Replaces calls to psa_unlock_key_slot with calls to psa_unregister_read.
All instances follow a pattern of a call to psa_get_and_lock_key_slot_X,
followed by some code which reads from a slot, followed by a call to psa_unregister_read.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
This does not yet implement destruction while a key is in use for psa_destroy_key;
that will be implemented in a separate pr.
(I am not sure if I am allowed to change the documentation in the include files.)
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Rename to psa_reserve_free_key_slot, as this function reserves a slot which is
free (not always empty) for filling.
Implement necessary state transitions and state checks.
Rename unlocked_persistent_key_slot to unused_persistent_key_slot.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
This inline function is used in every case we want to change the state of a slot,
except for where we do not care about what the state of the slot was before.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Replaces psa_lock_key_slot and psa_unlock_key_slot.
Future commits will remove the calls to locking/unlocking functions,
and add calls to registering/unregistering functions.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Remove psa_is_key_slot_occupied, any function which calls this can just check
the state variable instead.
Replace psa_is_key_slot_locked with psa_key_slot_has_readers.
References to the now removed functions are changed in future commits.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Remove the `status` field and replace with the `state` field.
Remove the `lock_count` field and replace with the `registered_readers` field.
Add documentation which describes how and why these fields are to be used.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Legacy CCM and GCM can work even when AES_C is not defined thanks
to the block_cipher module, so we can relax guards in
cipher_wrap.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This commit also updates test_suite_pkparse.data file adding
MBEDTLS_CIPHER_C dependencies whenever PKCS[5/12] is used.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Directly export the public part of a key pair without having to go through
intermediate objects (using mbedtls_ecp_point_write_binary would require a
group object and a point object).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Set the public key in a key pair. This complements mbedtls_ecp_read_key and
the functions can be used in either order.
Document the need to call check functions separately.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Sometimes you don't need to have all the parts of a key pair object. Relax
the behavior of mbedtls_ecp_keypair so that you can extract just the parts
that you need.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a simple function to get the group id from a key object.
This information is available via mbedtls_ecp_export, but that function
consumes a lot of memory, which is a waste if all you need is to identify
the curve.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
And use it in the non-PSA version of mbedtls_pk_sign_ext()
to bypass checks that didn't succeed when used by TLS 1.3.
That is because in the failing scenarios the padding of
the RSA context is not set to PKCS_V21.
See the discussion on PR #7930 for more details.
Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
This makes the function always available with its
its implementation depending on MBEDTLS_USE_PSA_CRYPTO.
Related dependencies and tests are updated as well.
Fixes#7583.
Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
Old versions of clang don't support this pragma, so we have to assume
that the user will have set the flags.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
