
slot->lifetime, slot->type, slot->policy.alg, slot->policy.usage,
slot->attr.lifetime, slot->attr.type,
slot->attr.policy.alg, slot->attr.policy.usage,
data, data_length,
&slot->data.se.bits );
}
@ -1745,7 +1746,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
size_t buffer_size = 0;
size_t length;
buffer_size = PSA_KEY_EXPORT_MAX_SIZE( source->type,
buffer_size = PSA_KEY_EXPORT_MAX_SIZE( source->attr.type,
psa_get_key_slot_bits( source ) );
buffer = mbedtls_calloc( 1, buffer_size );
if( buffer == NULL && buffer_size != 0 )
@ -1753,7 +1754,7 @@ static psa_status_t psa_copy_key_material( const psa_key_slot_t *source,
status = psa_internal_export_key( source, buffer, buffer_size, &length, 0 );
if( status != PSA_SUCCESS )
goto exit;
target->type = source->type;
target->attr.type = source->attr.type;
status = psa_import_key_into_slot( target, buffer, length );
exit:
@ -1783,7 +1784,7 @@ psa_status_t psa_copy_key( psa_key_handle_t source_handle,
goto exit;
status = psa_restrict_key_policy( &actual_attributes.core.policy,
&source_slot->policy );
&source_slot->attr.policy );
if( status != PSA_SUCCESS )
goto exit;
@ -2573,7 +2574,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
{
const mbedtls_cipher_info_t *cipher_info =
mbedtls_cipher_info_from_psa( full_length_alg,
slot->type, key_bits, NULL );
slot->attr.type, key_bits, NULL );
int ret;
if( cipher_info == NULL )
{
@ -2605,7 +2606,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
goto exit;
}
if( slot->type != PSA_KEY_TYPE_HMAC )
if( slot->attr.type != PSA_KEY_TYPE_HMAC )
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
@ -3145,14 +3146,14 @@ psa_status_t psa_asymmetric_sign( psa_key_handle_t handle,
status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_SIGN, alg );
if( status != PSA_SUCCESS )
goto exit;
if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->type ) )
if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
{
status = PSA_ERROR_INVALID_ARGUMENT;
goto exit;
}
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEY_PAIR )
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
status = psa_rsa_sign( slot->data.rsa,
alg,
@ -3163,7 +3164,7 @@ psa_status_t psa_asymmetric_sign( psa_key_handle_t handle,
else
#endif /* defined(MBEDTLS_RSA_C) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
#if defined(MBEDTLS_ECDSA_C)
if(
@ -3220,7 +3221,7 @@ psa_status_t psa_asymmetric_verify( psa_key_handle_t handle,
return( status );
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
return( psa_rsa_verify( slot->data.rsa,
alg,
@ -3230,7 +3231,7 @@ psa_status_t psa_asymmetric_verify( psa_key_handle_t handle,
else
#endif /* defined(MBEDTLS_RSA_C) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->type ) )
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
#if defined(MBEDTLS_ECDSA_C)
if( PSA_ALG_IS_ECDSA( alg ) )
@ -3288,12 +3289,12 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle,
status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
if( status != PSA_SUCCESS )
return( status );
if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->type ) ||
PSA_KEY_TYPE_IS_KEY_PAIR( slot->type ) ) )
if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ||
PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_RSA_C)
if( PSA_KEY_TYPE_IS_RSA( slot->type ) )
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_rsa_context *rsa = slot->data.rsa;
int ret;
@ -3368,11 +3369,11 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle,
status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_DECRYPT, alg );
if( status != PSA_SUCCESS )
return( status );
if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->type ) )
if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_RSA_C)
if( slot->type == PSA_KEY_TYPE_RSA_KEY_PAIR )
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
mbedtls_rsa_context *rsa = slot->data.rsa;
int ret;
@ -3479,7 +3480,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
goto exit;
key_bits = psa_get_key_slot_bits( slot );
cipher_info = mbedtls_cipher_info_from_psa( alg, slot->type, key_bits, NULL );
cipher_info = mbedtls_cipher_info_from_psa( alg, slot->attr.type, key_bits, NULL );
if( cipher_info == NULL )
{
status = PSA_ERROR_NOT_SUPPORTED;
@ -3491,7 +3492,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
goto exit;
#if defined(MBEDTLS_DES_C)
if( slot->type == PSA_KEY_TYPE_DES && key_bits == 128 )
if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 )
{
/* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */
uint8_t keys[24];
@ -3533,10 +3534,10 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
operation->key_set = 1;
operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 :
PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type ) );
PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type ) );
if( alg & PSA_ALG_CIPHER_FROM_BLOCK_FLAG )
{
operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->type );
operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_SIZE( slot->attr.type );
}
#if defined(MBEDTLS_CHACHA20_C)
else
@ -3818,7 +3819,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
key_bits = psa_get_key_slot_bits( operation->slot );
operation->cipher_info =
mbedtls_cipher_info_from_psa( alg, operation->slot->type, key_bits,
mbedtls_cipher_info_from_psa( alg, operation->slot->attr.type, key_bits,
&cipher_id );
if( operation->cipher_info == NULL )
return( PSA_ERROR_NOT_SUPPORTED );
@ -3832,7 +3833,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
/* CCM allows the following tag lengths: 4, 6, 8, 10, 12, 14, 16.
* The call to mbedtls_ccm_encrypt_and_tag or
* mbedtls_ccm_auth_decrypt will validate the tag length. */
if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->type ) != 16 )
if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
return( PSA_ERROR_INVALID_ARGUMENT );
mbedtls_ccm_init( &operation->ctx.ccm );
status = mbedtls_to_psa_error(
@ -3851,7 +3852,7 @@ static psa_status_t psa_aead_setup( aead_operation_t *operation,
/* GCM allows the following tag lengths: 4, 8, 12, 13, 14, 15, 16.
* The call to mbedtls_gcm_crypt_and_tag or
* mbedtls_gcm_auth_decrypt will validate the tag length. */
if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->type ) != 16 )
if( PSA_BLOCK_CIPHER_BLOCK_SIZE( operation->slot->attr.type ) != 16 )
return( PSA_ERROR_INVALID_ARGUMENT );
mbedtls_gcm_init( &operation->ctx.gcm );
status = mbedtls_to_psa_error(
@ -4676,7 +4677,7 @@ static psa_status_t psa_generate_derived_key_internal(
size_t bytes = PSA_BITS_TO_BYTES( bits );
psa_status_t status;
if( ! key_type_is_raw_bytes( slot->type ) )
if( ! key_type_is_raw_bytes( slot->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
if( bits % 8 != 0 )
return( PSA_ERROR_INVALID_ARGUMENT );
@ -4688,7 +4689,7 @@ static psa_status_t psa_generate_derived_key_internal(
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_DES_C)
if( slot->type == PSA_KEY_TYPE_DES )
if( slot->attr.type == PSA_KEY_TYPE_DES )
psa_des_set_key_parity( data, bytes );
#endif /* MBEDTLS_DES_C */
status = psa_import_key_into_slot( slot, data, bytes );
@ -4997,7 +4998,7 @@ psa_status_t psa_key_derivation( psa_key_derivation_operation_t *operation,
if( status != PSA_SUCCESS )
return( status );
if( slot->type != PSA_KEY_TYPE_DERIVE )
if( slot->attr.type != PSA_KEY_TYPE_DERIVE )
return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_key_derivation_internal( operation,
@ -5372,7 +5373,7 @@ psa_status_t psa_key_derivation_input_key(
operation->alg );
if( status != PSA_SUCCESS )
return( status );
if( slot->type != PSA_KEY_TYPE_DERIVE )
if( slot->attr.type != PSA_KEY_TYPE_DERIVE )
return( PSA_ERROR_INVALID_ARGUMENT );
/* Don't allow a key to be used as an input that is usually public.
* This is debatable. It's ok from a cryptographic perspective to
@ -5452,7 +5453,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
{
#if defined(MBEDTLS_ECDH_C)
case PSA_ALG_ECDH:
if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->type ) )
if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
return( psa_key_agreement_ecdh( peer_key, peer_key_length,
private_key->data.ecp,
@ -5635,7 +5636,7 @@ static psa_status_t psa_generate_key_internal(
psa_key_slot_t *slot, size_t bits,
const uint8_t *domain_parameters, size_t domain_parameters_size )
{
psa_key_type_t type = slot->type;
psa_key_type_t type = slot->attr.type;
if( domain_parameters == NULL && domain_parameters_size != 0 )
return( PSA_ERROR_INVALID_ARGUMENT );

60
library/psa_crypto_core.h
View File

@ -39,11 +39,7 @@
*/
typedef struct
{
psa_key_type_t type;
psa_key_lifetime_t lifetime;
psa_key_file_id_t persistent_storage_id;
psa_key_policy_t policy;
unsigned allocated : 1;
psa_core_key_attributes_t attr;
union
{
/* Raw-data key (key_type_is_raw_bytes() in psa_crypto.c) */
@ -69,6 +65,60 @@ typedef struct
} data;
} psa_key_slot_t;
/** Flag for psa_key_slot_t::attr::core::flags indicating that the
* slot is in use. */
#define PSA_KEY_SLOT_FLAG_ALLOCATED ( (uint16_t) 0x0001 )
/** Retrieve flags from psa_key_slot_t::attr::core::flags.
*
* \param[in] slot The key slot to query.
* \param mask The mask of bits to extract.
*
* \return The key attribute flags in the given slot,
* bitwise-anded with \p mask.
*/
static inline uint16_t psa_key_slot_get_flags( const psa_key_slot_t *slot,
uint16_t mask )
{
return( slot->attr.flags & mask );
}
/** Set flags in psa_key_slot_t::attr::core::flags.
*
* \param[in,out] slot The key slot to modify.
* \param mask The mask of bits to modify.
* \param value The new value of the selected bits.
*/
static inline void psa_key_slot_set_flags( psa_key_slot_t *slot,
uint16_t mask,
uint16_t value )
{
slot->attr.flags = ( ( ~mask & slot->attr.flags ) |
( mask & value ) );
}
/** Turn on flags in psa_key_slot_t::attr::core::flags.
*
* \param[in,out] slot The key slot to modify.
* \param mask The mask of bits to set.
*/
static inline void psa_key_slot_set_bits_in_flags( psa_key_slot_t *slot,
uint16_t mask )
{
slot->attr.flags |= mask;
}
/** Turn off flags in psa_key_slot_t::attr::core::flags.
*
* \param[in,out] slot The key slot to modify.
* \param mask The mask of bits to clear.
*/
static inline void psa_key_slot_clear_bits( psa_key_slot_t *slot,
uint16_t mask )
{
slot->attr.flags &= ~mask;
}
/** Completely wipe a slot in memory, including its policy.
*
* Persistent storage is not affected.

37
library/psa_crypto_slot_management.c
View File

@ -72,7 +72,7 @@ psa_status_t psa_get_key_slot( psa_key_handle_t handle,
slot = &global_data.key_slots[handle - 1];
/* If the slot hasn't been allocated, the handle is invalid. */
if( ! slot->allocated )
if( ! psa_key_slot_get_flags( slot, PSA_KEY_SLOT_FLAG_ALLOCATED ) )
return( PSA_ERROR_INVALID_HANDLE );
*p_slot = slot;
@ -108,9 +108,10 @@ psa_status_t psa_internal_allocate_key_slot( psa_key_handle_t *handle,
for( *handle = PSA_KEY_SLOT_COUNT; *handle != 0; --( *handle ) )
{
*p_slot = &global_data.key_slots[*handle - 1];
if( ! ( *p_slot )->allocated )
if( ! psa_key_slot_get_flags( *p_slot, PSA_KEY_SLOT_FLAG_ALLOCATED ) )
{
( *p_slot )->allocated = 1;
psa_key_slot_set_bits_in_flags( *p_slot,
PSA_KEY_SLOT_FLAG_ALLOCATED );
return( PSA_SUCCESS );
}
}
@ -126,17 +127,17 @@ static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *p_slot )
size_t key_data_length = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_set_key_id( &attributes, p_slot->persistent_storage_id );
psa_set_key_id( &attributes, p_slot->attr.id );
status = psa_load_persistent_key( &attributes,
&key_data, &key_data_length );
if( status != PSA_SUCCESS )
goto exit;
p_slot->lifetime = psa_get_key_lifetime( &attributes );
p_slot->type = psa_get_key_type( &attributes );
p_slot->policy = attributes.core.policy;
p_slot->attr.lifetime = psa_get_key_lifetime( &attributes );
p_slot->attr.type = psa_get_key_type( &attributes );
p_slot->attr.policy = attributes.core.policy;
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_lifetime_is_external( p_slot->lifetime ) )
if( psa_key_lifetime_is_external( p_slot->attr.lifetime ) )
{
if( key_data_length != sizeof( p_slot->data.se ) )
{
@ -233,8 +234,8 @@ psa_status_t psa_open_key( psa_key_file_id_t id, psa_key_handle_t *handle )
if( status != PSA_SUCCESS )
return( status );
slot->lifetime = PSA_KEY_LIFETIME_PERSISTENT;
slot->persistent_storage_id = id;
slot->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
slot->attr.id = id;
status = psa_load_persistent_key_into_slot( slot );
if( status != PSA_SUCCESS )
@ -270,27 +271,27 @@ void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats )
for( key = 1; key <= PSA_KEY_SLOT_COUNT; key++ )
{
psa_key_slot_t *slot = &global_data.key_slots[key - 1];
if( slot->type == PSA_KEY_TYPE_NONE )
if( slot->attr.type == PSA_KEY_TYPE_NONE )
{
if( slot->allocated )
if( psa_key_slot_get_flags( slot, PSA_KEY_SLOT_FLAG_ALLOCATED ) )
++stats->half_filled_slots;
else
++stats->empty_slots;
continue;
}
if( slot->lifetime == PSA_KEY_LIFETIME_VOLATILE )
if( slot->attr.lifetime == PSA_KEY_LIFETIME_VOLATILE )
++stats->volatile_slots;
else if( slot->lifetime == PSA_KEY_LIFETIME_PERSISTENT )
else if( slot->attr.lifetime == PSA_KEY_LIFETIME_PERSISTENT )
{
++stats->persistent_slots;
if( slot->persistent_storage_id > stats->max_open_internal_key_id )
stats->max_open_internal_key_id = slot->persistent_storage_id;
if( slot->attr.id > stats->max_open_internal_key_id )
stats->max_open_internal_key_id = slot->attr.id;
}
else
{
++stats->external_slots;
if( slot->persistent_storage_id > stats->max_open_external_key_id )
stats->max_open_external_key_id = slot->persistent_storage_id;
if( slot->attr.id > stats->max_open_external_key_id )
stats->max_open_external_key_id = slot->attr.id;
}
}
}