Adapt to the new key allocation mechanism

diff --git a/include/mbedtls/cipher_internal.h b/include/mbedtls/cipher_internal.h
index 6687b36..d711339 100644
--- a/include/mbedtls/cipher_internal.h
+++ b/include/mbedtls/cipher_internal.h
@@ -137,7 +137,7 @@
 typedef struct
 {
     psa_algorithm_t alg;
-    psa_key_slot_t slot;
+    psa_key_handle_t slot;
     mbedtls_cipher_psa_key_ownership slot_state;
 } mbedtls_cipher_context_psa;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
diff --git a/include/mbedtls/pk.h b/include/mbedtls/pk.h
index 862065e..4f1b06f 100644
--- a/include/mbedtls/pk.h
+++ b/include/mbedtls/pk.h
@@ -273,7 +273,7 @@
  *                  ECC key pair.
  * \return          #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
  */
-int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_slot_t key );
+int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 #if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
@@ -761,7 +761,7 @@
  * \return          An Mbed TLS error code otherwise.
  */
 int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
-                               psa_key_slot_t *slot,
+                               psa_key_handle_t *slot,
                                psa_algorithm_t hash_alg );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
diff --git a/include/mbedtls/psa_util.h b/include/mbedtls/psa_util.h
index 5766133..f17e6af 100644
--- a/include/mbedtls/psa_util.h
+++ b/include/mbedtls/psa_util.h
@@ -42,21 +42,6 @@
 #include "md.h"
 #include "pk.h"
 
-/* Slot allocation */
-
-static inline psa_status_t mbedtls_psa_get_free_key_slot( psa_key_slot_t *key )
-{
-    for( psa_key_slot_t slot = 1; slot <= 32; slot++ )
-    {
-        if( psa_get_key_information( slot, NULL, NULL ) == PSA_ERROR_EMPTY_SLOT )
-        {
-            *key = slot;
-            return( PSA_SUCCESS );
-        }
-    }
-    return( PSA_ERROR_INSUFFICIENT_MEMORY );
-}
-
 /* Translations for symmetric crypto. */
 
 static inline psa_key_type_t mbedtls_psa_translate_cipher_type(
diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h
index f7c9d93..e6bdafe 100644
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@@ -929,11 +929,11 @@
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_slot_t psk_opaque; /*!< PSA key slot holding opaque PSK.
-                                *   This field should only be set via
-                                *   mbedtls_ssl_conf_psk_opaque().
-                                *   If either no PSK or a raw PSK have
-                                *   been configured, this has value \c 0. */
+    psa_key_handle_t psk_opaque; /*!< PSA key slot holding opaque PSK.
+                                  *   This field should only be set via
+                                  *   mbedtls_ssl_conf_psk_opaque().
+                                  *   If either no PSK or a raw PSK have
+                                  *   been configured, this has value \c 0. */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
     unsigned char *psk;      /*!< The raw pre-shared key. This field should
@@ -2144,7 +2144,7 @@
  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
  */
 int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
-                                 psa_key_slot_t psk,
+                                 psa_key_handle_t psk,
                                  const unsigned char *psk_identity,
                                  size_t psk_identity_len );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -2184,7 +2184,7 @@
  * \return         An \c MBEDTLS_ERR_SSL_XXX error code on failure.
  */
 int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
-                                   psa_key_slot_t psk );
+                                   psa_key_handle_t psk );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 /**
diff --git a/include/mbedtls/ssl_internal.h b/include/mbedtls/ssl_internal.h
index 318d13f..fced2cb 100644
--- a/include/mbedtls/ssl_internal.h
+++ b/include/mbedtls/ssl_internal.h
@@ -284,7 +284,7 @@
 #endif
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_slot_t psk_opaque;          /*!< Opaque PSK from the callback   */
+    psa_key_handle_t psk_opaque;        /*!< Opaque PSK from the callback   */
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
     unsigned char *psk;                 /*!<  PSK from the callback         */
     size_t psk_len;                     /*!<  Length of PSK from callback   */
diff --git a/library/cipher.c b/library/cipher.c
index 1cc0beb..e479b9c 100644
--- a/library/cipher.c
+++ b/library/cipher.c
@@ -302,38 +302,39 @@
         if( cipher_psa->slot_state != MBEDTLS_CIPHER_PSA_KEY_UNSET )
             return( MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA );
 
-        /* Find a fresh key slot to use. */
-        status = mbedtls_psa_get_free_key_slot( &cipher_psa->slot );
+        key_type = mbedtls_psa_translate_cipher_type(
+            ctx->cipher_info->type );
+        if( key_type == 0 )
+            return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
+
+        /* Allocate a key slot to use. */
+        status = psa_allocate_key( key_type, key_bitlen, &cipher_psa->slot );
         if( status != PSA_SUCCESS )
             return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
-         /* Indicate that we own the key slot and need to
-          * destroy it in mbedtls_cipher_free(). */
-        cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
-
-        /* From that point on, the responsibility for destroying the
-         * key slot is on mbedtls_cipher_free(). This includes the case
-         * where the policy setup or key import below fail, as
-         * mbedtls_cipher_free() needs to be called in any case. */
 
         /* Setup policy for the new key slot. */
         psa_key_policy_init( &key_policy );
 
         /* Mbed TLS' cipher layer doesn't enforce the mode of operation
-         * (encrypt vs. decrypt): it is possible to setup a key for encryption
-         * and use it for AEAD decryption. Until tests relying on this
-         * are changed, allow any usage in PSA. */
+        * (encrypt vs. decrypt): it is possible to setup a key for encryption
+        * and use it for AEAD decryption. Until tests relying on this
+        * are changed, allow any usage in PSA. */
         /* key_usage = mbedtls_psa_translate_cipher_operation( operation ); */
         key_usage = PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT;
         psa_key_policy_set_usage( &key_policy, key_usage, cipher_psa->alg );
         status = psa_set_key_policy( cipher_psa->slot, &key_policy );
         if( status != PSA_SUCCESS )
             return( MBEDTLS_ERR_CIPHER_HW_ACCEL_FAILED );
+        /* Indicate that we own the key slot and need to
+         * destroy it in mbedtls_cipher_free(). */
+        cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;
+
+        /* From that point on, the responsibility for destroying the
+        * key slot is on mbedtls_cipher_free(). This includes the case
+        * where the policy setup or key import below fail, as
+        * mbedtls_cipher_free() needs to be called in any case. */
 
         /* Populate new key slot. */
-        key_type = mbedtls_psa_translate_cipher_type(
-            ctx->cipher_info->type );
-        if( key_type == 0 )
-            return( MBEDTLS_ERR_CIPHER_FEATURE_UNAVAILABLE );
         status = psa_import_key( cipher_psa->slot,
                                  key_type, key, key_bytelen );
         if( status != PSA_SUCCESS )
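Review bot: The `psa_set_key_policy()` failure return now sits between `psa_allocate_key()` and the line that sets `slot_state` to `MBEDTLS_CIPHER_PSA_KEY_OWNED`, so on that path the context still reads as unset while a handle has been allocated. `mbedtls_cipher_free()` is outside this diff, but if it only destroys keys it sees as owned, as the moved comment says, each failed policy setup leaks a key slot. Setting `cipher_psa->slot_state = MBEDTLS_CIPHER_PSA_KEY_OWNED;` directly after the `psa_allocate_key()` status check would keep the old guarantee. The moved comment also still says the policy setup is "below", which is no longer true, and the re-indented comment blocks have lost the one-column alignment of their `*` continuation lines. The enclosing function starts and ends outside the hunk.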
diff --git a/library/pk.c b/library/pk.c
index 989ed09..8f649f9 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -147,10 +147,10 @@
 /*
  * Initialise a PSA-wrapping context
  */
-int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_slot_t key )
+int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key )
 {
     const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
-    psa_key_slot_t *pk_ctx;
+    psa_key_handle_t *pk_ctx;
     psa_key_type_t type;
 
     if( ctx == NULL || ctx->pk_info != NULL )
@@ -168,7 +168,7 @@
 
     ctx->pk_info = info;
 
-    pk_ctx = (psa_key_slot_t *) ctx->pk_ctx;
+    pk_ctx = (psa_key_handle_t *) ctx->pk_ctx;
     *pk_ctx = key;
 
     return( 0 );
@@ -547,13 +547,13 @@
  * Currently only works for EC private keys.
  */
 int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
-                               psa_key_slot_t *slot,
+                               psa_key_handle_t *slot,
                                psa_algorithm_t hash_alg )
 {
 #if !defined(MBEDTLS_ECP_C)
     return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
 #else
-    psa_key_slot_t key;
+    psa_key_handle_t key;
     const mbedtls_ecp_keypair *ec;
     unsigned char d[MBEDTLS_ECP_MAX_BYTES];
     size_t d_len;
@@ -572,9 +572,10 @@
         return( ret );
 
     curve_id = mbedtls_ecp_curve_info_from_grp_id( ec->grp.id )->tls_id;
+    key_type = PSA_KEY_TYPE_ECC_KEYPAIR(curve_id);
 
-    /* find a free key slot */
-    if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
+    /* allocate a key slot */
+    if( PSA_SUCCESS != psa_allocate_key( key_type, d_len * 8, &key ) )
         return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
 
     /* set policy */
@@ -585,7 +586,6 @@
         return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
 
     /* import private key in slot */
-    key_type = PSA_KEY_TYPE_ECC_KEYPAIR(curve_id);
     if( PSA_SUCCESS != psa_import_key( key, key_type, d, d_len ) )
         return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
 
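Review bot: Both `return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );` paths in this hunk leave the handle reserved by `psa_allocate_key()` in the previous hunk (`@@ -572`) allocated, with no way for the caller to release it because `*slot` has not been written yet. The first return appears to belong to the policy step and the second to the `psa_import_key()` failure. With the old scan-for-an-empty-slot helper nothing was reserved at this point, so this leak is new with the allocation API. Releasing the handle before each return, for example `psa_destroy_key( key );`, would avoid exhausting key slots on repeated failures. The function body continues outside the hunk, so any later cleanup is not visible here.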
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index 6aacba8..9023457 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -546,7 +546,7 @@
                        const unsigned char *sig, size_t sig_len )
 {
     int ret;
-    psa_key_slot_t key_slot;
+    psa_key_handle_t key_slot;
     psa_key_policy_t policy;
     psa_key_type_t psa_type;
     mbedtls_pk_context key;
@@ -571,15 +571,15 @@
     if( key_len <= 0 )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
-    if( ( ret = mbedtls_psa_get_free_key_slot( &key_slot ) ) != PSA_SUCCESS )
-        return( mbedtls_psa_err_translate_pk( ret ) );
-
     psa_md = mbedtls_psa_translate_md( md_alg );
     if( psa_md == 0 )
         return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
     psa_sig_md = PSA_ALG_ECDSA( psa_md );
     psa_type = PSA_KEY_TYPE_ECC_PUBLIC_KEY( curve );
 
+    if( ( ret = psa_allocate_key( psa_type, key_len * 8, &key_slot ) ) != PSA_SUCCESS )
+          return( mbedtls_psa_err_translate_pk( ret ) );
+
     psa_key_policy_init( &policy );
     psa_key_policy_set_usage( &policy, PSA_KEY_USAGE_VERIFY, psa_sig_md );
     if( ( ret = psa_set_key_policy( key_slot, &policy ) ) != PSA_SUCCESS )
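Review bot: The `return` under the new `psa_allocate_key()` call is indented two columns deeper than the other returns in this function, and the call line runs well past 80 columns; wrapping the arguments and aligning the `return` with the surrounding code would match the file's style. Moving the allocation after the `psa_md == 0` check is a good ordering, since that early return no longer happens with a handle held. From this point on `key_slot` is reserved, so every later failure path has to release it; the `psa_set_key_policy()` failure branch continues outside the hunk, so that cannot be confirmed from here. A short comment at the call, such as `/* key_slot must be destroyed on every exit path below */`, would make that obligation explicit.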
@@ -879,7 +879,7 @@
 
 static void *pk_opaque_alloc_wrap( void )
 {
-    void *ctx = mbedtls_calloc( 1, sizeof( psa_key_slot_t ) );
+    void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) );
 
     /* no _init() function to call, an calloc() already zeroized */
 
@@ -888,13 +888,13 @@
 
 static void pk_opaque_free_wrap( void *ctx )
 {
-    mbedtls_platform_zeroize( ctx, sizeof( psa_key_slot_t ) );
+    mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) );
     mbedtls_free( ctx );
 }
 
 static size_t pk_opaque_get_bitlen( const void *ctx )
 {
-    const psa_key_slot_t *key = (const psa_key_slot_t *) ctx;
+    const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
     size_t bits;
 
     if( PSA_SUCCESS != psa_get_key_information( *key, NULL, &bits ) )
@@ -999,7 +999,7 @@
                    unsigned char *sig, size_t *sig_len,
                    int (*f_rng)(void *, unsigned char *, size_t), void *p_rng )
 {
-    const psa_key_slot_t *key = (const psa_key_slot_t *) ctx;
+    const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
     psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
     size_t bits, buf_len;
     psa_status_t status;
diff --git a/library/pkwrite.c b/library/pkwrite.c
index d34714b..11a2a61 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -168,7 +168,7 @@
     if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
     {
         size_t buffer_size;
-        psa_key_slot_t* key_slot = (psa_key_slot_t*) key->pk_ctx;
+        psa_key_handle_t* key_slot = (psa_key_handle_t*) key->pk_ctx;
 
         if ( *p < start )
             return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d14434a..8fe9314 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -798,7 +798,7 @@
             psa_status_t status;
             psa_algorithm_t alg;
             psa_crypto_generator_t generator = PSA_CRYPTO_GENERATOR_INIT;
-            psa_key_slot_t psk;
+            psa_key_handle_t psk;
 
             MBEDTLS_SSL_DEBUG_MSG( 2, ( "perform PSA-based PSK-to-MS expansion" ) );
 
@@ -7617,7 +7617,7 @@
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
-                                 psa_key_slot_t psk_slot,
+                                 psa_key_handle_t psk_slot,
                                  const unsigned char *psk_identity,
                                  size_t psk_identity_len )
 {
@@ -7640,7 +7640,7 @@
 }
 
 int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
-                                   psa_key_slot_t psk_slot )
+                                   psa_key_handle_t psk_slot )
 {
     if( psk_slot == 0 || ssl->handshake == NULL )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index a98a3a2..a8c16dc 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
@@ -571,7 +571,7 @@
     const char *pers = "ssl_client2";
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_slot_t slot = 0;
+    psa_key_handle_t slot = 0;
     psa_algorithm_t alg = 0;
     psa_key_policy_t policy;
     psa_status_t status;
@@ -594,7 +594,7 @@
     mbedtls_x509_crt clicert;
     mbedtls_pk_context pkey;
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_slot_t key_slot = 0; /* invalid key slot */
+    psa_key_handle_t key_slot = 0; /* invalid key slot */
 #endif
 #endif
     char *p, *q;
@@ -1594,7 +1594,7 @@
     if( opt.psk_opaque != 0 )
     {
         /* The algorithm has already been determined earlier. */
-        status = mbedtls_psa_get_free_key_slot( &slot );
+        status = psa_allocate_key( PSA_KEY_TYPE_DERIVE, psk_len * 8, &slot );
         if( status != PSA_SUCCESS )
         {
             ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 534a3f3..8b3b9cd 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -806,7 +806,7 @@
     size_t key_len;
     unsigned char key[MBEDTLS_PSK_MAX_LEN];
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    psa_key_slot_t slot;
+    psa_key_handle_t slot;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
     psk_entry *next;
 };
@@ -822,7 +822,7 @@
     {
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
         psa_status_t status;
-        psa_key_slot_t const slot = head->slot;
+        psa_key_handle_t const slot = head->slot;
 
         if( slot != 0 )
         {
@@ -1231,7 +1231,7 @@
 }
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-static psa_status_t psa_setup_psk_key_slot( psa_key_slot_t slot,
+static psa_status_t psa_setup_psk_key_slot( psa_key_handle_t slot,
                                             psa_algorithm_t alg,
                                             unsigned char *psk,
                                             size_t psk_len )
@@ -1268,7 +1268,7 @@
 #if defined(MBEDTLS_KEY_EXCHANGE__SOME__PSK_ENABLED)
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
     psa_algorithm_t alg = 0;
-    psa_key_slot_t psk_slot = 0;
+    psa_key_handle_t psk_slot = 0;
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
     unsigned char psk[MBEDTLS_PSK_MAX_LEN];
     size_t psk_len = 0;
@@ -2667,7 +2667,7 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
         if( opt.psk_opaque != 0 )
         {
-            status = mbedtls_psa_get_free_key_slot( &psk_slot );
+            status = psa_allocate_key( PSA_KEY_TYPE_DERIVE, psk_len * 8, &psk_slot );
             if( status != PSA_SUCCESS )
             {
                 fprintf( stderr, "ALLOC FAIL\n" );
@@ -2711,7 +2711,7 @@
             psk_entry *cur_psk;
             for( cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next )
             {
-                status = mbedtls_psa_get_free_key_slot( &cur_psk->slot );
+                status = psa_allocate_key( PSA_KEY_TYPE_DERIVE, cur_psk->key_len * 8, &cur_psk->slot );
                 if( status != PSA_SUCCESS )
                 {
                     ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function
index 9168b1d..47d72d0 100644
--- a/tests/suites/test_suite_pk.function
+++ b/tests/suites/test_suite_pk.function
@@ -74,17 +74,17 @@
  * or PK_PSA_INVALID_SLOT if no slot was available.
  * The key uses NIST P-256 and is usable for signing with SHA-256.
  */
-psa_key_slot_t pk_psa_genkey( void )
+psa_key_handle_t pk_psa_genkey( void )
 {
-    psa_key_slot_t key;
+    psa_key_handle_t key;
 
     const int curve = PSA_ECC_CURVE_SECP256R1;
     const psa_key_type_t type = PSA_KEY_TYPE_ECC_KEYPAIR(curve);
     const size_t bits = 256;
     psa_key_policy_t policy;
 
-    /* find a free key slot */
-    if( PSA_SUCCESS != mbedtls_psa_get_free_key_slot( &key ) )
+    /* Allocate a key slot */
+    if( PSA_SUCCESS != psa_allocate_key( type, bits, &key ) )
         return( PK_PSA_INVALID_SLOT );
 
     /* set up policy on key slot */
@@ -112,7 +112,7 @@
 void pk_psa_utils(  )
 {
     mbedtls_pk_context pk, pk2;
-    psa_key_slot_t key;
+    psa_key_handle_t key;
 
     const char * const name = "Opaque";
     const size_t bitlen = 256; /* harcoded in genkey() */
@@ -778,7 +778,7 @@
 void pk_psa_sign(  )
 {
     mbedtls_pk_context pk;
-    psa_key_slot_t key;
+    psa_key_handle_t key;
     unsigned char hash[50], sig[100], pkey[100];
     size_t sig_len, klen = 0;
 
diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function
index bf43a80..268b4bb 100644
--- a/tests/suites/test_suite_x509write.function
+++ b/tests/suites/test_suite_x509write.function
@@ -133,7 +133,7 @@
                                  int cert_type )
 {
     mbedtls_pk_context key;
-    psa_key_slot_t slot;
+    psa_key_handle_t slot;
     psa_algorithm_t md_alg_psa;
     mbedtls_x509write_csr req;
     unsigned char buf[4096];