diff --git a/CMakeLists.txt b/CMakeLists.txt index 479863e77a..6d16079939 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -281,6 +281,15 @@ if(MBEDTLS_FATAL_WARNINGS) endif(CMAKE_COMPILER_IS_IAR) endif(MBEDTLS_FATAL_WARNINGS) +if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP) + set(CMAKE_CXX_STANDARD 11) + set(CMAKE_CXX_STANDARD_REQUIRED ON) + set(CMAKE_CXX_EXTENSIONS OFF) + if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU) + set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic") + endif() +endif() + if(CMAKE_BUILD_TYPE STREQUAL "Coverage") if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG) set(CMAKE_SHARED_LINKER_FLAGS "--coverage") diff --git a/ChangeLog.d/psa_generate_key_custom.txt b/ChangeLog.d/psa_generate_key_custom.txt new file mode 100644 index 0000000000..3fc1bd7d1f --- /dev/null +++ b/ChangeLog.d/psa_generate_key_custom.txt @@ -0,0 +1,9 @@ +API changes + * The experimental functions psa_generate_key_ext() and + psa_key_derivation_output_key_ext() have been replaced by + psa_generate_key_custom() and psa_key_derivation_output_key_custom(). + They have almost exactly the same interface, but the variable-length + data is passed in a separate parameter instead of a flexible array + member. This resolves a build failure under C++ compilers that do not + support flexible array members (a C99 feature not adopted by C++). + Fixes #9020. diff --git a/docs/psa-transition.md b/docs/psa-transition.md index bbb7da2470..dea14fe4dd 100644 --- a/docs/psa-transition.md +++ b/docs/psa-transition.md @@ -779,7 +779,7 @@ A finite-field Diffie-Hellman key can be used for key agreement with the algorit The easiest way to create a key pair object is by randomly generating it with [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5). Compared with the low-level functions from the legacy API (`mbedtls_rsa_gen_key`, `mbedtls_ecp_gen_privkey`, `mbedtls_ecp_gen_keypair`, `mbedtls_ecp_gen_keypair_base`, `mbedtls_ecdsa_genkey`), this directly creates an object that can be used with high-level APIs, but removes some of the flexibility. Note that if you want to export the generated private key, you must pass the flag [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de); exporting the public key with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) is always permitted. -For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga6776360ae8046a4456a5f990f997da58) to select a different public exponent. As of Mbed TLS 3.6.0, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers. +For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_custom`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#ga0415617443afe42a712027bbb8ad89f0) to select a different public exponent. As of Mbed TLS 3.6.1, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers. To create a key object from existing material, use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b). This function has the same basic goal as the PK parse functions (`mbedtls_pk_parse_key`, `mbedtls_pk_parse_public_key`, `mbedtls_pk_parse_subpubkey`), but only supports a single format that just contains the number(s) that make up the key, with very little metadata. The table below summarizes the PSA import/export format for key pairs and public keys; see the documentation of [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) for more details. diff --git a/scripts/common.make b/scripts/common.make index d102a97a56..9c7fd735e6 100644 --- a/scripts/common.make +++ b/scripts/common.make @@ -20,14 +20,14 @@ include $(MBEDTLS_PATH)/framework/exported.make CFLAGS ?= -O2 WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral +WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic LDFLAGS ?= LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \ -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include \ -I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include \ -D_FILE_OFFSET_BITS=64 -LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tests/include -D_FILE_OFFSET_BITS=64 +LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) $(LOCAL_CFLAGS) ifdef PSASIM LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \ diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja index 8b91f0bb72..d3b7d6fb31 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja @@ -731,7 +731,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data( static inline psa_status_t psa_driver_wrapper_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; @@ -740,7 +741,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) int is_default_production = - psa_key_production_parameters_are_default(params, params_data_length); + psa_custom_key_parameters_are_default(custom, custom_data_length); if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production ) { /* We don't support passing custom production parameters @@ -811,7 +812,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key( /* Software fallback */ status = psa_generate_key_internal( - attributes, params, params_data_length, + attributes, custom, custom_data, custom_data_length, key_buffer, key_buffer_size, key_buffer_length ); break; diff --git a/tests/include/test/psa_test_wrappers.h b/tests/include/test/psa_test_wrappers.h index 95518559c5..b83f405be1 100644 --- a/tests/include/test/psa_test_wrappers.h +++ b/tests/include/test/psa_test_wrappers.h @@ -354,13 +354,14 @@ psa_status_t mbedtls_test_wrap_psa_generate_key( #define psa_generate_key(arg0_attributes, arg1_key) \ mbedtls_test_wrap_psa_generate_key(arg0_attributes, arg1_key) -psa_status_t mbedtls_test_wrap_psa_generate_key_ext( +psa_status_t mbedtls_test_wrap_psa_generate_key_custom( const psa_key_attributes_t *arg0_attributes, - const psa_key_production_parameters_t *arg1_params, - size_t arg2_params_data_length, - mbedtls_svc_key_id_t *arg3_key); -#define psa_generate_key_ext(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key) \ - mbedtls_test_wrap_psa_generate_key_ext(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key) + const psa_custom_key_parameters_t *arg1_custom, + const uint8_t *arg2_custom_data, + size_t arg3_custom_data_length, + mbedtls_svc_key_id_t *arg4_key); +#define psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key) \ + mbedtls_test_wrap_psa_generate_key_custom(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key) psa_status_t mbedtls_test_wrap_psa_generate_random( uint8_t *arg0_output, @@ -496,14 +497,15 @@ psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key( #define psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) \ mbedtls_test_wrap_psa_key_derivation_output_key(arg0_attributes, arg1_operation, arg2_key) -psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext( +psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom( const psa_key_attributes_t *arg0_attributes, psa_key_derivation_operation_t *arg1_operation, - const psa_key_production_parameters_t *arg2_params, - size_t arg3_params_data_length, - mbedtls_svc_key_id_t *arg4_key); -#define psa_key_derivation_output_key_ext(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key) \ - mbedtls_test_wrap_psa_key_derivation_output_key_ext(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key) + const psa_custom_key_parameters_t *arg2_custom, + const uint8_t *arg3_custom_data, + size_t arg4_custom_data_length, + mbedtls_svc_key_id_t *arg5_key); +#define psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key) \ + mbedtls_test_wrap_psa_key_derivation_output_key_custom(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key) psa_status_t mbedtls_test_wrap_psa_key_derivation_set_capacity( psa_key_derivation_operation_t *arg0_operation, diff --git a/tests/psa-client-server/psasim/src/psa_functions_codes.h b/tests/psa-client-server/psasim/src/psa_functions_codes.h index bc1b84442a..1301ff2d63 100644 --- a/tests/psa-client-server/psasim/src/psa_functions_codes.h +++ b/tests/psa-client-server/psasim/src/psa_functions_codes.h @@ -40,7 +40,7 @@ enum { PSA_EXPORT_KEY, PSA_EXPORT_PUBLIC_KEY, PSA_GENERATE_KEY, - PSA_GENERATE_KEY_EXT, + PSA_GENERATE_KEY_CUSTOM, PSA_GENERATE_RANDOM, PSA_GET_KEY_ATTRIBUTES, PSA_HASH_ABORT, @@ -62,7 +62,7 @@ enum { PSA_KEY_DERIVATION_KEY_AGREEMENT, PSA_KEY_DERIVATION_OUTPUT_BYTES, PSA_KEY_DERIVATION_OUTPUT_KEY, - PSA_KEY_DERIVATION_OUTPUT_KEY_EXT, + PSA_KEY_DERIVATION_OUTPUT_KEY_CUSTOM, PSA_KEY_DERIVATION_SET_CAPACITY, PSA_KEY_DERIVATION_SETUP, PSA_MAC_ABORT, diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c index 4200f6c04d..d4d9d60884 100644 --- a/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c +++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c @@ -2803,9 +2803,10 @@ fail: } -psa_status_t psa_generate_key_ext( +psa_status_t psa_generate_key_custom( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, size_t custom_data_length, mbedtls_svc_key_id_t *key ) { @@ -2817,7 +2818,8 @@ psa_status_t psa_generate_key_ext( size_t needed = psasim_serialise_begin_needs() + psasim_serialise_psa_key_attributes_t_needs(*attributes) + - psasim_serialise_psa_key_production_parameters_t_needs(params, params_data_length) + + psasim_serialise_psa_custom_key_parameters_t_needs(*custom) + + psasim_serialise_buffer_needs(custom_data, custom_data_length) + psasim_serialise_mbedtls_svc_key_id_t_needs(*key); ser_params = malloc(needed); @@ -2839,9 +2841,15 @@ psa_status_t psa_generate_key_ext( if (!ok) { goto fail; } - ok = psasim_serialise_psa_key_production_parameters_t( + ok = psasim_serialise_psa_custom_key_parameters_t( &pos, &remaining, - params, params_data_length); + *custom); + if (!ok) { + goto fail; + } + ok = psasim_serialise_buffer( + &pos, &remaining, + custom_data, custom_data_length); if (!ok) { goto fail; } @@ -2852,10 +2860,10 @@ psa_status_t psa_generate_key_ext( goto fail; } - ok = psa_crypto_call(PSA_GENERATE_KEY_EXT, + ok = psa_crypto_call(PSA_GENERATE_KEY_CUSTOM, ser_params, (size_t) (pos - ser_params), &ser_result, &result_length); if (!ok) { - printf("PSA_GENERATE_KEY_EXT server call failed\n"); + printf("PSA_GENERATE_KEY_CUSTOM server call failed\n"); goto fail; } @@ -4572,10 +4580,11 @@ fail: } -psa_status_t psa_key_derivation_output_key_ext( +psa_status_t psa_key_derivation_output_key_custom( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, size_t custom_data_length, mbedtls_svc_key_id_t *key ) { @@ -4588,7 +4597,8 @@ psa_status_t psa_key_derivation_output_key_ext( psasim_serialise_begin_needs() + psasim_serialise_psa_key_attributes_t_needs(*attributes) + psasim_serialise_psa_key_derivation_operation_t_needs(*operation) + - psasim_serialise_psa_key_production_parameters_t_needs(params, params_data_length) + + psasim_serialise_psa_custom_key_parameters_t_needs(*custom) + + psasim_serialise_buffer_needs(custom_data, custom_data_length) + psasim_serialise_mbedtls_svc_key_id_t_needs(*key); ser_params = malloc(needed); @@ -4616,9 +4626,15 @@ psa_status_t psa_key_derivation_output_key_ext( if (!ok) { goto fail; } - ok = psasim_serialise_psa_key_production_parameters_t( + ok = psasim_serialise_psa_custom_key_parameters_t( &pos, &remaining, - params, params_data_length); + *custom); + if (!ok) { + goto fail; + } + ok = psasim_serialise_buffer( + &pos, &remaining, + custom_data, custom_data_length); if (!ok) { goto fail; } @@ -4629,10 +4645,10 @@ psa_status_t psa_key_derivation_output_key_ext( goto fail; } - ok = psa_crypto_call(PSA_KEY_DERIVATION_OUTPUT_KEY_EXT, + ok = psa_crypto_call(PSA_KEY_DERIVATION_OUTPUT_KEY_CUSTOM, ser_params, (size_t) (pos - ser_params), &ser_result, &result_length); if (!ok) { - printf("PSA_KEY_DERIVATION_OUTPUT_KEY_EXT server call failed\n"); + printf("PSA_KEY_DERIVATION_OUTPUT_KEY_CUSTOM server call failed\n"); goto fail; } diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c index cab32c47c1..b2ed070c8a 100644 --- a/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c +++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_server.c @@ -3116,14 +3116,15 @@ fail: } // Returns 1 for success, 0 for failure -int psa_generate_key_ext_wrapper( +int psa_generate_key_custom_wrapper( uint8_t *in_params, size_t in_params_len, uint8_t **out_params, size_t *out_params_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length; + psa_custom_key_parameters_t custom; + uint8_t *custom_data = NULL; + size_t custom_data_length; mbedtls_svc_key_id_t key; uint8_t *pos = in_params; @@ -3143,9 +3144,16 @@ int psa_generate_key_ext_wrapper( goto fail; } - ok = psasim_deserialise_psa_key_production_parameters_t( + ok = psasim_deserialise_psa_custom_key_parameters_t( &pos, &remaining, - ¶ms, ¶ms_data_length); + &custom); + if (!ok) { + goto fail; + } + + ok = psasim_deserialise_buffer( + &pos, &remaining, + &custom_data, &custom_data_length); if (!ok) { goto fail; } @@ -3159,9 +3167,10 @@ int psa_generate_key_ext_wrapper( // Now we call the actual target function - status = psa_generate_key_ext( + status = psa_generate_key_custom( &attributes, - params, params_data_length, + &custom, + custom_data, custom_data_length, &key ); @@ -3201,14 +3210,14 @@ int psa_generate_key_ext_wrapper( *out_params = result; *out_params_len = result_size; - free(params); + free(custom_data); return 1; // success fail: free(result); - free(params); + free(custom_data); return 0; // This shouldn't happen! } @@ -5079,15 +5088,16 @@ fail: } // Returns 1 for success, 0 for failure -int psa_key_derivation_output_key_ext_wrapper( +int psa_key_derivation_output_key_custom_wrapper( uint8_t *in_params, size_t in_params_len, uint8_t **out_params, size_t *out_params_len) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t attributes; psa_key_derivation_operation_t *operation; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length; + psa_custom_key_parameters_t custom; + uint8_t *custom_data = NULL; + size_t custom_data_length; mbedtls_svc_key_id_t key; uint8_t *pos = in_params; @@ -5114,9 +5124,16 @@ int psa_key_derivation_output_key_ext_wrapper( goto fail; } - ok = psasim_deserialise_psa_key_production_parameters_t( + ok = psasim_deserialise_psa_custom_key_parameters_t( &pos, &remaining, - ¶ms, ¶ms_data_length); + &custom); + if (!ok) { + goto fail; + } + + ok = psasim_deserialise_buffer( + &pos, &remaining, + &custom_data, &custom_data_length); if (!ok) { goto fail; } @@ -5130,10 +5147,11 @@ int psa_key_derivation_output_key_ext_wrapper( // Now we call the actual target function - status = psa_key_derivation_output_key_ext( + status = psa_key_derivation_output_key_custom( &attributes, operation, - params, params_data_length, + &custom, + custom_data, custom_data_length, &key ); @@ -5181,14 +5199,14 @@ int psa_key_derivation_output_key_ext_wrapper( *out_params = result; *out_params_len = result_size; - free(params); + free(custom_data); return 1; // success fail: free(result); - free(params); + free(custom_data); return 0; // This shouldn't happen! } @@ -7712,9 +7730,9 @@ psa_status_t psa_crypto_call(psa_msg_t msg) ok = psa_generate_key_wrapper(in_params, in_params_len, &out_params, &out_params_len); break; - case PSA_GENERATE_KEY_EXT: - ok = psa_generate_key_ext_wrapper(in_params, in_params_len, - &out_params, &out_params_len); + case PSA_GENERATE_KEY_CUSTOM: + ok = psa_generate_key_custom_wrapper(in_params, in_params_len, + &out_params, &out_params_len); break; case PSA_GENERATE_RANDOM: ok = psa_generate_random_wrapper(in_params, in_params_len, @@ -7800,9 +7818,9 @@ psa_status_t psa_crypto_call(psa_msg_t msg) ok = psa_key_derivation_output_key_wrapper(in_params, in_params_len, &out_params, &out_params_len); break; - case PSA_KEY_DERIVATION_OUTPUT_KEY_EXT: - ok = psa_key_derivation_output_key_ext_wrapper(in_params, in_params_len, - &out_params, &out_params_len); + case PSA_KEY_DERIVATION_OUTPUT_KEY_CUSTOM: + ok = psa_key_derivation_output_key_custom_wrapper(in_params, in_params_len, + &out_params, &out_params_len); break; case PSA_KEY_DERIVATION_SET_CAPACITY: ok = psa_key_derivation_set_capacity_wrapper(in_params, in_params_len, diff --git a/tests/psa-client-server/psasim/src/psa_sim_generate.pl b/tests/psa-client-server/psasim/src/psa_sim_generate.pl index bc63975e83..e0e9b19f0d 100755 --- a/tests/psa-client-server/psasim/src/psa_sim_generate.pl +++ b/tests/psa-client-server/psasim/src/psa_sim_generate.pl @@ -564,13 +564,6 @@ EOF print $fh < UINT32_MAX / 2) { /* arbitrary limit */ - return 0; /* too big to serialise */ - } - - /* We use 32-bit lengths, which should be enough for any reasonable usage :) */ - /* (the UINT32_MAX / 2 above is an even more conservative check to avoid overflow here) */ - uint32_t len = (uint32_t) (sizeof(data_length) + sizeof(*params) + data_length); - if (*remaining < SER_TAG_SIZE + sizeof(uint32_t) + len) { + if (*remaining < sizeof(value)) { return 0; } - char tag[SER_TAG_SIZE] = "PKPP"; - - memcpy(*pos, tag, sizeof(tag)); - memcpy(*pos + sizeof(tag), &len, sizeof(len)); - *pos += sizeof(tag) + sizeof(len); - *remaining -= sizeof(tag) + sizeof(len); - - memcpy(*pos, &data_length, sizeof(data_length)); - memcpy(*pos + sizeof(data_length), params, sizeof(*params) + data_length); - *pos += sizeof(data_length) + sizeof(*params) + data_length; - *remaining -= sizeof(data_length) + sizeof(*params) + data_length; + memcpy(*pos, &value, sizeof(value)); + *pos += sizeof(value); return 1; } -int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, - size_t *remaining, - psa_key_production_parameters_t **params, - size_t *data_length) +int psasim_deserialise_psa_custom_key_parameters_t(uint8_t **pos, + size_t *remaining, + psa_custom_key_parameters_t *value) { - if (*remaining < SER_TAG_SIZE + sizeof(uint32_t)) { - return 0; /* can't even be an empty serialisation */ + if (*remaining < sizeof(*value)) { + return 0; } - char tag[SER_TAG_SIZE] = "PKPP"; /* expected */ - uint32_t len; + memcpy(value, *pos, sizeof(*value)); - memcpy(&len, *pos + sizeof(tag), sizeof(len)); - - if (memcmp(*pos, tag, sizeof(tag)) != 0) { - return 0; /* wrong tag */ - } - - *pos += sizeof(tag) + sizeof(len); - *remaining -= sizeof(tag) + sizeof(len); - - if (*remaining < sizeof(*data_length)) { - return 0; /* missing data_length */ - } - memcpy(data_length, *pos, sizeof(*data_length)); - - if ((size_t) len != (sizeof(data_length) + sizeof(**params) + *data_length)) { - return 0; /* wrong length */ - } - - if (*remaining < sizeof(*data_length) + sizeof(**params) + *data_length) { - return 0; /* not enough data provided */ - } - - *pos += sizeof(data_length); - *remaining -= sizeof(data_length); - - psa_key_production_parameters_t *out = malloc(sizeof(**params) + *data_length); - if (out == NULL) { - return 0; /* allocation failure */ - } - - memcpy(out, *pos, sizeof(*out) + *data_length); - *pos += sizeof(*out) + *data_length; - *remaining -= sizeof(*out) + *data_length; - - *params = out; + *pos += sizeof(*value); + *remaining -= sizeof(*value); return 1; } diff --git a/tests/psa-client-server/psasim/src/psa_sim_serialise.h b/tests/psa-client-server/psasim/src/psa_sim_serialise.h index f60e371c30..523ce8028b 100644 --- a/tests/psa-client-server/psasim/src/psa_sim_serialise.h +++ b/tests/psa-client-server/psasim/src/psa_sim_serialise.h @@ -421,55 +421,48 @@ int psasim_deserialise_buffer(uint8_t **pos, size_t *remaining, int psasim_deserialise_return_buffer(uint8_t **pos, size_t *remaining, uint8_t *buffer, size_t buffer_length); -/** Return how much space is needed by \c psasim_serialise_psa_key_production_parameters_t() - * to serialise a psa_key_production_parameters_t (a structure with a flexible array member). +/** Return how much buffer space is needed by \c psasim_serialise_psa_custom_key_parameters_t() + * to serialise a `psa_custom_key_parameters_t`. * - * \param params Pointer to the struct to be serialised + * \param value The value that will be serialised into the buffer * (needed in case some serialisations are value- * dependent). - * \param data_length Number of bytes in the data[] of the struct to be serialised. * - * \return The number of bytes needed in the serialisation buffer by - * \c psasim_serialise_psa_key_production_parameters_t() to serialise - * the specified structure. + * \return The number of bytes needed in the buffer by + * \c psasim_serialise_psa_custom_key_parameters_t() to serialise + * the given value. */ -size_t psasim_serialise_psa_key_production_parameters_t_needs( - const psa_key_production_parameters_t *params, - size_t buffer_size); +size_t psasim_serialise_psa_custom_key_parameters_t_needs( + psa_custom_key_parameters_t value); -/** Serialise a psa_key_production_parameters_t. +/** Serialise a `psa_custom_key_parameters_t` into a buffer. * * \param pos[in,out] Pointer to a `uint8_t *` holding current position * in the buffer. * \param remaining[in,out] Pointer to a `size_t` holding number of bytes * remaining in the buffer. - * \param params Pointer to the structure to be serialised. - * \param data_length Number of bytes in the data[] of the struct to be serialised. + * \param value The value to serialise into the buffer. * * \return \c 1 on success ("okay"), \c 0 on error. */ -int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos, - size_t *remaining, - const psa_key_production_parameters_t *params, - size_t data_length); +int psasim_serialise_psa_custom_key_parameters_t(uint8_t **pos, + size_t *remaining, + psa_custom_key_parameters_t value); -/** Deserialise a psa_key_production_parameters_t. +/** Deserialise a `psa_custom_key_parameters_t` from a buffer. * * \param pos[in,out] Pointer to a `uint8_t *` holding current position - * in the serialisation buffer. + * in the buffer. * \param remaining[in,out] Pointer to a `size_t` holding number of bytes - * remaining in the serialisation buffer. - * \param params Pointer to a `psa_key_production_parameters_t *` to - * receive the address of a newly-allocated structure, - * which the caller must `free()`. - * \param data_length Pointer to a `size_t` to receive the number of - * bytes in the data[] member of the structure deserialised. + * remaining in the buffer. + * \param value Pointer to a `psa_custom_key_parameters_t` to receive the value + * deserialised from the buffer. * * \return \c 1 on success ("okay"), \c 0 on error. */ -int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, size_t *remaining, - psa_key_production_parameters_t **params, - size_t *buffer_length); +int psasim_deserialise_psa_custom_key_parameters_t(uint8_t **pos, + size_t *remaining, + psa_custom_key_parameters_t *value); /** Return how much buffer space is needed by \c psasim_serialise_psa_status_t() * to serialise a `psa_status_t`. diff --git a/tests/psa-client-server/psasim/src/psa_sim_serialise.pl b/tests/psa-client-server/psasim/src/psa_sim_serialise.pl index 75e6cd01c0..31c93aeb20 100755 --- a/tests/psa-client-server/psasim/src/psa_sim_serialise.pl +++ b/tests/psa-client-server/psasim/src/psa_sim_serialise.pl @@ -38,7 +38,7 @@ die($usage) unless $which eq "c" || $which eq "h"; my @types = qw(unsigned-int int size_t uint16_t uint32_t uint64_t buffer - psa_key_production_parameters_t + psa_custom_key_parameters_t psa_status_t psa_algorithm_t psa_key_derivation_step_t psa_hash_operation_t psa_aead_operation_t @@ -66,8 +66,6 @@ if ($which eq "h") { for my $type (@types) { if ($type eq "buffer") { print declare_buffer_functions(); - } elsif ($type eq "psa_key_production_parameters_t") { - print declare_psa_key_production_parameters_t_functions(); } else { print declare_needs($type, ""); print declare_serialise($type, ""); @@ -98,8 +96,6 @@ if ($which eq "h") { for my $type (@types) { if ($type eq "buffer") { print define_buffer_functions(); - } elsif ($type eq "psa_key_production_parameters_t") { - print define_psa_key_production_parameters_t_functions(); } elsif (exists($isa{$type})) { print define_needs_isa($type, $isa{$type}); print define_serialise_isa($type, $isa{$type}); @@ -304,62 +300,6 @@ int psasim_deserialise_return_buffer(uint8_t **pos, size_t *remaining, EOF } -sub declare_psa_key_production_parameters_t_functions -{ - return <<'EOF'; - -/** Return how much space is needed by \c psasim_serialise_psa_key_production_parameters_t() - * to serialise a psa_key_production_parameters_t (a structure with a flexible array member). - * - * \param params Pointer to the struct to be serialised - * (needed in case some serialisations are value- - * dependent). - * \param data_length Number of bytes in the data[] of the struct to be serialised. - * - * \return The number of bytes needed in the serialisation buffer by - * \c psasim_serialise_psa_key_production_parameters_t() to serialise - * the specified structure. - */ -size_t psasim_serialise_psa_key_production_parameters_t_needs( - const psa_key_production_parameters_t *params, - size_t buffer_size); - -/** Serialise a psa_key_production_parameters_t. - * - * \param pos[in,out] Pointer to a `uint8_t *` holding current position - * in the buffer. - * \param remaining[in,out] Pointer to a `size_t` holding number of bytes - * remaining in the buffer. - * \param params Pointer to the structure to be serialised. - * \param data_length Number of bytes in the data[] of the struct to be serialised. - * - * \return \c 1 on success ("okay"), \c 0 on error. - */ -int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos, - size_t *remaining, - const psa_key_production_parameters_t *params, - size_t data_length); - -/** Deserialise a psa_key_production_parameters_t. - * - * \param pos[in,out] Pointer to a `uint8_t *` holding current position - * in the serialisation buffer. - * \param remaining[in,out] Pointer to a `size_t` holding number of bytes - * remaining in the serialisation buffer. - * \param params Pointer to a `psa_key_production_parameters_t *` to - * receive the address of a newly-allocated structure, - * which the caller must `free()`. - * \param data_length Pointer to a `size_t` to receive the number of - * bytes in the data[] member of the structure deserialised. - * - * \return \c 1 on success ("okay"), \c 0 on error. - */ -int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, size_t *remaining, - psa_key_production_parameters_t **params, - size_t *buffer_length); -EOF -} - sub h_header { return <<'EOF'; @@ -816,105 +756,6 @@ int psasim_deserialise_return_buffer(uint8_t **pos, EOF } -sub define_psa_key_production_parameters_t_functions -{ - return <<'EOF'; - -#define SER_TAG_SIZE 4 - -size_t psasim_serialise_psa_key_production_parameters_t_needs( - const psa_key_production_parameters_t *params, - size_t data_length) -{ - /* We will serialise with 4-byte tag = "PKPP" + 4-byte overall length at the beginning, - * followed by size_t data_length, then the actual data from the structure. - */ - return SER_TAG_SIZE + sizeof(uint32_t) + sizeof(data_length) + sizeof(*params) + data_length; -} - -int psasim_serialise_psa_key_production_parameters_t(uint8_t **pos, - size_t *remaining, - const psa_key_production_parameters_t *params, - size_t data_length) -{ - if (data_length > UINT32_MAX / 2) { /* arbitrary limit */ - return 0; /* too big to serialise */ - } - - /* We use 32-bit lengths, which should be enough for any reasonable usage :) */ - /* (the UINT32_MAX / 2 above is an even more conservative check to avoid overflow here) */ - uint32_t len = (uint32_t) (sizeof(data_length) + sizeof(*params) + data_length); - if (*remaining < SER_TAG_SIZE + sizeof(uint32_t) + len) { - return 0; - } - - char tag[SER_TAG_SIZE] = "PKPP"; - - memcpy(*pos, tag, sizeof(tag)); - memcpy(*pos + sizeof(tag), &len, sizeof(len)); - *pos += sizeof(tag) + sizeof(len); - *remaining -= sizeof(tag) + sizeof(len); - - memcpy(*pos, &data_length, sizeof(data_length)); - memcpy(*pos + sizeof(data_length), params, sizeof(*params) + data_length); - *pos += sizeof(data_length) + sizeof(*params) + data_length; - *remaining -= sizeof(data_length) + sizeof(*params) + data_length; - - return 1; -} - -int psasim_deserialise_psa_key_production_parameters_t(uint8_t **pos, - size_t *remaining, - psa_key_production_parameters_t **params, - size_t *data_length) -{ - if (*remaining < SER_TAG_SIZE + sizeof(uint32_t)) { - return 0; /* can't even be an empty serialisation */ - } - - char tag[SER_TAG_SIZE] = "PKPP"; /* expected */ - uint32_t len; - - memcpy(&len, *pos + sizeof(tag), sizeof(len)); - - if (memcmp(*pos, tag, sizeof(tag)) != 0) { - return 0; /* wrong tag */ - } - - *pos += sizeof(tag) + sizeof(len); - *remaining -= sizeof(tag) + sizeof(len); - - if (*remaining < sizeof(*data_length)) { - return 0; /* missing data_length */ - } - memcpy(data_length, *pos, sizeof(*data_length)); - - if ((size_t) len != (sizeof(data_length) + sizeof(**params) + *data_length)) { - return 0; /* wrong length */ - } - - if (*remaining < sizeof(*data_length) + sizeof(**params) + *data_length) { - return 0; /* not enough data provided */ - } - - *pos += sizeof(data_length); - *remaining -= sizeof(data_length); - - psa_key_production_parameters_t *out = malloc(sizeof(**params) + *data_length); - if (out == NULL) { - return 0; /* allocation failure */ - } - - memcpy(out, *pos, sizeof(*out) + *data_length); - *pos += sizeof(*out) + *data_length; - *remaining -= sizeof(*out) + *data_length; - - *params = out; - - return 1; -} -EOF -} sub c_header { diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 993e23cbb4..082ed01b15 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -642,8 +642,9 @@ KNOWN_TASKS = { re.compile(r'mbedtls_ct_memmove_left .*') ], 'test_suite_psa_crypto': [ - # We don't support generate_key_ext entry points + # We don't support generate_key_custom entry points # in drivers yet. + re.compile(r'PSA generate key custom: RSA, e=.*'), re.compile(r'PSA generate key ext: RSA, e=.*'), ], } diff --git a/tests/scripts/components-build-system.sh b/tests/scripts/components-build-system.sh index d1440c3c84..4bb41aebe5 100644 --- a/tests/scripts/components-build-system.sh +++ b/tests/scripts/components-build-system.sh @@ -11,7 +11,7 @@ component_test_make_shared () { msg "build/test: make shared" # ~ 40s - make SHARED=1 all check + make SHARED=1 TEST_CPP=1 all check ldd programs/util/strerror | grep libmbedcrypto programs/test/dlopen_demo.sh } @@ -65,7 +65,7 @@ component_test_cmake_out_of_source () { mkdir "$OUT_OF_SOURCE_DIR" cd "$OUT_OF_SOURCE_DIR" # Note: Explicitly generate files as these are turned off in releases - cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON "$MBEDTLS_ROOT_DIR" + cmake -D CMAKE_BUILD_TYPE:String=Check -D GEN_FILES=ON _D TEST_CPP=1 "$MBEDTLS_ROOT_DIR" make msg "test: cmake 'out-of-source' build" diff --git a/tests/src/psa_test_wrappers.c b/tests/src/psa_test_wrappers.c index 7415e293b5..deac3005e3 100644 --- a/tests/src/psa_test_wrappers.c +++ b/tests/src/psa_test_wrappers.c @@ -604,14 +604,21 @@ psa_status_t mbedtls_test_wrap_psa_generate_key( return status; } -/* Wrapper for psa_generate_key_ext */ -psa_status_t mbedtls_test_wrap_psa_generate_key_ext( +/* Wrapper for psa_generate_key_custom */ +psa_status_t mbedtls_test_wrap_psa_generate_key_custom( const psa_key_attributes_t *arg0_attributes, - const psa_key_production_parameters_t *arg1_params, - size_t arg2_params_data_length, - mbedtls_svc_key_id_t *arg3_key) + const psa_custom_key_parameters_t *arg1_custom, + const uint8_t *arg2_custom_data, + size_t arg3_custom_data_length, + mbedtls_svc_key_id_t *arg4_key) { - psa_status_t status = (psa_generate_key_ext)(arg0_attributes, arg1_params, arg2_params_data_length, arg3_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_POISON(arg2_custom_data, arg3_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + psa_status_t status = (psa_generate_key_custom)(arg0_attributes, arg1_custom, arg2_custom_data, arg3_custom_data_length, arg4_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_UNPOISON(arg2_custom_data, arg3_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } @@ -870,15 +877,22 @@ psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key( return status; } -/* Wrapper for psa_key_derivation_output_key_ext */ -psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_ext( +/* Wrapper for psa_key_derivation_output_key_custom */ +psa_status_t mbedtls_test_wrap_psa_key_derivation_output_key_custom( const psa_key_attributes_t *arg0_attributes, psa_key_derivation_operation_t *arg1_operation, - const psa_key_production_parameters_t *arg2_params, - size_t arg3_params_data_length, - mbedtls_svc_key_id_t *arg4_key) + const psa_custom_key_parameters_t *arg2_custom, + const uint8_t *arg3_custom_data, + size_t arg4_custom_data_length, + mbedtls_svc_key_id_t *arg5_key) { - psa_status_t status = (psa_key_derivation_output_key_ext)(arg0_attributes, arg1_operation, arg2_params, arg3_params_data_length, arg4_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_POISON(arg3_custom_data, arg4_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ + psa_status_t status = (psa_key_derivation_output_key_custom)(arg0_attributes, arg1_operation, arg2_custom, arg3_custom_data, arg4_custom_data_length, arg5_key); +#if !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) + MBEDTLS_TEST_MEMORY_UNPOISON(arg3_custom_data, arg4_custom_data_length); +#endif /* !defined(MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS) */ return status; } diff --git a/tf-psa-crypto/core/psa_crypto.c b/tf-psa-crypto/core/psa_crypto.c index 8100afc471..0ad4196241 100644 --- a/tf-psa-crypto/core/psa_crypto.c +++ b/tf-psa-crypto/core/psa_crypto.c @@ -6412,27 +6412,28 @@ exit: return status; } -static const psa_key_production_parameters_t default_production_parameters = - PSA_KEY_PRODUCTION_PARAMETERS_INIT; +static const psa_custom_key_parameters_t default_custom_production = + PSA_CUSTOM_KEY_PARAMETERS_INIT; -int psa_key_production_parameters_are_default( - const psa_key_production_parameters_t *params, - size_t params_data_length) +int psa_custom_key_parameters_are_default( + const psa_custom_key_parameters_t *custom, + size_t custom_data_length) { - if (params->flags != 0) { + if (custom->flags != 0) { return 0; } - if (params_data_length != 0) { + if (custom_data_length != 0) { return 0; } return 1; } -psa_status_t psa_key_derivation_output_key_ext( +psa_status_t psa_key_derivation_output_key_custom( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, - size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, mbedtls_svc_key_id_t *key) { psa_status_t status; @@ -6447,7 +6448,8 @@ psa_status_t psa_key_derivation_output_key_ext( return PSA_ERROR_INVALID_ARGUMENT; } - if (!psa_key_production_parameters_are_default(params, params_data_length)) { + (void) custom_data; /* We only accept 0-length data */ + if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -6487,9 +6489,10 @@ psa_status_t psa_key_derivation_output_key( psa_key_derivation_operation_t *operation, mbedtls_svc_key_id_t *key) { - return psa_key_derivation_output_key_ext(attributes, operation, - &default_production_parameters, 0, - key); + return psa_key_derivation_output_key_custom(attributes, operation, + &default_custom_production, + NULL, 0, + key); } @@ -7863,15 +7866,18 @@ static psa_status_t psa_validate_key_type_and_size_for_key_generation( psa_status_t psa_generate_key_internal( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_type_t type = attributes->type; /* Only used for RSA */ - (void) params; - (void) params_data_length; + (void) custom; + (void) custom_data; + (void) custom_data_length; if (key_type_is_raw_bytes(type)) { status = psa_generate_random_internal(key_buffer, key_buffer_size); @@ -7889,7 +7895,7 @@ psa_status_t psa_generate_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { return mbedtls_psa_rsa_generate_key(attributes, - params, params_data_length, + custom_data, custom_data_length, key_buffer, key_buffer_size, key_buffer_length); @@ -7921,10 +7927,11 @@ psa_status_t psa_generate_key_internal( return PSA_SUCCESS; } -psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key) +psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, + mbedtls_svc_key_id_t *key) { psa_status_t status; psa_key_slot_t *slot = NULL; @@ -7946,12 +7953,12 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (attributes->type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - if (params->flags != 0) { + if (custom->flags != 0) { return PSA_ERROR_INVALID_ARGUMENT; } } else #endif - if (!psa_key_production_parameters_are_default(params, params_data_length)) { + if (!psa_custom_key_parameters_are_default(custom, custom_data_length)) { return PSA_ERROR_INVALID_ARGUMENT; } @@ -7992,7 +7999,8 @@ psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, } status = psa_driver_wrapper_generate_key(attributes, - params, params_data_length, + custom, + custom_data, custom_data_length, slot->key.data, slot->key.bytes, &slot->key.bytes); if (status != PSA_SUCCESS) { @@ -8013,9 +8021,10 @@ exit: psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, mbedtls_svc_key_id_t *key) { - return psa_generate_key_ext(attributes, - &default_production_parameters, 0, - key); + return psa_generate_key_custom(attributes, + &default_custom_production, + NULL, 0, + key); } /****************************************************************/ diff --git a/tf-psa-crypto/core/psa_crypto_core.h b/tf-psa-crypto/core/psa_crypto_core.h index 9462d2e8be..e7ff151a8b 100644 --- a/tf-psa-crypto/core/psa_crypto_core.h +++ b/tf-psa-crypto/core/psa_crypto_core.h @@ -343,17 +343,18 @@ psa_status_t psa_export_public_key_internal( const uint8_t *key_buffer, size_t key_buffer_size, uint8_t *data, size_t data_size, size_t *data_length); -/** Whether a key production parameters structure is the default. +/** Whether a key custom production parameters structure is the default. * - * Calls to a key generation driver with non-default production parameters + * Calls to a key generation driver with non-default custom production parameters * require a driver supporting custom production parameters. * - * \param[in] params The key production parameters to check. - * \param params_data_length Size of `params->data` in bytes. + * \param[in] custom The key custom production parameters to check. + * \param custom_data_length Size of the associated variable-length data + * in bytes. */ -int psa_key_production_parameters_are_default( - const psa_key_production_parameters_t *params, - size_t params_data_length); +int psa_custom_key_parameters_are_default( + const psa_custom_key_parameters_t *custom, + size_t custom_data_length); /** * \brief Generate a key. @@ -362,9 +363,9 @@ int psa_key_production_parameters_are_default( * entry point. * * \param[in] attributes The attributes for the key to generate. - * \param[in] params The production parameters from - * psa_generate_key_ext(). - * \param params_data_length The size of `params->data` in bytes. + * \param[in] custom Custom parameters for the key generation. + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length Length of `custom_data` in bytes. * \param[out] key_buffer Buffer where the key data is to be written. * \param[in] key_buffer_size Size of \p key_buffer in bytes. * \param[out] key_buffer_length On success, the number of bytes written in @@ -379,8 +380,9 @@ int psa_key_production_parameters_are_default( * The size of \p key_buffer is too small. */ psa_status_t psa_generate_key_internal(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); diff --git a/tf-psa-crypto/core/psa_crypto_rsa.c b/tf-psa-crypto/core/psa_crypto_rsa.c index 2f613b32da..f8e36d8b12 100644 --- a/tf-psa-crypto/core/psa_crypto_rsa.c +++ b/tf-psa-crypto/core/psa_crypto_rsa.c @@ -241,7 +241,7 @@ static psa_status_t psa_rsa_read_exponent(const uint8_t *e_bytes, psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length) { psa_status_t status; @@ -249,8 +249,8 @@ psa_status_t mbedtls_psa_rsa_generate_key( int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int exponent = 65537; - if (params_data_length != 0) { - status = psa_rsa_read_exponent(params->data, params_data_length, + if (custom_data_length != 0) { + status = psa_rsa_read_exponent(custom_data, custom_data_length, &exponent); if (status != PSA_SUCCESS) { return status; diff --git a/tf-psa-crypto/core/psa_crypto_rsa.h b/tf-psa-crypto/core/psa_crypto_rsa.h index ffeef26be1..1a780006a9 100644 --- a/tf-psa-crypto/core/psa_crypto_rsa.h +++ b/tf-psa-crypto/core/psa_crypto_rsa.h @@ -105,17 +105,11 @@ psa_status_t mbedtls_psa_rsa_export_public_key( /** * \brief Generate an RSA key. * - * \note The signature of the function is that of a PSA driver generate_key - * entry point. - * * \param[in] attributes The attributes for the RSA key to generate. - * \param[in] params Production parameters for the key - * generation. This function only uses - * `params->data`, - * which contains the public exponent. + * \param[in] custom_data The public exponent to use. * This can be a null pointer if * \c params_data_length is 0. - * \param params_data_length Length of `params->data` in bytes. + * \param custom_data_length Length of \p custom_data in bytes. * This can be 0, in which case the * public exponent will be 65537. * \param[out] key_buffer Buffer where the key data is to be written. @@ -132,7 +126,7 @@ psa_status_t mbedtls_psa_rsa_export_public_key( */ psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, size_t params_data_length, + const uint8_t *custom_data, size_t custom_data_length, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length); /** Sign an already-calculated hash with an RSA private key. diff --git a/tf-psa-crypto/include/psa/crypto.h b/tf-psa-crypto/include/psa/crypto.h index 3525da221f..917e533555 100644 --- a/tf-psa-crypto/include/psa/crypto.h +++ b/tf-psa-crypto/include/psa/crypto.h @@ -119,8 +119,8 @@ static psa_key_attributes_t psa_key_attributes_init(void); * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), - * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * psa_import_key(), psa_generate_key(), psa_generate_key_custom(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom() * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external @@ -164,8 +164,8 @@ static void mbedtls_set_key_owner_id(psa_key_attributes_t *attributes, * value in the structure. * The persistent key will be written to storage when the attribute * structure is passed to a key creation function such as - * psa_import_key(), psa_generate_key(), psa_generate_key_ext(), - * psa_key_derivation_output_key(), psa_key_derivation_output_key_ext() + * psa_import_key(), psa_generate_key(), psa_generate_key_custom(), + * psa_key_derivation_output_key(), psa_key_derivation_output_key_custom() * or psa_copy_key(). * * This function may be declared as `static` (i.e. without external @@ -3234,7 +3234,7 @@ static psa_key_derivation_operation_t psa_key_derivation_operation_init(void); * of or after providing inputs. For some algorithms, this step is mandatory * because the output depends on the maximum capacity. * -# To derive a key, call psa_key_derivation_output_key() or - * psa_key_derivation_output_key_ext(). + * psa_key_derivation_output_key_custom(). * To derive a byte string for a different purpose, call * psa_key_derivation_output_bytes(). * Successive calls to these functions use successive output bytes @@ -3457,7 +3457,7 @@ psa_status_t psa_key_derivation_input_integer( * \note Once all inputs steps are completed, the operations will allow: * - psa_key_derivation_output_bytes() if each input was either a direct input * or a key with #PSA_KEY_USAGE_DERIVE set; - * - psa_key_derivation_output_key() or psa_key_derivation_output_key_ext() + * - psa_key_derivation_output_key() or psa_key_derivation_output_key_custom() * if the input for step * #PSA_KEY_DERIVATION_INPUT_SECRET or #PSA_KEY_DERIVATION_INPUT_PASSWORD * was from a key slot with #PSA_KEY_USAGE_DERIVE and each other input was @@ -3707,9 +3707,9 @@ psa_status_t psa_key_derivation_output_bytes( * on the derived key based on the attributes and strength of the secret key. * * \note This function is equivalent to calling - * psa_key_derivation_output_key_ext() - * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * and `params_data_length == 0` (i.e. `params->data` is empty). + * psa_key_derivation_output_key_custom() + * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + * and `custom_data_length == 0` (i.e. `custom_data` is empty). * * \param[in] attributes The attributes for the new key. * If the key type to be created is @@ -3781,17 +3781,14 @@ psa_status_t psa_key_derivation_output_key( * the policy must be the same as in the current * operation. * \param[in,out] operation The key derivation operation object to read from. - * \param[in] params Customization parameters for the key derivation. - * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * with \p params_data_length = 0, + * \param[in] custom Customization parameters for the key generation. + * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + * with \p custom_data_length = 0, * this function is equivalent to * psa_key_derivation_output_key(). - * Mbed TLS currently only supports the default - * production parameters, i.e. - * #PSA_KEY_PRODUCTION_PARAMETERS_INIT, - * for all key types. - * \param params_data_length - * Length of `params->data` in bytes. + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length + * Length of `custom_data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -3834,11 +3831,12 @@ psa_status_t psa_key_derivation_output_key( * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_key_derivation_output_key_ext( +psa_status_t psa_key_derivation_output_key_custom( const psa_key_attributes_t *attributes, psa_key_derivation_operation_t *operation, - const psa_key_production_parameters_t *params, - size_t params_data_length, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, mbedtls_svc_key_id_t *key); /** Compare output data from a key derivation operation to an expected value. @@ -3927,7 +3925,7 @@ psa_status_t psa_key_derivation_verify_bytes( * operation. The value of this key was likely * computed by a previous call to * psa_key_derivation_output_key() or - * psa_key_derivation_output_key_ext(). + * psa_key_derivation_output_key_custom(). * * \retval #PSA_SUCCESS \emptydescription * \retval #PSA_ERROR_INVALID_SIGNATURE @@ -4095,9 +4093,9 @@ psa_status_t psa_generate_random(uint8_t *output, * between 2^{n-1} and 2^n where n is the bit size specified in the * attributes. * - * \note This function is equivalent to calling psa_generate_key_ext() - * with the production parameters #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * and `params_data_length == 0` (i.e. `params->data` is empty). + * \note This function is equivalent to calling psa_generate_key_custom() + * with the custom production parameters #PSA_CUSTOM_KEY_PARAMETERS_INIT + * and `custom_data_length == 0` (i.e. `custom_data` is empty). * * \param[in] attributes The attributes for the new key. * \param[out] key On success, an identifier for the newly created @@ -4137,7 +4135,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * See the description of psa_generate_key() for the operation of this * function with the default production parameters. In addition, this function * supports the following production customizations, described in more detail - * in the documentation of ::psa_key_production_parameters_t: + * in the documentation of ::psa_custom_key_parameters_t: * * - RSA keys: generation with a custom public exponent. * @@ -4145,13 +4143,14 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * versions of Mbed TLS. * * \param[in] attributes The attributes for the new key. - * \param[in] params Customization parameters for the key generation. - * When this is #PSA_KEY_PRODUCTION_PARAMETERS_INIT - * with \p params_data_length = 0, + * \param[in] custom Customization parameters for the key generation. + * When this is #PSA_CUSTOM_KEY_PARAMETERS_INIT + * with \p custom_data_length = 0, * this function is equivalent to * psa_generate_key(). - * \param params_data_length - * Length of `params->data` in bytes. + * \param[in] custom_data Variable-length data associated with \c custom. + * \param custom_data_length + * Length of `custom_data` in bytes. * \param[out] key On success, an identifier for the newly created * key. For persistent keys, this is the key * identifier defined in \p attributes. @@ -4180,10 +4179,11 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes, * It is implementation-dependent whether a failure to initialize * results in this error code. */ -psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes, - const psa_key_production_parameters_t *params, - size_t params_data_length, - mbedtls_svc_key_id_t *key); +psa_status_t psa_generate_key_custom(const psa_key_attributes_t *attributes, + const psa_custom_key_parameters_t *custom, + const uint8_t *custom_data, + size_t custom_data_length, + mbedtls_svc_key_id_t *key); /**@}*/ diff --git a/tf-psa-crypto/include/psa/crypto_struct.h b/tf-psa-crypto/include/psa/crypto_struct.h index 3913551aa8..eabc2f4cd0 100644 --- a/tf-psa-crypto/include/psa/crypto_struct.h +++ b/tf-psa-crypto/include/psa/crypto_struct.h @@ -223,21 +223,19 @@ static inline struct psa_key_derivation_s psa_key_derivation_operation_init( return v; } -struct psa_key_production_parameters_s { +struct psa_custom_key_parameters_s { /* Future versions may add other fields in this structure. */ uint32_t flags; - uint8_t data[]; }; /** The default production parameters for key generation or key derivation. * - * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext() - * with `params=PSA_KEY_PRODUCTION_PARAMETERS_INIT` and - * `params_data_length == 0` is equivalent to - * calling psa_generate_key() or psa_key_derivation_output_key() + * Calling psa_generate_key_custom() or psa_key_derivation_output_key_custom() + * with `custom=PSA_CUSTOM_KEY_PARAMETERS_INIT` and `custom_data_length=0` is + * equivalent to calling psa_generate_key() or psa_key_derivation_output_key() * respectively. */ -#define PSA_KEY_PRODUCTION_PARAMETERS_INIT { 0 } +#define PSA_CUSTOM_KEY_PARAMETERS_INIT { 0 } struct psa_key_policy_s { psa_key_usage_t MBEDTLS_PRIVATE(usage); diff --git a/tf-psa-crypto/include/psa/crypto_types.h b/tf-psa-crypto/include/psa/crypto_types.h index c21bad86cc..bb857abb09 100644 --- a/tf-psa-crypto/include/psa/crypto_types.h +++ b/tf-psa-crypto/include/psa/crypto_types.h @@ -457,27 +457,27 @@ typedef uint16_t psa_key_derivation_step_t; /** \brief Custom parameters for key generation or key derivation. * - * This is a structure type with at least the following fields: + * This is a structure type with at least the following field: * * - \c flags: an unsigned integer type. 0 for the default production parameters. - * - \c data: a flexible array of bytes. * - * The interpretation of this structure depend on the type of the - * created key. + * Functions that take such a structure as input also take an associated + * input buffer \c custom_data of length \c custom_data_length. + * + * The interpretation of this structure and the associated \c custom_data + * parameter depend on the type of the created key. * * - #PSA_KEY_TYPE_RSA_KEY_PAIR: * - \c flags: must be 0. - * - \c data: the public exponent, in little-endian order. + * - \c custom_data: the public exponent, in little-endian order. * This must be an odd integer and must not be 1. * Implementations must support 65537, should support 3 and may * support other values. * When not using a driver, Mbed TLS supports values up to \c INT_MAX. - * If this is empty or if the custom production parameters are omitted - * altogether, the default value 65537 is used. + * If this is empty, the default value 65537 is used. * - Other key types: reserved for future use. \c flags must be 0. - * */ -typedef struct psa_key_production_parameters_s psa_key_production_parameters_t; +typedef struct psa_custom_key_parameters_s psa_custom_key_parameters_t; /**@}*/ diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data index 32c7274444..eb84bc588b 100644 --- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data +++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.data @@ -6935,17 +6935,17 @@ PSA key derivation: PBKDF2-AES-CMAC-PRF-128-> AES-256 depends_on:PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH derive_key_type:PSA_ALG_PBKDF2_AES_CMAC_PRF_128:"706173737764":"01":"73616c74":PSA_KEY_TYPE_AES:256:"28e288c6345bb5ecf7ca70274208a3ba0f1148b5868537d5e09d3ee6813b1f52" -PSA key derivation: default params -> AES-128 +PSA key derivation custom: default -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"":PSA_SUCCESS:"3cb25f25faacd57a90434f64d0362f2a" -PSA key derivation: params.flags=1 -> AES-128 +PSA key derivation custom: flags=1 -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:1:"":PSA_ERROR_INVALID_ARGUMENT:"" -PSA key derivation: params.data non-empty -> AES-128 +PSA key derivation custom: data non-empty -> AES-128 depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES -derive_key_ext:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" +derive_key_custom:PSA_ALG_HKDF(PSA_ALG_SHA_256):"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":"000102030405060708090a0b0c":"f0f1f2f3f4f5f6f7f8f9":PSA_KEY_TYPE_AES:128:0:"2a":PSA_ERROR_INVALID_ARGUMENT:"" PSA key derivation: invalid type (0) depends_on:PSA_WANT_ALG_HKDF:PSA_WANT_ALG_SHA_256 @@ -7520,82 +7520,82 @@ PSA generate key: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE generate_key:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0 -PSA generate key ext: RSA, params.flags=1 +PSA generate key custom: RSA, flags=1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:1:"":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: RSA, empty e +PSA generate key custom: RSA, empty e depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"":PSA_SUCCESS -PSA generate key ext: RSA, e=3 +PSA generate key custom: RSA, e=3 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"03":PSA_SUCCESS -PSA generate key ext: RSA, e=3 with leading zeros +PSA generate key custom: RSA, e=3 with leading zeros depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"000003":PSA_SUCCESS # TODO: currently errors with NOT_SUPPORTED because e is converted to an int # and the conversion errors out if there are too many digits without checking # for leading zeros. This is a very minor bug. Re-enable this test when this # bug is fixed. -#PSA generate key ext: RSA, e=3 with many leading zeros +#PSA generate key custom: RSA, e=3 with many leading zeros #depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -#generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS +#generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0000000000000000000000000000000003":PSA_SUCCESS -PSA generate key ext: RSA, e=513 +PSA generate key custom: RSA, e=513 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"0201":PSA_SUCCESS -PSA generate key ext: RSA, e=65537 +PSA generate key custom: RSA, e=65537 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"010001":PSA_SUCCESS -PSA generate key ext: RSA, e=2^31-1 +PSA generate key custom: RSA, e=2^31-1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:PSA_WANT_ALG_RSA_PKCS1V15_CRYPT:INT_MAX>=0x7fffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:PSA_ALG_RSA_PKCS1V15_CRYPT:0:"7fffffff":PSA_SUCCESS -PSA generate key ext: RSA, e=2^31+3 (too large for built-in RSA) +PSA generate key custom: RSA, e=2^31+3 (too large for built-in RSA) depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0x7fffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"80000003":PSA_ERROR_NOT_SUPPORTED -PSA generate key ext: RSA, e=2^64+3 (too large for built-in RSA) +PSA generate key custom: RSA, e=2^64+3 (too large for built-in RSA) depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_GENERATE:INT_MAX<=0xffffffffffffffff -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"010000000000000003":PSA_ERROR_NOT_SUPPORTED -PSA generate key ext: RSA, e=1 +PSA generate key custom: RSA, e=1 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"01":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: RSA, e=0 +PSA generate key custom: RSA, e=0 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"00":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: RSA, e=2 +PSA generate key custom: RSA, e=2 depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"02":PSA_ERROR_INVALID_ARGUMENT # Check that with a driver, we reject a custom e as unsupported, # as opposed to silently using the default e. # When we add proper driver support, remove this test case and remove # the dependency on MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE from # the positive/invalid_argument test cases. -PSA generate key ext: RSA, e=3 with driver and no fallback (not yet supported) +PSA generate key custom: RSA, e=3 with driver and no fallback (not yet supported) depends_on:PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE:!MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE -generate_key_ext:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED +generate_key_custom:PSA_KEY_TYPE_RSA_KEY_PAIR:PSA_VENDOR_RSA_GENERATE_MIN_KEY_BITS:PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT:0:0:"03":PSA_ERROR_NOT_SUPPORTED -PSA generate key ext: ECC, flags=0 +PSA generate key custom: ECC, flags=0 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"":PSA_SUCCESS -PSA generate key ext: ECC, flags=1 +PSA generate key custom: ECC, flags=1 depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:1:"":PSA_ERROR_INVALID_ARGUMENT -PSA generate key ext: ECC, params.data non-empty +PSA generate key custom: ECC, data non-empty depends_on:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ALG_ECDH -generate_key_ext:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT +generate_key_custom:PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1):256:PSA_KEY_USAGE_DERIVE:PSA_ALG_ECDH:0:"2a":PSA_ERROR_INVALID_ARGUMENT PSA concurrent key generation: bad type (RSA public key) depends_on:PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY:MBEDTLS_THREADING_PTHREAD @@ -7741,9 +7741,6 @@ PSA concurrent key generation: FFDH, 1024 bits, invalid bits depends_on:PSA_WANT_ALG_FFDH:PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE:MBEDTLS_THREADING_PTHREAD concurrently_generate_keys:PSA_KEY_TYPE_DH_KEY_PAIR(PSA_DH_FAMILY_RFC7919):1024:PSA_KEY_USAGE_EXPORT:PSA_ALG_FFDH:PSA_ERROR_NOT_SUPPORTED:0:8:5 -Key production parameters initializers -key_production_parameters_init: - PSA import persistent key: raw data, 8 bits depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C persistent_key_load_key_from_storage:"2a":PSA_KEY_TYPE_RAW_DATA:8:PSA_KEY_USAGE_EXPORT:0:IMPORT_KEY diff --git a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function index 0c8552bd55..f6503f7e4d 100644 --- a/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function +++ b/tf-psa-crypto/tests/suites/test_suite_psa_crypto.function @@ -1312,30 +1312,6 @@ exit: } #endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE */ -static int setup_key_production_parameters( - psa_key_production_parameters_t **params, size_t *params_data_length, - int flags_arg, const data_t *params_data) -{ - *params_data_length = params_data->len; - /* If there are N bytes of padding at the end of - * psa_key_production_parameters_t, then it's enough to allocate - * MIN(sizeof(psa_key_production_parameters_t), - * offsetof(psa_key_production_parameters_t, data) + params_data_length). - * - * For simplicity, here, we allocate up to N more bytes than necessary. - * In practice, the current layout of psa_key_production_parameters_t - * makes padding extremely unlikely, so we don't worry about testing - * that the library code doesn't try to access these extra N bytes. - */ - *params = mbedtls_calloc(1, sizeof(**params) + *params_data_length); - TEST_ASSERT(*params != NULL); - (*params)->flags = (uint32_t) flags_arg; - memcpy((*params)->data, params_data->x, params_data->len); - return 1; -exit: - return 0; -} - #if defined(MBEDTLS_THREADING_PTHREAD) typedef struct same_key_context { @@ -9592,23 +9568,23 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void derive_key_ext(int alg_arg, - data_t *key_data, - data_t *input1, - data_t *input2, - int key_type_arg, int bits_arg, - int flags_arg, - data_t *params_data, - psa_status_t expected_status, - data_t *expected_export) +void derive_key_custom(int alg_arg, + data_t *key_data, + data_t *input1, + data_t *input2, + int key_type_arg, int bits_arg, + int flags_arg, + data_t *custom_data, + psa_status_t expected_status, + data_t *expected_export) { mbedtls_svc_key_id_t base_key = MBEDTLS_SVC_KEY_ID_INIT; mbedtls_svc_key_id_t derived_key = MBEDTLS_SVC_KEY_ID_INIT; const psa_algorithm_t alg = alg_arg; const psa_key_type_t key_type = key_type_arg; const size_t bits = bits_arg; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length = 0; + psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; + custom.flags = flags_arg; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT; const size_t export_buffer_size = PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, bits); @@ -9638,14 +9614,11 @@ void derive_key_ext(int alg_arg, psa_set_key_algorithm(&derived_attributes, 0); psa_set_key_type(&derived_attributes, key_type); psa_set_key_bits(&derived_attributes, bits); - if (!setup_key_production_parameters(¶ms, ¶ms_data_length, - flags_arg, params_data)) { - goto exit; - } - TEST_EQUAL(psa_key_derivation_output_key_ext(&derived_attributes, &operation, - params, params_data_length, - &derived_key), + TEST_EQUAL(psa_key_derivation_output_key_custom( + &derived_attributes, &operation, + &custom, custom_data->x, custom_data->len, + &derived_key), expected_status); if (expected_status == PSA_SUCCESS) { @@ -9658,7 +9631,6 @@ void derive_key_ext(int alg_arg, exit: mbedtls_free(export_buffer); - mbedtls_free(params); psa_key_derivation_abort(&operation); psa_destroy_key(base_key); psa_destroy_key(derived_key); @@ -10153,13 +10125,13 @@ exit: /* END_CASE */ /* BEGIN_CASE */ -void generate_key_ext(int type_arg, - int bits_arg, - int usage_arg, - int alg_arg, - int flags_arg, - data_t *params_data, - int expected_status_arg) +void generate_key_custom(int type_arg, + int bits_arg, + int usage_arg, + int alg_arg, + int flags_arg, + data_t *custom_data, + int expected_status_arg) { mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_type_t type = type_arg; @@ -10168,8 +10140,8 @@ void generate_key_ext(int type_arg, psa_algorithm_t alg = alg_arg; psa_status_t expected_status = expected_status_arg; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_production_parameters_t *params = NULL; - size_t params_data_length = 0; + psa_custom_key_parameters_t custom = PSA_CUSTOM_KEY_PARAMETERS_INIT; + custom.flags = flags_arg; psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; PSA_ASSERT(psa_crypto_init()); @@ -10179,15 +10151,11 @@ void generate_key_ext(int type_arg, psa_set_key_type(&attributes, type); psa_set_key_bits(&attributes, bits); - if (!setup_key_production_parameters(¶ms, ¶ms_data_length, - flags_arg, params_data)) { - goto exit; - } - /* Generate a key */ - psa_status_t status = psa_generate_key_ext(&attributes, - params, params_data_length, - &key); + psa_status_t status = + psa_generate_key_custom(&attributes, + &custom, custom_data->x, custom_data->len, + &key); TEST_EQUAL(status, expected_status); if (expected_status != PSA_SUCCESS) { @@ -10201,7 +10169,7 @@ void generate_key_ext(int type_arg, #if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE) if (type == PSA_KEY_TYPE_RSA_KEY_PAIR) { - TEST_ASSERT(rsa_test_e(key, bits, params_data)); + TEST_ASSERT(rsa_test_e(key, bits, custom_data)); } #endif @@ -10216,24 +10184,11 @@ exit: * thus reset them as required. */ psa_reset_key_attributes(&got_attributes); - mbedtls_free(params); psa_destroy_key(key); PSA_DONE(); } /* END_CASE */ -/* BEGIN_CASE */ -void key_production_parameters_init() -{ - psa_key_production_parameters_t init = PSA_KEY_PRODUCTION_PARAMETERS_INIT; - psa_key_production_parameters_t zero; - memset(&zero, 0, sizeof(zero)); - - TEST_EQUAL(init.flags, 0); - TEST_EQUAL(zero.flags, 0); -} -/* END_CASE */ - /* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_STORAGE_C */ void persistent_key_load_key_from_storage(data_t *data, int type_arg, int bits_arg,