TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / d6f371b1baca09d51ea6e1a914be921c76fa8bf8^! / . / include
commitd6f371b1baca09d51ea6e1a914be921c76fa8bf8[log] [tgz]
authorGilles Peskine <Gilles.Peskine@arm.com>Fri May 10 19:33:38 2019 +0200
committerGilles Peskine <Gilles.Peskine@arm.com>Tue May 21 17:06:03 2019 +0200
treeebf49d012d4f7ab6ea81055508a2468451c89039
parent8bf196b303eff55e67651c416f782e50f3e3ce56 [diff]
Keys may allow a second algorithm

Add a second permitted algorithm to key policies.

This commit includes smoke tests that do not cover psa_copy_key.

diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index c89c55d..a1a6589 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h

@@ -62,6 +62,45 @@
     MBEDTLS_DEPRECATED_NUMERIC_CONSTANT( PSA_ERROR_INSUFFICIENT_DATA )
 #endif
 
+/** \addtogroup policy
+ * @{
+ */
+
+/** \brief Set the enrollment algorithm in a key policy.
+ *
+ * An operation on a key may indifferently use the algorithm set with
+ * psa_key_policy_set_usage() or with this function.
+ *
+ * \param[in,out] policy The key policy to modify. It must have been
+ *                       initialized as per the documentation for
+ *                       #psa_key_policy_t.
+ * \param alg2           A second algorithm that the key may be used for,
+ *                       in addition to the algorithm set with
+ *                       psa_key_policy_set_usage().
+ *
+ * \warning Setting an enrollment algorithm is not recommended, because
+ *          using the same key with different algorithms can allow some
+ *          attacks based on arithmetic relations between different
+ *          computations made with the same key, or can escalate harmless
+ *          side channels into exploitable ones. Use this function only
+ *          if it is necessary to support a protocol for which is has been
+ *          verified that the usage of the key with multiple algorithms
+ *          is safe.
+ */
+void psa_key_policy_set_enrollment_algorithm(psa_key_policy_t *policy,
+                                             psa_algorithm_t alg2);
+
+/** \brief Retrieve the enrollment algorithm field of a policy structure.
+ *
+ * \param[in] policy    The policy object to query.
+ *
+ * \return The enrollment algorithm for a key with this policy.
+ */
+psa_algorithm_t psa_key_policy_get_enrollment_algorithm(
+    const psa_key_policy_t *policy);
+
+/**@}*/
+
 /**
  * \brief Library deinitialization.
  *

diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index ee3ecd7..8850357 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h

@@ -228,9 +228,10 @@
 {
     psa_key_usage_t usage;
     psa_algorithm_t alg;
+    psa_algorithm_t alg2;
 };
 
-#define PSA_KEY_POLICY_INIT {0, 0}
+#define PSA_KEY_POLICY_INIT {0, 0, 0}
 static inline struct psa_key_policy_s psa_key_policy_init( void )
 {
     const struct psa_key_policy_s v = PSA_KEY_POLICY_INIT;