Merge remote-tracking branch 'origin/development' into sha3-updated
diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h
index 5c2c843..e7f3131 100644
--- a/include/mbedtls/bignum.h
+++ b/include/mbedtls/bignum.h
@@ -594,6 +594,8 @@
* \brief Perform a left-shift on an MPI: X <<= count
*
* \param X The MPI to shift. This must point to an initialized MPI.
+ * The MPI pointed by \p X may be resized to fit
+ * the resulting number.
* \param count The number of bits to shift by.
*
* \return \c 0 if successful.
diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h
index ba5844f..c2c9dc9 100644
--- a/include/mbedtls/build_info.h
+++ b/include/mbedtls/build_info.h
@@ -87,6 +87,18 @@
#define MBEDTLS_MD_C
#endif
+/* PSA crypto specific configuration options
+ * - If config_psa.h reads a configuration option in preprocessor directive,
+ * this symbol should be set before its inclusion. (e.g. MBEDTLS_MD_C)
+ * - If config_psa.h writes a configuration option in conditional directive,
+ * this symbol should be consulted after its inclusion.
+ * (e.g. MBEDTLS_MD_LIGHT)
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
+ defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
+#include "mbedtls/config_psa.h"
+#endif
+
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
*/
@@ -100,8 +112,12 @@
#if defined(MBEDTLS_ECJPAKE_C) || \
defined(MBEDTLS_PEM_PARSE_C) || \
defined(MBEDTLS_ENTROPY_C) || \
+ defined(MBEDTLS_PK_C) || \
defined(MBEDTLS_PKCS12_C) || \
- defined(MBEDTLS_RSA_C)
+ defined(MBEDTLS_RSA_C) || \
+ defined(MBEDTLS_SSL_TLS_C) || \
+ defined(MBEDTLS_X509_USE_C) || \
+ defined(MBEDTLS_X509_CREATE_C)
#define MBEDTLS_MD_LIGHT
#endif
@@ -185,11 +201,6 @@
/* Make sure all configuration symbols are set before including check_config.h,
* even the ones that are calculated programmatically. */
-#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /* PSA_WANT_xxx influences MBEDTLS_xxx */ || \
- defined(MBEDTLS_PSA_CRYPTO_C) /* MBEDTLS_xxx influences PSA_WANT_xxx */
-#include "mbedtls/config_psa.h"
-#endif
-
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_BUILD_INFO_H */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
index 20d4358..3a2f06e 100644
--- a/include/mbedtls/config_psa.h
+++ b/include/mbedtls/config_psa.h
@@ -148,6 +148,13 @@
#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */
#endif /* PSA_WANT_ALG_ECDSA */
+#if defined(PSA_WANT_ALG_FFDH)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
+#endif /* PSA_WANT_ALG_FFDH */
+
#if defined(PSA_WANT_ALG_HKDF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
@@ -261,6 +268,15 @@
#define MBEDTLS_SHA512_C
#endif
+#if defined(PSA_WANT_ALG_PBKDF2_HMAC)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
+#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */
+#endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
+#endif /* PSA_WANT_ALG_PBKDF2_HMAC */
+
#if defined(PSA_WANT_ALG_TLS12_PRF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)
#define MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF 1
@@ -287,6 +303,13 @@
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR */
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR */
+#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR */
+#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR */
+
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
@@ -295,6 +318,13 @@
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY */
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
+#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
+#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#define MBEDTLS_BIGNUM_C
+#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
+#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
+
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR)
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR)
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR 1
@@ -651,6 +681,16 @@
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
#endif /* MBEDTLS_ECP_C */
+#if defined(MBEDTLS_DHM_C)
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
+#define PSA_WANT_ALG_FFDH 1
+#define PSA_WANT_DH_FAMILY_RFC7919 1
+#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR 1
+#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
+#endif /* MBEDTLS_DHM_C */
+
#if defined(MBEDTLS_GCM_C)
#define MBEDTLS_PSA_BUILTIN_ALG_GCM 1
#define PSA_WANT_ALG_GCM 1
@@ -877,6 +917,10 @@
#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+#if defined(PSA_WANT_ALG_JPAKE)
+#define PSA_WANT_ALG_SOME_PAKE 1
+#endif
+
/* These features are always enabled. */
#define PSA_WANT_KEY_TYPE_DERIVE 1
#define PSA_WANT_KEY_TYPE_PASSWORD 1
diff --git a/include/mbedtls/md.h b/include/mbedtls/md.h
index a142903..d72b7fc 100644
--- a/include/mbedtls/md.h
+++ b/include/mbedtls/md.h
@@ -112,6 +112,9 @@
#define MBEDTLS_MD_CAN_SHA512
#define MBEDTLS_MD_SOME_LEGACY
#endif
+#if defined(MBEDTLS_SHA3_C)
+#define MBEDTLS_MD_CAN_SHA3
+#endif
#if defined(MBEDTLS_RIPEMD160_C)
#define MBEDTLS_MD_CAN_RIPEMD160
#define MBEDTLS_MD_SOME_LEGACY
@@ -155,6 +158,16 @@
MBEDTLS_MD_SHA3_512, /**< The SHA3-512 message digest. */
} mbedtls_md_type_t;
+/* Note: this should always be >= PSA_HASH_MAX_SIZE
+ * in all builds with both CRYPTO_C and MD_LIGHT.
+ *
+ * This is to make things easier for modules such as TLS that may define a
+ * buffer size using MD_MAX_SIZE in a part of the code that's common to PSA
+ * and legacy, then assume the buffer's size is PSA_HASH_MAX_SIZE in another
+ * part of the code based on PSA.
+ *
+ * Currently both macros have the same value, avoiding such issues.
+ */
#if defined(MBEDTLS_MD_CAN_SHA512) || defined(MBEDTLS_SHA3_C)
#define MBEDTLS_MD_MAX_SIZE 64 /* longest known is SHA512 */
#elif defined(MBEDTLS_MD_CAN_SHA384)
@@ -168,7 +181,7 @@
or smaller (MD5 and earlier) */
#endif
-#if defined(MBEDTLS_SHA3_C)
+#if defined(MBEDTLS_MD_CAN_SHA3)
#define MBEDTLS_MD_MAX_BLOCK_SIZE 144 /* the longest known is SHA3-224 */
#elif defined(MBEDTLS_MD_CAN_SHA512)
#define MBEDTLS_MD_MAX_BLOCK_SIZE 128
@@ -317,6 +330,20 @@
unsigned char mbedtls_md_get_size(const mbedtls_md_info_t *md_info);
/**
+ * \brief This function gives the message-digest size associated to
+ * message-digest type.
+ *
+ * \param md_type The message-digest type.
+ *
+ * \return The size of the message-digest output in Bytes,
+ * or 0 if the message-digest type is not known.
+ */
+static inline unsigned char mbedtls_md_get_size_from_type(mbedtls_md_type_t md_type)
+{
+ return mbedtls_md_get_size(mbedtls_md_info_from_type(md_type));
+}
+
+/**
* \brief This function extracts the message-digest type from the
* message-digest information structure.
*
diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h
index 1cbf968..ec36748 100644
--- a/include/mbedtls/oid.h
+++ b/include/mbedtls/oid.h
@@ -64,6 +64,11 @@
#define MBEDTLS_OID_X509_EXT_NS_CERT_TYPE (1 << 16)
/*
+ * Maximum number of OID components allowed
+ */
+#define MBEDTLS_OID_MAX_COMPONENTS 128
+
+/*
* Top level OID tuples
*/
#define MBEDTLS_OID_ISO_MEMBER_BODIES "\x2a" /* {iso(1) member-body(2)} */
@@ -479,6 +484,25 @@
int mbedtls_oid_get_numeric_string(char *buf, size_t size, const mbedtls_asn1_buf *oid);
/**
+ * \brief Translate a string containing a dotted-decimal
+ * representation of an ASN.1 OID into its encoded form
+ * (e.g. "1.2.840.113549" into "\x2A\x86\x48\x86\xF7\x0D").
+ * On success, this function allocates oid->buf from the
+ * heap. It must be freed by the caller using mbedtls_free().
+ *
+ * \param oid #mbedtls_asn1_buf to populate with the DER-encoded OID
+ * \param oid_str string representation of the OID to parse
+ * \param size length of the OID string, not including any null terminator
+ *
+ * \return 0 if successful
+ * \return #MBEDTLS_ERR_ASN1_INVALID_DATA if \p oid_str does not
+ * represent a valid OID
+ * \return #MBEDTLS_ERR_ASN1_ALLOC_FAILED if the function fails to
+ * allocate oid->buf
+ */
+int mbedtls_oid_from_numeric_string(mbedtls_asn1_buf *oid, const char *oid_str, size_t size);
+
+/**
* \brief Translate an X.509 extension OID into local values
*
* \param oid OID to use
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index c579661..ec99c84 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -40,7 +40,7 @@
#include "mbedtls/ecdsa.h"
#endif
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h"
#endif
@@ -202,6 +202,27 @@
#define MBEDTLS_PK_CAN_ECDH
#endif
+/* Internal helper to define which fields in the pk_context structure below
+ * should be used for EC keys: legacy ecp_keypair or the raw (PSA friendly)
+ * format. It should be noticed that this only affect how data is stored, not
+ * which functions are used for various operations. The overall picture looks
+ * like this:
+ * - if ECP_C is defined then use legacy functions
+ * - if USE_PSA is defined and
+ * - if ECP_C then use ecp_keypair structure, convert data to a PSA friendly
+ * format and use PSA functions
+ * - if !ECP_C then use new raw data and PSA functions directly.
+ *
+ * The main reason for the "intermediate" (USE_PSA + ECP_C) above is that as long
+ * as ECP_C is defined mbedtls_pk_ec() gives the user a read/write access to the
+ * ecp_keypair structure inside the pk_context so he/she can modify it using
+ * ECP functions which are not under PK module's control.
+ */
+#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_ECP_C) && \
+ defined(MBEDTLS_ECP_LIGHT)
+#define MBEDTLS_PK_USE_PSA_EC_DATA
+#endif /* MBEDTLS_USE_PSA_CRYPTO && !MBEDTLS_ECP_C */
+
/**
* \brief Types for interfacing with the debug module
*/
@@ -209,6 +230,7 @@
MBEDTLS_PK_DEBUG_NONE = 0,
MBEDTLS_PK_DEBUG_MPI,
MBEDTLS_PK_DEBUG_ECP,
+ MBEDTLS_PK_DEBUG_PSA_EC,
} mbedtls_pk_debug_type;
/**
@@ -232,12 +254,59 @@
*/
typedef struct mbedtls_pk_info_t mbedtls_pk_info_t;
+#define MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)
/**
* \brief Public key container
*/
typedef struct mbedtls_pk_context {
const mbedtls_pk_info_t *MBEDTLS_PRIVATE(pk_info); /**< Public key information */
void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
+ /* The following field is used to store the ID of a private key in the
+ * following cases:
+ * - opaque key when MBEDTLS_PSA_CRYPTO_C is defined
+ * - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
+ * - the pk_ctx above is not not used to store the private key anymore.
+ * Actually that field not populated at all in this case because also
+ * the public key will be stored in raw format as explained below
+ * - this ID is used for all private key operations (ex: sign, check
+ * key pair, key write, etc) using PSA functions
+ *
+ * Note: this private key storing solution only affects EC keys, not the
+ * other ones. The latters still use the pk_ctx to store their own
+ * context.
+ *
+ * Note: this priv_id is guarded by MBEDTLS_PSA_CRYPTO_C and not by
+ * MBEDTLS_PK_USE_PSA_EC_DATA (as the public counterpart below) because,
+ * when working with opaque keys, it can be used also in
+ * mbedtls_pk_sign_ext for RSA keys. */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+ /* The following fields are meant for storing the public key in raw format
+ * which is handy for:
+ * - easily importing it into the PSA context
+ * - reducing the ECP module dependencies in the PK one.
+ *
+ * When MBEDTLS_PK_USE_PSA_EC_DATA is enabled:
+ * - the pk_ctx above is not used anymore for storing the public key
+ * inside the ecp_keypair structure
+ * - the following fields are used for all public key operations: signature
+ * verify, key pair check and key write.
+ * Of course, when MBEDTLS_PK_USE_PSA_EC_DATA is not enabled, the legacy
+ * ecp_keypair structure is used for storing the public key and performing
+ * all the operations.
+ *
+ * Note: This new public key storing solution only works for EC keys, not
+ * other ones. The latters still use pk_ctx to store their own
+ * context.
+ */
+#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
+ uint8_t MBEDTLS_PRIVATE(pub_raw)[MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN]; /**< Raw public key */
+ size_t MBEDTLS_PRIVATE(pub_raw_len); /**< Valid bytes in "pub_raw" */
+ psa_ecc_family_t MBEDTLS_PRIVATE(ec_family); /**< EC family of pk */
+ size_t MBEDTLS_PRIVATE(ec_bits); /**< Curve's bits of pk */
+#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */
} mbedtls_pk_context;
#if defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECP_RESTARTABLE)
@@ -771,7 +840,7 @@
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECP_LIGHT)
+#if defined(MBEDTLS_ECP_C)
/**
* Quick access to an EC context inside a PK context.
*
@@ -794,7 +863,7 @@
return NULL;
}
}
-#endif /* MBEDTLS_ECP_LIGHT */
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_PK_PARSE_C)
/** \ingroup pk_module */
diff --git a/include/mbedtls/platform.h b/include/mbedtls/platform.h
index f651587..768c756 100644
--- a/include/mbedtls/platform.h
+++ b/include/mbedtls/platform.h
@@ -139,6 +139,8 @@
#if defined(MBEDTLS_PLATFORM_MEMORY)
#if defined(MBEDTLS_PLATFORM_FREE_MACRO) && \
defined(MBEDTLS_PLATFORM_CALLOC_MACRO)
+#undef mbedtls_free
+#undef mbedtls_calloc
#define mbedtls_free MBEDTLS_PLATFORM_FREE_MACRO
#define mbedtls_calloc MBEDTLS_PLATFORM_CALLOC_MACRO
#else
@@ -160,6 +162,8 @@
void (*free_func)(void *));
#endif /* MBEDTLS_PLATFORM_FREE_MACRO && MBEDTLS_PLATFORM_CALLOC_MACRO */
#else /* !MBEDTLS_PLATFORM_MEMORY */
+#undef mbedtls_free
+#undef mbedtls_calloc
#define mbedtls_free free
#define mbedtls_calloc calloc
#endif /* MBEDTLS_PLATFORM_MEMORY && !MBEDTLS_PLATFORM_{FREE,CALLOC}_MACRO */
@@ -184,6 +188,7 @@
int mbedtls_platform_set_fprintf(int (*fprintf_func)(FILE *stream, const char *,
...));
#else
+#undef mbedtls_fprintf
#if defined(MBEDTLS_PLATFORM_FPRINTF_MACRO)
#define mbedtls_fprintf MBEDTLS_PLATFORM_FPRINTF_MACRO
#else
@@ -208,6 +213,7 @@
*/
int mbedtls_platform_set_printf(int (*printf_func)(const char *, ...));
#else /* !MBEDTLS_PLATFORM_PRINTF_ALT */
+#undef mbedtls_printf
#if defined(MBEDTLS_PLATFORM_PRINTF_MACRO)
#define mbedtls_printf MBEDTLS_PLATFORM_PRINTF_MACRO
#else
@@ -243,6 +249,7 @@
int mbedtls_platform_set_snprintf(int (*snprintf_func)(char *s, size_t n,
const char *format, ...));
#else /* MBEDTLS_PLATFORM_SNPRINTF_ALT */
+#undef mbedtls_snprintf
#if defined(MBEDTLS_PLATFORM_SNPRINTF_MACRO)
#define mbedtls_snprintf MBEDTLS_PLATFORM_SNPRINTF_MACRO
#else
@@ -279,6 +286,7 @@
int mbedtls_platform_set_vsnprintf(int (*vsnprintf_func)(char *s, size_t n,
const char *format, va_list arg));
#else /* MBEDTLS_PLATFORM_VSNPRINTF_ALT */
+#undef mbedtls_vsnprintf
#if defined(MBEDTLS_PLATFORM_VSNPRINTF_MACRO)
#define mbedtls_vsnprintf MBEDTLS_PLATFORM_VSNPRINTF_MACRO
#else
@@ -320,7 +328,9 @@
*/
int mbedtls_platform_set_setbuf(void (*setbuf_func)(
FILE *stream, char *buf));
-#elif defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
+#else
+#undef mbedtls_setbuf
+#if defined(MBEDTLS_PLATFORM_SETBUF_MACRO)
/**
* \brief Macro defining the function for the library to
* call for `setbuf` functionality (changing the
@@ -334,7 +344,8 @@
#define mbedtls_setbuf MBEDTLS_PLATFORM_SETBUF_MACRO
#else
#define mbedtls_setbuf setbuf
-#endif /* MBEDTLS_PLATFORM_SETBUF_ALT / MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_MACRO */
+#endif /* MBEDTLS_PLATFORM_SETBUF_ALT */
/*
* The function pointers for exit
@@ -353,6 +364,7 @@
*/
int mbedtls_platform_set_exit(void (*exit_func)(int status));
#else
+#undef mbedtls_exit
#if defined(MBEDTLS_PLATFORM_EXIT_MACRO)
#define mbedtls_exit MBEDTLS_PLATFORM_EXIT_MACRO
#else
@@ -405,6 +417,8 @@
int (*nv_seed_write_func)(unsigned char *buf, size_t buf_len)
);
#else
+#undef mbedtls_nv_seed_read
+#undef mbedtls_nv_seed_write
#if defined(MBEDTLS_PLATFORM_NV_SEED_READ_MACRO) && \
defined(MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO)
#define mbedtls_nv_seed_read MBEDTLS_PLATFORM_NV_SEED_READ_MACRO
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index b750716..528c0ab 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -29,6 +29,8 @@
#include "mbedtls/build_info.h"
+#include "mbedtls/platform_util.h"
+
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa/crypto.h"
@@ -120,49 +122,6 @@
}
}
-/* Translations for hashing. */
-
-/* Note: this function should not be used from inside the library, use
- * mbedtls_hash_info_psa_from_md() from the internal hash_info.h instead.
- * It is kept only for compatibility in case applications were using it. */
-static inline psa_algorithm_t mbedtls_psa_translate_md(mbedtls_md_type_t md_alg)
-{
- switch (md_alg) {
-#if defined(MBEDTLS_MD5_C) || defined(PSA_WANT_ALG_MD5)
- case MBEDTLS_MD_MD5:
- return PSA_ALG_MD5;
-#endif
-#if defined(MBEDTLS_SHA1_C) || defined(PSA_WANT_ALG_SHA_1)
- case MBEDTLS_MD_SHA1:
- return PSA_ALG_SHA_1;
-#endif
-#if defined(MBEDTLS_SHA224_C) || defined(PSA_WANT_ALG_SHA_224)
- case MBEDTLS_MD_SHA224:
- return PSA_ALG_SHA_224;
-#endif
-#if defined(MBEDTLS_SHA256_C) || defined(PSA_WANT_ALG_SHA_256)
- case MBEDTLS_MD_SHA256:
- return PSA_ALG_SHA_256;
-#endif
-#if defined(MBEDTLS_SHA384_C) || defined(PSA_WANT_ALG_SHA_384)
- case MBEDTLS_MD_SHA384:
- return PSA_ALG_SHA_384;
-#endif
-#if defined(MBEDTLS_SHA512_C) || defined(PSA_WANT_ALG_SHA_512)
- case MBEDTLS_MD_SHA512:
- return PSA_ALG_SHA_512;
-#endif
-#if defined(MBEDTLS_RIPEMD160_C) || defined(PSA_WANT_ALG_RIPEMD160)
- case MBEDTLS_MD_RIPEMD160:
- return PSA_ALG_RIPEMD160;
-#endif
- case MBEDTLS_MD_NONE:
- return 0;
- default:
- return 0;
- }
-}
-
/* Translations for ECC. */
static inline int mbedtls_psa_get_ecc_oid_from_id(
@@ -248,6 +207,22 @@
#endif /* MBEDTLS_ECP_DP_BP512R1_ENABLED */
}
break;
+ case PSA_ECC_FAMILY_MONTGOMERY:
+ switch (bits) {
+#if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED)
+ case 255:
+ *oid = MBEDTLS_OID_X25519;
+ *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_X25519);
+ return 0;
+#endif /* MBEDTLS_ECP_DP_CURVE25519_ENABLED */
+#if defined(MBEDTLS_ECP_DP_CURVE448_ENABLED)
+ case 448:
+ *oid = MBEDTLS_OID_X448;
+ *oid_len = MBEDTLS_OID_SIZE(MBEDTLS_OID_X448);
+ return 0;
+#endif /* MBEDTLS_ECP_DP_CURVE448_ENABLED */
+ }
+ break;
}
(void) oid;
(void) oid_len;
@@ -345,11 +320,15 @@
#endif /* !defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) */
typedef struct {
- psa_status_t psa_status;
+ /* Error codes used by PSA crypto are in -255..-128, fitting in 16 bits. */
+ int16_t psa_status;
+ /* Error codes used by Mbed TLS are in one of the ranges
+ * -127..-1 (low-level) or -32767..-4096 (high-level with a low-level
+ * code optionally added), fitting in 16 bits. */
int16_t mbedtls_error;
} mbedtls_error_pair_t;
-#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_MD5_C) || defined(MBEDTLS_USE_PSA_CRYPTO)
+#if defined(MBEDTLS_MD_LIGHT)
extern const mbedtls_error_pair_t psa_to_md_errors[4];
#endif
diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h
index 8dfd1f3..df6d762 100644
--- a/include/mbedtls/x509.h
+++ b/include/mbedtls/x509.h
@@ -243,6 +243,17 @@
*/
typedef mbedtls_asn1_sequence mbedtls_x509_sequence;
+/*
+ * Container for the fields of the Authority Key Identifier object
+ */
+typedef struct mbedtls_x509_authority {
+ mbedtls_x509_buf keyIdentifier;
+ mbedtls_x509_sequence authorityCertIssuer;
+ mbedtls_x509_buf authorityCertSerialNumber;
+ mbedtls_x509_buf raw;
+}
+mbedtls_x509_authority;
+
/** Container for date and time (precision in seconds). */
typedef struct mbedtls_x509_time {
int year, mon, day; /**< Date. */
@@ -293,7 +304,7 @@
typedef struct mbedtls_x509_subject_alternative_name {
int type; /**< The SAN type, value of MBEDTLS_X509_SAN_XXX. */
union {
- mbedtls_x509_san_other_name other_name; /**< The otherName supported type. */
+ mbedtls_x509_san_other_name other_name;
mbedtls_x509_name directory_name;
mbedtls_x509_buf unstructured_name; /**< The buffer for the unstructured types. rfc822Name, dnsName and uniformResourceIdentifier are currently supported. */
}
@@ -301,6 +312,12 @@
}
mbedtls_x509_subject_alternative_name;
+typedef struct mbedtls_x509_san_list {
+ mbedtls_x509_subject_alternative_name node;
+ struct mbedtls_x509_san_list *next;
+}
+mbedtls_x509_san_list;
+
/** \} name Structures for parsing X.509 certificates, CRLs and CSRs */
/**
@@ -390,7 +407,8 @@
* of the subject alternative name encoded in \p san_raw.
*
* \note Supported GeneralName types, as defined in RFC 5280:
- * "rfc822Name", "dnsName", "uniformResourceIdentifier" and "hardware_module_name"
+ * "rfc822Name", "dnsName", "directoryName",
+ * "uniformResourceIdentifier" and "hardware_module_name"
* of type "otherName", as defined in RFC 4108.
*
* \note This function should be called on a single raw data of
@@ -470,6 +488,9 @@
int mbedtls_x509_get_subject_alt_name(unsigned char **p,
const unsigned char *end,
mbedtls_x509_sequence *subject_alt_name);
+int mbedtls_x509_get_subject_alt_name_ext(unsigned char **p,
+ const unsigned char *end,
+ mbedtls_x509_sequence *subject_alt_name);
int mbedtls_x509_info_subject_alt_name(char **buf, size_t *size,
const mbedtls_x509_sequence
*subject_alt_name,
diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h
index a795183..078781c 100644
--- a/include/mbedtls/x509_crt.h
+++ b/include/mbedtls/x509_crt.h
@@ -75,7 +75,9 @@
mbedtls_x509_buf issuer_id; /**< Optional X.509 v2/v3 issuer unique identifier. */
mbedtls_x509_buf subject_id; /**< Optional X.509 v2/v3 subject unique identifier. */
mbedtls_x509_buf v3_ext; /**< Optional X.509 v3 extensions. */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName, uniformResourceIdentifier, DirectoryName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
+ mbedtls_x509_buf subject_key_id; /**< Optional X.509 v3 extension subject key identifier. */
+ mbedtls_x509_authority authority_key_id; /**< Optional X.509 v3 extension authority key identifier. */
mbedtls_x509_sequence certificate_policies; /**< Optional list of certificate policies (Only anyPolicy is printed and enforced, however the rest of the policies are still listed). */
@@ -240,6 +242,21 @@
mbedtls_x509write_cert;
/**
+ * \brief Set Subject Alternative Name
+ *
+ * \param ctx Certificate context to use
+ * \param san_list List of SAN values
+ *
+ * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED
+ *
+ * \note "dnsName", "uniformResourceIdentifier", "IP address",
+ * "otherName", and "DirectoryName", as defined in RFC 5280,
+ * are supported.
+ */
+int mbedtls_x509write_crt_set_subject_alternative_name(mbedtls_x509write_cert *ctx,
+ const mbedtls_x509_san_list *san_list);
+
+/**
* Item in a verification chain: cert and flags for it
*/
typedef struct {
@@ -559,6 +576,7 @@
int mbedtls_x509_crt_parse_path(mbedtls_x509_crt *chain, const char *path);
#endif /* MBEDTLS_FS_IO */
+
#if !defined(MBEDTLS_X509_REMOVE_INFO)
/**
* \brief Returns an informational string about the
@@ -638,8 +656,12 @@
* \param cn The expected Common Name. This will be checked to be
* present in the certificate's subjectAltNames extension or,
* if this extension is absent, as a CN component in its
- * Subject name. DNS names and IP addresses are supported. This
- * may be \c NULL if the CN need not be verified.
+ * Subject name. DNS names and IP addresses are fully
+ * supported, while the URI subtype is partially supported:
+ * only exact matching, without any normalization procedures
+ * described in 7.4 of RFC5280, will result in a positive
+ * URI verification.
+ * This may be \c NULL if the CN need not be verified.
* \param flags The address at which to store the result of the verification.
* If the verification couldn't be completed, the flag value is
* set to (uint32_t) -1.
diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h
index f3f9e13..80adb19 100644
--- a/include/mbedtls/x509_csr.h
+++ b/include/mbedtls/x509_csr.h
@@ -60,7 +60,7 @@
unsigned int key_usage; /**< Optional key usage extension value: See the values in x509.h */
unsigned char ns_cert_type; /**< Optional Netscape certificate type extension value: See the values in x509.h */
- mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension (currently only dNSName and OtherName are listed). */
+ mbedtls_x509_sequence subject_alt_names; /**< Optional list of raw entries of Subject Alternative Names extension. These can be later parsed by mbedtls_x509_parse_subject_alt_name. */
int MBEDTLS_PRIVATE(ext_types); /**< Bit string containing detected and parsed extensions */
@@ -83,12 +83,6 @@
}
mbedtls_x509write_csr;
-typedef struct mbedtls_x509_san_list {
- mbedtls_x509_subject_alternative_name node;
- struct mbedtls_x509_san_list *next;
-}
-mbedtls_x509_san_list;
-
#if defined(MBEDTLS_X509_CSR_PARSE_C)
/**
* \brief Load a Certificate Signing Request (CSR) in DER format
diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h
index 1913a9b..d54291f 100644
--- a/include/psa/crypto_builtin_key_derivation.h
+++ b/include/psa/crypto_builtin_key_derivation.h
@@ -105,5 +105,23 @@
} psa_tls12_prf_key_derivation_t;
#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) ||
* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+typedef enum {
+ PSA_PBKDF2_STATE_INIT, /* no input provided */
+ PSA_PBKDF2_STATE_INPUT_COST_SET, /* input cost has been set */
+ PSA_PBKDF2_STATE_SALT_SET, /* salt has been set */
+ PSA_PBKDF2_STATE_PASSWORD_SET, /* password has been set */
+ PSA_PBKDF2_STATE_OUTPUT /* output has been started */
+} psa_pbkdf2_key_derivation_state_t;
+
+typedef struct {
+ psa_pbkdf2_key_derivation_state_t MBEDTLS_PRIVATE(state);
+ uint64_t MBEDTLS_PRIVATE(input_cost);
+ uint8_t *MBEDTLS_PRIVATE(salt);
+ size_t MBEDTLS_PRIVATE(salt_length);
+ uint8_t MBEDTLS_PRIVATE(password)[PSA_HMAC_MAX_HASH_BLOCK_SIZE];
+ size_t MBEDTLS_PRIVATE(password_length);
+} psa_pbkdf2_key_derivation_t;
+#endif /* MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */
#endif /* PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H */
diff --git a/include/psa/crypto_compat.h b/include/psa/crypto_compat.h
index 3544f96..70fa14e 100644
--- a/include/psa/crypto_compat.h
+++ b/include/psa/crypto_compat.h
@@ -5,7 +5,7 @@
*
* This header declares alternative names for macro and functions.
* New application code should not use these names.
- * These names may be removed in a future version of Mbed Crypto.
+ * These names may be removed in a future version of Mbed TLS.
*
* \note This file may not be included directly. Applications must
* include psa/crypto.h.
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
index e68fac8..48e20c2 100644
--- a/include/psa/crypto_config.h
+++ b/include/psa/crypto_config.h
@@ -65,6 +65,7 @@
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
#define PSA_WANT_ALG_ECB_NO_PADDING 1
#define PSA_WANT_ALG_ECDH 1
+#define PSA_WANT_ALG_FFDH 1
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_JPAKE 1
#define PSA_WANT_ALG_GCM 1
@@ -74,9 +75,7 @@
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_MD5 1
#define PSA_WANT_ALG_OFB 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
-//#define PSA_WANT_ALG_PBKDF2_HMAC 1
+#define PSA_WANT_ALG_PBKDF2_HMAC 1
#define PSA_WANT_ALG_RIPEMD160 1
#define PSA_WANT_ALG_RSA_OAEP 1
#define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1
@@ -92,8 +91,7 @@
#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1
#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1
-/* PBKDF2-HMAC is not yet supported via the PSA API in Mbed TLS.
- * Note: when adding support, also adjust include/mbedtls/config_psa.h */
+/* Note: when adding support, also adjust include/mbedtls/config_psa.h */
//#define PSA_WANT_ALG_XTS 1
#define PSA_WANT_ECC_BRAINPOOL_P_R1_256 1
@@ -126,6 +124,8 @@
#define PSA_WANT_KEY_TYPE_DES 1
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
+#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR 1
+#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
diff --git a/include/psa/crypto_driver_contexts_key_derivation.h b/include/psa/crypto_driver_contexts_key_derivation.h
index 39754cc..5b4e474 100644
--- a/include/psa/crypto_driver_contexts_key_derivation.h
+++ b/include/psa/crypto_driver_contexts_key_derivation.h
@@ -55,6 +55,9 @@
#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS)
psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms);
#endif
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC)
+ psa_pbkdf2_key_derivation_t MBEDTLS_PRIVATE(pbkdf2);
+#endif
} psa_driver_key_derivation_context_t;
#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H */
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 232a839..cc70e6f 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -106,7 +106,7 @@
* indicates the slot number that contains it.
* \retval #PSA_ERROR_NOT_PERMITTED
* The caller is not permitted to query the slot number.
- * Mbed Crypto currently does not return this error.
+ * Mbed TLS currently does not return this error.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* The key is not located in a secure element.
*/
@@ -219,7 +219,7 @@
* resource consumption related to the PSA keystore.
*
* \note The content of this structure is not part of the stable API and ABI
- * of Mbed Crypto and may change arbitrarily from version to version.
+ * of Mbed TLS and may change arbitrarily from version to version.
*/
typedef struct mbedtls_psa_stats_s {
/** Number of slots containing key material for a volatile key. */
@@ -248,7 +248,7 @@
/** \brief Get statistics about
* resource consumption related to the PSA keystore.
*
- * \note When Mbed Crypto is built as part of a service, with isolation
+ * \note When Mbed TLS is built as part of a service, with isolation
* between the application and the keystore, the service may or
* may not expose this function.
*/
@@ -956,7 +956,7 @@
* the official PSA Crypto API yet.
*
* \note The content of this section is not part of the stable API and ABI
- * of Mbed Crypto and may change arbitrarily from version to version.
+ * of Mbed TLS and may change arbitrarily from version to version.
* Same holds for the corresponding macros #PSA_ALG_CATEGORY_PAKE and
* #PSA_ALG_JPAKE.
* @{
diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h
index ee41c89..35a42f8 100644
--- a/include/psa/crypto_platform.h
+++ b/include/psa/crypto_platform.h
@@ -83,7 +83,7 @@
*/
#if defined(MBEDTLS_PSA_CRYPTO_SPM)
#define PSA_CRYPTO_SECURE 1
-#include "crypto_spe.h"
+#include "../tests/include/spe/crypto_spe.h"
#endif // MBEDTLS_PSA_CRYPTO_SPM
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
diff --git a/include/psa/crypto_se_driver.h b/include/psa/crypto_se_driver.h
index 9ae631f..f39e229 100644
--- a/include/psa/crypto_se_driver.h
+++ b/include/psa/crypto_se_driver.h
@@ -138,7 +138,7 @@
psa_key_location_t location);
#if defined(__DOXYGEN_ONLY__) || !defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed Crypto with secure element support enabled defines this type in
+/* Mbed TLS with secure element support enabled defines this type in
* crypto_types.h because it is also visible to applications through an
* implementation-specific extension.
* For the PSA Cryptography specification, this type is only visible
@@ -837,7 +837,7 @@
* and #PSA_ERROR_DOES_NOT_EXIST if the driver can determine that there
* is no key with the specified slot number.
*
- * This is an Mbed Crypto extension.
+ * This is an Mbed TLS extension.
*/
PSA_KEY_CREATION_REGISTER,
#endif
diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h
index 37f7205..8cc965b 100644
--- a/include/psa/crypto_sizes.h
+++ b/include/psa/crypto_sizes.h
@@ -51,6 +51,8 @@
#define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8)
#define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8)
+#define PSA_MAX_OF_THREE(a, b, c) ((a) <= (b) ? (b) <= (c) ? \
+ (c) : (b) : (a) <= (c) ? (c) : (a))
#define PSA_ROUND_UP_TO_MULTIPLE(block_size, length) \
(((length) + (block_size) - 1) / (block_size) * (block_size))
@@ -126,12 +128,23 @@
/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
* 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
* HMAC-SHA3-512. */
-#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
+/* Note: PSA_HASH_MAX_SIZE should be kept in sync with MBEDTLS_MD_MAX_SIZE,
+ * see the note on MBEDTLS_MD_MAX_SIZE for details. */
+#if defined(PSA_WANT_ALG_SHA_512)
#define PSA_HASH_MAX_SIZE 64
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
-#else
+#elif defined(PSA_WANT_ALG_SHA_384)
+#define PSA_HASH_MAX_SIZE 48
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
+#elif defined(PSA_WANT_ALG_SHA_256)
#define PSA_HASH_MAX_SIZE 32
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
+#elif defined(PSA_WANT_ALG_SHA_224)
+#define PSA_HASH_MAX_SIZE 28
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
+#else /* SHA-1 or smaller */
+#define PSA_HASH_MAX_SIZE 20
+#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 64
#endif
/** \def PSA_MAC_MAX_SIZE
@@ -195,6 +208,12 @@
* operations, and does not need to accept all key sizes up to the limit. */
#define PSA_VENDOR_RSA_MAX_KEY_BITS 4096
+/* The maximum size of an DH key on this implementation, in bits.
+ *
+ * Note that an implementation may set different size limits for different
+ * operations, and does not need to accept all key sizes up to the limit. */
+#define PSA_VENDOR_FFDH_MAX_KEY_BITS 8192
+
/* The maximum size of an ECC key on this implementation, in bits.
* This is a vendor-specific macro. */
#if defined(PSA_WANT_ECC_SECP_R1_521)
@@ -253,6 +272,10 @@
* curve. */
#define PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE 32
+/* The maximum number of iterations for PBKDF2 on this implementation, in bits.
+ * This is a vendor-specific macro. This can be configured if necessary */
+#define PSA_VENDOR_PBKDF2_MAX_ITERATIONS 0xffffffff
+
/** The maximum size of a block cipher. */
#define PSA_BLOCK_CIPHER_BLOCK_MAX_SIZE 16
@@ -804,6 +827,18 @@
#define PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(key_bits) \
(PSA_BITS_TO_BYTES(key_bits))
+/* Maximum size of the export encoding of an DH key pair.
+ *
+ * An DH key pair is represented by the secret value.
+ */
+#define PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
+/* Maximum size of the export encoding of an DH public key.
+ */
+#define PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(key_bits) \
+ (PSA_BITS_TO_BYTES(key_bits))
+
/** Sufficient output buffer size for psa_export_key() or
* psa_export_public_key().
*
@@ -845,6 +880,7 @@
*/
#define PSA_EXPORT_KEY_OUTPUT_SIZE(key_type, key_bits) \
(PSA_KEY_TYPE_IS_UNSTRUCTURED(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
(key_type) == PSA_KEY_TYPE_RSA_KEY_PAIR ? PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(key_bits) : \
(key_type) == PSA_KEY_TYPE_RSA_PUBLIC_KEY ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
(key_type) == PSA_KEY_TYPE_DSA_KEY_PAIR ? PSA_KEY_EXPORT_DSA_KEY_PAIR_MAX_SIZE(key_bits) : \
@@ -901,6 +937,7 @@
#define PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(key_type, key_bits) \
(PSA_KEY_TYPE_IS_RSA(key_type) ? PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(key_bits) : \
PSA_KEY_TYPE_IS_ECC(key_type) ? PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits) : \
+ PSA_KEY_TYPE_IS_DH(key_type) ? PSA_BITS_TO_BYTES(key_bits) : \
0)
/** Sufficient buffer size for exporting any asymmetric key pair.
@@ -911,11 +948,10 @@
*
* See also #PSA_EXPORT_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
- (PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ? \
- PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) : \
- PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_EXPORT_KEY_PAIR_MAX_SIZE \
+ PSA_MAX_OF_THREE(PSA_KEY_EXPORT_RSA_KEY_PAIR_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS), \
+ PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS), \
+ PSA_KEY_EXPORT_FFDH_KEY_PAIR_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS))
/** Sufficient buffer size for exporting any asymmetric public key.
*
@@ -926,11 +962,11 @@
*
* See also #PSA_EXPORT_PUBLIC_KEY_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
- (PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) > \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS) ? \
- PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS) : \
- PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_EXPORT_PUBLIC_KEY_MAX_SIZE \
+ PSA_MAX_OF_THREE(PSA_KEY_EXPORT_RSA_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_RSA_MAX_KEY_BITS), \
+ PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS), \
+ PSA_KEY_EXPORT_FFDH_PUBLIC_KEY_MAX_SIZE(PSA_VENDOR_FFDH_MAX_KEY_BITS))
+
/** Sufficient output buffer size for psa_raw_key_agreement().
*
@@ -955,11 +991,9 @@
* If the parameters are not valid,
* the return value is unspecified.
*/
-/* FFDH is not yet supported in PSA. */
#define PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(key_type, key_bits) \
- (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) ? \
- PSA_BITS_TO_BYTES(key_bits) : \
- 0)
+ ((PSA_KEY_TYPE_IS_ECC_KEY_PAIR(key_type) || \
+ PSA_KEY_TYPE_IS_DH_KEY_PAIR(key_type)) ? PSA_BITS_TO_BYTES(key_bits) : 0)
/** Maximum size of the output from psa_raw_key_agreement().
*
@@ -968,8 +1002,11 @@
*
* See also #PSA_RAW_KEY_AGREEMENT_OUTPUT_SIZE(\p key_type, \p key_bits).
*/
-#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE \
- (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS))
+#define PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE \
+ (PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) > \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS) ? \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_ECC_MAX_CURVE_BITS) : \
+ PSA_BITS_TO_BYTES(PSA_VENDOR_FFDH_MAX_KEY_BITS))
/** The default IV size for a cipher algorithm, in bytes.
*
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 125a73d..b309bc8 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -35,8 +35,8 @@
* GCC and Clang initialize the whole structure to 0 (at the time of writing),
* but MSVC and CompCert don't.
*
- * In Mbed Crypto, multipart operation structures live independently from
- * the key. This allows Mbed Crypto to free the key objects when destroying
+ * In Mbed TLS, multipart operation structures live independently from
+ * the key. This allows Mbed TLS to free the key objects when destroying
* a key slot. If a multipart operation needs to remember the key after
* the setup function returns, the operation structure needs to contain a
* copy of the key.
diff --git a/include/psa/crypto_types.h b/include/psa/crypto_types.h
index a5154fc..445657e 100644
--- a/include/psa/crypto_types.h
+++ b/include/psa/crypto_types.h
@@ -297,7 +297,7 @@
typedef psa_key_id_t mbedtls_svc_key_id_t;
#else /* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
-/* Implementation-specific: The Mbed Cryptography library can be built as
+/* Implementation-specific: The Mbed TLS library can be built as
* part of a multi-client service that exposes the PSA Cryptography API in each
* client and encodes the client identity in the key identifier argument of
* functions such as psa_open_key().
@@ -439,7 +439,7 @@
#ifndef __DOXYGEN_ONLY__
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-/* Mbed Crypto defines this type in crypto_types.h because it is also
+/* Mbed TLS defines this type in crypto_types.h because it is also
* visible to applications through an implementation-specific extension.
* For the PSA Cryptography specification, this type is only visible
* via crypto_se_driver.h. */
diff --git a/include/psa/crypto_values.h b/include/psa/crypto_values.h
index 39acd96..580e3ae 100644
--- a/include/psa/crypto_values.h
+++ b/include/psa/crypto_values.h
@@ -2102,7 +2102,8 @@
*/
#define PSA_ALG_IS_PBKDF2_HMAC(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_PBKDF2_HMAC_BASE)
-
+#define PSA_ALG_PBKDF2_HMAC_GET_HASH(pbkdf2_alg) \
+ (PSA_ALG_CATEGORY_HASH | ((pbkdf2_alg) & PSA_ALG_HASH_MASK))
/** The PBKDF2-AES-CMAC-PRF-128 password hashing / key stretching algorithm.
*
* PBKDF2 is defined by PKCS#5, republished as RFC 8018 (section 5.2).