generate/derive key ext: pass method_data_length rather than method_length

Instead of passing the size of the whole structure, just pass the data length and let the implementation worry about adding the size of the structure. The intent with passing the structure size was to allow the client code in a client-server implementation to know nothing about the structure and just copy the bytes to the server. But that was not really a useful consideration since the application has to know the structure layout, so it has to be available in the client implementation's headers. Passing the method data length makes life simpler for everyone by not having to worry about possible padding at the end of the structure, and removes a potential error condition (method_length < sizeof(psa_key_generation_method_t)). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-07-29 11:41:15 +03:00 · 2024-02-14 20:51:28 +01:00
parent 7a18f9645c
commit c81393b2ed
7 changed files with 56 additions and 95 deletions
--- a/include/psa/crypto.h
+++ b/include/psa/crypto.h
@ -3704,8 +3704,7 @@ psa_status_t psa_key_derivation_output_bytes(
 * \note This function is equivalent to calling
 *       psa_key_derivation_output_key_ext()
 *       with the method #PSA_KEY_GENERATION_METHOD_INIT and
- *       `method_length == sizeof(psa_key_generation_method_t)`
- *       (i.e. `method->flags == 0` and `method->data` is empty).
+ *       `method_data_length == 0` (i.e. `method->data` is empty).
 *
 * \param[in] attributes    The attributes for the new key.
 *                          If the key type to be created is
@ -3777,17 +3776,14 @@ psa_status_t psa_key_derivation_output_key(
 * \param[in,out] operation The key derivation operation object to read from.
 * \param[in] method        Customization parameters for the key generation.
 *                          When this is #PSA_KEY_GENERATION_METHOD_INIT
- *                          with \p method_length =
- *                          `sizeof(psa_key_generation_method_t)`,
+ *                          with \p method_data_length = 0,
 *                          this function is equivalent to
 *                          psa_key_derivation_output_key().
 *                          Mbed TLS currently only supports the default
 *                          method, i.e. #PSA_KEY_GENERATION_METHOD_INIT,
 *                          for all key types.
- * \param method_length     Length of \p method in bytes.
- *                          This must be
- *                          `sizeof(psa_key_generation_method_t) + n`
- *                          where `n` is the size of `method->data` in bytes.
+ * \param method_data_length
+ *                          Length of `method.data` in bytes.
 * \param[out] key          On success, an identifier for the newly created
 *                          key. For persistent keys, this is the key
 *                          identifier defined in \p attributes.
@ -3834,7 +3830,7 @@ psa_status_t psa_key_derivation_output_key_ext(
    const psa_key_attributes_t *attributes,
    psa_key_derivation_operation_t *operation,
    const psa_key_generation_method_t *method,
-    size_t method_length,
+    size_t method_data_length,
    mbedtls_svc_key_id_t *key);

 /** Compare output data from a key derivation operation to an expected value.
@ -4093,8 +4089,7 @@ psa_status_t psa_generate_random(uint8_t *output,
 *
 * \note This function is equivalent to calling psa_generate_key_ext()
 *       with the method #PSA_KEY_GENERATION_METHOD_INIT and
- *       `method_length == sizeof(psa_key_generation_method_t)`
- *       (i.e. `method->flags == 0` and `method->data` is empty).
+ *       `method_data_length == 0` (i.e. `method->data` is empty).
 *
 * \param[in] attributes    The attributes for the new key.
 * \param[out] key          On success, an identifier for the newly created
@ -4144,14 +4139,11 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
 * \param[in] attributes    The attributes for the new key.
 * \param[in] method        Customization parameters for the key generation.
 *                          When this is #PSA_KEY_GENERATION_METHOD_INIT
- *                          with \p method_length =
- *                          `sizeof(psa_key_generation_method_t)`,
+ *                          with \p method_data_length = 0,
 *                          this function is equivalent to
 *                          psa_key_derivation_output_key().
- * \param method_length     Length of \p method in bytes.
- *                          This must be
- *                          `sizeof(psa_key_generation_method_t) + n`
- *                          where `n` is the size of `method->data` in bytes.
+ * \param method_data_length
+ *                          Length of `method.data` in bytes.
 * \param[out] key          On success, an identifier for the newly created
 *                          key. For persistent keys, this is the key
 *                          identifier defined in \p attributes.
@ -4182,7 +4174,7 @@ psa_status_t psa_generate_key(const psa_key_attributes_t *attributes,
 */
 psa_status_t psa_generate_key_ext(const psa_key_attributes_t *attributes,
                                  const psa_key_generation_method_t *method,
-                                  size_t method_length,
+                                  size_t method_data_length,
                                  mbedtls_svc_key_id_t *key);

 /**@}*/
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@ -233,7 +233,7 @@ struct psa_key_generation_method_s {
 *
 * Calling psa_generate_key_ext() or psa_key_derivation_output_key_ext()
 * with `method=PSA_KEY_GENERATION_METHOD_INIT` and
- * `method_length=sizeof(psa_key_generation_method_t)` is equivalent to
+ * `method_data_length == 0` is equivalent to
 * calling psa_generate_key() or psa_key_derivation_output_key()
 * respectively.
 */