Merge pull request #113 from gilles-peskine-arm/psa-generator_to_derivation

Replace "generator" with "key derivation"
Jaeden Amero 2019-05-16 18:20:29 +01:00 committed by GitHub
commit eef988fc2d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
11 changed files with 734 additions and 708 deletions


@ -335,7 +335,7 @@ Deriving a new AES-CTR 128-bit encryption key into a given key slot using HKDF w
1. Set up the generator using the `psa_key_derivation` function providing a key slot containing a key that can be used for key derivation and a salt and label (Note: salt and label are optional). 1. Set up the generator using the `psa_key_derivation` function providing a key slot containing a key that can be used for key derivation and a salt and label (Note: salt and label are optional).
1. Initiate a key policy to for the derived key by calling `psa_key_policy_set_usage()` with `PSA_KEY_USAGE_ENCRYPT` parameter and the algorithm `PSA_ALG_CTR`. 1. Initiate a key policy to for the derived key by calling `psa_key_policy_set_usage()` with `PSA_KEY_USAGE_ENCRYPT` parameter and the algorithm `PSA_ALG_CTR`.
1. Set the key policy to the derived key slot. 1. Set the key policy to the derived key slot.
1. Import a key from generator into the desired key slot using (`psa_generate_derived_key`). 1. Import a key from generator into the desired key slot using (`psa_key_derivation_output_key`).
1. Clean up generator. 1. Clean up generator.
At this point the derived key slot holds a new 128-bit AES-CTR encryption key derived from the key, salt and label provided: At this point the derived key slot holds a new 128-bit AES-CTR encryption key derived from the key, salt and label provided:
@ -358,7 +358,7 @@ At this point the derived key slot holds a new 128-bit AES-CTR encryption key de
psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256); psa_algorithm_t alg = PSA_ALG_HKDF(PSA_ALG_SHA_256);
psa_key_policy_t policy = PSA_KEY_POLICY_INIT; psa_key_policy_t policy = PSA_KEY_POLICY_INIT;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
size_t derived_bits = 128; size_t derived_bits = 128;
size_t capacity = PSA_BITS_TO_BYTES(derived_bits); size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
@ -378,10 +378,10 @@ At this point the derived key slot holds a new 128-bit AES-CTR encryption key de
psa_set_key_policy(derived_key, &policy); psa_set_key_policy(derived_key, &policy);
psa_generate_derived_key(derived_key, PSA_KEY_TYPE_AES, derived_bits, &generator); psa_key_derivation_output_key(derived_key, PSA_KEY_TYPE_AES, derived_bits, &generator);
/* Clean up generator and key */ /* Clean up generator and key */
psa_generator_abort(&generator); psa_key_derivation_abort(&generator);
/* as part of clean up you may want to clean up the keys used by calling: /* as part of clean up you may want to clean up the keys used by calling:
* psa_destroy_key( base_key ); or psa_destroy_key( derived_key ); */ * psa_destroy_key( base_key ); or psa_destroy_key( derived_key ); */
mbedtls_psa_crypto_free(); mbedtls_psa_crypto_free();


@ -183,10 +183,10 @@ psa_status_t psa_crypto_init(void);
* domain parameters, call psa_set_key_domain_parameters() instead. * domain parameters, call psa_set_key_domain_parameters() instead.
* Skip this step if copying an existing key with psa_copy_key(). * Skip this step if copying an existing key with psa_copy_key().
* -# When generating a random key with psa_generate_random_key() or deriving a key * -# When generating a random key with psa_generate_random_key() or deriving a key
* with psa_generate_derived_key(), set the desired key size with * with psa_key_derivation_output_key(), set the desired key size with
* psa_set_key_bits(). * psa_set_key_bits().
* -# Call a key creation function: psa_import_key(), psa_generate_random_key(), * -# Call a key creation function: psa_import_key(), psa_generate_random_key(),
* psa_generate_derived_key() or psa_copy_key(). This function reads * psa_key_derivation_output_key() or psa_copy_key(). This function reads
* the attribute structure, creates a key with these attributes, and * the attribute structure, creates a key with these attributes, and
* outputs a handle to the newly created key. * outputs a handle to the newly created key.
* -# The attribute structure is now no longer necessary. If you called * -# The attribute structure is now no longer necessary. If you called
@ -217,7 +217,7 @@ typedef struct psa_key_attributes_s psa_key_attributes_t;
* The persistent key will be written to storage when the attribute * The persistent key will be written to storage when the attribute
* structure is passed to a key creation function such as * structure is passed to a key creation function such as
* psa_import_key(), psa_generate_random_key(), * psa_import_key(), psa_generate_random_key(),
* psa_generate_derived_key() or psa_copy_key(). * psa_key_derivation_output_key() or psa_copy_key().
* *
* This function may be declared as `static` (i.e. without external * This function may be declared as `static` (i.e. without external
* linkage). This function may be provided as a function-like macro, * linkage). This function may be provided as a function-like macro,
@ -242,7 +242,7 @@ static void psa_set_key_id(psa_key_attributes_t *attributes,
* The persistent key will be written to storage when the attribute * The persistent key will be written to storage when the attribute
* structure is passed to a key creation function such as * structure is passed to a key creation function such as
* psa_import_key(), psa_generate_random_key(), * psa_import_key(), psa_generate_random_key(),
* psa_generate_derived_key() or psa_copy_key(). * psa_key_derivation_output_key() or psa_copy_key().
* *
* This function may be declared as `static` (i.e. without external * This function may be declared as `static` (i.e. without external
* linkage). This function may be provided as a function-like macro, * linkage). This function may be provided as a function-like macro,
@ -2969,291 +2969,85 @@ psa_status_t psa_asymmetric_decrypt(psa_key_handle_t handle,
/**@}*/ /**@}*/
/** \defgroup generators Generators /** \defgroup key_derivation Key derivation and pseudorandom generation
* @{ * @{
*/ */
/** The type of the state data structure for generators. /** The type of the state data structure for key derivation operations.
* *
* Before calling any function on a generator, the application must * Before calling any function on a key derivation operation object, the
* initialize it by any of the following means: * application must initialize it by any of the following means:
* - Set the structure to all-bits-zero, for example: * - Set the structure to all-bits-zero, for example:
* \code * \code
* psa_crypto_generator_t generator; * psa_key_derivation_operation_t operation;
* memset(&generator, 0, sizeof(generator)); * memset(&operation, 0, sizeof(operation));
* \endcode * \endcode
* - Initialize the structure to logical zero values, for example: * - Initialize the structure to logical zero values, for example:
* \code * \code
* psa_crypto_generator_t generator = {0}; * psa_key_derivation_operation_t operation = {0};
* \endcode * \endcode
* - Initialize the structure to the initializer #PSA_CRYPTO_GENERATOR_INIT, * - Initialize the structure to the initializer #PSA_KEY_DERIVATION_OPERATION_INIT,
* for example: * for example:
* \code * \code
* psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; * psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
* \endcode * \endcode
* - Assign the result of the function psa_crypto_generator_init() * - Assign the result of the function psa_key_derivation_operation_init()
* to the structure, for example: * to the structure, for example:
* \code * \code
* psa_crypto_generator_t generator; * psa_key_derivation_operation_t operation;
* generator = psa_crypto_generator_init(); * operation = psa_key_derivation_operation_init();
* \endcode * \endcode
* *
* This is an implementation-defined \c struct. Applications should not * This is an implementation-defined \c struct. Applications should not
* make any assumptions about the content of this structure except * make any assumptions about the content of this structure except
* as directed by the documentation of a specific implementation. * as directed by the documentation of a specific implementation.
*/ */
typedef struct psa_crypto_generator_s psa_crypto_generator_t; typedef struct psa_key_derivation_s psa_key_derivation_operation_t;
/** \def PSA_CRYPTO_GENERATOR_INIT /** \def PSA_KEY_DERIVATION_OPERATION_INIT
* *
* This macro returns a suitable initializer for a generator object * This macro returns a suitable initializer for a key derivation operation
* of type #psa_crypto_generator_t. * object of type #psa_key_derivation_operation_t.
*/ */
#ifdef __DOXYGEN_ONLY__ #ifdef __DOXYGEN_ONLY__
/* This is an example definition for documentation purposes. /* This is an example definition for documentation purposes.
* Implementations should define a suitable value in `crypto_struct.h`. * Implementations should define a suitable value in `crypto_struct.h`.
*/ */
#define PSA_CRYPTO_GENERATOR_INIT {0} #define PSA_KEY_DERIVATION_OPERATION_INIT {0}
#endif #endif
/** Return an initial value for a generator object. /** Return an initial value for a key derivation operation object.
*/
static psa_crypto_generator_t psa_crypto_generator_init(void);
/** Retrieve the current capacity of a generator.
*
* The capacity of a generator is the maximum number of bytes that it can
* return. Reading *N* bytes from a generator reduces its capacity by *N*.
*
* \param[in] generator The generator to query.
* \param[out] capacity On success, the capacity of the generator.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
*/
psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator,
size_t *capacity);
/** Set the maximum capacity of a generator.
*
* \param[in,out] generator The generator object to modify.
* \param capacity The new capacity of the generator.
* It must be less or equal to the generator's
* current capacity.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p capacity is larger than the generator's current capacity.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
*/
psa_status_t psa_set_generator_capacity(psa_crypto_generator_t *generator,
size_t capacity);
/** Read some data from a generator.
*
* This function reads and returns a sequence of bytes from a generator.
* The data that is read is discarded from the generator. The generator's
* capacity is decreased by the number of bytes read.
*
* \param[in,out] generator The generator object to read from.
* \param[out] output Buffer where the generator output will be
* written.
* \param output_length Number of bytes to output.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INSUFFICIENT_DATA
* There were fewer than \p output_length bytes
* in the generator. Note that in this case, no
* output is written to the output buffer.
* The generator's capacity is set to 0, thus
* subsequent calls to this function will not
* succeed, even with a smaller output buffer.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
*/
psa_status_t psa_generator_read(psa_crypto_generator_t *generator,
uint8_t *output,
size_t output_length);
/** Generate a key deterministically from data read from a generator.
*
* This function uses the output of a generator to derive a key.
* How much output it consumes and how the key is derived depends on the
* key type.
*
* - For key types for which the key is an arbitrary sequence of bytes
* of a given size,
* this function is functionally equivalent to calling #psa_generator_read
* and passing the resulting output to #psa_import_key.
* However, this function has a security benefit:
* if the implementation provides an isolation boundary then
* the key material is not exposed outside the isolation boundary.
* As a consequence, for these key types, this function always consumes
* exactly (\p bits / 8) bytes from the generator.
* The following key types defined in this specification follow this scheme:
*
* - #PSA_KEY_TYPE_AES;
* - #PSA_KEY_TYPE_ARC4;
* - #PSA_KEY_TYPE_CAMELLIA;
* - #PSA_KEY_TYPE_DERIVE;
* - #PSA_KEY_TYPE_HMAC.
*
* - For ECC keys on a Montgomery elliptic curve
* (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
* Montgomery curve), this function always draws a byte string whose
* length is determined by the curve, and sets the mandatory bits
* accordingly. That is:
*
* - #PSA_ECC_CURVE_CURVE25519: draw a 32-byte string
* and process it as specified in RFC 7748 §5.
* - #PSA_ECC_CURVE_CURVE448: draw a 56-byte string
* and process it as specified in RFC 7748 §5.
*
* - For key types for which the key is represented by a single sequence of
* \p bits bits with constraints as to which bit sequences are acceptable,
* this function draws a byte string of length (\p bits / 8) bytes rounded
* up to the nearest whole number of bytes. If the resulting byte string
* is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
* This process is repeated until an acceptable byte string is drawn.
* The byte string drawn from the generator is interpreted as specified
* for the output produced by psa_export_key().
* The following key types defined in this specification follow this scheme:
*
* - #PSA_KEY_TYPE_DES.
* Force-set the parity bits, but discard forbidden weak keys.
* For 2-key and 3-key triple-DES, the three keys are generated
* successively (for example, for 3-key triple-DES,
* if the first 8 bytes specify a weak key and the next 8 bytes do not,
* discard the first 8 bytes, use the next 8 bytes as the first key,
* and continue reading output from the generator to derive the other
* two keys).
* - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEYPAIR),
* DSA keys (#PSA_KEY_TYPE_DSA_KEYPAIR), and
* ECC keys on a Weierstrass elliptic curve
* (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
* Weierstrass curve).
* For these key types, interpret the byte string as integer
* in big-endian order. Discard it if it is not in the range
* [0, *N* - 2] where *N* is the boundary of the private key domain
* (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
* or the order of the curve's base point for ECC).
* Add 1 to the resulting integer and use this as the private key *x*.
* This method allows compliance to NIST standards, specifically
* the methods titled "key-pair generation by testing candidates"
* in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman,
* in FIPS 186-4 §B.1.2 for DSA, and
* in NIST SP 800-56A §5.6.1.2.2 or
* FIPS 186-4 §B.4.2 for elliptic curve keys.
*
* - For other key types, including #PSA_KEY_TYPE_RSA_KEYPAIR,
* the way in which the generator output is consumed is
* implementation-defined.
*
* In all cases, the data that is read is discarded from the generator.
* The generator's capacity is decreased by the number of bytes read.
*
* \param[in] attributes The attributes for the new key.
* \param[in,out] generator The generator object to read from.
* \param[out] handle On success, a handle to the newly created key.
* \c 0 on failure.
*
* \retval #PSA_SUCCESS
* Success.
* If the key is persistent, the key material and the key's metadata
* have been saved to persistent storage.
* \retval #PSA_ERROR_ALREADY_EXISTS
* This is an attempt to create a persistent key, and there is
* already a persistent key with the given identifier.
* \retval #PSA_ERROR_INSUFFICIENT_DATA
* There was not enough data to create the desired key.
* Note that in this case, no output is written to the output buffer.
* The generator's capacity is set to 0, thus subsequent calls to
* this function will not succeed, even with a smaller output buffer.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The key type or key size is not supported, either by the
* implementation in general or in this particular slot.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
psa_status_t psa_generate_derived_key(const psa_key_attributes_t *attributes,
psa_crypto_generator_t *generator,
psa_key_handle_t *handle);
/** Abort a generator.
*
* Once a generator has been aborted, its capacity is zero.
* Aborting a generator frees all associated resources except for the
* \c generator structure itself.
*
* This function may be called at any time as long as the generator
* object has been initialized to #PSA_CRYPTO_GENERATOR_INIT, to
* psa_crypto_generator_init() or a zero value. In particular, it is valid
* to call psa_generator_abort() twice, or to call psa_generator_abort()
* on a generator that has not been set up.
*
* Once aborted, the generator object may be called.
*
* \param[in,out] generator The generator to abort.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
*/
psa_status_t psa_generator_abort(psa_crypto_generator_t *generator);
/** Use the maximum possible capacity for a generator.
*
* Use this value as the capacity argument when setting up a generator
* to indicate that the generator should have the maximum possible capacity.
* The value of the maximum possible capacity depends on the generator
* algorithm.
*/
#define PSA_GENERATOR_UNBRIDLED_CAPACITY ((size_t)(-1))
/**@}*/
/** \defgroup derivation Key derivation
* @{
*/ */
static psa_key_derivation_operation_t psa_key_derivation_operation_init(void);
/** Set up a key derivation operation. /** Set up a key derivation operation.
* *
* A key derivation algorithm takes some inputs and uses them to create * A key derivation algorithm takes some inputs and uses them to generate
* a byte generator which can be used to produce keys and other * a byte stream in a deterministic way.
* This byte stream can be used to produce keys and other
* cryptographic material. * cryptographic material.
* *
* To use a generator for key derivation: * To derive a key:
* - Start with an initialized object of type #psa_crypto_generator_t. * - Start with an initialized object of type #psa_key_derivation_operation_t.
* - Call psa_key_derivation_setup() to select the algorithm. * - Call psa_key_derivation_setup() to select the algorithm.
* - Provide the inputs for the key derivation by calling * - Provide the inputs for the key derivation by calling
* psa_key_derivation_input_bytes() or psa_key_derivation_input_key() * psa_key_derivation_input_bytes() or psa_key_derivation_input_key()
* as appropriate. Which inputs are needed, in what order, and whether * as appropriate. Which inputs are needed, in what order, and whether
* they may be keys and if so of what type depends on the algorithm. * they may be keys and if so of what type depends on the algorithm.
* - Optionally set the generator's maximum capacity with * - Optionally set the operation's maximum capacity with
* psa_set_generator_capacity(). You may do this before, in the middle of * psa_key_derivation_set_capacity(). You may do this before, in the middle
* or after providing inputs. For some algorithms, this step is mandatory * of or after providing inputs. For some algorithms, this step is mandatory
* because the output depends on the maximum capacity. * because the output depends on the maximum capacity.
* - Generate output with psa_generator_read() or * - To derive a key, call psa_key_derivation_output_key().
* psa_generate_derived_key(). Successive calls to these functions * To derive a byte string for a different purpose, call
* use successive output bytes from the generator. * - psa_key_derivation_output_bytes().
* - Clean up the generator object with psa_generator_abort(). * Successive calls to these functions use successive output bytes
* calculated by the key derivation algorithm.
* - Clean up the key derivation operation object with
* psa_key_derivation_abort().
* *
* \param[in,out] generator The generator object to set up. It must * \param[in,out] operation The key derivation operation object
* to set up. It must
* have been initialized but not set up yet. * have been initialized but not set up yet.
* \param alg The key derivation algorithm to compute * \param alg The key derivation algorithm to compute
* (\c PSA_ALG_XXX value such that * (\c PSA_ALG_XXX value such that
@ -3271,8 +3065,57 @@ psa_status_t psa_generator_abort(psa_crypto_generator_t *generator);
* \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
*/ */
psa_status_t psa_key_derivation_setup(psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_setup(
psa_algorithm_t alg); psa_key_derivation_operation_t *operation,
psa_algorithm_t alg);
/** Retrieve the current capacity of a key derivation operation.
*
* The capacity of a key derivation is the maximum number of bytes that it can
* return. When you get *N* bytes of output from a key derivation operation,
* this reduces its capacity by *N*.
*
* \param[in] operation The operation to query.
* \param[out] capacity On success, the capacity of the operation.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
*/
psa_status_t psa_key_derivation_get_capacity(
const psa_key_derivation_operation_t *operation,
size_t *capacity);
/** Set the maximum capacity of a key derivation operation.
*
* The capacity of a key derivation operation is the maximum number of bytes
* that the key derivation operation can return from this point onwards.
*
* \param[in,out] operation The key derivation operation object to modify.
* \param capacity The new capacity of the operation.
* It must be less or equal to the operation's
* current capacity.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p capacity is larger than the operation's current capacity.
* In this case, the operation object remains valid and its capacity
* remains unchanged.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
*/
psa_status_t psa_key_derivation_set_capacity(
psa_key_derivation_operation_t *operation,
size_t capacity);
/** Use the maximum possible capacity for a key derivation operation.
*
* Use this value as the capacity argument when setting up a key derivation
* to indicate that the operation should have the maximum possible capacity.
* The value of the maximum possible capacity depends on the key derivation
* algorithm.
*/
#define PSA_KEY_DERIVATION_UNLIMITED_CAPACITY ((size_t)(-1))
/** Provide an input for key derivation or key agreement. /** Provide an input for key derivation or key agreement.
* *
@ -3284,8 +3127,8 @@ psa_status_t psa_key_derivation_setup(psa_crypto_generator_t *generator,
* using psa_key_derivation_input_key() instead of this function. Refer to * using psa_key_derivation_input_key() instead of this function. Refer to
* the documentation of individual step types for information. * the documentation of individual step types for information.
* *
* \param[in,out] generator The generator object to use. It must * \param[in,out] operation The key derivation operation object to use.
* have been set up with * It must have been set up with
* psa_key_derivation_setup() and must not * psa_key_derivation_setup() and must not
* have produced any output yet. * have produced any output yet.
* \param step Which step the input data is for. * \param step Which step the input data is for.
@ -3295,7 +3138,7 @@ psa_status_t psa_key_derivation_setup(psa_crypto_generator_t *generator,
* \retval #PSA_SUCCESS * \retval #PSA_SUCCESS
* Success. * Success.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step is not compatible with the generator's algorithm. * \c step is not compatible with the operation's algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step does not allow direct inputs. * \c step does not allow direct inputs.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@ -3303,16 +3146,17 @@ psa_status_t psa_key_derivation_setup(psa_crypto_generator_t *generator,
* \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
* The value of \p step is not valid given the state of \p generator. * The value of \p step is not valid given the state of \p operation.
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init(). * The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize * It is implementation-dependent whether a failure to initialize
* results in this error code. * results in this error code.
*/ */
psa_status_t psa_key_derivation_input_bytes(psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_input_bytes(
psa_key_derivation_step_t step, psa_key_derivation_operation_t *operation,
const uint8_t *data, psa_key_derivation_step_t step,
size_t data_length); const uint8_t *data,
size_t data_length);
/** Provide an input for key derivation in the form of a key. /** Provide an input for key derivation in the form of a key.
* *
@ -3325,8 +3169,8 @@ psa_status_t psa_key_derivation_input_bytes(psa_crypto_generator_t *generator,
* passed as direct inputs using psa_key_derivation_input_bytes(). Refer to * passed as direct inputs using psa_key_derivation_input_bytes(). Refer to
* the documentation of individual step types for information. * the documentation of individual step types for information.
* *
* \param[in,out] generator The generator object to use. It must * \param[in,out] operation The key derivation operation object to use.
* have been set up with * It must have been set up with
* psa_key_derivation_setup() and must not * psa_key_derivation_setup() and must not
* have produced any output yet. * have produced any output yet.
* \param step Which step the input data is for. * \param step Which step the input data is for.
@ -3340,7 +3184,7 @@ psa_status_t psa_key_derivation_input_bytes(psa_crypto_generator_t *generator,
* \retval #PSA_ERROR_DOES_NOT_EXIST * \retval #PSA_ERROR_DOES_NOT_EXIST
* \retval #PSA_ERROR_NOT_PERMITTED * \retval #PSA_ERROR_NOT_PERMITTED
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step is not compatible with the generator's algorithm. * \c step is not compatible with the operation's algorithm.
* \retval #PSA_ERROR_INVALID_ARGUMENT * \retval #PSA_ERROR_INVALID_ARGUMENT
* \c step does not allow key inputs. * \c step does not allow key inputs.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY * \retval #PSA_ERROR_INSUFFICIENT_MEMORY
@ -3348,15 +3192,16 @@ psa_status_t psa_key_derivation_input_bytes(psa_crypto_generator_t *generator,
* \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
* The value of \p step is not valid given the state of \p generator. * The value of \p step is not valid given the state of \p operation.
* \retval #PSA_ERROR_BAD_STATE * \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init(). * The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize * It is implementation-dependent whether a failure to initialize
* results in this error code. * results in this error code.
*/ */
psa_status_t psa_key_derivation_input_key(psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_input_key(
psa_key_derivation_step_t step, psa_key_derivation_operation_t *operation,
psa_key_handle_t handle); psa_key_derivation_step_t step,
psa_key_handle_t handle);
/** Perform a key agreement and use the shared secret as input to a key /** Perform a key agreement and use the shared secret as input to a key
* derivation. * derivation.
@ -3365,17 +3210,17 @@ psa_status_t psa_key_derivation_input_key(psa_crypto_generator_t *generator,
* a public key \p peer_key. * a public key \p peer_key.
* The result of this function is passed as input to a key derivation. * The result of this function is passed as input to a key derivation.
* The output of this key derivation can be extracted by reading from the * The output of this key derivation can be extracted by reading from the
* resulting generator to produce keys and other cryptographic material. * resulting operation to produce keys and other cryptographic material.
* *
* \param[in,out] generator The generator object to use. It must * \param[in,out] operation The key derivation operation object to use.
* have been set up with * It must have been set up with
* psa_key_derivation_setup() with a * psa_key_derivation_setup() with a
* key agreement and derivation algorithm * key agreement and derivation algorithm
* \c alg (\c PSA_ALG_XXX value such that * \c alg (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true * #PSA_ALG_IS_KEY_AGREEMENT(\c alg) is true
* and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg) * and #PSA_ALG_IS_RAW_KEY_AGREEMENT(\c alg)
* is false). * is false).
* The generator must be ready for an * The operation must be ready for an
* input of the type given by \p step. * input of the type given by \p step.
* \param step Which step the input data is for. * \param step Which step the input data is for.
* \param private_key Handle to the private key to use. * \param private_key Handle to the private key to use.
@ -3411,24 +3256,197 @@ psa_status_t psa_key_derivation_input_key(psa_crypto_generator_t *generator,
* \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_TAMPERING_DETECTED
*/ */
psa_status_t psa_key_agreement(psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_key_agreement(
psa_key_derivation_step_t step, psa_key_derivation_operation_t *operation,
psa_key_handle_t private_key, psa_key_derivation_step_t step,
const uint8_t *peer_key, psa_key_handle_t private_key,
size_t peer_key_length); const uint8_t *peer_key,
size_t peer_key_length);
/** Perform a key agreement and use the shared secret as input to a key /** Read some data from a key derivation operation.
* derivation.
* *
* A key agreement algorithm takes two inputs: a private key \p private_key * This function calculates output bytes from a key derivation algorithm and
* a public key \p peer_key. * return those bytes.
* If you view the key derivation's output as a stream of bytes, this
* function destructively reads the requested number of bytes from the
* stream.
* The operation's capacity decreases by the number of bytes read.
*
* \param[in,out] operation The key derivation operation object to read from.
* \param[out] output Buffer where the output will be written.
* \param output_length Number of bytes to output.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_INSUFFICIENT_DATA
* The operation's capacity was less than
* \p output_length bytes. Note that in this case,
* no output is written to the output buffer.
* The operation's capacity is set to 0, thus
* subsequent calls to this function will not
* succeed, even with a smaller output buffer.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
*/
psa_status_t psa_key_derivation_output_bytes(
psa_key_derivation_operation_t *operation,
uint8_t *output,
size_t output_length);
/** Derive a key from an ongoing key derivation operation.
*
* This function calculates output bytes from a key derivation algorithm
* and uses those bytes to generate a key deterministically.
* If you view the key derivation's output as a stream of bytes, this
* function destructively reads as many bytes as required from the
* stream.
* The operation's capacity decreases by the number of bytes read.
*
* How much output is produced and consumed from the operation, and how
* the key is derived, depends on the key type:
*
* - For key types for which the key is an arbitrary sequence of bytes
* of a given size, this function is functionally equivalent to
* calling #psa_key_derivation_output_bytes
* and passing the resulting output to #psa_import_key.
* However, this function has a security benefit:
* if the implementation provides an isolation boundary then
* the key material is not exposed outside the isolation boundary.
* As a consequence, for these key types, this function always consumes
* exactly (\p bits / 8) bytes from the operation.
* The following key types defined in this specification follow this scheme:
*
* - #PSA_KEY_TYPE_AES;
* - #PSA_KEY_TYPE_ARC4;
* - #PSA_KEY_TYPE_CAMELLIA;
* - #PSA_KEY_TYPE_DERIVE;
* - #PSA_KEY_TYPE_HMAC.
*
* - For ECC keys on a Montgomery elliptic curve
* (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
* Montgomery curve), this function always draws a byte string whose
* length is determined by the curve, and sets the mandatory bits
* accordingly. That is:
*
* - #PSA_ECC_CURVE_CURVE25519: draw a 32-byte string
* and process it as specified in RFC 7748 §5.
* - #PSA_ECC_CURVE_CURVE448: draw a 56-byte string
* and process it as specified in RFC 7748 §5.
*
* - For key types for which the key is represented by a single sequence of
* \p bits bits with constraints as to which bit sequences are acceptable,
* this function draws a byte string of length (\p bits / 8) bytes rounded
* up to the nearest whole number of bytes. If the resulting byte string
* is acceptable, it becomes the key, otherwise the drawn bytes are discarded.
* This process is repeated until an acceptable byte string is drawn.
* The byte string drawn from the operation is interpreted as specified
* for the output produced by psa_export_key().
* The following key types defined in this specification follow this scheme:
*
* - #PSA_KEY_TYPE_DES.
* Force-set the parity bits, but discard forbidden weak keys.
* For 2-key and 3-key triple-DES, the three keys are generated
* successively (for example, for 3-key triple-DES,
* if the first 8 bytes specify a weak key and the next 8 bytes do not,
* discard the first 8 bytes, use the next 8 bytes as the first key,
* and continue reading output from the operation to derive the other
* two keys).
* - Finite-field Diffie-Hellman keys (#PSA_KEY_TYPE_DH_KEYPAIR),
* DSA keys (#PSA_KEY_TYPE_DSA_KEYPAIR), and
* ECC keys on a Weierstrass elliptic curve
* (#PSA_KEY_TYPE_ECC_KEYPAIR(\c curve) where \c curve designates a
* Weierstrass curve).
* For these key types, interpret the byte string as integer
* in big-endian order. Discard it if it is not in the range
* [0, *N* - 2] where *N* is the boundary of the private key domain
* (the prime *p* for Diffie-Hellman, the subprime *q* for DSA,
* or the order of the curve's base point for ECC).
* Add 1 to the resulting integer and use this as the private key *x*.
* This method allows compliance to NIST standards, specifically
* the methods titled "key-pair generation by testing candidates"
* in NIST SP 800-56A §5.6.1.1.4 for Diffie-Hellman,
* in FIPS 186-4 §B.1.2 for DSA, and
* in NIST SP 800-56A §5.6.1.2.2 or
* FIPS 186-4 §B.4.2 for elliptic curve keys.
*
* - For other key types, including #PSA_KEY_TYPE_RSA_KEYPAIR,
* the way in which the operation output is consumed is
* implementation-defined.
*
* In all cases, the data that is read is discarded from the operation.
* The operation's capacity is decreased by the number of bytes read.
*
* \param[in] attributes The attributes for the new key.
* \param[in,out] operation The key derivation operation object to read from.
* \param[out] handle On success, a handle to the newly created key.
* \c 0 on failure.
*
* \retval #PSA_SUCCESS
* Success.
* If the key is persistent, the key material and the key's metadata
* have been saved to persistent storage.
* \retval #PSA_ERROR_ALREADY_EXISTS
* This is an attempt to create a persistent key, and there is
* already a persistent key with the given identifier.
* \retval #PSA_ERROR_INSUFFICIENT_DATA
* There was not enough data to create the desired key.
* Note that in this case, no output is written to the output buffer.
* The operation's capacity is set to 0, thus subsequent calls to
* this function will not succeed, even with a smaller output buffer.
* \retval #PSA_ERROR_NOT_SUPPORTED
* The key type or key size is not supported, either by the
* implementation in general or in this particular slot.
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_INSUFFICIENT_STORAGE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
psa_status_t psa_key_derivation_output_key(
const psa_key_attributes_t *attributes,
psa_key_derivation_operation_t *operation,
psa_key_handle_t *handle);
/** Abort a key derivation operation.
*
* Once a key derivation operation has been aborted, its capacity is zero.
* Aborting an operation frees all associated resources except for the
* \c operation structure itself.
*
* This function may be called at any time as long as the operation
* object has been initialized to #PSA_KEY_DERIVATION_OPERATION_INIT, to
* psa_key_derivation_operation_init() or a zero value. In particular,
* it is valid to call psa_key_derivation_abort() twice, or to call
* psa_key_derivation_abort() on an operation that has not been set up.
*
* Once aborted, the key derivation operation object may be called.
*
* \param[in,out] operation The operation to abort.
*
* \retval #PSA_SUCCESS
* \retval #PSA_ERROR_BAD_STATE
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED
*/
psa_status_t psa_key_derivation_abort(
psa_key_derivation_operation_t *operation);
/** Perform a key agreement and return the raw shared secret.
* *
* \warning The raw result of a key agreement algorithm such as finite-field * \warning The raw result of a key agreement algorithm such as finite-field
* Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should * Diffie-Hellman or elliptic curve Diffie-Hellman has biases and should
* not be used directly as key material. It should instead be passed as * not be used directly as key material. It should instead be passed as
* input to a key derivation algorithm. To chain a key agreement with * input to a key derivation algorithm. To chain a key agreement with
* a key derivation, use psa_key_agreement() and other functions from * a key derivation, use psa_key_derivation_key_agreement() and other
* the key derivation and generator interface. * functions from the key derivation interface.
* *
* \param alg The key agreement algorithm to compute * \param alg The key agreement algorithm to compute
* (\c PSA_ALG_XXX value such that * (\c PSA_ALG_XXX value such that
@ -3465,13 +3483,13 @@ psa_status_t psa_key_agreement(psa_crypto_generator_t *generator,
* \retval #PSA_ERROR_HARDWARE_FAILURE * \retval #PSA_ERROR_HARDWARE_FAILURE
* \retval #PSA_ERROR_TAMPERING_DETECTED * \retval #PSA_ERROR_TAMPERING_DETECTED
*/ */
psa_status_t psa_key_agreement_raw_shared_secret(psa_algorithm_t alg, psa_status_t psa_raw_key_agreement(psa_algorithm_t alg,
psa_key_handle_t private_key, psa_key_handle_t private_key,
const uint8_t *peer_key, const uint8_t *peer_key,
size_t peer_key_length, size_t peer_key_length,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length); size_t *output_length);
/**@}*/ /**@}*/


@ -157,9 +157,10 @@ psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
* - For HKDF (#PSA_ALG_HKDF), \p salt is the salt used in the "extract" step * - For HKDF (#PSA_ALG_HKDF), \p salt is the salt used in the "extract" step
* and \p label is the info string used in the "expand" step. * and \p label is the info string used in the "expand" step.
* *
* \param[in,out] generator The generator object to set up. It must have * \param[in,out] operation The key derivation object to set up. It must
* been initialized as per the documentation for * have been initialized as per the documentation
* #psa_crypto_generator_t and not yet in use. * for #psa_key_derivation_operation_t and not
* yet be in use.
* \param handle Handle to the secret key. * \param handle Handle to the secret key.
* \param alg The key derivation algorithm to compute * \param alg The key derivation algorithm to compute
* (\c PSA_ALG_XXX value such that * (\c PSA_ALG_XXX value such that
@ -169,7 +170,7 @@ psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
* \param[in] label Label to use. * \param[in] label Label to use.
* \param label_length Size of the \p label buffer in bytes. * \param label_length Size of the \p label buffer in bytes.
* \param capacity The maximum number of bytes that the * \param capacity The maximum number of bytes that the
* generator will be able to provide. * operation will be able to provide.
* *
* \retval #PSA_SUCCESS * \retval #PSA_SUCCESS
* Success. * Success.
@ -190,7 +191,7 @@ psa_status_t mbedtls_psa_inject_entropy(const unsigned char *seed,
* It is implementation-dependent whether a failure to initialize * It is implementation-dependent whether a failure to initialize
* results in this error code. * results in this error code.
*/ */
psa_status_t psa_key_derivation(psa_crypto_generator_t *generator, psa_status_t psa_key_derivation(psa_key_derivation_operation_t *operation,
psa_key_handle_t handle, psa_key_handle_t handle,
psa_algorithm_t alg, psa_algorithm_t alg,
const uint8_t *salt, const uint8_t *salt,
@ -433,7 +434,7 @@ psa_status_t psa_copy_key_to_handle(psa_key_handle_t source_handle,
psa_status_t psa_generate_derived_key_to_handle(psa_key_handle_t handle, psa_status_t psa_generate_derived_key_to_handle(psa_key_handle_t handle,
psa_key_type_t type, psa_key_type_t type,
size_t bits, size_t bits,
psa_crypto_generator_t *generator); psa_key_derivation_operation_t *operation);
psa_status_t psa_generate_random_key_to_handle(psa_key_handle_t handle, psa_status_t psa_generate_random_key_to_handle(psa_key_handle_t handle,
psa_key_type_t type, psa_key_type_t type,


@ -188,14 +188,14 @@ typedef struct
uint8_t block_number; uint8_t block_number;
unsigned int state : 2; unsigned int state : 2;
unsigned int info_set : 1; unsigned int info_set : 1;
} psa_hkdf_generator_t; } psa_hkdf_key_derivation_t;
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
typedef struct psa_tls12_prf_generator_s typedef struct psa_tls12_prf_key_derivation_s
{ {
/* The TLS 1.2 PRF uses the key for each HMAC iteration, /* The TLS 1.2 PRF uses the key for each HMAC iteration,
* hence we must store it for the lifetime of the generator. * hence we must store it for the lifetime of the operation.
* This is different from HKDF, where the key is only used * This is different from HKDF, where the key is only used
* in the extraction phase, but not during expansion. */ * in the extraction phase, but not during expansion. */
unsigned char *key; unsigned char *key;
@ -219,10 +219,10 @@ typedef struct psa_tls12_prf_generator_s
/* The 1-based number of the block. */ /* The 1-based number of the block. */
uint8_t block_number; uint8_t block_number;
} psa_tls12_prf_generator_t; } psa_tls12_prf_key_derivation_t;
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
struct psa_crypto_generator_s struct psa_key_derivation_s
{ {
psa_algorithm_t alg; psa_algorithm_t alg;
size_t capacity; size_t capacity;
@ -234,16 +234,16 @@ struct psa_crypto_generator_s
size_t size; size_t size;
} buffer; } buffer;
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
psa_hkdf_generator_t hkdf; psa_hkdf_key_derivation_t hkdf;
psa_tls12_prf_generator_t tls12_prf; psa_tls12_prf_key_derivation_t tls12_prf;
#endif #endif
} ctx; } ctx;
}; };
#define PSA_CRYPTO_GENERATOR_INIT {0, 0, {{0, 0}}} #define PSA_KEY_DERIVATION_OPERATION_INIT {0, 0, {{0, 0}}}
static inline struct psa_crypto_generator_s psa_crypto_generator_init( void ) static inline struct psa_key_derivation_s psa_key_derivation_operation_init( void )
{ {
const struct psa_crypto_generator_s v = PSA_CRYPTO_GENERATOR_INIT; const struct psa_key_derivation_s v = PSA_KEY_DERIVATION_OPERATION_INIT;
return( v ); return( v );
} }
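Review bot: `PSA_KEY_DERIVATION_OPERATION_INIT` has no comment saying that the all-zero value is the "blank" state, although the implementation in this commit depends on it: `psa_key_derivation_abort()` and the two capacity accessors branch on `alg == 0`. I would add `/* All-zero: alg == 0 marks an operation that has not been set up. */` above the macro, so the positional `{0, 0, {{0, 0}}}` is not changed without that in mind. As a smaller style point, the struct tag is `psa_key_derivation_s` while the macro and the init function use `psa_key_derivation_operation`; a matching tag would be easier to search for. The struct body is only partly visible in this section.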


@ -1216,12 +1216,12 @@
* For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256. * For example, `PSA_ALG_HKDF(PSA_ALG_SHA256)` is HKDF using HMAC-SHA-256.
* *
* This key derivation algorithm uses the following inputs: * This key derivation algorithm uses the following inputs:
* - #PSA_KDF_STEP_SALT is the salt used in the "extract" step. * - #PSA_KEY_DERIVATION_INPUT_SALT is the salt used in the "extract" step.
* It is optional; if omitted, the derivation uses an empty salt. * It is optional; if omitted, the derivation uses an empty salt.
* - #PSA_KDF_STEP_SECRET is the secret key used in the "extract" step. * - #PSA_KEY_DERIVATION_INPUT_SECRET is the secret key used in the "extract" step.
* - #PSA_KDF_STEP_INFO is the info string used in the "expand" step. * - #PSA_KEY_DERIVATION_INPUT_INFO is the info string used in the "expand" step.
* You must pass #PSA_KDF_STEP_SALT before #PSA_KDF_STEP_SECRET. * You must pass #PSA_KEY_DERIVATION_INPUT_SALT before #PSA_KEY_DERIVATION_INPUT_SECRET.
* You may pass #PSA_KDF_STEP_INFO at any time after steup and before * You may pass #PSA_KEY_DERIVATION_INPUT_INFO at any time after steup and before
* starting to generate output. * starting to generate output.
* *
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
@ -1590,25 +1590,25 @@
* *
* This must be a key of type #PSA_KEY_TYPE_DERIVE. * This must be a key of type #PSA_KEY_TYPE_DERIVE.
*/ */
#define PSA_KDF_STEP_SECRET ((psa_key_derivation_step_t)0x0101) #define PSA_KEY_DERIVATION_INPUT_SECRET ((psa_key_derivation_step_t)0x0101)
/** A label for key derivation. /** A label for key derivation.
* *
* This must be a direct input. * This must be a direct input.
*/ */
#define PSA_KDF_STEP_LABEL ((psa_key_derivation_step_t)0x0201) #define PSA_KEY_DERIVATION_INPUT_LABEL ((psa_key_derivation_step_t)0x0201)
/** A salt for key derivation. /** A salt for key derivation.
* *
* This must be a direct input. * This must be a direct input.
*/ */
#define PSA_KDF_STEP_SALT ((psa_key_derivation_step_t)0x0202) #define PSA_KEY_DERIVATION_INPUT_SALT ((psa_key_derivation_step_t)0x0202)
/** An information string for key derivation. /** An information string for key derivation.
* *
* This must be a direct input. * This must be a direct input.
*/ */
#define PSA_KDF_STEP_INFO ((psa_key_derivation_step_t)0x0203) #define PSA_KEY_DERIVATION_INPUT_INFO ((psa_key_derivation_step_t)0x0203)
/**@}*/ /**@}*/
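Review bot: The rewritten HKDF description still says `after steup`; since the line is being changed anyway it should read `at any time after setup and before starting to generate output`. The same comment calls the salt optional yet requires `PSA_KEY_DERIVATION_INPUT_SALT` before `PSA_KEY_DERIVATION_INPUT_SECRET`. One more sentence saying what status a caller gets when the salt arrives after the secret would remove the guesswork; that status is not visible in this section. The macros are now named `..._INPUT_...` while their type remains `psa_key_derivation_step_t`, which may be intentional but reads inconsistently.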


@ -4065,20 +4065,20 @@ exit:
#define HKDF_STATE_KEYED 2 /* got key */ #define HKDF_STATE_KEYED 2 /* got key */
#define HKDF_STATE_OUTPUT 3 /* output started */ #define HKDF_STATE_OUTPUT 3 /* output started */
static psa_algorithm_t psa_generator_get_kdf_alg( static psa_algorithm_t psa_key_derivation_get_kdf_alg(
const psa_crypto_generator_t *generator ) const psa_key_derivation_operation_t *operation )
{ {
if ( PSA_ALG_IS_KEY_AGREEMENT( generator->alg ) ) if ( PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
return( PSA_ALG_KEY_AGREEMENT_GET_KDF( generator->alg ) ); return( PSA_ALG_KEY_AGREEMENT_GET_KDF( operation->alg ) );
else else
return( generator->alg ); return( operation->alg );
} }
psa_status_t psa_generator_abort( psa_crypto_generator_t *generator ) psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation )
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_algorithm_t kdf_alg = psa_generator_get_kdf_alg( generator ); psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
if( kdf_alg == 0 ) if( kdf_alg == 0 )
{ {
/* The object has (apparently) been initialized but it is not /* The object has (apparently) been initialized but it is not
@ -4088,36 +4088,36 @@ psa_status_t psa_generator_abort( psa_crypto_generator_t *generator )
else else
if( kdf_alg == PSA_ALG_SELECT_RAW ) if( kdf_alg == PSA_ALG_SELECT_RAW )
{ {
if( generator->ctx.buffer.data != NULL ) if( operation->ctx.buffer.data != NULL )
{ {
mbedtls_platform_zeroize( generator->ctx.buffer.data, mbedtls_platform_zeroize( operation->ctx.buffer.data,
generator->ctx.buffer.size ); operation->ctx.buffer.size );
mbedtls_free( generator->ctx.buffer.data ); mbedtls_free( operation->ctx.buffer.data );
} }
} }
else else
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
if( PSA_ALG_IS_HKDF( kdf_alg ) ) if( PSA_ALG_IS_HKDF( kdf_alg ) )
{ {
mbedtls_free( generator->ctx.hkdf.info ); mbedtls_free( operation->ctx.hkdf.info );
status = psa_hmac_abort_internal( &generator->ctx.hkdf.hmac ); status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac );
} }
else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
/* TLS-1.2 PSK-to-MS KDF uses the same generator as TLS-1.2 PRF */ /* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
{ {
if( generator->ctx.tls12_prf.key != NULL ) if( operation->ctx.tls12_prf.key != NULL )
{ {
mbedtls_platform_zeroize( generator->ctx.tls12_prf.key, mbedtls_platform_zeroize( operation->ctx.tls12_prf.key,
generator->ctx.tls12_prf.key_len ); operation->ctx.tls12_prf.key_len );
mbedtls_free( generator->ctx.tls12_prf.key ); mbedtls_free( operation->ctx.tls12_prf.key );
} }
if( generator->ctx.tls12_prf.Ai_with_seed != NULL ) if( operation->ctx.tls12_prf.Ai_with_seed != NULL )
{ {
mbedtls_platform_zeroize( generator->ctx.tls12_prf.Ai_with_seed, mbedtls_platform_zeroize( operation->ctx.tls12_prf.Ai_with_seed,
generator->ctx.tls12_prf.Ai_with_seed_len ); operation->ctx.tls12_prf.Ai_with_seed_len );
mbedtls_free( generator->ctx.tls12_prf.Ai_with_seed ); mbedtls_free( operation->ctx.tls12_prf.Ai_with_seed );
} }
} }
else else
@ -4125,38 +4125,38 @@ psa_status_t psa_generator_abort( psa_crypto_generator_t *generator )
{ {
status = PSA_ERROR_BAD_STATE; status = PSA_ERROR_BAD_STATE;
} }
memset( generator, 0, sizeof( *generator ) ); memset( operation, 0, sizeof( *operation ) );
return( status ); return( status );
} }
psa_status_t psa_get_generator_capacity(const psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_get_capacity(const psa_key_derivation_operation_t *operation,
size_t *capacity) size_t *capacity)
{ {
if( generator->alg == 0 ) if( operation->alg == 0 )
{ {
/* This is a blank generator. */ /* This is a blank key derivation operation. */
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
*capacity = generator->capacity; *capacity = operation->capacity;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
psa_status_t psa_set_generator_capacity( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_set_capacity( psa_key_derivation_operation_t *operation,
size_t capacity ) size_t capacity )
{ {
if( generator->alg == 0 ) if( operation->alg == 0 )
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
if( capacity > generator->capacity ) if( capacity > operation->capacity )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
generator->capacity = capacity; operation->capacity = capacity;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
/* Read some bytes from an HKDF-based generator. This performs a chunk /* Read some bytes from an HKDF-based operation. This performs a chunk
* of the expand phase of the HKDF algorithm. */ * of the expand phase of the HKDF algorithm. */
static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf, static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf,
psa_algorithm_t hash_alg, psa_algorithm_t hash_alg,
uint8_t *output, uint8_t *output,
size_t output_length ) size_t output_length )
@ -4181,8 +4181,8 @@ static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf,
if( output_length == 0 ) if( output_length == 0 )
break; break;
/* We can't be wanting more output after block 0xff, otherwise /* We can't be wanting more output after block 0xff, otherwise
* the capacity check in psa_generator_read() would have * the capacity check in psa_key_derivation_output_bytes() would have
* prevented this call. It could happen only if the generator * prevented this call. It could happen only if the operation
* object was corrupted or if this function is called directly * object was corrupted or if this function is called directly
* inside the library. */ * inside the library. */
if( hkdf->block_number == 0xff ) if( hkdf->block_number == 0xff )
@ -4223,8 +4223,8 @@ static psa_status_t psa_generator_hkdf_read( psa_hkdf_generator_t *hkdf,
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
static psa_status_t psa_generator_tls12_prf_generate_next_block( static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
psa_tls12_prf_generator_t *tls12_prf, psa_tls12_prf_key_derivation_t *tls12_prf,
psa_algorithm_t alg ) psa_algorithm_t alg )
{ {
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg ); psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( alg );
@ -4236,8 +4236,8 @@ static psa_status_t psa_generator_tls12_prf_generate_next_block(
size_t Ai_len; size_t Ai_len;
/* We can't be wanting more output after block 0xff, otherwise /* We can't be wanting more output after block 0xff, otherwise
* the capacity check in psa_generator_read() would have * the capacity check in psa_key_derivation_output_bytes() would have
* prevented this call. It could happen only if the generator * prevented this call. It could happen only if the operation
* object was corrupted or if this function is called directly * object was corrupted or if this function is called directly
* inside the library. */ * inside the library. */
if( tls12_prf->block_number == 0xff ) if( tls12_prf->block_number == 0xff )
@ -4258,7 +4258,7 @@ static psa_status_t psa_generator_tls12_prf_generate_next_block(
* A(0) = seed * A(0) = seed
* A(i) = HMAC_hash( secret, A(i-1) ) * A(i) = HMAC_hash( secret, A(i-1) )
* *
* The `psa_tls12_prf_generator` structures saves the block * The `psa_tls12_prf_key_derivation` structures saves the block
* `HMAC_hash(secret, A(i) + seed)` from which the output * `HMAC_hash(secret, A(i) + seed)` from which the output
* is currently extracted as `output_block`, while * is currently extracted as `output_block`, while
* `A(i) + seed` is stored in `Ai_with_seed`. * `A(i) + seed` is stored in `Ai_with_seed`.
@ -4335,10 +4335,10 @@ cleanup:
return( status ); return( status );
} }
/* Read some bytes from an TLS-1.2-PRF-based generator. /* Read some bytes from an TLS-1.2-PRF-based operation.
* See Section 5 of RFC 5246. */ * See Section 5 of RFC 5246. */
static psa_status_t psa_generator_tls12_prf_read( static psa_status_t psa_key_derivation_tls12_prf_read(
psa_tls12_prf_generator_t *tls12_prf, psa_tls12_prf_key_derivation_t *tls12_prf,
psa_algorithm_t alg, psa_algorithm_t alg,
uint8_t *output, uint8_t *output,
size_t output_length ) size_t output_length )
@ -4355,7 +4355,7 @@ static psa_status_t psa_generator_tls12_prf_read(
/* Check if we have fully processed the current block. */ /* Check if we have fully processed the current block. */
if( n == 0 ) if( n == 0 )
{ {
status = psa_generator_tls12_prf_generate_next_block( tls12_prf, status = psa_key_derivation_tls12_prf_generate_next_block( tls12_prf,
alg ); alg );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
@ -4376,53 +4376,53 @@ static psa_status_t psa_generator_tls12_prf_read(
} }
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
psa_status_t psa_generator_read( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation,
uint8_t *output, uint8_t *output,
size_t output_length ) size_t output_length )
{ {
psa_status_t status; psa_status_t status;
psa_algorithm_t kdf_alg = psa_generator_get_kdf_alg( generator ); psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
if( generator->alg == 0 ) if( operation->alg == 0 )
{ {
/* This is a blank generator. */ /* This is a blank operation. */
return PSA_ERROR_BAD_STATE; return PSA_ERROR_BAD_STATE;
} }
if( output_length > generator->capacity ) if( output_length > operation->capacity )
{ {
generator->capacity = 0; operation->capacity = 0;
/* Go through the error path to wipe all confidential data now /* Go through the error path to wipe all confidential data now
* that the generator object is useless. */ * that the operation object is useless. */
status = PSA_ERROR_INSUFFICIENT_DATA; status = PSA_ERROR_INSUFFICIENT_DATA;
goto exit; goto exit;
} }
if( output_length == 0 && generator->capacity == 0 ) if( output_length == 0 && operation->capacity == 0 )
{ {
/* Edge case: this is a finished generator, and 0 bytes /* Edge case: this is a finished operation, and 0 bytes
* were requested. The right error in this case could * were requested. The right error in this case could
* be either INSUFFICIENT_CAPACITY or BAD_STATE. Return * be either INSUFFICIENT_CAPACITY or BAD_STATE. Return
* INSUFFICIENT_CAPACITY, which is right for a finished * INSUFFICIENT_CAPACITY, which is right for a finished
* generator, for consistency with the case when * operation, for consistency with the case when
* output_length > 0. */ * output_length > 0. */
return( PSA_ERROR_INSUFFICIENT_DATA ); return( PSA_ERROR_INSUFFICIENT_DATA );
} }
generator->capacity -= output_length; operation->capacity -= output_length;
if( kdf_alg == PSA_ALG_SELECT_RAW ) if( kdf_alg == PSA_ALG_SELECT_RAW )
{ {
/* Initially, the capacity of a selection generator is always /* Initially, the capacity of a selection operation is always
* the size of the buffer, i.e. `generator->ctx.buffer.size`, * the size of the buffer, i.e. `operation->ctx.buffer.size`,
* abbreviated in this comment as `size`. When the remaining * abbreviated in this comment as `size`. When the remaining
* capacity is `c`, the next bytes to serve start `c` bytes * capacity is `c`, the next bytes to serve start `c` bytes
* from the end of the buffer, i.e. `size - c` from the * from the end of the buffer, i.e. `size - c` from the
* beginning of the buffer. Since `generator->capacity` was just * beginning of the buffer. Since `operation->capacity` was just
* decremented above, we need to serve the bytes from * decremented above, we need to serve the bytes from
* `size - generator->capacity - output_length` to * `size - operation->capacity - output_length` to
* `size - generator->capacity`. */ * `size - operation->capacity`. */
size_t offset = size_t offset =
generator->ctx.buffer.size - generator->capacity - output_length; operation->ctx.buffer.size - operation->capacity - output_length;
memcpy( output, generator->ctx.buffer.data + offset, output_length ); memcpy( output, operation->ctx.buffer.data + offset, output_length );
status = PSA_SUCCESS; status = PSA_SUCCESS;
} }
else else
@ -4430,13 +4430,13 @@ psa_status_t psa_generator_read( psa_crypto_generator_t *generator,
if( PSA_ALG_IS_HKDF( kdf_alg ) ) if( PSA_ALG_IS_HKDF( kdf_alg ) )
{ {
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg ); psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
status = psa_generator_hkdf_read( &generator->ctx.hkdf, hash_alg, status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
output, output_length ); output, output_length );
} }
else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
{ {
status = psa_generator_tls12_prf_read( &generator->ctx.tls12_prf, status = psa_key_derivation_tls12_prf_read( &operation->ctx.tls12_prf,
kdf_alg, output, kdf_alg, output,
output_length ); output_length );
} }
@ -4450,12 +4450,12 @@ exit:
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
/* Preserve the algorithm upon errors, but clear all sensitive state. /* Preserve the algorithm upon errors, but clear all sensitive state.
* This allows us to differentiate between exhausted generators and * This allows us to differentiate between exhausted operations and
* blank generators, so we can return PSA_ERROR_BAD_STATE on blank * blank operations, so we can return PSA_ERROR_BAD_STATE on blank
* generators. */ * operations. */
psa_algorithm_t alg = generator->alg; psa_algorithm_t alg = operation->alg;
psa_generator_abort( generator ); psa_key_derivation_abort( operation );
generator->alg = alg; operation->alg = alg;
memset( output, '!', output_length ); memset( output, '!', output_length );
} }
return( status ); return( status );
@ -4476,7 +4476,7 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size )
static psa_status_t psa_generate_derived_key_internal( static psa_status_t psa_generate_derived_key_internal(
psa_key_slot_t *slot, psa_key_slot_t *slot,
size_t bits, size_t bits,
psa_crypto_generator_t *generator ) psa_key_derivation_operation_t *operation )
{ {
uint8_t *data = NULL; uint8_t *data = NULL;
size_t bytes = PSA_BITS_TO_BYTES( bits ); size_t bytes = PSA_BITS_TO_BYTES( bits );
@ -4490,7 +4490,7 @@ static psa_status_t psa_generate_derived_key_internal(
if( data == NULL ) if( data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
status = psa_generator_read( generator, data, bytes ); status = psa_key_derivation_output_bytes( operation, data, bytes );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
#if defined(MBEDTLS_DES_C) #if defined(MBEDTLS_DES_C)
@ -4504,8 +4504,8 @@ exit:
return( status ); return( status );
} }
psa_status_t psa_generate_derived_key( const psa_key_attributes_t *attributes, psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes,
psa_crypto_generator_t *generator, psa_key_derivation_operation_t *operation,
psa_key_handle_t *handle ) psa_key_handle_t *handle )
{ {
psa_status_t status; psa_status_t status;
@ -4515,7 +4515,7 @@ psa_status_t psa_generate_derived_key( const psa_key_attributes_t *attributes,
{ {
status = psa_generate_derived_key_internal( slot, status = psa_generate_derived_key_internal( slot,
attributes->bits, attributes->bits,
generator ); operation );
} }
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
status = psa_finish_key_creation( slot ); status = psa_finish_key_creation( slot );
@ -4530,7 +4530,7 @@ psa_status_t psa_generate_derived_key( const psa_key_attributes_t *attributes,
psa_status_t psa_generate_derived_key_to_handle( psa_key_handle_t handle, psa_status_t psa_generate_derived_key_to_handle( psa_key_handle_t handle,
psa_key_type_t type, psa_key_type_t type,
size_t bits, size_t bits,
psa_crypto_generator_t *generator ) psa_key_derivation_operation_t *operation )
{ {
uint8_t *data = NULL; uint8_t *data = NULL;
size_t bytes = PSA_BITS_TO_BYTES( bits ); size_t bytes = PSA_BITS_TO_BYTES( bits );
@ -4544,7 +4544,7 @@ psa_status_t psa_generate_derived_key_to_handle( psa_key_handle_t handle,
if( data == NULL ) if( data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
status = psa_generator_read( generator, data, bytes ); status = psa_key_derivation_output_bytes( operation, data, bytes );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
goto exit; goto exit;
#if defined(MBEDTLS_DES_C) #if defined(MBEDTLS_DES_C)
@ -4565,20 +4565,20 @@ exit:
/****************************************************************/ /****************************************************************/
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
/* Set up an HKDF-based generator. This is exactly the extract phase /* Set up an HKDF-based operation. This is exactly the extract phase
* of the HKDF algorithm. * of the HKDF algorithm.
* *
* Note that if this function fails, you must call psa_generator_abort() * Note that if this function fails, you must call psa_key_derivation_abort()
* to potentially free embedded data structures and wipe confidential data. * to potentially free embedded data structures and wipe confidential data.
*/ */
static psa_status_t psa_generator_hkdf_setup( psa_hkdf_generator_t *hkdf, static psa_status_t psa_key_derivation_hkdf_setup( psa_hkdf_key_derivation_t *hkdf,
const uint8_t *secret, const uint8_t *secret,
size_t secret_length, size_t secret_length,
psa_algorithm_t hash_alg, psa_algorithm_t hash_alg,
const uint8_t *salt, const uint8_t *salt,
size_t salt_length, size_t salt_length,
const uint8_t *label, const uint8_t *label,
size_t label_length ) size_t label_length )
{ {
psa_status_t status; psa_status_t status;
status = psa_hmac_setup_internal( &hkdf->hmac, status = psa_hmac_setup_internal( &hkdf->hmac,
@ -4611,13 +4611,13 @@ static psa_status_t psa_generator_hkdf_setup( psa_hkdf_generator_t *hkdf,
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
/* Set up a TLS-1.2-prf-based generator (see RFC 5246, Section 5). /* Set up a TLS-1.2-prf-based operation (see RFC 5246, Section 5).
* *
* Note that if this function fails, you must call psa_generator_abort() * Note that if this function fails, you must call psa_key_derivation_abort()
* to potentially free embedded data structures and wipe confidential data. * to potentially free embedded data structures and wipe confidential data.
*/ */
static psa_status_t psa_generator_tls12_prf_setup( static psa_status_t psa_key_derivation_tls12_prf_setup(
psa_tls12_prf_generator_t *tls12_prf, psa_tls12_prf_key_derivation_t *tls12_prf,
const unsigned char *key, const unsigned char *key,
size_t key_len, size_t key_len,
psa_algorithm_t hash_alg, psa_algorithm_t hash_alg,
@ -4637,7 +4637,7 @@ static psa_status_t psa_generator_tls12_prf_setup(
memcpy( tls12_prf->key, key, key_len ); memcpy( tls12_prf->key, key, key_len );
overflow = ( salt_length + label_length < salt_length ) || overflow = ( salt_length + label_length < salt_length ) ||
( salt_length + label_length + hash_length < hash_length ); ( salt_length + label_length + hash_length < hash_length );
if( overflow ) if( overflow )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
@ -4661,16 +4661,16 @@ static psa_status_t psa_generator_tls12_prf_setup(
} }
/* The first block gets generated when /* The first block gets generated when
* psa_generator_read() is called. */ * psa_key_derivation_output_bytes() is called. */
tls12_prf->block_number = 0; tls12_prf->block_number = 0;
tls12_prf->offset_in_block = hash_length; tls12_prf->offset_in_block = hash_length;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
/* Set up a TLS-1.2-PSK-to-MS-based generator. */ /* Set up a TLS-1.2-PSK-to-MS-based operation. */
static psa_status_t psa_generator_tls12_psk_to_ms_setup( static psa_status_t psa_key_derivation_tls12_psk_to_ms_setup(
psa_tls12_prf_generator_t *tls12_prf, psa_tls12_prf_key_derivation_t *tls12_prf,
const unsigned char *psk, const unsigned char *psk,
size_t psk_len, size_t psk_len,
psa_algorithm_t hash_alg, psa_algorithm_t hash_alg,
@ -4699,22 +4699,22 @@ static psa_status_t psa_generator_tls12_psk_to_ms_setup(
pms[2 + psk_len + 1] = pms[1]; pms[2 + psk_len + 1] = pms[1];
memcpy( pms + 4 + psk_len, psk, psk_len ); memcpy( pms + 4 + psk_len, psk, psk_len );
status = psa_generator_tls12_prf_setup( tls12_prf, status = psa_key_derivation_tls12_prf_setup( tls12_prf,
pms, 4 + 2 * psk_len, pms, 4 + 2 * psk_len,
hash_alg, hash_alg,
salt, salt_length, salt, salt_length,
label, label_length ); label, label_length );
mbedtls_platform_zeroize( pms, sizeof( pms ) ); mbedtls_platform_zeroize( pms, sizeof( pms ) );
return( status ); return( status );
} }
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
/* Note that if this function fails, you must call psa_generator_abort() /* Note that if this function fails, you must call psa_key_derivation_abort()
* to potentially free embedded data structures and wipe confidential data. * to potentially free embedded data structures and wipe confidential data.
*/ */
static psa_status_t psa_key_derivation_internal( static psa_status_t psa_key_derivation_internal(
psa_crypto_generator_t *generator, psa_key_derivation_operation_t *operation,
const uint8_t *secret, size_t secret_length, const uint8_t *secret, size_t secret_length,
psa_algorithm_t alg, psa_algorithm_t alg,
const uint8_t *salt, size_t salt_length, const uint8_t *salt, size_t salt_length,
@ -4724,8 +4724,8 @@ static psa_status_t psa_key_derivation_internal(
psa_status_t status; psa_status_t status;
size_t max_capacity; size_t max_capacity;
/* Set generator->alg even on failure so that abort knows what to do. */ /* Set operation->alg even on failure so that abort knows what to do. */
generator->alg = alg; operation->alg = alg;
if( alg == PSA_ALG_SELECT_RAW ) if( alg == PSA_ALG_SELECT_RAW )
{ {
@ -4735,11 +4735,11 @@ static psa_status_t psa_key_derivation_internal(
(void) label; (void) label;
if( label_length != 0 ) if( label_length != 0 )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
generator->ctx.buffer.data = mbedtls_calloc( 1, secret_length ); operation->ctx.buffer.data = mbedtls_calloc( 1, secret_length );
if( generator->ctx.buffer.data == NULL ) if( operation->ctx.buffer.data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
memcpy( generator->ctx.buffer.data, secret, secret_length ); memcpy( operation->ctx.buffer.data, secret, secret_length );
generator->ctx.buffer.size = secret_length; operation->ctx.buffer.size = secret_length;
max_capacity = secret_length; max_capacity = secret_length;
status = PSA_SUCCESS; status = PSA_SUCCESS;
} }
@ -4752,11 +4752,11 @@ static psa_status_t psa_key_derivation_internal(
if( hash_size == 0 ) if( hash_size == 0 )
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
max_capacity = 255 * hash_size; max_capacity = 255 * hash_size;
status = psa_generator_hkdf_setup( &generator->ctx.hkdf, status = psa_key_derivation_hkdf_setup( &operation->ctx.hkdf,
secret, secret_length, secret, secret_length,
hash_alg, hash_alg,
salt, salt_length, salt, salt_length,
label, label_length ); label, label_length );
} }
/* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */ /* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */
else if( PSA_ALG_IS_TLS12_PRF( alg ) || else if( PSA_ALG_IS_TLS12_PRF( alg ) ||
@ -4776,15 +4776,15 @@ static psa_status_t psa_key_derivation_internal(
if( PSA_ALG_IS_TLS12_PRF( alg ) ) if( PSA_ALG_IS_TLS12_PRF( alg ) )
{ {
status = psa_generator_tls12_prf_setup( &generator->ctx.tls12_prf, status = psa_key_derivation_tls12_prf_setup( &operation->ctx.tls12_prf,
secret, secret_length, secret, secret_length,
hash_alg, salt, salt_length, hash_alg, salt, salt_length,
label, label_length ); label, label_length );
} }
else else
{ {
status = psa_generator_tls12_psk_to_ms_setup( status = psa_key_derivation_tls12_psk_to_ms_setup(
&generator->ctx.tls12_prf, &operation->ctx.tls12_prf,
secret, secret_length, secret, secret_length,
hash_alg, salt, salt_length, hash_alg, salt, salt_length,
label, label_length ); label, label_length );
@ -4800,16 +4800,16 @@ static psa_status_t psa_key_derivation_internal(
return( status ); return( status );
if( capacity <= max_capacity ) if( capacity <= max_capacity )
generator->capacity = capacity; operation->capacity = capacity;
else if( capacity == PSA_GENERATOR_UNBRIDLED_CAPACITY ) else if( capacity == PSA_KEY_DERIVATION_UNLIMITED_CAPACITY )
generator->capacity = max_capacity; operation->capacity = max_capacity;
else else
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
psa_status_t psa_key_derivation( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation( psa_key_derivation_operation_t *operation,
psa_key_handle_t handle, psa_key_handle_t handle,
psa_algorithm_t alg, psa_algorithm_t alg,
const uint8_t *salt, const uint8_t *salt,
@ -4821,7 +4821,7 @@ psa_status_t psa_key_derivation( psa_crypto_generator_t *generator,
psa_key_slot_t *slot; psa_key_slot_t *slot;
psa_status_t status; psa_status_t status;
if( generator->alg != 0 ) if( operation->alg != 0 )
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
/* Make sure that alg is a key derivation algorithm. This prevents /* Make sure that alg is a key derivation algorithm. This prevents
@ -4837,7 +4837,7 @@ psa_status_t psa_key_derivation( psa_crypto_generator_t *generator,
if( slot->type != PSA_KEY_TYPE_DERIVE ) if( slot->type != PSA_KEY_TYPE_DERIVE )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_key_derivation_internal( generator, status = psa_key_derivation_internal( operation,
slot->data.raw.data, slot->data.raw.data,
slot->data.raw.bytes, slot->data.raw.bytes,
alg, alg,
@ -4845,12 +4845,12 @@ psa_status_t psa_key_derivation( psa_crypto_generator_t *generator,
label, label_length, label, label_length,
capacity ); capacity );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
psa_generator_abort( generator ); psa_key_derivation_abort( operation );
return( status ); return( status );
} }
static psa_status_t psa_key_derivation_setup_kdf( static psa_status_t psa_key_derivation_setup_kdf(
psa_crypto_generator_t *generator, psa_key_derivation_operation_t *operation,
psa_algorithm_t kdf_alg ) psa_algorithm_t kdf_alg )
{ {
/* Make sure that kdf_alg is a supported key derivation algorithm. */ /* Make sure that kdf_alg is a supported key derivation algorithm. */
@ -4869,7 +4869,7 @@ static psa_status_t psa_key_derivation_setup_kdf(
{ {
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
generator->capacity = 255 * hash_size; operation->capacity = 255 * hash_size;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
} }
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
@ -4877,12 +4877,12 @@ static psa_status_t psa_key_derivation_setup_kdf(
return( PSA_ERROR_NOT_SUPPORTED ); return( PSA_ERROR_NOT_SUPPORTED );
} }
psa_status_t psa_key_derivation_setup( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation,
psa_algorithm_t alg ) psa_algorithm_t alg )
{ {
psa_status_t status; psa_status_t status;
if( generator->alg != 0 ) if( operation->alg != 0 )
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) ) if( PSA_ALG_IS_RAW_KEY_AGREEMENT( alg ) )
@ -4890,22 +4890,22 @@ psa_status_t psa_key_derivation_setup( psa_crypto_generator_t *generator,
else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) ) else if( PSA_ALG_IS_KEY_AGREEMENT( alg ) )
{ {
psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ); psa_algorithm_t kdf_alg = PSA_ALG_KEY_AGREEMENT_GET_KDF( alg );
status = psa_key_derivation_setup_kdf( generator, kdf_alg ); status = psa_key_derivation_setup_kdf( operation, kdf_alg );
} }
else if( PSA_ALG_IS_KEY_DERIVATION( alg ) ) else if( PSA_ALG_IS_KEY_DERIVATION( alg ) )
{ {
status = psa_key_derivation_setup_kdf( generator, alg ); status = psa_key_derivation_setup_kdf( operation, alg );
} }
else else
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
generator->alg = alg; operation->alg = alg;
return( status ); return( status );
} }
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
static psa_status_t psa_hkdf_input( psa_hkdf_generator_t *hkdf, static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
psa_algorithm_t hash_alg, psa_algorithm_t hash_alg,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
const uint8_t *data, const uint8_t *data,
@ -4914,7 +4914,7 @@ static psa_status_t psa_hkdf_input( psa_hkdf_generator_t *hkdf,
psa_status_t status; psa_status_t status;
switch( step ) switch( step )
{ {
case PSA_KDF_STEP_SALT: case PSA_KEY_DERIVATION_INPUT_SALT:
if( hkdf->state != HKDF_STATE_INIT ) if( hkdf->state != HKDF_STATE_INIT )
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
status = psa_hmac_setup_internal( &hkdf->hmac, status = psa_hmac_setup_internal( &hkdf->hmac,
@ -4924,7 +4924,7 @@ static psa_status_t psa_hkdf_input( psa_hkdf_generator_t *hkdf,
return( status ); return( status );
hkdf->state = HKDF_STATE_STARTED; hkdf->state = HKDF_STATE_STARTED;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
case PSA_KDF_STEP_SECRET: case PSA_KEY_DERIVATION_INPUT_SECRET:
/* If no salt was provided, use an empty salt. */ /* If no salt was provided, use an empty salt. */
if( hkdf->state == HKDF_STATE_INIT ) if( hkdf->state == HKDF_STATE_INIT )
{ {
@ -4950,7 +4950,7 @@ static psa_status_t psa_hkdf_input( psa_hkdf_generator_t *hkdf,
hkdf->block_number = 0; hkdf->block_number = 0;
hkdf->state = HKDF_STATE_KEYED; hkdf->state = HKDF_STATE_KEYED;
return( PSA_SUCCESS ); return( PSA_SUCCESS );
case PSA_KDF_STEP_INFO: case PSA_KEY_DERIVATION_INPUT_INFO:
if( hkdf->state == HKDF_STATE_OUTPUT ) if( hkdf->state == HKDF_STATE_OUTPUT )
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
if( hkdf->info_set ) if( hkdf->info_set )
@ -4972,40 +4972,40 @@ static psa_status_t psa_hkdf_input( psa_hkdf_generator_t *hkdf,
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
static psa_status_t psa_key_derivation_input_raw( static psa_status_t psa_key_derivation_input_raw(
psa_crypto_generator_t *generator, psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
const uint8_t *data, const uint8_t *data,
size_t data_length ) size_t data_length )
{ {
psa_status_t status; psa_status_t status;
psa_algorithm_t kdf_alg = psa_generator_get_kdf_alg( generator ); psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
if( kdf_alg == PSA_ALG_SELECT_RAW ) if( kdf_alg == PSA_ALG_SELECT_RAW )
{ {
if( generator->capacity != 0 ) if( operation->capacity != 0 )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
generator->ctx.buffer.data = mbedtls_calloc( 1, data_length ); operation->ctx.buffer.data = mbedtls_calloc( 1, data_length );
if( generator->ctx.buffer.data == NULL ) if( operation->ctx.buffer.data == NULL )
return( PSA_ERROR_INSUFFICIENT_MEMORY ); return( PSA_ERROR_INSUFFICIENT_MEMORY );
memcpy( generator->ctx.buffer.data, data, data_length ); memcpy( operation->ctx.buffer.data, data, data_length );
generator->ctx.buffer.size = data_length; operation->ctx.buffer.size = data_length;
generator->capacity = data_length; operation->capacity = data_length;
status = PSA_SUCCESS; status = PSA_SUCCESS;
} }
else else
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
if( PSA_ALG_IS_HKDF( kdf_alg ) ) if( PSA_ALG_IS_HKDF( kdf_alg ) )
{ {
status = psa_hkdf_input( &generator->ctx.hkdf, status = psa_hkdf_input( &operation->ctx.hkdf,
PSA_ALG_HKDF_GET_HASH( kdf_alg ), PSA_ALG_HKDF_GET_HASH( kdf_alg ),
step, data, data_length ); step, data, data_length );
} }
else else
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
#if defined(MBEDTLS_MD_C) #if defined(MBEDTLS_MD_C)
/* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */ /* TLS-1.2 PRF and TLS-1.2 PSK-to-MS are very similar, so share code. */
if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) || if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) ) PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
{ {
// To do: implement this // To do: implement this
status = PSA_ERROR_NOT_SUPPORTED; status = PSA_ERROR_NOT_SUPPORTED;
@ -5013,33 +5013,33 @@ static psa_status_t psa_key_derivation_input_raw(
else else
#endif /* MBEDTLS_MD_C */ #endif /* MBEDTLS_MD_C */
{ {
/* This can't happen unless the generator object was not initialized */ /* This can't happen unless the operation object was not initialized */
return( PSA_ERROR_BAD_STATE ); return( PSA_ERROR_BAD_STATE );
} }
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
psa_generator_abort( generator ); psa_key_derivation_abort( operation );
return( status ); return( status );
} }
psa_status_t psa_key_derivation_input_bytes( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_input_bytes( psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
const uint8_t *data, const uint8_t *data,
size_t data_length ) size_t data_length )
{ {
switch( step ) switch( step )
{ {
case PSA_KDF_STEP_LABEL: case PSA_KEY_DERIVATION_INPUT_LABEL:
case PSA_KDF_STEP_SALT: case PSA_KEY_DERIVATION_INPUT_SALT:
case PSA_KDF_STEP_INFO: case PSA_KEY_DERIVATION_INPUT_INFO:
return( psa_key_derivation_input_raw( generator, step, return( psa_key_derivation_input_raw( operation, step,
data, data_length ) ); data, data_length ) );
default: default:
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
} }
} }
psa_status_t psa_key_derivation_input_key( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_input_key( psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
psa_key_handle_t handle ) psa_key_handle_t handle )
{ {
@ -5047,7 +5047,7 @@ psa_status_t psa_key_derivation_input_key( psa_crypto_generator_t *generator,
psa_status_t status; psa_status_t status;
status = psa_get_key_from_slot( handle, &slot, status = psa_get_key_from_slot( handle, &slot,
PSA_KEY_USAGE_DERIVE, PSA_KEY_USAGE_DERIVE,
generator->alg ); operation->alg );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
if( slot->type != PSA_KEY_TYPE_DERIVE ) if( slot->type != PSA_KEY_TYPE_DERIVE )
@ -5058,9 +5058,9 @@ psa_status_t psa_key_derivation_input_key( psa_crypto_generator_t *generator,
* the material should be dedicated to a particular input step, * the material should be dedicated to a particular input step,
* otherwise this may allow the key to be used in an unintended way * otherwise this may allow the key to be used in an unintended way
* and leak values derived from the key. So be conservative. */ * and leak values derived from the key. So be conservative. */
if( step != PSA_KDF_STEP_SECRET ) if( step != PSA_KEY_DERIVATION_INPUT_SECRET )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
return( psa_key_derivation_input_raw( generator, return( psa_key_derivation_input_raw( operation,
step, step,
slot->data.raw.data, slot->data.raw.data,
slot->data.raw.bytes ) ); slot->data.raw.bytes ) );
@ -5148,10 +5148,10 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
} }
} }
/* Note that if this function fails, you must call psa_generator_abort() /* Note that if this function fails, you must call psa_key_derivation_abort()
* to potentially free embedded data structures and wipe confidential data. * to potentially free embedded data structures and wipe confidential data.
*/ */
static psa_status_t psa_key_agreement_internal( psa_crypto_generator_t *generator, static psa_status_t psa_key_agreement_internal( psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
psa_key_slot_t *private_key, psa_key_slot_t *private_key,
const uint8_t *peer_key, const uint8_t *peer_key,
@ -5160,7 +5160,7 @@ static psa_status_t psa_key_agreement_internal( psa_crypto_generator_t *generato
psa_status_t status; psa_status_t status;
uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE]; uint8_t shared_secret[PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE];
size_t shared_secret_length = 0; size_t shared_secret_length = 0;
psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( generator->alg ); psa_algorithm_t ka_alg = PSA_ALG_KEY_AGREEMENT_GET_BASE( operation->alg );
/* Step 1: run the secret agreement algorithm to generate the shared /* Step 1: run the secret agreement algorithm to generate the shared
* secret. */ * secret. */
@ -5175,7 +5175,7 @@ static psa_status_t psa_key_agreement_internal( psa_crypto_generator_t *generato
/* Step 2: set up the key derivation to generate key material from /* Step 2: set up the key derivation to generate key material from
* the shared secret. */ * the shared secret. */
status = psa_key_derivation_input_raw( generator, step, status = psa_key_derivation_input_raw( operation, step,
shared_secret, shared_secret_length ); shared_secret, shared_secret_length );
exit: exit:
@ -5183,35 +5183,35 @@ exit:
return( status ); return( status );
} }
psa_status_t psa_key_agreement( psa_crypto_generator_t *generator, psa_status_t psa_key_derivation_key_agreement( psa_key_derivation_operation_t *operation,
psa_key_derivation_step_t step, psa_key_derivation_step_t step,
psa_key_handle_t private_key, psa_key_handle_t private_key,
const uint8_t *peer_key, const uint8_t *peer_key,
size_t peer_key_length ) size_t peer_key_length )
{ {
psa_key_slot_t *slot; psa_key_slot_t *slot;
psa_status_t status; psa_status_t status;
if( ! PSA_ALG_IS_KEY_AGREEMENT( generator->alg ) ) if( ! PSA_ALG_IS_KEY_AGREEMENT( operation->alg ) )
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
status = psa_get_key_from_slot( private_key, &slot, status = psa_get_key_from_slot( private_key, &slot,
PSA_KEY_USAGE_DERIVE, generator->alg ); PSA_KEY_USAGE_DERIVE, operation->alg );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( status ); return( status );
status = psa_key_agreement_internal( generator, step, status = psa_key_agreement_internal( operation, step,
slot, slot,
peer_key, peer_key_length ); peer_key, peer_key_length );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
psa_generator_abort( generator ); psa_key_derivation_abort( operation );
return( status ); return( status );
} }
psa_status_t psa_key_agreement_raw_shared_secret( psa_algorithm_t alg, psa_status_t psa_raw_key_agreement( psa_algorithm_t alg,
psa_key_handle_t private_key, psa_key_handle_t private_key,
const uint8_t *peer_key, const uint8_t *peer_key,
size_t peer_key_length, size_t peer_key_length,
uint8_t *output, uint8_t *output,
size_t output_size, size_t output_size,
size_t *output_length ) size_t *output_length )
{ {
psa_key_slot_t *slot; psa_key_slot_t *slot;
psa_status_t status; psa_status_t status;


@ -3116,7 +3116,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
unsigned char *own_pubkey_ecpoint; unsigned char *own_pubkey_ecpoint;
size_t own_pubkey_ecpoint_len; size_t own_pubkey_ecpoint_len;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
header_len = 4; header_len = 4;
@ -3178,7 +3178,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
content_len = own_pubkey_ecpoint_len + 1; content_len = own_pubkey_ecpoint_len + 1;
/* Compute ECDH shared secret. */ /* Compute ECDH shared secret. */
status = psa_key_agreement( &generator, status = psa_key_derivation_key_agreement( &generator,
handshake->ecdh_psa_privkey, handshake->ecdh_psa_privkey,
handshake->ecdh_psa_peerkey, handshake->ecdh_psa_peerkey,
handshake->ecdh_psa_peerkey_len, handshake->ecdh_psa_peerkey_len,
@ -3191,16 +3191,16 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
ssl->handshake->pmslen = ssl->handshake->pmslen =
MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve ); MBEDTLS_PSA_ECC_KEY_BYTES_OF_CURVE( handshake->ecdh_psa_curve );
status = psa_generator_read( &generator, status = psa_key_derivation_output_bytes( &generator,
ssl->handshake->premaster, ssl->handshake->premaster,
ssl->handshake->pmslen ); ssl->handshake->pmslen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_abort( &generator ); status = psa_key_derivation_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
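Review bot: The local in ssl_write_client_key_exchange is still declared as `generator` although its type is now `psa_key_derivation_operation_t`, so every new call here reads `psa_key_derivation_abort( &generator )` and mixes the old and new vocabulary. Declaring it as `psa_key_derivation_operation_t derivation = PSA_KEY_DERIVATION_OPERATION_INIT;` and updating the uses would finish the terminology change. That also makes it easier to audit that each error path reaches the abort call, which the library comments describe as the step that wipes confidential data. The same leftover name appears in tls_prf_generic, mbedtls_ssl_derive_keys, derive_key_ladder and derive_wrapping_key, and derive_key_ladder keeps the comment `Use the generator obtained from the parent key`, which could become `Use the key derivation operation set up from the parent key`. All of these function bodies continue outside the hunks shown.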


@ -526,7 +526,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
psa_algorithm_t alg; psa_algorithm_t alg;
psa_key_policy_t policy; psa_key_policy_t policy;
psa_key_handle_t master_slot; psa_key_handle_t master_slot;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS ) if( ( status = psa_allocate_key( &master_slot ) ) != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@ -556,20 +556,20 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
dlen ); dlen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_read( &generator, dstbuf, dlen ); status = psa_key_derivation_output_bytes( &generator, dstbuf, dlen );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_abort( &generator ); status = psa_key_derivation_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_destroy_key( master_slot ); psa_destroy_key( master_slot );
@ -892,7 +892,7 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
/* Perform PSK-to-MS expansion in a single step. */ /* Perform PSK-to-MS expansion in a single step. */
psa_status_t status; psa_status_t status;
psa_algorithm_t alg; psa_algorithm_t alg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_handle_t psk; psa_key_handle_t psk;
MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) ); MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
@ -913,19 +913,19 @@ int mbedtls_ssl_derive_keys( mbedtls_ssl_context *ssl )
master_secret_len ); master_secret_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_read( &generator, session->master, status = psa_key_derivation_output_bytes( &generator, session->master,
master_secret_len ); master_secret_len );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }
status = psa_generator_abort( &generator ); status = psa_key_derivation_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED ); return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
} }


@ -279,7 +279,7 @@ static psa_status_t derive_key_ladder( const char *ladder[],
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
size_t i; size_t i;
psa_set_key_usage_flags( &attributes, psa_set_key_usage_flags( &attributes,
@ -306,13 +306,13 @@ static psa_status_t derive_key_ladder( const char *ladder[],
*key_handle = 0; *key_handle = 0;
/* Use the generator obtained from the parent key to create /* Use the generator obtained from the parent key to create
* the next intermediate key. */ * the next intermediate key. */
PSA_CHECK( psa_generate_derived_key( &attributes, &generator, PSA_CHECK( psa_key_derivation_output_key( &attributes, &generator,
key_handle ) ); key_handle ) );
PSA_CHECK( psa_generator_abort( &generator ) ); PSA_CHECK( psa_key_derivation_abort( &generator ) );
} }
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_close_key( *key_handle ); psa_close_key( *key_handle );
@ -328,7 +328,7 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
{ {
psa_status_t status = PSA_SUCCESS; psa_status_t status = PSA_SUCCESS;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t generator = PSA_KEY_DERIVATION_OPERATION_INIT;
*wrapping_key_handle = 0; *wrapping_key_handle = 0;
psa_set_key_usage_flags( &attributes, usage ); psa_set_key_usage_flags( &attributes, usage );
@ -343,11 +343,11 @@ static psa_status_t derive_wrapping_key( psa_key_usage_t usage,
WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH, WRAPPING_KEY_SALT, WRAPPING_KEY_SALT_LENGTH,
NULL, 0, NULL, 0,
PSA_BITS_TO_BYTES( WRAPPING_KEY_BITS ) ) ); PSA_BITS_TO_BYTES( WRAPPING_KEY_BITS ) ) );
PSA_CHECK( psa_generate_derived_key( &attributes, &generator, PSA_CHECK( psa_key_derivation_output_key( &attributes, &generator,
wrapping_key_handle ) ); wrapping_key_handle ) );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &generator );
if( status != PSA_SUCCESS ) if( status != PSA_SUCCESS )
{ {
psa_close_key( *wrapping_key_handle ); psa_close_key( *wrapping_key_handle );


@ -1716,8 +1716,8 @@ PSA decrypt: RSA OAEP-SHA-256, input too large
depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C depends_on:MBEDTLS_PK_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V21:MBEDTLS_SHA256_C
asymmetric_decrypt_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):"0099ffde2fcc00c9cc01972ebfa7779b298dbbaf7f50707a7405296dd2783456fc792002f462e760500e02afa25a859ace8701cb5d3b0262116431c43af8eb08f5a88301057cf1c156a2a5193c143e7a5b03fac132b7e89e6dcd8f4c82c9b28452329c260d30bc39b3816b7c46b41b37b4850d2ae74e729f99c6621fbbe2e46872":"":129:PSA_ERROR_INVALID_ARGUMENT 
asymmetric_decrypt_fail:PSA_KEY_TYPE_RSA_KEYPAIR:"3082025e02010002818100af057d396ee84fb75fdbb5c2b13c7fe5a654aa8aa2470b541ee1feb0b12d25c79711531249e1129628042dbbb6c120d1443524ef4c0e6e1d8956eeb2077af12349ddeee54483bc06c2c61948cd02b202e796aebd94d3a7cbf859c2c1819c324cb82b9cd34ede263a2abffe4733f077869e8660f7d6834da53d690ef7985f6bc3020301000102818100874bf0ffc2f2a71d14671ddd0171c954d7fdbf50281e4f6d99ea0e1ebcf82faa58e7b595ffb293d1abe17f110b37c48cc0f36c37e84d876621d327f64bbe08457d3ec4098ba2fa0a319fba411c2841ed7be83196a8cdf9daa5d00694bc335fc4c32217fe0488bce9cb7202e59468b1ead119000477db2ca797fac19eda3f58c1024100e2ab760841bb9d30a81d222de1eb7381d82214407f1b975cbbfe4e1a9467fd98adbd78f607836ca5be1928b9d160d97fd45c12d6b52e2c9871a174c66b488113024100c5ab27602159ae7d6f20c3c2ee851e46dc112e689e28d5fcbbf990a99ef8a90b8bb44fd36467e7fc1789ceb663abda338652c3c73f111774902e840565927091024100b6cdbd354f7df579a63b48b3643e353b84898777b48b15f94e0bfc0567a6ae5911d57ad6409cf7647bf96264e9bd87eb95e263b7110b9a1f9f94acced0fafa4d024071195eec37e8d257decfc672b07ae639f10cbb9b0c739d0c809968d644a94e3fd6ed9287077a14583f379058f76a8aecd43c62dc8c0f41766650d725275ac4a1024100bb32d133edc2e048d463388b7be9cb4be29f4b6250be603e70e3647501c97ddde20a4e71be95fd5e71784e25aca4baf25be5738aae59bbfe1c997781447a2b24":PSA_ALG_RSA_OAEP(PSA_ALG_SHA_256):"0099ffde2fcc00c9cc01972ebfa7779b298dbbaf7f50707a7405296dd2783456fc792002f462e760500e02afa25a859ace8701cb5d3b0262116431c43af8eb08f5a88301057cf1c156a2a5193c143e7a5b03fac132b7e89e6dcd8f4c82c9b28452329c260d30bc39b3816b7c46b41b37b4850d2ae74e729f99c6621fbbe2e46872":"":129:PSA_ERROR_INVALID_ARGUMENT
Crypto generator initializers zero properly Crypto derivation operation object initializers zero properly
crypto_generator_init: key_derivation_init:
PSA key derivation: HKDF-SHA-256, good case PSA key derivation: HKDF-SHA-256, good case
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
@ -1755,13 +1755,13 @@ PSA key derivation: unsupported key derivation algorithm
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_CATEGORY_KEY_DERIVATION:"":"":42:PSA_ERROR_NOT_SUPPORTED derive_setup:PSA_KEY_TYPE_DERIVE:"0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b0b":PSA_ALG_CATEGORY_KEY_DERIVATION:"":"":42:PSA_ERROR_NOT_SUPPORTED
PSA key derivation: invalid generator state ( double generate + read past capacity ) PSA key derivation: invalid state (double generate + read past capacity)
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
test_derive_invalid_generator_state: test_derive_invalid_key_derivation_state:
PSA key derivation: invalid generator state ( call read/get_capacity after init and abort ) PSA key derivation: invalid state (call read/get_capacity after init and abort)
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C
test_derive_invalid_generator_tests: test_derive_invalid_key_derivation_tests:
PSA key derivation: HKDF SHA-256, RFC5869 #1, output 42+0 PSA key derivation: HKDF SHA-256, RFC5869 #1, output 42+0
depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C depends_on:MBEDTLS_MD_C:MBEDTLS_SHA256_C


@ -525,7 +525,7 @@ static int exercise_key_derivation_key( psa_key_handle_t handle,
psa_key_usage_t usage, psa_key_usage_t usage,
psa_algorithm_t alg ) psa_algorithm_t alg )
{ {
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char label[16] = "This is a label."; unsigned char label[16] = "This is a label.";
size_t label_length = sizeof( label ); size_t label_length = sizeof( label );
unsigned char seed[16] = "abcdefghijklmnop"; unsigned char seed[16] = "abcdefghijklmnop";
@ -536,32 +536,32 @@ static int exercise_key_derivation_key( psa_key_handle_t handle,
{ {
if( PSA_ALG_IS_HKDF( alg ) ) if( PSA_ALG_IS_HKDF( alg ) )
{ {
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_SALT, PSA_KEY_DERIVATION_INPUT_SALT,
label, label,
label_length ) ); label_length ) );
PSA_ASSERT( psa_key_derivation_input_key( &generator, PSA_ASSERT( psa_key_derivation_input_key( &operation,
PSA_KDF_STEP_SECRET, PSA_KEY_DERIVATION_INPUT_SECRET,
handle ) ); handle ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_INFO, PSA_KEY_DERIVATION_INPUT_INFO,
seed, seed,
seed_length ) ); seed_length ) );
} }
else else
{ {
// legacy // legacy
PSA_ASSERT( psa_key_derivation( &generator, PSA_ASSERT( psa_key_derivation( &operation,
handle, alg, handle, alg,
label, label_length, label, label_length,
seed, seed_length, seed, seed_length,
sizeof( output ) ) ); sizeof( output ) ) );
} }
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output, output,
sizeof( output ) ) ); sizeof( output ) ) );
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
} }
return( 1 ); return( 1 );
@ -572,8 +572,9 @@ exit:
/* We need two keys to exercise key agreement. Exercise the /* We need two keys to exercise key agreement. Exercise the
* private key against its own public key. */ * private key against its own public key. */
static psa_status_t key_agreement_with_self( psa_crypto_generator_t *generator, static psa_status_t key_agreement_with_self(
psa_key_handle_t handle ) psa_key_derivation_operation_t *operation,
psa_key_handle_t handle )
{ {
psa_key_type_t private_key_type; psa_key_type_t private_key_type;
psa_key_type_t public_key_type; psa_key_type_t public_key_type;
@ -581,8 +582,8 @@ static psa_status_t key_agreement_with_self( psa_crypto_generator_t *generator,
uint8_t *public_key = NULL; uint8_t *public_key = NULL;
size_t public_key_length; size_t public_key_length;
/* Return GENERIC_ERROR if something other than the final call to /* Return GENERIC_ERROR if something other than the final call to
* psa_key_agreement fails. This isn't fully satisfactory, but it's * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
* good enough: callers will report it as a failed test anyway. */ * but it's good enough: callers will report it as a failed test anyway. */
psa_status_t status = PSA_ERROR_GENERIC_ERROR; psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -596,8 +597,9 @@ static psa_status_t key_agreement_with_self( psa_crypto_generator_t *generator,
public_key, public_key_length, public_key, public_key_length,
&public_key_length ) ); &public_key_length ) );
status = psa_key_agreement( generator, PSA_KDF_STEP_SECRET, handle, status = psa_key_derivation_key_agreement(
public_key, public_key_length ); operation, PSA_KEY_DERIVATION_INPUT_SECRET, handle,
public_key, public_key_length );
exit: exit:
mbedtls_free( public_key ); mbedtls_free( public_key );
psa_reset_key_attributes( &attributes ); psa_reset_key_attributes( &attributes );
@ -617,8 +619,8 @@ static psa_status_t raw_key_agreement_with_self( psa_algorithm_t alg,
uint8_t output[1024]; uint8_t output[1024];
size_t output_length; size_t output_length;
/* Return GENERIC_ERROR if something other than the final call to /* Return GENERIC_ERROR if something other than the final call to
* psa_key_agreement fails. This isn't fully satisfactory, but it's * psa_key_derivation_key_agreement fails. This isn't fully satisfactory,
* good enough: callers will report it as a failed test anyway. */ * but it's good enough: callers will report it as a failed test anyway. */
psa_status_t status = PSA_ERROR_GENERIC_ERROR; psa_status_t status = PSA_ERROR_GENERIC_ERROR;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -632,10 +634,9 @@ static psa_status_t raw_key_agreement_with_self( psa_algorithm_t alg,
public_key, public_key_length, public_key, public_key_length,
&public_key_length ) ); &public_key_length ) );
status = psa_key_agreement_raw_shared_secret( status = psa_raw_key_agreement( alg, handle,
alg, handle, public_key, public_key_length,
public_key, public_key_length, output, sizeof( output ), &output_length );
output, sizeof( output ), &output_length );
exit: exit:
mbedtls_free( public_key ); mbedtls_free( public_key );
psa_reset_key_attributes( &attributes ); psa_reset_key_attributes( &attributes );
@ -664,7 +665,7 @@ static int exercise_key_agreement_key( psa_key_handle_t handle,
psa_key_usage_t usage, psa_key_usage_t usage,
psa_algorithm_t alg ) psa_algorithm_t alg )
{ {
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char output[1]; unsigned char output[1];
int ok = 0; int ok = 0;
@ -672,12 +673,12 @@ static int exercise_key_agreement_key( psa_key_handle_t handle,
{ {
/* We need two keys to exercise key agreement. Exercise the /* We need two keys to exercise key agreement. Exercise the
* private key against its own public key. */ * private key against its own public key. */
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( key_agreement_with_self( &generator, handle ) ); PSA_ASSERT( key_agreement_with_self( &operation, handle ) );
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output, output,
sizeof( output ) ) ); sizeof( output ) ) );
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
} }
ok = 1; ok = 1;
@ -1844,7 +1845,7 @@ void derive_key_policy( int policy_usage,
{ {
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_status_t status; psa_status_t status;
PSA_ASSERT( psa_crypto_init( ) ); PSA_ASSERT( psa_crypto_init( ) );
@ -1856,7 +1857,7 @@ void derive_key_policy( int policy_usage,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&handle ) ); &handle ) );
status = psa_key_derivation( &generator, handle, status = psa_key_derivation( &operation, handle,
exercise_alg, exercise_alg,
NULL, 0, NULL, 0,
NULL, 0, NULL, 0,
@ -1868,7 +1869,7 @@ void derive_key_policy( int policy_usage,
TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -1884,7 +1885,7 @@ void agreement_key_policy( int policy_usage,
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type = key_type_arg; psa_key_type_t key_type = key_type_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_status_t status; psa_status_t status;
PSA_ASSERT( psa_crypto_init( ) ); PSA_ASSERT( psa_crypto_init( ) );
@ -1896,8 +1897,8 @@ void agreement_key_policy( int policy_usage,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&handle ) ); &handle ) );
PSA_ASSERT( psa_key_derivation_setup( &generator, exercise_alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, exercise_alg ) );
status = key_agreement_with_self( &generator, handle ); status = key_agreement_with_self( &operation, handle );
if( policy_alg == exercise_alg && if( policy_alg == exercise_alg &&
( policy_usage & PSA_KEY_USAGE_DERIVE ) != 0 ) ( policy_usage & PSA_KEY_USAGE_DERIVE ) != 0 )
@ -1906,7 +1907,7 @@ void agreement_key_policy( int policy_usage,
TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -1922,7 +1923,7 @@ void raw_agreement_key_policy( int policy_usage,
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type = key_type_arg; psa_key_type_t key_type = key_type_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_status_t status; psa_status_t status;
PSA_ASSERT( psa_crypto_init( ) ); PSA_ASSERT( psa_crypto_init( ) );
@ -1943,7 +1944,7 @@ void raw_agreement_key_policy( int policy_usage,
TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED ); TEST_EQUAL( status, PSA_ERROR_NOT_PERMITTED );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -2488,7 +2489,7 @@ void mac_bad_order( )
/* Call update after verify finish. */ /* Call update after verify finish. */
PSA_ASSERT( psa_mac_verify_setup( &operation, PSA_ASSERT( psa_mac_verify_setup( &operation,
handle, alg ) ); handle, alg ) );
PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) );
PSA_ASSERT( psa_mac_verify_finish( &operation, PSA_ASSERT( psa_mac_verify_finish( &operation,
verify_mac, sizeof( verify_mac ) ) ); verify_mac, sizeof( verify_mac ) ) );
@ -2511,7 +2512,7 @@ void mac_bad_order( )
/* Call verify finish twice in a row. */ /* Call verify finish twice in a row. */
PSA_ASSERT( psa_mac_verify_setup( &operation, PSA_ASSERT( psa_mac_verify_setup( &operation,
handle, alg ) ); handle, alg ) );
PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) );
PSA_ASSERT( psa_mac_verify_finish( &operation, PSA_ASSERT( psa_mac_verify_finish( &operation,
verify_mac, sizeof( verify_mac ) ) ); verify_mac, sizeof( verify_mac ) ) );
@ -2531,7 +2532,7 @@ void mac_bad_order( )
/* Setup verify but try sign. */ /* Setup verify but try sign. */
PSA_ASSERT( psa_mac_verify_setup( &operation, PSA_ASSERT( psa_mac_verify_setup( &operation,
handle, alg ) ); handle, alg ) );
PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) ); PSA_ASSERT( psa_mac_update( &operation, input, sizeof( input ) ) );
TEST_EQUAL( psa_mac_sign_finish( &operation, TEST_EQUAL( psa_mac_sign_finish( &operation,
sign_mac, sizeof( sign_mac ), sign_mac, sizeof( sign_mac ),
@ -3996,31 +3997,31 @@ exit:
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void crypto_generator_init( ) void key_derivation_init( )
{ {
/* Test each valid way of initializing the object, except for `= {0}`, as /* Test each valid way of initializing the object, except for `= {0}`, as
* Clang 5 complains when `-Wmissing-field-initializers` is used, even * Clang 5 complains when `-Wmissing-field-initializers` is used, even
* though it's OK by the C standard. We could test for this, but we'd need * though it's OK by the C standard. We could test for this, but we'd need
* to supress the Clang warning for the test. */ * to supress the Clang warning for the test. */
size_t capacity; size_t capacity;
psa_crypto_generator_t func = psa_crypto_generator_init( ); psa_key_derivation_operation_t func = psa_key_derivation_operation_init( );
psa_crypto_generator_t init = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t init = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_crypto_generator_t zero; psa_key_derivation_operation_t zero;
memset( &zero, 0, sizeof( zero ) ); memset( &zero, 0, sizeof( zero ) );
/* A default generator should not be able to report its capacity. */ /* A default operation should not be able to report its capacity. */
TEST_EQUAL( psa_get_generator_capacity( &func, &capacity ), TEST_EQUAL( psa_key_derivation_get_capacity( &func, &capacity ),
PSA_ERROR_BAD_STATE ); PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_get_generator_capacity( &init, &capacity ), TEST_EQUAL( psa_key_derivation_get_capacity( &init, &capacity ),
PSA_ERROR_BAD_STATE ); PSA_ERROR_BAD_STATE );
TEST_EQUAL( psa_get_generator_capacity( &zero, &capacity ), TEST_EQUAL( psa_key_derivation_get_capacity( &zero, &capacity ),
PSA_ERROR_BAD_STATE ); PSA_ERROR_BAD_STATE );
/* A default generator should be abortable without error. */ /* A default operation should be abortable without error. */
PSA_ASSERT( psa_generator_abort(&func) ); PSA_ASSERT( psa_key_derivation_abort(&func) );
PSA_ASSERT( psa_generator_abort(&init) ); PSA_ASSERT( psa_key_derivation_abort(&init) );
PSA_ASSERT( psa_generator_abort(&zero) ); PSA_ASSERT( psa_key_derivation_abort(&zero) );
} }
/* END_CASE */ /* END_CASE */
@ -4038,7 +4039,7 @@ void derive_setup( int key_type_arg,
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
size_t requested_capacity = requested_capacity_arg; size_t requested_capacity = requested_capacity_arg;
psa_status_t expected_status = expected_status_arg; psa_status_t expected_status = expected_status_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
PSA_ASSERT( psa_crypto_init( ) ); PSA_ASSERT( psa_crypto_init( ) );
@ -4050,25 +4051,25 @@ void derive_setup( int key_type_arg,
PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len, PSA_ASSERT( psa_import_key( &attributes, key_data->x, key_data->len,
&handle ) ); &handle ) );
TEST_EQUAL( psa_key_derivation( &generator, handle, alg, TEST_EQUAL( psa_key_derivation( &operation, handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
requested_capacity ), requested_capacity ),
expected_status ); expected_status );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void test_derive_invalid_generator_state( ) void test_derive_invalid_key_derivation_state( )
{ {
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
size_t key_type = PSA_KEY_TYPE_DERIVE; size_t key_type = PSA_KEY_TYPE_DERIVE;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_algorithm_t alg = PSA_ALG_HKDF( PSA_ALG_SHA_256 ); psa_algorithm_t alg = PSA_ALG_HKDF( PSA_ALG_SHA_256 );
uint8_t buffer[42]; uint8_t buffer[42];
size_t capacity = sizeof( buffer ); size_t capacity = sizeof( buffer );
@ -4088,54 +4089,56 @@ void test_derive_invalid_generator_state( )
&handle ) ); &handle ) );
/* valid key derivation */ /* valid key derivation */
PSA_ASSERT( psa_key_derivation( &generator, handle, alg, PSA_ASSERT( psa_key_derivation( &operation, handle, alg,
NULL, 0, NULL, 0,
NULL, 0, NULL, 0,
capacity ) ); capacity ) );
/* state of generator shouldn't allow additional generation */ /* state of operation shouldn't allow additional generation */
TEST_EQUAL( psa_key_derivation( &generator, handle, alg, TEST_EQUAL( psa_key_derivation( &operation, handle, alg,
NULL, 0, NULL, 0,
NULL, 0, NULL, 0,
capacity ), capacity ),
PSA_ERROR_BAD_STATE ); PSA_ERROR_BAD_STATE );
PSA_ASSERT( psa_generator_read( &generator, buffer, capacity ) ); PSA_ASSERT( psa_key_derivation_output_bytes( &operation, buffer, capacity ) );
TEST_EQUAL( psa_generator_read( &generator, buffer, capacity ), TEST_EQUAL( psa_key_derivation_output_bytes( &operation, buffer, capacity ),
PSA_ERROR_INSUFFICIENT_DATA ); PSA_ERROR_INSUFFICIENT_DATA );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
/* END_CASE */ /* END_CASE */
/* BEGIN_CASE */ /* BEGIN_CASE */
void test_derive_invalid_generator_tests( ) void test_derive_invalid_key_derivation_tests( )
{ {
uint8_t output_buffer[16]; uint8_t output_buffer[16];
size_t buffer_size = 16; size_t buffer_size = 16;
size_t capacity = 0; size_t capacity = 0;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
TEST_ASSERT( psa_generator_read( &generator, output_buffer, buffer_size ) TEST_ASSERT( psa_key_derivation_output_bytes( &operation,
output_buffer, buffer_size )
== PSA_ERROR_BAD_STATE ); == PSA_ERROR_BAD_STATE );
TEST_ASSERT( psa_get_generator_capacity( &generator, &capacity ) TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity )
== PSA_ERROR_BAD_STATE ); == PSA_ERROR_BAD_STATE );
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
TEST_ASSERT( psa_generator_read( &generator, output_buffer, buffer_size ) TEST_ASSERT( psa_key_derivation_output_bytes( &operation,
output_buffer, buffer_size )
== PSA_ERROR_BAD_STATE ); == PSA_ERROR_BAD_STATE );
TEST_ASSERT( psa_get_generator_capacity( &generator, &capacity ) TEST_ASSERT( psa_key_derivation_get_capacity( &operation, &capacity )
== PSA_ERROR_BAD_STATE ); == PSA_ERROR_BAD_STATE );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
} }
/* END_CASE */ /* END_CASE */
@ -4151,7 +4154,7 @@ void derive_output( int alg_arg,
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
size_t requested_capacity = requested_capacity_arg; size_t requested_capacity = requested_capacity_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
uint8_t *expected_outputs[2] = uint8_t *expected_outputs[2] =
{expected_output1->x, expected_output2->x}; {expected_output1->x, expected_output2->x};
size_t output_sizes[2] = size_t output_sizes[2] =
@ -4184,29 +4187,29 @@ void derive_output( int alg_arg,
/* Extraction phase. */ /* Extraction phase. */
if( PSA_ALG_IS_HKDF( alg ) ) if( PSA_ALG_IS_HKDF( alg ) )
{ {
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( psa_set_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_set_capacity( &operation,
requested_capacity ) ); requested_capacity ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_SALT, PSA_KEY_DERIVATION_INPUT_SALT,
salt->x, salt->len ) ); salt->x, salt->len ) );
PSA_ASSERT( psa_key_derivation_input_key( &generator, PSA_ASSERT( psa_key_derivation_input_key( &operation,
PSA_KDF_STEP_SECRET, PSA_KEY_DERIVATION_INPUT_SECRET,
handle ) ); handle ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_INFO, PSA_KEY_DERIVATION_INPUT_INFO,
label->x, label->len ) ); label->x, label->len ) );
} }
else else
{ {
// legacy // legacy
PSA_ASSERT( psa_key_derivation( &generator, handle, alg, PSA_ASSERT( psa_key_derivation( &operation, handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
requested_capacity ) ); requested_capacity ) );
} }
PSA_ASSERT( psa_get_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_get_capacity( &operation,
&current_capacity ) ); &current_capacity ) );
TEST_EQUAL( current_capacity, requested_capacity ); TEST_EQUAL( current_capacity, requested_capacity );
expected_capacity = requested_capacity; expected_capacity = requested_capacity;
@ -4214,8 +4217,8 @@ void derive_output( int alg_arg,
for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ ) for( i = 0; i < ARRAY_LENGTH( expected_outputs ); i++ )
{ {
/* Read some bytes. */ /* Read some bytes. */
status = psa_generator_read( &generator, status = psa_key_derivation_output_bytes( &operation,
output_buffer, output_sizes[i] ); output_buffer, output_sizes[i] );
if( expected_capacity == 0 && output_sizes[i] == 0 ) if( expected_capacity == 0 && output_sizes[i] == 0 )
{ {
/* Reading 0 bytes when 0 bytes are available can go either way. */ /* Reading 0 bytes when 0 bytes are available can go either way. */
@ -4236,17 +4239,17 @@ void derive_output( int alg_arg,
if( output_sizes[i] != 0 ) if( output_sizes[i] != 0 )
ASSERT_COMPARE( output_buffer, output_sizes[i], ASSERT_COMPARE( output_buffer, output_sizes[i],
expected_outputs[i], output_sizes[i] ); expected_outputs[i], output_sizes[i] );
/* Check the generator status. */ /* Check the operation status. */
expected_capacity -= output_sizes[i]; expected_capacity -= output_sizes[i];
PSA_ASSERT( psa_get_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_get_capacity( &operation,
&current_capacity ) ); &current_capacity ) );
TEST_EQUAL( expected_capacity, current_capacity ); TEST_EQUAL( expected_capacity, current_capacity );
} }
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
exit: exit:
mbedtls_free( output_buffer ); mbedtls_free( output_buffer );
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -4262,7 +4265,7 @@ void derive_full( int alg_arg,
psa_key_handle_t handle = 0; psa_key_handle_t handle = 0;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
size_t requested_capacity = requested_capacity_arg; size_t requested_capacity = requested_capacity_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char output_buffer[16]; unsigned char output_buffer[16];
size_t expected_capacity = requested_capacity; size_t expected_capacity = requested_capacity;
size_t current_capacity; size_t current_capacity;
@ -4280,29 +4283,29 @@ void derive_full( int alg_arg,
/* Extraction phase. */ /* Extraction phase. */
if( PSA_ALG_IS_HKDF( alg ) ) if( PSA_ALG_IS_HKDF( alg ) )
{ {
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( psa_set_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_set_capacity( &operation,
requested_capacity ) ); requested_capacity ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_SALT, PSA_KEY_DERIVATION_INPUT_SALT,
salt->x, salt->len ) ); salt->x, salt->len ) );
PSA_ASSERT( psa_key_derivation_input_key( &generator, PSA_ASSERT( psa_key_derivation_input_key( &operation,
PSA_KDF_STEP_SECRET, PSA_KEY_DERIVATION_INPUT_SECRET,
handle ) ); handle ) );
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_INFO, PSA_KEY_DERIVATION_INPUT_INFO,
label->x, label->len ) ); label->x, label->len ) );
} }
else else
{ {
// legacy // legacy
PSA_ASSERT( psa_key_derivation( &generator, handle, alg, PSA_ASSERT( psa_key_derivation( &operation, handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
requested_capacity ) ); requested_capacity ) );
} }
PSA_ASSERT( psa_get_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_get_capacity( &operation,
&current_capacity ) ); &current_capacity ) );
TEST_EQUAL( current_capacity, expected_capacity ); TEST_EQUAL( current_capacity, expected_capacity );
/* Expansion phase. */ /* Expansion phase. */
@ -4311,23 +4314,23 @@ void derive_full( int alg_arg,
size_t read_size = sizeof( output_buffer ); size_t read_size = sizeof( output_buffer );
if( read_size > current_capacity ) if( read_size > current_capacity )
read_size = current_capacity; read_size = current_capacity;
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output_buffer, output_buffer,
read_size ) ); read_size ) );
expected_capacity -= read_size; expected_capacity -= read_size;
PSA_ASSERT( psa_get_generator_capacity( &generator, PSA_ASSERT( psa_key_derivation_get_capacity( &operation,
&current_capacity ) ); &current_capacity ) );
TEST_EQUAL( current_capacity, expected_capacity ); TEST_EQUAL( current_capacity, expected_capacity );
} }
/* Check that the generator refuses to go over capacity. */ /* Check that the operation refuses to go over capacity. */
TEST_EQUAL( psa_generator_read( &generator, output_buffer, 1 ), TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output_buffer, 1 ),
PSA_ERROR_INSUFFICIENT_DATA ); PSA_ERROR_INSUFFICIENT_DATA );
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( handle ); psa_destroy_key( handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -4351,7 +4354,7 @@ void derive_key_exercise( int alg_arg,
psa_key_usage_t derived_usage = derived_usage_arg; psa_key_usage_t derived_usage = derived_usage_arg;
psa_algorithm_t derived_alg = derived_alg_arg; psa_algorithm_t derived_alg = derived_alg_arg;
size_t capacity = PSA_BITS_TO_BYTES( derived_bits ); size_t capacity = PSA_BITS_TO_BYTES( derived_bits );
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t got_attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -4364,7 +4367,7 @@ void derive_key_exercise( int alg_arg,
&base_handle ) ); &base_handle ) );
/* Derive a key. */ /* Derive a key. */
PSA_ASSERT( psa_key_derivation( &generator, base_handle, alg, PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
capacity ) ); capacity ) );
@ -4372,8 +4375,8 @@ void derive_key_exercise( int alg_arg,
psa_set_key_algorithm( &attributes, derived_alg ); psa_set_key_algorithm( &attributes, derived_alg );
psa_set_key_type( &attributes, derived_type ); psa_set_key_type( &attributes, derived_type );
psa_set_key_bits( &attributes, derived_bits ); psa_set_key_bits( &attributes, derived_bits );
PSA_ASSERT( psa_generate_derived_key( &attributes, &generator, PSA_ASSERT( psa_key_derivation_output_key( &attributes, &operation,
&derived_handle ) ); &derived_handle ) );
/* Test the key information */ /* Test the key information */
PSA_ASSERT( psa_get_key_attributes( derived_handle, &got_attributes ) ); PSA_ASSERT( psa_get_key_attributes( derived_handle, &got_attributes ) );
@ -4385,7 +4388,7 @@ void derive_key_exercise( int alg_arg,
goto exit; goto exit;
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_reset_key_attributes( &got_attributes ); psa_reset_key_attributes( &got_attributes );
psa_destroy_key( base_handle ); psa_destroy_key( base_handle );
psa_destroy_key( derived_handle ); psa_destroy_key( derived_handle );
@ -4407,7 +4410,7 @@ void derive_key_export( int alg_arg,
size_t bytes1 = bytes1_arg; size_t bytes1 = bytes1_arg;
size_t bytes2 = bytes2_arg; size_t bytes2 = bytes2_arg;
size_t capacity = bytes1 + bytes2; size_t capacity = bytes1 + bytes2;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
uint8_t *output_buffer = NULL; uint8_t *output_buffer = NULL;
uint8_t *export_buffer = NULL; uint8_t *export_buffer = NULL;
psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t base_attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -4425,17 +4428,17 @@ void derive_key_export( int alg_arg,
&base_handle ) ); &base_handle ) );
/* Derive some material and output it. */ /* Derive some material and output it. */
PSA_ASSERT( psa_key_derivation( &generator, base_handle, alg, PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
capacity ) ); capacity ) );
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output_buffer, output_buffer,
capacity ) ); capacity ) );
PSA_ASSERT( psa_generator_abort( &generator ) ); PSA_ASSERT( psa_key_derivation_abort( &operation ) );
/* Derive the same output again, but this time store it in key objects. */ /* Derive the same output again, but this time store it in key objects. */
PSA_ASSERT( psa_key_derivation( &generator, base_handle, alg, PSA_ASSERT( psa_key_derivation( &operation, base_handle, alg,
salt->x, salt->len, salt->x, salt->len,
label->x, label->len, label->x, label->len,
capacity ) ); capacity ) );
@ -4443,16 +4446,16 @@ void derive_key_export( int alg_arg,
psa_set_key_algorithm( &derived_attributes, 0 ); psa_set_key_algorithm( &derived_attributes, 0 );
psa_set_key_type( &derived_attributes, PSA_KEY_TYPE_RAW_DATA ); psa_set_key_type( &derived_attributes, PSA_KEY_TYPE_RAW_DATA );
psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes1 ) ); psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes1 ) );
PSA_ASSERT( psa_generate_derived_key( &derived_attributes, &generator, PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation,
&derived_handle ) ); &derived_handle ) );
PSA_ASSERT( psa_export_key( derived_handle, PSA_ASSERT( psa_export_key( derived_handle,
export_buffer, bytes1, export_buffer, bytes1,
&length ) ); &length ) );
TEST_EQUAL( length, bytes1 ); TEST_EQUAL( length, bytes1 );
PSA_ASSERT( psa_destroy_key( derived_handle ) ); PSA_ASSERT( psa_destroy_key( derived_handle ) );
psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes2 ) ); psa_set_key_bits( &derived_attributes, PSA_BYTES_TO_BITS( bytes2 ) );
PSA_ASSERT( psa_generate_derived_key( &derived_attributes, &generator, PSA_ASSERT( psa_key_derivation_output_key( &derived_attributes, &operation,
&derived_handle ) ); &derived_handle ) );
PSA_ASSERT( psa_export_key( derived_handle, PSA_ASSERT( psa_export_key( derived_handle,
export_buffer + bytes1, bytes2, export_buffer + bytes1, bytes2,
&length ) ); &length ) );
@ -4465,7 +4468,7 @@ void derive_key_export( int alg_arg,
exit: exit:
mbedtls_free( output_buffer ); mbedtls_free( output_buffer );
mbedtls_free( export_buffer ); mbedtls_free( export_buffer );
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( base_handle ); psa_destroy_key( base_handle );
psa_destroy_key( derived_handle ); psa_destroy_key( derived_handle );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
@ -4481,7 +4484,7 @@ void key_agreement_setup( int alg_arg,
psa_key_handle_t our_key = 0; psa_key_handle_t our_key = 0;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
psa_key_type_t our_key_type = our_key_type_arg; psa_key_type_t our_key_type = our_key_type_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_status_t expected_status = expected_status_arg; psa_status_t expected_status = expected_status_arg;
psa_status_t status; psa_status_t status;
@ -4499,12 +4502,13 @@ void key_agreement_setup( int alg_arg,
* Test cases that fail at the setup step should be changed to call * Test cases that fail at the setup step should be changed to call
* key_derivation_setup instead, and this function should be renamed * key_derivation_setup instead, and this function should be renamed
* to key_agreement_fail. */ * to key_agreement_fail. */
status = psa_key_derivation_setup( &generator, alg ); status = psa_key_derivation_setup( &operation, alg );
if( status == PSA_SUCCESS ) if( status == PSA_SUCCESS )
{ {
TEST_EQUAL( psa_key_agreement( &generator, PSA_KDF_STEP_SECRET, TEST_EQUAL( psa_key_derivation_key_agreement(
our_key, &operation, PSA_KEY_DERIVATION_INPUT_SECRET,
peer_key_data->x, peer_key_data->len ), our_key,
peer_key_data->x, peer_key_data->len ),
expected_status ); expected_status );
} }
else else
@ -4513,7 +4517,7 @@ void key_agreement_setup( int alg_arg,
} }
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( our_key ); psa_destroy_key( our_key );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -4542,10 +4546,10 @@ void raw_key_agreement( int alg_arg,
our_key_data->x, our_key_data->len, our_key_data->x, our_key_data->len,
&our_key ) ); &our_key ) );
PSA_ASSERT( psa_key_agreement_raw_shared_secret( PSA_ASSERT( psa_raw_key_agreement( alg, our_key,
alg, our_key, peer_key_data->x, peer_key_data->len,
peer_key_data->x, peer_key_data->len, output, expected_output->len,
output, expected_output->len, &output_length ) ); &output_length ) );
ASSERT_COMPARE( output, output_length, ASSERT_COMPARE( output, output_length,
expected_output->x, expected_output->len ); expected_output->x, expected_output->len );
@ -4565,7 +4569,7 @@ void key_agreement_capacity( int alg_arg,
psa_key_handle_t our_key = 0; psa_key_handle_t our_key = 0;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
psa_key_type_t our_key_type = our_key_type_arg; psa_key_type_t our_key_type = our_key_type_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
size_t actual_capacity; size_t actual_capacity;
unsigned char output[16]; unsigned char output[16];
@ -4579,37 +4583,38 @@ void key_agreement_capacity( int alg_arg,
our_key_data->x, our_key_data->len, our_key_data->x, our_key_data->len,
&our_key ) ); &our_key ) );
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( psa_key_agreement( &generator, PSA_KDF_STEP_SECRET, PSA_ASSERT( psa_key_derivation_key_agreement(
our_key, &operation,
peer_key_data->x, peer_key_data->len ) ); PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
peer_key_data->x, peer_key_data->len ) );
if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) )
{ {
/* The test data is for info="" */ /* The test data is for info="" */
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_INFO, PSA_KEY_DERIVATION_INPUT_INFO,
NULL, 0 ) ); NULL, 0 ) );
} }
/* Test the advertized capacity. */ /* Test the advertized capacity. */
PSA_ASSERT( psa_get_generator_capacity( PSA_ASSERT( psa_key_derivation_get_capacity(
&generator, &actual_capacity ) ); &operation, &actual_capacity ) );
TEST_EQUAL( actual_capacity, (size_t) expected_capacity_arg ); TEST_EQUAL( actual_capacity, (size_t) expected_capacity_arg );
/* Test the actual capacity by reading the output. */ /* Test the actual capacity by reading the output. */
while( actual_capacity > sizeof( output ) ) while( actual_capacity > sizeof( output ) )
{ {
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output, sizeof( output ) ) ); output, sizeof( output ) ) );
actual_capacity -= sizeof( output ); actual_capacity -= sizeof( output );
} }
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
output, actual_capacity ) ); output, actual_capacity ) );
TEST_EQUAL( psa_generator_read( &generator, output, 1 ), TEST_EQUAL( psa_key_derivation_output_bytes( &operation, output, 1 ),
PSA_ERROR_INSUFFICIENT_DATA ); PSA_ERROR_INSUFFICIENT_DATA );
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( our_key ); psa_destroy_key( our_key );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
} }
@ -4624,7 +4629,7 @@ void key_agreement_output( int alg_arg,
psa_key_handle_t our_key = 0; psa_key_handle_t our_key = 0;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
psa_key_type_t our_key_type = our_key_type_arg; psa_key_type_t our_key_type = our_key_type_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
uint8_t *actual_output = NULL; uint8_t *actual_output = NULL;
@ -4640,34 +4645,35 @@ void key_agreement_output( int alg_arg,
our_key_data->x, our_key_data->len, our_key_data->x, our_key_data->len,
&our_key ) ); &our_key ) );
PSA_ASSERT( psa_key_derivation_setup( &generator, alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, alg ) );
PSA_ASSERT( psa_key_agreement( &generator, PSA_KDF_STEP_SECRET, PSA_ASSERT( psa_key_derivation_key_agreement(
our_key, &operation,
peer_key_data->x, peer_key_data->len ) ); PSA_KEY_DERIVATION_INPUT_SECRET, our_key,
peer_key_data->x, peer_key_data->len ) );
if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) ) if( PSA_ALG_IS_HKDF( PSA_ALG_KEY_AGREEMENT_GET_KDF( alg ) ) )
{ {
/* The test data is for info="" */ /* The test data is for info="" */
PSA_ASSERT( psa_key_derivation_input_bytes( &generator, PSA_ASSERT( psa_key_derivation_input_bytes( &operation,
PSA_KDF_STEP_INFO, PSA_KEY_DERIVATION_INPUT_INFO,
NULL, 0 ) ); NULL, 0 ) );
} }
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
actual_output, actual_output,
expected_output1->len ) ); expected_output1->len ) );
ASSERT_COMPARE( actual_output, expected_output1->len, ASSERT_COMPARE( actual_output, expected_output1->len,
expected_output1->x, expected_output1->len ); expected_output1->x, expected_output1->len );
if( expected_output2->len != 0 ) if( expected_output2->len != 0 )
{ {
PSA_ASSERT( psa_generator_read( &generator, PSA_ASSERT( psa_key_derivation_output_bytes( &operation,
actual_output, actual_output,
expected_output2->len ) ); expected_output2->len ) );
ASSERT_COMPARE( actual_output, expected_output2->len, ASSERT_COMPARE( actual_output, expected_output2->len,
expected_output2->x, expected_output2->len ); expected_output2->x, expected_output2->len );
} }
exit: exit:
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( our_key ); psa_destroy_key( our_key );
mbedtls_psa_crypto_free( ); mbedtls_psa_crypto_free( );
mbedtls_free( actual_output ); mbedtls_free( actual_output );
@ -4842,8 +4848,8 @@ void generate_key_rsa( int bits_arg,
* publicExponent INTEGER } -- e * publicExponent INTEGER } -- e
*/ */
TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_SEQUENCE | MBEDTLS_ASN1_SEQUENCE |
MBEDTLS_ASN1_CONSTRUCTED ) ); MBEDTLS_ASN1_CONSTRUCTED ) );
TEST_ASSERT( asn1_skip_integer( &p, end, bits, bits, 1 ) ); TEST_ASSERT( asn1_skip_integer( &p, end, bits, bits, 1 ) );
TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len, TEST_EQUAL( 0, mbedtls_asn1_get_tag( &p, end, &len,
MBEDTLS_ASN1_INTEGER ) ); MBEDTLS_ASN1_INTEGER ) );
@ -4886,7 +4892,7 @@ void persistent_key_load_key_from_storage( data_t *data,
size_t bits = bits_arg; size_t bits = bits_arg;
psa_key_usage_t usage_flags = usage_flags_arg; psa_key_usage_t usage_flags = usage_flags_arg;
psa_algorithm_t alg = alg_arg; psa_algorithm_t alg = alg_arg;
psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT; psa_key_derivation_operation_t operation = PSA_KEY_DERIVATION_OPERATION_INIT;
unsigned char *first_export = NULL; unsigned char *first_export = NULL;
unsigned char *second_export = NULL; unsigned char *second_export = NULL;
size_t export_size = PSA_KEY_EXPORT_MAX_SIZE( type, bits ); size_t export_size = PSA_KEY_EXPORT_MAX_SIZE( type, bits );
@ -4933,20 +4939,21 @@ void persistent_key_load_key_from_storage( data_t *data,
data->x, data->len, data->x, data->len,
&base_key ) ); &base_key ) );
/* Derive a key. */ /* Derive a key. */
PSA_ASSERT( psa_key_derivation_setup( &generator, derive_alg ) ); PSA_ASSERT( psa_key_derivation_setup( &operation, derive_alg ) );
PSA_ASSERT( psa_key_derivation_input_key( &generator, PSA_ASSERT( psa_key_derivation_input_key(
PSA_KDF_STEP_SECRET, &operation,
base_key ) ); PSA_KEY_DERIVATION_INPUT_SECRET, base_key ) );
PSA_ASSERT( psa_key_derivation_input_bytes( PSA_ASSERT( psa_key_derivation_input_bytes(
&generator, PSA_KDF_STEP_INFO, &operation, PSA_KEY_DERIVATION_INPUT_INFO,
NULL, 0 ) ); NULL, 0 ) );
PSA_ASSERT( psa_generate_derived_key( &attributes, &generator, PSA_ASSERT( psa_key_derivation_output_key( &attributes,
&handle ) ); &operation,
PSA_ASSERT( psa_generator_abort( &generator ) ); &handle ) );
PSA_ASSERT( psa_key_derivation_abort( &operation ) );
PSA_ASSERT( psa_destroy_key( base_key ) ); PSA_ASSERT( psa_destroy_key( base_key ) );
base_key = 0; base_key = 0;
} }
break; break;
} }
psa_reset_key_attributes( &attributes ); psa_reset_key_attributes( &attributes );
@ -4994,7 +5001,7 @@ exit:
psa_reset_key_attributes( &attributes ); psa_reset_key_attributes( &attributes );
mbedtls_free( first_export ); mbedtls_free( first_export );
mbedtls_free( second_export ); mbedtls_free( second_export );
psa_generator_abort( &generator ); psa_key_derivation_abort( &operation );
psa_destroy_key( base_key ); psa_destroy_key( base_key );
if( handle == 0 ) if( handle == 0 )
{ {