lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-29 11:41:15 +03:00
Code Activity

Define handles as key identifiers

Browse Source 
Define psa_key_handle_t to be equal to
mbedtls_svc_key_id_t. Make the handle of a persistent
key be equal to its key identifier. For volatile keys,
make the key handle equal to the volatile key
identifier of the created volatile key.

The unit tests are modified just to make them compile
not to make them run successfully. They are fixed in
the subsequent commits.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2020-07-31 11:26:37 +02:00
parent 47a85614ed
commit c4d1b514ab
10 changed files with 209 additions and 103 deletions
Download Patch File Download Diff File Expand all files Collapse all files

18
library/psa_crypto.c
View File

@ -1861,7 +1861,7 @@ static psa_status_t psa_start_key_creation(
if( status != PSA_SUCCESS )
return( status );
status = psa_get_empty_key_slot( handle, &volatile_key_id, p_slot );
status = psa_get_empty_key_slot( &volatile_key_id, p_slot );
if( status != PSA_SUCCESS )
return( status );
slot = *p_slot;
@ -1870,9 +1870,19 @@ static psa_status_t psa_start_key_creation(
* creation mechanism to verify that this information is correct.
* It's automatically correct for mechanisms that use the bit-size as
* an input (generate, device) but not for those where the bit-size
* is optional (import, copy). */
* is optional (import, copy). In case of a volatile key, assign it the
* volatile key identifier associated to the slot returned to contain its
* definition. */
slot->attr = attributes->core;
if( PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) )
{
#if !defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER)
slot->attr.id = volatile_key_id;
#else
slot->attr.id.key_id = volatile_key_id;
#endif
}
/* Erase external-only flags from the internal copy. To access
* external-only flags, query `attributes`. Thanks to the check
@ -1928,7 +1938,9 @@ static psa_status_t psa_start_key_creation(
}
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
return( status );
*handle = slot->attr.id;
return( PSA_SUCCESS );
}
/** Finalize the creation of a key once its key material has been set.

118
library/psa_crypto_slot_management.c
View File

@ -64,36 +64,41 @@ psa_status_t psa_validate_key_id( mbedtls_svc_key_id_t key, int vendor_ok )
( key_id <= PSA_KEY_ID_VENDOR_MAX ) )
return( PSA_SUCCESS );
return( PSA_ERROR_INVALID_ARGUMENT );
return( PSA_ERROR_INVALID_HANDLE );
}
/* Access a key slot at the given handle. The handle of a key slot is
* the index of the slot in the global slot array, plus one so that handles
* start at 1 and not 0. */
psa_status_t psa_get_key_slot( psa_key_handle_t handle,
psa_key_slot_t **p_slot )
static psa_key_slot_t* psa_get_slot_from_volatile_key_id(
mbedtls_svc_key_id_t key )
{
psa_key_slot_t *slot = NULL;
psa_key_slot_t *slot;
psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key );
if( ! global_data.key_slots_initialized )
return( PSA_ERROR_BAD_STATE );
if( ( key_id < PSA_KEY_ID_VOLATILE_MIN ) ||
( key_id > PSA_KEY_ID_VOLATILE_MAX ) )
return( NULL );
/* 0 is not a valid handle under any circumstance. This
* implementation provides slots number 1 to N where N is the
* number of available slots. */
if( psa_key_handle_is_null( handle ) ||
( handle > ARRAY_LENGTH( global_data.key_slots ) ) )
return( PSA_ERROR_INVALID_HANDLE );
slot = &global_data.key_slots[handle - 1];
slot = &global_data.key_slots[ key_id - PSA_KEY_ID_VOLATILE_MIN ];
/* If the slot isn't occupied, the handle is invalid. */
if( ! psa_is_key_slot_occupied( slot ) )
return( PSA_ERROR_INVALID_HANDLE );
*p_slot = slot;
return( PSA_SUCCESS );
return( mbedtls_svc_key_id_equal( key, slot->attr.id ) ? slot : NULL );
}
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
static psa_key_slot_t* psa_get_slot_from_key_id(
mbedtls_svc_key_id_t key )
{
psa_key_slot_t *slot = &global_data.key_slots[ PSA_KEY_SLOT_COUNT ];
while( slot > &global_data.key_slots[ 0 ] )
{
slot--;
if( mbedtls_svc_key_id_equal( key, slot->attr.id ) )
return( slot );
}
return( NULL );
}
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
psa_status_t psa_initialize_key_slots( void )
{
/* Nothing to do: program startup and psa_wipe_all_key_slots() both
@ -115,8 +120,7 @@ void psa_wipe_all_key_slots( void )
global_data.key_slots_initialized = 0;
}
psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
psa_key_id_t *volatile_key_id,
psa_status_t psa_get_empty_key_slot( psa_key_id_t *volatile_key_id,
psa_key_slot_t **p_slot )
{
size_t slot_idx;
@ -129,7 +133,6 @@ psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
*p_slot = &global_data.key_slots[ slot_idx - 1 ];
if( ! psa_is_key_slot_occupied( *p_slot ) )
{
*handle = (psa_key_handle_t)slot_idx;
*volatile_key_id = PSA_KEY_ID_VOLATILE_MIN +
( (psa_key_id_t)slot_idx ) - 1;
@ -177,8 +180,50 @@ exit:
psa_free_persistent_key_data( key_data, key_data_length );
return( status );
}
#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */
psa_status_t psa_get_key_slot( mbedtls_svc_key_id_t key,
psa_key_slot_t **p_slot )
{
psa_status_t status = PSA_ERROR_GENERIC_ERROR;
*p_slot = NULL;
if( ! global_data.key_slots_initialized )
return( PSA_ERROR_BAD_STATE );
status = psa_validate_key_id( key, 1 );
if( status != PSA_SUCCESS )
return( status );
*p_slot = psa_get_slot_from_volatile_key_id( key );
if( *p_slot != NULL )
return( PSA_SUCCESS );
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
psa_key_id_t volatile_key_id;
*p_slot = psa_get_slot_from_key_id( key );
if( *p_slot != NULL )
return( PSA_SUCCESS );
status = psa_get_empty_key_slot( &volatile_key_id, p_slot );
if( status != PSA_SUCCESS )
return( status );
(*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
(*p_slot)->attr.id = key;
status = psa_load_persistent_key_into_slot( *p_slot );
if( status != PSA_SUCCESS )
psa_wipe_key_slot( *p_slot );
return( status );
#else
return( PSA_ERROR_DOES_NOT_EXIST );
#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
}
psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime,
psa_se_drv_table_entry_t **p_drv )
{
@ -226,29 +271,18 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
{
#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C)
psa_status_t status;
psa_key_id_t volatile_key_id;
psa_key_slot_t *slot;
*handle = 0;
status = psa_validate_key_id( key, 1 );
if( status != PSA_SUCCESS )
return( status );
status = psa_get_empty_key_slot( handle, &volatile_key_id, &slot );
if( status != PSA_SUCCESS )
return( status );
slot->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT;
slot->attr.id = key;
status = psa_load_persistent_key_into_slot( slot );
status = psa_get_key_slot( key, &slot );
if( status != PSA_SUCCESS )
{
psa_wipe_key_slot( slot );
*handle = PSA_KEY_HANDLE_INIT;
return( status );
}
return( status );
*handle = key;
return( PSA_SUCCESS );
#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
(void) key;

43
library/psa_crypto_slot_management.h
View File

@ -22,6 +22,7 @@
#define PSA_CRYPTO_SLOT_MANAGEMENT_H
#include "psa/crypto.h"
#include "psa_crypto_core.h"
#include "psa_crypto_se.h"
/* Number of key slots (plus one because 0 is not used).
@ -45,21 +46,38 @@
*/
#define PSA_KEY_ID_VOLATILE_MAX PSA_KEY_ID_VENDOR_MAX
/** Access a key slot at the given handle.
/** Retrieve the description of a key given its identifier.
*
* \param handle Key handle to query.
* The descriptions of volatile keys and loaded persistent keys are
* stored in key slots. This function returns a pointer to the key slot
* containing the description of a key given its identifier.
*
* In case of a persistent key, the function loads the description of the key
* into a key slot if not already done.
*
* \param key Key identifier to query.
* \param[out] p_slot On success, `*p_slot` contains a pointer to the
* key slot in memory designated by \p handle.
* key slot containing the description of the key
* identified by \p key.
*
* \retval PSA_SUCCESS
* Success: \p handle is a handle to `*p_slot`. Note that `*p_slot`
* may be empty or occupied.
* \retval PSA_ERROR_INVALID_HANDLE
* \p handle is out of range or is not in use.
* \retval PSA_ERROR_BAD_STATE
* \retval #PSA_SUCCESS
* The pointer to the key slot containing the description of the key
* identified by \p key was returned.
* \retval #PSA_ERROR_BAD_STATE
* The library has not been initialized.
* \retval #PSA_ERROR_INVALID_HANDLE
* \p key is not a valid key identifier.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \p key is a persistent key identifier. The implementation does not
* have sufficient resources to load the persistent key. This can be
* due to a lack of empty key slot, or available memory.
* \retval #PSA_ERROR_DOES_NOT_EXIST
* There is no key with key identifier \p key.
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_STORAGE_FAILURE
* \retval #PSA_ERROR_DATA_CORRUPT
*/
psa_status_t psa_get_key_slot( psa_key_handle_t handle,
psa_status_t psa_get_key_slot( mbedtls_svc_key_id_t key,
psa_key_slot_t **p_slot );
/** Initialize the key slot structures.
@ -79,8 +97,6 @@ void psa_wipe_all_key_slots( void );
* This function returns a key slot that is available for use and is in its
* ground state (all-bits-zero).
*
* \param[out] handle On success, a slot number that can be used
* as a handle to the slot.
* \param[out] volatile_key_id On success, volatile key identifier
* associated to the returned slot.
* \param[out] p_slot On success, a pointer to the slot.
@ -89,8 +105,7 @@ void psa_wipe_all_key_slots( void );
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* \retval #PSA_ERROR_BAD_STATE
*/
psa_status_t psa_get_empty_key_slot( psa_key_handle_t *handle,
psa_key_id_t *volatile_key_id,
psa_status_t psa_get_empty_key_slot( psa_key_id_t *volatile_key_id,
psa_key_slot_t **p_slot );
/** Test whether a lifetime designates a key in an external cryptoprocessor.