made some static functions externally visible
moved accel-driver declarations from other header files into the accel driver header file
diff --git a/include/psa/crypto_accel_driver.h b/include/psa/crypto_accel_driver.h
index 4a540f0..9745198 100644
--- a/include/psa/crypto_accel_driver.h
+++ b/include/psa/crypto_accel_driver.h
@@ -37,6 +37,205 @@
#ifdef __cplusplus
extern "C" {
#endif
+/** Completely wipe vendor allocated items for a slot in memory.
+ *
+ * Persistent storage is not affected.
+ *
+ * \param[in,out] slot The key slot to wipe.
+ *
+ * \retval PSA_SUCCESS
+ * Success. This includes the case of a key slot that was
+ * already fully wiped.
+ * \retval PSA_ERROR_CORRUPTION_DETECTED
+ */
+psa_status_t psa_remove_key_data_from_memory_vendor(psa_key_slot_t * slot);
+
+/** Import vendor defined key data into a slot.
+ *
+ * `slot->type` must have been set previously.
+ * This function assumes that the slot does not contain any key material yet.
+ * On failure, the slot content is unchanged.
+ *
+ * Persistent storage is not affected.
+ *
+ * \param[in,out] slot The key slot to import data into.
+ * Its `type` field must have previously been set to
+ * the desired key type.
+ * It must not contain any key material yet.
+ * \param[in] data Buffer containing the key material to parse and import.
+ * \param data_length Size of \p data in bytes.
+ *
+ * \retval PSA_SUCCESS
+ * \retval PSA_ERROR_INVALID_ARGUMENT
+ * \retval PSA_ERROR_NOT_SUPPORTED
+ * \retval PSA_ERROR_INSUFFICIENT_MEMORY
+ * \retval Implementation dependent
+ */
+psa_status_t psa_import_key_into_slot_vendor( psa_key_slot_t *slot,
+ const uint8_t *data,
+ size_t data_length );
+
+/**
+ * \brief Generate a vendor defined key or key pair.
+ *
+ * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ * is defined. Do not use this function directly;
+ * to generate a key, use psa_generate_key() instead.
+ *
+ * \param[in] slot
+ * \param[in] bits
+ * \param[in] domain_parameters
+ * \param[in] domain_parameters_size
+ *
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * If the key is persistent, the key material and the key's metadata
+ * have been saved to persistent storage.
+ *
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval Implementation dependent.
+ */
+psa_status_t psa_generate_key_vendor(psa_key_slot_t * slot,
+ size_t bits,
+ const uint8_t * domain_parameters,
+ size_t domain_parameters_size);
+
+/**
+ * \brief Sign a hash or short message with a vendor defined private key.
+ * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ *is defined.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(). Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param slot Key slot to use for the operation.
+ * It must be an asymmetric key pair.
+ * \param alg A signature algorithm that is compatible with
+ * the type of \p handle.
+ * \param[in] hash The hash or message to sign.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[out] signature Buffer where the signature is to be written.
+ * \param signature_size Size of the \p signature buffer in bytes.
+ * \param[out] signature_length On success, the number of bytes
+ * that make up the returned signature value.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_BUFFER_TOO_SMALL
+ * The size of the \p signature buffer is too small. You can
+ * determine a sufficient buffer size by calling
+ * #PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
+ * where \c key_type and \c key_bits are the type and bit-size
+ * respectively of \p handle.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval Implementation dependent
+ */
+psa_status_t psa_asymmetric_sign_vendor(psa_key_slot_t * slot,
+ psa_algorithm_t alg,
+ const uint8_t * hash,
+ size_t hash_length,
+ uint8_t * signature,
+ size_t signature_size,
+ size_t * signature_length);
+
+/**
+ * \brief Verify the signature a hash or short message using a vendor defined public key.
+ * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ * is defined.
+ *
+ * Note that to perform a hash-and-sign signature algorithm, you must
+ * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(). Then pass the resulting hash as the \p hash
+ * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
+ * to determine the hash algorithm to use.
+ *
+ * \param handle Key slot to use for the operation.
+ * It must be a public key or an asymmetric key pair.
+ * \param alg A signature algorithm that is compatible with
+ * the type of \p handle.
+ * \param[in] hash The hash or message whose signature is to be
+ * verified.
+ * \param hash_length Size of the \p hash buffer in bytes.
+ * \param[in] signature Buffer containing the signature to verify.
+ * \param signature_length Size of the \p signature buffer in bytes.
+ *
+ * \retval #PSA_SUCCESS
+ * The signature is valid.
+ * \retval #PSA_ERROR_INVALID_SIGNATURE
+ * \retval Implementation dependent
+ */
+psa_status_t psa_asymmetric_verify_vendor(psa_key_slot_t * slot,
+ psa_algorithm_t alg,
+ const uint8_t * hash,
+ size_t hash_length,
+ const uint8_t * signature,
+ size_t signature_length);
+/**
+ * \brief Generate symmetric key of vendor defined format.
+ *
+ * \warning This function **can** fail! Callers MUST check the return status
+ * and MUST NOT use the content of the output buffer if the return
+ * status is not #PSA_SUCCESS.
+ *
+ * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ * is defined.
+ * A weakly linked version is provided by default and returns
+ * PSA_ERROR_NOT_SUPPORTED. Do not use this function directly;
+ * to generate a key, use psa_generate_key() instead.
+ *
+ * \param[in] type Type of symmetric key to be generated.
+ * \param[out] output Output buffer for the generated data.
+ * \param[out] output_size Number of bytes to generate and output.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * \retval Implementation dependent
+ */
+psa_status_t psa_generate_symmetric_vendor(psa_key_type_t type, size_t bits, uint8_t * output, size_t output_size);
+
+/**
+ * \brief Perform vendor specific setup for cipher operations.
+ *
+ *
+ * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ * is defined.
+ * A weakly linked version is provided by default and returns
+ * PSA_ERROR_NOT_SUPPORTED. Do not use this function directly;
+ * to generate a key, use psa_generate_key() instead.
+ *
+ * \param[in,out] operation The operation object to set up. It must have
+ * been initialized as per the documentation for
+ * #psa_cipher_operation_t and not yet in use.
+ * \param handle Handle to the key to use for the operation.
+ * It must remain valid until the operation
+ * terminates.
+ * \param alg The cipher algorithm to compute
+ * (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_CIPHER(\p alg) is true).
+ *
+ * \retval #PSA_SUCCESS
+ * Success.
+ * \retval #PSA_ERROR_NOT_SUPPORTED
+ * .
+ */
+psa_status_t psa_cipher_setup_vendor(psa_cipher_operation_t * operation, psa_key_handle_t handle, psa_algorithm_t alg, mbedtls_operation_t cipher_operation);
+
+/** Perform any vendor specific action when aborting a cipher operation.
+ *
+ * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
+ * is defined. This function is called at the beginning of the psa_cipher_abort function.
+ *
+ * This function must not be called directly.
+ *
+ * \param[in,out] operation Initialized cipher operation.
+ *
+ * \retval #PSA_SUCCESS
+ * \retval Implementation dependent return values.
+ */
+psa_status_t psa_cipher_abort_vendor(psa_cipher_operation_t * operation);
/** \defgroup driver_digest Hardware-Accelerated Message Digests
*
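Review bot: Several of the new prototypes disagree with their Doxygen blocks: psa_generate_symmetric_vendor() at L168 takes a `bits` argument that has no `\param`, and its `output_size` is tagged `[out]` although it is an input size; psa_cipher_setup_vendor() at L195 gained a fourth parameter `mbedtls_operation_t cipher_operation` that is undocumented, and its `\note` still says "to generate a key, use psa_generate_key() instead", copied from the key-generation block; psa_asymmetric_verify_vendor() at L141 documents `\param handle` while the parameter is named `slot`, and both the sign and verify blocks refer to `\p handle`. Suggested additions are `\param bits Size of the key to generate, in bits.` and `\param cipher_operation #MBEDTLS_ENCRYPT or #MBEDTLS_DECRYPT, selecting the direction the operation is set up for.` (presumably what psa_cipher_setup() passes down; confirm against the caller), plus renaming the stale `handle` references to `slot`. `mbedtls_operation_t` also requires `mbedtls/cipher.h` to be visible in this header, and the hunk does not show the include list, so please check that it is included rather than relying on whoever includes this header first.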
diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h
index 0426ef4..636c881 100644
--- a/include/psa/crypto_extra.h
+++ b/include/psa/crypto_extra.h
@@ -66,70 +66,6 @@
* @{
*/
-/**
- * \brief Generate symmetric key of vendor defined format.
- *
- * \warning This function **can** fail! Callers MUST check the return status
- * and MUST NOT use the content of the output buffer if the return
- * status is not #PSA_SUCCESS.
- *
- * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
- * is defined.
- * A weakly linked version is provided by default and returns
- * PSA_ERROR_NOT_SUPPORTED. Do not use this function directly;
- * to generate a key, use psa_generate_key() instead.
- *
- * \param[in] type Type of symmetric key to be generated.
- * \param[out] output Output buffer for the generated data.
- * \param[out] output_size Number of bytes to generate and output.
- *
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval Implementation dependent
- */
-psa_status_t psa_generate_symmetric_vendor(psa_key_type_t type, size_t bits, uint8_t * output, size_t output_size);
-
-/**
- * \brief Perform vendor specific setup for cipher operations.
- *
- *
- * \note This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
- * is defined.
- * A weakly linked version is provided by default and returns
- * PSA_ERROR_NOT_SUPPORTED. Do not use this function directly;
- * to generate a key, use psa_generate_key() instead.
- *
- * \param[in,out] operation The operation object to set up. It must have
- * been initialized as per the documentation for
- * #psa_cipher_operation_t and not yet in use.
- * \param handle Handle to the key to use for the operation.
- * It must remain valid until the operation
- * terminates.
- * \param alg The cipher algorithm to compute
- * (\c PSA_ALG_XXX value such that
- * #PSA_ALG_IS_CIPHER(\p alg) is true).
- *
- * \retval #PSA_SUCCESS
- * Success.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * .
- */
-psa_status_t psa_cipher_setup_vendor(psa_cipher_operation_t * operation, psa_key_handle_t handle, psa_algorithm_t alg);
-
-/** Perform any vendor specific action when aborting a cipher operation.
- *
- * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
- * is defined. This function is called at the beginning of the psa_cipher_abort function.
- *
- * This function must not be called directly.
- *
- * \param[in,out] operation Initialized cipher operation.
- *
- * \retval #PSA_SUCCESS
- * \retval Implementation dependent return values.
- */
-psa_status_t psa_cipher_abort_vendor(psa_cipher_operation_t * operation);
-
/** \brief Declare the enrollment algorithm for a key.
*
* An operation on a key may indifferently use the algorithm set with
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index cdc6f5b..f59a68d 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -128,7 +128,7 @@
if( global_data.initialized == 0 ) \
return( PSA_ERROR_BAD_STATE );
-static psa_status_t mbedtls_to_psa_error( int ret )
+psa_status_t mbedtls_to_psa_error( int ret )
{
/* If there's both a high-level code and low-level code, dispatch on
* the high-level code. */
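Review bot: Dropping `static` from mbedtls_to_psa_error() at L294 exports the symbol, but no prototype is added for it in any header in this diff, and the same holds for mbedtls_ecc_group_of_psa() (L302), psa_import_ec_public_key() (L310), psa_finish_key_creation() (L334), mbedtls_cipher_info_from_psa() (L357) and psa_read_rsa_exponent() (L403). Without a shared declaration, vendor code has to hand-write prototypes that can silently drift from the definitions (a signature mismatch is undefined behaviour the compiler cannot diagnose across translation units), and builds with `-Wmissing-prototypes` will warn on each of them. Since psa_crypto_core.h is already touched by this commit, declare them there — e.g. `psa_status_t mbedtls_to_psa_error( int ret );` — keeping psa_read_rsa_exponent() under the same `MBEDTLS_RSA_C && MBEDTLS_GENPRIME` guard as its definition. psa_finish_key_creation() takes a `psa_se_drv_table_entry_t *`, an internal type, so consider whether it should really become part of the vendor-facing surface at all.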
@@ -407,7 +407,7 @@
}
}
-static mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve )
+mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_curve_t curve )
{
switch( curve )
{
@@ -594,7 +594,7 @@
/* Import a public key given as the uncompressed representation defined by SEC1
* 2.3.3 as the content of an ECPoint. */
-static psa_status_t psa_import_ec_public_key( psa_ecc_curve_t curve,
+psa_status_t psa_import_ec_public_key( psa_ecc_curve_t curve,
const uint8_t *data,
size_t data_length,
mbedtls_ecp_keypair **p_ecp )
@@ -953,6 +953,14 @@
/** Wipe key data from a slot. Preserve metadata such as the policy. */
static psa_status_t psa_remove_key_data_from_memory( psa_key_slot_t *slot )
{
+ #if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C)
+ if (PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(slot->attr.lifetime))
+ {
+ psa_remove_key_data_from_memory_vendor(slot);
+ }
+ else
+#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
+
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
if( psa_key_slot_is_external( slot ) )
{
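Review bot: The status returned by psa_remove_key_data_from_memory_vendor() at L321 is discarded, so a PSA_ERROR_CORRUPTION_DETECTED from the vendor wipe — which the new crypto_accel_driver.h block documents as a possible result — never reaches the caller, and psa_remove_key_data_from_memory() reports success for a slot whose vendor material may not actually have been wiped. Capture it instead, e.g. `status = psa_remove_key_data_from_memory_vendor( slot );`, and make sure the function's return (outside the hunk) propagates it. The call at L395 in psa_cipher_abort() drops its status the same way; if that one is intentionally best-effort, say so with a `(void)` cast and a comment. The stray blank line at L325 between `else` and the `#if defined(MBEDTLS_PSA_CRYPTO_SE_C)` line is harmless but obscures the `else`/`#endif` chain; drop it.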
@@ -1638,7 +1646,7 @@
* \return If this function fails, the key slot is an invalid state.
* You must call psa_fail_key_creation() to wipe and free the slot.
*/
-static psa_status_t psa_finish_key_creation(
+psa_status_t psa_finish_key_creation(
psa_key_slot_t *slot,
psa_se_drv_table_entry_t *driver )
{
@@ -1859,6 +1867,14 @@
}
else
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
+#if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C)
+ if (PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(slot->attr.lifetime))
+ {
+ status = psa_import_key_into_slot_vendor( slot, data, data_length);
+ goto exit;
+ }
+ else
+#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
{
status = psa_import_key_into_slot( slot, data, data_length );
if( status != PSA_SUCCESS )
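Review bot: The vendor branch at L345-L346 jumps to `exit` immediately after psa_import_key_into_slot_vendor() even on success, whereas the generic branch only jumps on failure and otherwise falls through to whatever precedes the `exit:` label (outside the hunk) — the attribute validation and, if psa_import_key() finalizes the key before the label rather than at it as psa_generate_key() does at L418-L420, the psa_finish_key_creation() call itself. If that post-import work applies to vendor keys too, a vendor-lifetime key would be left unvalidated or unfinalized while the call reports success. Replace the unconditional jump with `if( status != PSA_SUCCESS ) goto exit;` so both branches share the tail, unless skipping it is deliberate, in which case a comment on the branch should say why.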
@@ -2433,7 +2449,7 @@
/* MAC */
/****************************************************************/
-static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
+const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
psa_algorithm_t alg,
psa_key_type_t key_type,
size_t key_bits,
@@ -3743,6 +3759,14 @@
goto exit;
key_bits = psa_get_key_slot_bits( slot );
+#if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C)
+ if (PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(slot->attr.lifetime))
+ {
+ status = psa_cipher_setup_vendor(operation, handle, alg, cipher_operation);
+ goto exit;
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
+
cipher_info = mbedtls_cipher_info_from_psa( alg, slot->attr.type, key_bits, NULL );
if( cipher_info == NULL )
{
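Review bot: Moving the vendor branch ahead of mbedtls_cipher_info_from_psa() at L364-L370 with an unconditional `goto exit` means a vendor-lifetime key never reaches the generic setup that follows (outside the hunk), so every field the generic path fills in after this point is now solely the vendor's responsibility; on the previous placement, removed at L378-L385, the mbedtls cipher context had already been set up when the hook ran. Nothing in the psa_cipher_setup_vendor() contract in crypto_accel_driver.h states this, so a vendor that only sets up its own context leaves the rest of `operation` exactly as psa_cipher_setup() found it. Either add `\note The vendor implementation must fully initialize \p operation; psa_cipher_setup() performs no further setup after this call returns.` to that declaration, or move the common field initialization ahead of the branch. psa_cipher_setup()'s body continues outside the hunk.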
@@ -3754,14 +3778,6 @@
if( ret != 0 )
goto exit;
-#if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C)
- if (PSA_KEY_LIFETIME_IS_VENDOR_DEFINED(slot->attr.lifetime))
- {
- status = psa_cipher_setup_vendor(operation, handle, alg);
- if( status != PSA_SUCCESS )
- goto exit;
- }
-#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
#if defined(MBEDTLS_DES_C)
if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 )
{
@@ -4016,8 +4032,9 @@
* always have been initialized to a valid value). */
if( ! PSA_ALG_IS_CIPHER( operation->alg ) )
return( PSA_ERROR_BAD_STATE );
-
+#if defined (MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C)
psa_cipher_abort_vendor(operation);
+#endif //MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
mbedtls_cipher_free( &operation->ctx.cipher );
operation->alg = 0;
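Review bot: psa_cipher_abort_vendor() at L395 is now invoked for every cipher abort, not only for operations that were set up through psa_cipher_setup_vendor(), and nothing in this hunk lets the hook tell which path initialized the operation; the vendor implementation therefore has to cope with being handed an operation it never set up. That expectation belongs in the hook's header comment, e.g. `\note Called for every cipher operation, including ones not set up by the vendor; it must be a no-op for those.`. The `#endif //MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C` at L396 uses a `//` comment where every other guard in this file uses `/* ... */`; make it `#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */`.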
@@ -5403,7 +5420,7 @@
#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
-static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
+psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
size_t domain_parameters_size,
int *exponent )
{
@@ -5570,12 +5587,12 @@
attributes->domain_parameters, attributes->domain_parameters_size);
}
else
+#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
{
status = psa_generate_key_internal(
slot, attributes->core.bits,
attributes->domain_parameters, attributes->domain_parameters_size );
}
-#endif /* MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C */
exit:
if( status == PSA_SUCCESS )
status = psa_finish_key_creation( slot, driver );
diff --git a/library/psa_crypto_core.h b/library/psa_crypto_core.h
index 266b0cc..4601440 100644
--- a/library/psa_crypto_core.h
+++ b/library/psa_crypto_core.h
@@ -23,9 +23,9 @@
#define PSA_CRYPTO_CORE_H
#if !defined(MBEDTLS_CONFIG_FILE)
-#include "mbedtls/config.h"
+ #include "mbedtls/config.h"
#else
-#include MBEDTLS_CONFIG_FILE
+ #include MBEDTLS_CONFIG_FILE
#endif
#include "psa/crypto.h"
@@ -45,32 +45,31 @@
/* Raw-data key (key_type_is_raw_bytes() in psa_crypto.c) */
struct raw_data
{
- uint8_t *data;
- size_t bytes;
+ uint8_t * data;
+ size_t bytes;
} raw;
#if defined(MBEDTLS_RSA_C)
/* RSA public key or key pair */
- mbedtls_rsa_context *rsa;
-#endif /* MBEDTLS_RSA_C */
+ mbedtls_rsa_context * rsa;
+#endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECP_C)
/* EC public key or key pair */
- mbedtls_ecp_keypair *ecp;
-#endif /* MBEDTLS_ECP_C */
+ mbedtls_ecp_keypair * ecp;
+#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
/* Any key type in a secure element */
struct se
{
psa_key_slot_number_t slot_number;
} se;
-#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
- void * vendor_context;
+#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
} data;
} psa_key_slot_t;
/* A mask of key attribute flags used only internally.
* Currently there aren't any. */
-#define PSA_KA_MASK_INTERNAL_ONLY ( \
- 0 )
+#define PSA_KA_MASK_INTERNAL_ONLY ( \
+ 0)
/** Test whether a key slot is occupied.
*
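Review bot: The removal of `void * vendor_context;` from the `data` union at L463 is buried in what is otherwise a whitespace-only hunk and is not mentioned in the commit message. With it gone the slot no longer has a field a vendor driver owns, so psa_remove_key_data_from_memory_vendor() — described in crypto_accel_driver.h as wiping "vendor allocated items for a slot" — has nothing in `psa_key_slot_t` left to reference unless the vendor overlays `raw` or `se`; please confirm the removal is intended and state where vendor per-slot state now lives. The reformatting also changes `uint8_t *data` to `uint8_t * data` (L441, L448, L454) and `psa_key_slot_t *slot` to `psa_key_slot_t * slot` (L561), which departs from the pointer style used by the existing declarations in this file; keep the original spacing and split the functional change from the cosmetic one.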
@@ -111,7 +110,7 @@
uint16_t value )
{
slot->attr.flags = ( ( ~mask & slot->attr.flags ) |
- ( mask & value ) );
+ (mask & value));
}
/** Turn on flags in psa_key_slot_t::attr::core::flags.
@@ -173,80 +172,7 @@
* already fully wiped.
* \retval PSA_ERROR_CORRUPTION_DETECTED
*/
-psa_status_t psa_wipe_key_slot( psa_key_slot_t *slot );
-
-/**
- * \brief Sign a hash or short message with a vendor defined private key.
- * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
- *is defined.
- *
- * Note that to perform a hash-and-sign signature algorithm, you must
- * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
- * and psa_hash_finish(). Then pass the resulting hash as the \p hash
- * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
- * to determine the hash algorithm to use.
- *
- * \param slot Key slot to use for the operation.
- * It must be an asymmetric key pair.
- * \param alg A signature algorithm that is compatible with
- * the type of \p handle.
- * \param[in] hash The hash or message to sign.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[out] signature Buffer where the signature is to be written.
- * \param signature_size Size of the \p signature buffer in bytes.
- * \param[out] signature_length On success, the number of bytes
- * that make up the returned signature value.
- *
- * \retval #PSA_SUCCESS
- * \retval #PSA_ERROR_BUFFER_TOO_SMALL
- * The size of the \p signature buffer is too small. You can
- * determine a sufficient buffer size by calling
- * #PSA_ASYMMETRIC_SIGN_OUTPUT_SIZE(\c key_type, \c key_bits, \p alg)
- * where \c key_type and \c key_bits are the type and bit-size
- * respectively of \p handle.
- * \retval #PSA_ERROR_NOT_SUPPORTED
- * \retval Implementation dependent
- */
-psa_status_t psa_asymmetric_sign_vendor(psa_key_slot_t * slot,
- psa_algorithm_t alg,
- const uint8_t * hash,
- size_t hash_length,
- uint8_t * signature,
- size_t signature_size,
- size_t * signature_length);
-
-/**
- * \brief Verify the signature a hash or short message using a vendor defined public key.
- * This function has to be defined by the vendor if MBEDTLS_PSA_CRYPTO_ACCEL_DRV_C
- * is defined.
- *
- * Note that to perform a hash-and-sign signature algorithm, you must
- * first calculate the hash by calling psa_hash_setup(), psa_hash_update()
- * and psa_hash_finish(). Then pass the resulting hash as the \p hash
- * parameter to this function. You can use #PSA_ALG_SIGN_GET_HASH(\p alg)
- * to determine the hash algorithm to use.
- *
- * \param handle Key slot to use for the operation.
- * It must be a public key or an asymmetric key pair.
- * \param alg A signature algorithm that is compatible with
- * the type of \p handle.
- * \param[in] hash The hash or message whose signature is to be
- * verified.
- * \param hash_length Size of the \p hash buffer in bytes.
- * \param[in] signature Buffer containing the signature to verify.
- * \param signature_length Size of the \p signature buffer in bytes.
- *
- * \retval #PSA_SUCCESS
- * The signature is valid.
- * \retval #PSA_ERROR_INVALID_SIGNATURE
- * \retval Implementation dependent
- */
-psa_status_t psa_asymmetric_verify_vendor(psa_key_slot_t * slot,
- psa_algorithm_t alg,
- const uint8_t * hash,
- size_t hash_length,
- const uint8_t * signature,
- size_t signature_length);
+psa_status_t psa_wipe_key_slot(psa_key_slot_t * slot);
/** Import key data into a slot.
*