Add new psa_tls12_prf_key_derivation_t
As part of adapting TLS 1.2 key derivation to the PSA 1.0 API we need to
change the context structure.
diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h
index 0e0ecb2..e6197cb 100644
--- a/include/psa/crypto_struct.h
+++ b/include/psa/crypto_struct.h
@@ -203,6 +203,7 @@
#define PSA_PRE_1_0_KEY_DERIVATION
#if defined(MBEDTLS_MD_C)
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
typedef struct psa_tls12_prf_key_derivation_s
{
/* The TLS 1.2 PRF uses the key for each HMAC iteration,
@@ -231,6 +232,43 @@
uint8_t block_number;
} psa_tls12_prf_key_derivation_t;
+#else
+
+typedef enum
+{
+ TLS12_PRF_STATE_INIT, /* no input provided */
+ TLS12_PRF_STATE_SEED_SET, /* seed has been set */
+ TLS12_PRF_STATE_KEY_SET, /* key has been set */
+ TLS12_PRF_STATE_LABEL_SET, /* label has been set */
+ TLS12_PRF_STATE_OUTPUT /* output has been started */
+} psa_tls12_prf_key_derivation_state_t;
+
+typedef struct psa_tls12_prf_key_derivation_s
+{
+#if PSA_HASH_MAX_SIZE > 0xff
+#error "PSA_HASH_MAX_SIZE does not fit in uint8_t"
+#endif
+
+ /* Indicates how many bytes in the current HMAC block have
+ * already been read by the user. */
+ uint8_t offset_in_block;
+
+ /* The 1-based number of the block. */
+ uint8_t block_number;
+
+ psa_tls12_prf_key_derivation_state_t state;
+
+ uint8_t *seed;
+ size_t seed_length;
+ uint8_t *label;
+ size_t label_length;
+ psa_hmac_internal_data hmac;
+ uint8_t Ai[PSA_HASH_MAX_SIZE];
+
+ /* `HMAC_hash( prk, A(i) + seed )` in the notation of RFC 5246, Sect. 5. */
+ uint8_t output_block[PSA_HASH_MAX_SIZE];
+} psa_tls12_prf_key_derivation_t;
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
#endif /* MBEDTLS_MD_C */
struct psa_key_derivation_s
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index 924b291..f4e94bf 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2122,11 +2122,13 @@
return( psa_hash_abort( &hmac->hash_ctx ) );
}
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
static void psa_hmac_init_internal( psa_hmac_internal_data *hmac )
{
/* Instances of psa_hash_operation_s can be initialized by zeroization. */
memset( hmac, 0, sizeof( *hmac ) );
}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
#endif /* MBEDTLS_MD_C */
psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
@@ -3879,6 +3881,7 @@
mbedtls_free( operation->ctx.hkdf.info );
status = psa_hmac_abort_internal( &operation->ctx.hkdf.hmac );
}
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
/* TLS-1.2 PSK-to-MS KDF uses the same core as TLS-1.2 PRF */
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
@@ -3897,6 +3900,7 @@
mbedtls_free( operation->ctx.tls12_prf.Ai_with_seed );
}
}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
else
#endif /* MBEDTLS_MD_C */
{
@@ -4000,6 +4004,7 @@
return( PSA_SUCCESS );
}
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
static psa_status_t psa_key_derivation_tls12_prf_generate_next_block(
psa_tls12_prf_key_derivation_t *tls12_prf,
psa_algorithm_t alg )
@@ -4111,7 +4116,9 @@
return( status );
}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
/* Read some bytes from an TLS-1.2-PRF-based operation.
* See Section 5 of RFC 5246. */
static psa_status_t psa_key_derivation_tls12_prf_read(
@@ -4151,6 +4158,7 @@
return( PSA_SUCCESS );
}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
#endif /* MBEDTLS_MD_C */
psa_status_t psa_key_derivation_output_bytes( psa_key_derivation_operation_t *operation,
@@ -4210,6 +4218,7 @@
status = psa_key_derivation_hkdf_read( &operation->ctx.hkdf, hash_alg,
output, output_length );
}
+#if defined(PSA_PRE_1_0_KEY_DERIVATION)
else if( PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
{
@@ -4217,6 +4226,7 @@
kdf_alg, output,
output_length );
}
+#endif /* PSA_PRE_1_0_KEY_DERIVATION */
else
#endif /* MBEDTLS_MD_C */
{