Add PSA crypto module
New module psa_crypto.c (MBEDTLS_PSA_CRYPTO_C):
Platform Security Architecture compatibility layer on top of
libmedcrypto.
Implement psa_crypto_init function which sets up a RNG.
Add a mbedtls_psa_crypto_free function which deinitializes the
library.
Define a first batch of error codes.
diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt
index 6a280fe..07811f9 100644
--- a/library/CMakeLists.txt
+++ b/library/CMakeLists.txt
@@ -53,6 +53,7 @@
platform.c
platform_util.c
poly1305.c
+ psa_crypto.c
ripemd160.c
rsa.c
rsa_internal.c
diff --git a/library/Makefile b/library/Makefile
index 430c598..f4b39bd 100644
--- a/library/Makefile
+++ b/library/Makefile
@@ -81,6 +81,7 @@
pk.o pk_wrap.o pkcs12.o \
pkcs5.o pkparse.o pkwrite.o \
platform.o platform_util.o poly1305.o \
+ psa_crypto.o \
ripemd160.o rsa_internal.o rsa.o \
sha1.o sha256.o sha512.o \
threading.o timing.o version.o \
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
new file mode 100644
index 0000000..ca25bb4
--- /dev/null
+++ b/library/psa_crypto.c
@@ -0,0 +1,97 @@
+/*
+ * PSA crypto layer on top of Mbed TLS crypto
+ */
+/* Copyright (C) 2018, ARM Limited, All Rights Reserved
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ *
+ * This file is part of mbed TLS (https://tls.mbed.org)
+ */
+
+#if !defined(MBEDTLS_CONFIG_FILE)
+#include "mbedtls/config.h"
+#else
+#include MBEDTLS_CONFIG_FILE
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+
+#include "psa/crypto.h"
+
+#include "mbedtls/ctr_drbg.h"
+#include "mbedtls/entropy.h"
+
+
+/* Implementation that should never be optimized out by the compiler */
+static void mbedtls_zeroize( void *v, size_t n )
+{
+ volatile unsigned char *p = v; while( n-- ) *p++ = 0;
+}
+
+typedef struct {
+ int initialized;
+ mbedtls_entropy_context entropy;
+ mbedtls_ctr_drbg_context ctr_drbg;
+} psa_global_data_t;
+
+static psa_global_data_t global_data;
+
+static psa_status_t mbedtls_to_psa_error( int ret )
+{
+ switch( ret )
+ {
+ case 0:
+ return( PSA_SUCCESS );
+ case MBEDTLS_ERR_ENTROPY_NO_SOURCES_DEFINED:
+ case MBEDTLS_ERR_ENTROPY_NO_STRONG_SOURCE:
+ case MBEDTLS_ERR_ENTROPY_SOURCE_FAILED:
+ return( PSA_ERROR_INSUFFICIENT_ENTROPY );
+ default:
+ return( PSA_ERROR_UNKNOWN_ERROR );
+ }
+}
+
+void mbedtls_psa_crypto_free( void )
+{
+ mbedtls_ctr_drbg_free( &global_data.ctr_drbg );
+ mbedtls_entropy_free( &global_data.entropy );
+ mbedtls_zeroize( &global_data, sizeof( global_data ) );
+}
+
+psa_status_t psa_crypto_init( void )
+{
+ int ret;
+ const unsigned char drbg_seed[] = "PSA";
+
+ if( global_data.initialized != 0 )
+ return( PSA_SUCCESS );
+
+ mbedtls_zeroize( &global_data, sizeof( global_data ) );
+ mbedtls_entropy_init( &global_data.entropy );
+ mbedtls_ctr_drbg_init( &global_data.ctr_drbg );
+
+ ret = mbedtls_ctr_drbg_seed( &global_data.ctr_drbg,
+ mbedtls_entropy_func,
+ &global_data.entropy,
+ drbg_seed, sizeof( drbg_seed ) - 1 );
+ if( ret != 0 )
+ goto exit;
+
+exit:
+ if( ret != 0 )
+ mbedtls_psa_crypto_free( );
+ return( mbedtls_to_psa_error( ret ) );
+}
+
+#endif /* MBEDTLS_PSA_CRYPTO_C */
diff --git a/library/version_features.c b/library/version_features.c
index 777b603..b77bf26 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -678,6 +678,9 @@
#if defined(MBEDTLS_POLY1305_C)
"MBEDTLS_POLY1305_C",
#endif /* MBEDTLS_POLY1305_C */
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+ "MBEDTLS_PSA_CRYPTO_C",
+#endif /* MBEDTLS_PSA_CRYPTO_C */
#if defined(MBEDTLS_RIPEMD160_C)
"MBEDTLS_RIPEMD160_C",
#endif /* MBEDTLS_RIPEMD160_C */