ARMmbed
/
mbed-os
mirror of https://github.com/ARMmbed/mbed-os.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

crypto: Update to Mbed Crypto 1.0.0d2

pull/9529/head
Jaeden Amero 2019-01-28 13:52:29 +00:00 committed by Oren Cohen
parent 99b8eafc35
commit 84ec1f7f1f
5 changed files with 129 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
features/mbedtls/mbed-crypto/VERSION.txt
View File

@ -1 +1 @@
mbedcrypto-1.0.0d1
mbedcrypto-1.0.0d2

2
features/mbedtls/mbed-crypto/importer/Makefile
View File

@ -29,7 +29,7 @@
# Set the Mbed Crypto release to import (this can/should be edited before
# import)
CRYPTO_RELEASE ?= mbedcrypto-1.0.0d1
CRYPTO_RELEASE ?= mbedcrypto-1.0.0d2
CRYPTO_REPO_URL ?= git@github.com:ARMmbed/mbed-crypto.git
# Translate between Mbed Crypto namespace and Mbed OS namespace

87
features/mbedtls/mbed-crypto/inc/psa/crypto_values.h
View File

@ -641,6 +641,7 @@
(((alg) & PSA_ALG_CATEGORY_MASK) == PSA_ALG_CATEGORY_KEY_SELECTION)
#define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
#define PSA_ALG_MD2 ((psa_algorithm_t)0x01000001)
#define PSA_ALG_MD4 ((psa_algorithm_t)0x01000002)
#define PSA_ALG_MD5 ((psa_algorithm_t)0x01000003)
@ -667,6 +668,44 @@
/** SHA3-512 */
#define PSA_ALG_SHA3_512 ((psa_algorithm_t)0x01000013)
/** In a hash-and-sign algorithm policy, allow any hash algorithm.
*
* This value may be used to form the algorithm usage field of a policy
* for a signature algorithm that is parametrized by a hash. The key
* may then be used to perform operations using the same signature
* algorithm parametrized with any supported hash.
*
* That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
* - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS,
* - #PSA_ALG_DSA, #PSA_ALG_DETERMINISTIC_DSA,
* - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
* Then you may create and use a key as follows:
* - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
* ```
* psa_key_policy_set_usage(&policy,
* PSA_KEY_USAGE_SIGN, //or PSA_KEY_USAGE_VERIFY
* PSA_xxx_SIGNATURE(PSA_ALG_ANY_HASH));
* psa_set_key_policy(handle, &policy);
* ```
* - Import or generate key material.
* - Call psa_asymmetric_sign() or psa_asymmetric_verify(), passing
* an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
* call to sign or verify a message may use a different hash.
* ```
* psa_asymmetric_sign(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
* psa_asymmetric_sign(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
* psa_asymmetric_sign(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
* ```
*
* This value may not be used to build other algorithms that are
* parametrized over a hash. For any valid use of this macro to build
* an algorithm `\p alg`, #PSA_ALG_IS_HASH_AND_SIGN(\p alg) is true.
*
* This value may not be used to build an algorithm specification to
* perform an operation. It is only valid to build policies.
*/
#define PSA_ALG_ANY_HASH ((psa_algorithm_t)0x010000ff)
#define PSA_ALG_MAC_SUBCATEGORY_MASK ((psa_algorithm_t)0x00c00000)
#define PSA_ALG_HMAC_BASE ((psa_algorithm_t)0x02800000)
/** Macro to build an HMAC algorithm.
@ -914,6 +953,8 @@
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding RSA PKCS#1 v1.5 signature algorithm.
* \return Unspecified if \p alg is not a supported
@ -943,6 +984,8 @@
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding RSA PSS signature algorithm.
* \return Unspecified if \p alg is not a supported
@ -961,6 +1004,8 @@
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding DSA signature algorithm.
* \return Unspecified if \p alg is not a supported
@ -996,6 +1041,8 @@
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding ECDSA signature algorithm.
* \return Unspecified if \p alg is not a supported
@ -1028,6 +1075,8 @@
*
* \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
* #PSA_ALG_IS_HASH(\p hash_alg) is true).
* This includes #PSA_ALG_ANY_HASH
* when specifying the algorithm in a usage policy.
*
* \return The corresponding deterministic ECDSA signature
* algorithm.
@ -1046,6 +1095,23 @@
#define PSA_ALG_IS_RANDOMIZED_ECDSA(alg) \
(PSA_ALG_IS_ECDSA(alg) && !PSA_ALG_ECDSA_IS_DETERMINISTIC(alg))
/** Whether the specified algorithm is a hash-and-sign algorithm.
*
* Hash-and-sign algorithms are public-key signature algorithms structured
* in two parts: first the calculation of a hash in a way that does not
* depend on the key, then the calculation of a signature from the
* hash value and the key.
*
* \param alg An algorithm identifier (value of type #psa_algorithm_t).
*
* \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
* This macro may return either 0 or 1 if \p alg is not a supported
* algorithm identifier.
*/
#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
(PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
PSA_ALG_IS_DSA(alg) || PSA_ALG_IS_ECDSA(alg))
/** Get the hash used by a hash-and-sign signature algorithm.
*
* A hash-and-sign algorithm is a signature algorithm which is
@ -1065,8 +1131,7 @@
* if it is not supported by the implementation.
*/
#define PSA_ALG_SIGN_GET_HASH(alg) \
(PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
PSA_ALG_IS_DSA(alg) || PSA_ALG_IS_ECDSA(alg) ? \
(PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \
((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
0)
@ -1325,6 +1390,24 @@
#define PSA_ALG_IS_ECDH(alg) \
(PSA_ALG_KEY_AGREEMENT_GET_BASE(alg) == PSA_ALG_ECDH_BASE)
/** Whether the specified algorithm encoding is a wildcard.
*
* Wildcard values may only be used to set the usage algorithm field in
* a policy, not to perform an operation.
*
* \param alg An algorithm identifier (value of type #psa_algorithm_t).
*
* \return 1 if \c alg is a wildcard algorithm encoding.
* \return 0 if \c alg is a non-wildcard algorithm encoding (suitable for
* an operation).
* \return This macro may return either 0 or 1 if \c alg is not a supported
* algorithm identifier.
*/
#define PSA_ALG_IS_WILDCARD(alg) \
(PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
PSA_ALG_SIGN_GET_HASH(alg) == PSA_ALG_ANY_HASH : \
(alg) == PSA_ALG_ANY_HASH)
/**@}*/
/** \defgroup key_lifetimes Key lifetimes

36
features/mbedtls/mbed-crypto/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL/psa_crypto.c
View File

@ -93,7 +93,7 @@
#include "mbedtls/xtea.h"
#if ( defined(MBEDTLS_ENTROPY_NV_SEED) && defined(MBEDTLS_PSA_HAS_ITS_IO) )
#include "psa_prot_internal_storage.h"
#include "psa/internal_trusted_storage.h"
#endif
#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) )
@ -748,6 +748,29 @@ static psa_status_t psa_get_empty_key_slot( psa_key_handle_t handle,
return( status );
}
/** Test whether a policy permits an algorithm.
*
* The caller must test usage flags separately.
*/
static int psa_key_policy_permits( const psa_key_policy_t *policy,
psa_algorithm_t alg )
{
/* Common case: the policy only allows alg. */
if( alg == policy->alg )
return( 1 );
/* If policy->alg is a hash-and-sign with a wildcard for the hash,
* and alg is the same hash-and-sign family with any hash,
* then alg is compliant with policy->alg. */
if( PSA_ALG_IS_HASH_AND_SIGN( alg ) &&
PSA_ALG_SIGN_GET_HASH( policy->alg ) == PSA_ALG_ANY_HASH )
{
return( ( policy->alg & ~PSA_ALG_HASH_MASK ) ==
( alg & ~PSA_ALG_HASH_MASK ) );
}
/* If it isn't permitted, it's forbidden. */
return( 0 );
}
/** Retrieve a slot which must contain a key. The key must have allow all the
* usage flags set in \p usage. If \p alg is nonzero, the key must allow
* operations with this algorithm. */
@ -775,7 +798,9 @@ static psa_status_t psa_get_key_from_slot( psa_key_handle_t handle,
usage &= ~PSA_KEY_USAGE_EXPORT;
if( ( slot->policy.usage & usage ) != usage )
return( PSA_ERROR_NOT_PERMITTED );
if( alg != 0 && ( alg != slot->policy.alg ) )
/* Enforce that the usage policy permits the requested algortihm. */
if( alg != 0 && ! psa_key_policy_permits( &slot->policy, alg ) )
return( PSA_ERROR_NOT_PERMITTED );
*p_slot = slot;
@ -4264,7 +4289,7 @@ static psa_status_t its_to_psa_error( psa_its_status_t ret )
case PSA_ITS_SUCCESS:
return( PSA_SUCCESS );
case PSA_ITS_ERROR_KEY_NOT_FOUND:
case PSA_ITS_ERROR_UID_NOT_FOUND:
return( PSA_ERROR_EMPTY_SLOT );
case PSA_ITS_ERROR_STORAGE_FAILURE:
@ -4273,10 +4298,9 @@ static psa_status_t its_to_psa_error( psa_its_status_t ret )
case PSA_ITS_ERROR_INSUFFICIENT_SPACE:
return( PSA_ERROR_INSUFFICIENT_STORAGE );
case PSA_ITS_ERROR_INVALID_KEY:
case PSA_ITS_ERROR_OFFSET_INVALID:
case PSA_ITS_ERROR_INCORRECT_SIZE:
case PSA_ITS_ERROR_BAD_POINTER:
case PSA_ITS_ERROR_INVALID_ARGUMENTS:
return( PSA_ERROR_INVALID_ARGUMENT );
case PSA_ITS_ERROR_FLAGS_NOT_SUPPORTED:
@ -4307,7 +4331,7 @@ psa_status_t mbedtls_psa_inject_entropy( const unsigned char *seed,
its_status = psa_its_get_info( PSA_CRYPTO_ITS_RANDOM_SEED_UID, &p_info );
status = its_to_psa_error( its_status );
if( PSA_ITS_ERROR_KEY_NOT_FOUND == its_status ) /* No seed exists */
if( PSA_ITS_ERROR_UID_NOT_FOUND == its_status ) /* No seed exists */
{
its_status = psa_its_set( PSA_CRYPTO_ITS_RANDOM_SEED_UID, seed_size, seed, 0 );
status = its_to_psa_error( its_status );

25
features/mbedtls/mbed-crypto/platform/TARGET_PSA/COMPONENT_PSA_SRV_IMPL/psa_crypto_storage_its.c
View File

@ -29,7 +29,7 @@
#include "psa/crypto.h"
#include "psa_crypto_storage_backend.h"
#include "psa_prot_internal_storage.h"
#include "psa/internal_trusted_storage.h"
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
@ -42,7 +42,7 @@ static psa_status_t its_to_psa_error( psa_its_status_t ret )
case PSA_ITS_SUCCESS:
return( PSA_SUCCESS );
case PSA_ITS_ERROR_KEY_NOT_FOUND:
case PSA_ITS_ERROR_UID_NOT_FOUND:
return( PSA_ERROR_EMPTY_SLOT );
case PSA_ITS_ERROR_STORAGE_FAILURE:
@ -51,10 +51,9 @@ static psa_status_t its_to_psa_error( psa_its_status_t ret )
case PSA_ITS_ERROR_INSUFFICIENT_SPACE:
return( PSA_ERROR_INSUFFICIENT_STORAGE );
case PSA_ITS_ERROR_INVALID_KEY:
case PSA_ITS_ERROR_OFFSET_INVALID:
case PSA_ITS_ERROR_INCORRECT_SIZE:
case PSA_ITS_ERROR_BAD_POINTER:
case PSA_ITS_ERROR_INVALID_ARGUMENTS:
return( PSA_ERROR_INVALID_ARGUMENT );
case PSA_ITS_ERROR_FLAGS_NOT_SUPPORTED:
@ -68,7 +67,7 @@ static psa_status_t its_to_psa_error( psa_its_status_t ret )
}
}
static uint32_t psa_its_identifier_of_slot( psa_key_id_t key )
static psa_its_uid_t psa_its_identifier_of_slot( psa_key_id_t key )
{
return( key );
}
@ -78,7 +77,7 @@ psa_status_t psa_crypto_storage_load( const psa_key_id_t key, uint8_t *data,
{
psa_its_status_t ret;
psa_status_t status;
uint32_t data_identifier = psa_its_identifier_of_slot( key );
psa_its_uid_t data_identifier = psa_its_identifier_of_slot( key );
struct psa_its_info_t data_identifier_info;
ret = psa_its_get_info( data_identifier, &data_identifier_info );
@ -95,12 +94,12 @@ psa_status_t psa_crypto_storage_load( const psa_key_id_t key, uint8_t *data,
int psa_is_key_present_in_storage( const psa_key_id_t key )
{
psa_its_status_t ret;
uint32_t data_identifier = psa_its_identifier_of_slot( key );
psa_its_uid_t data_identifier = psa_its_identifier_of_slot( key );
struct psa_its_info_t data_identifier_info;
ret = psa_its_get_info( data_identifier, &data_identifier_info );
if( ret == PSA_ITS_ERROR_KEY_NOT_FOUND )
if( ret == PSA_ITS_ERROR_UID_NOT_FOUND )
return( 0 );
return( 1 );
}
@ -111,7 +110,7 @@ psa_status_t psa_crypto_storage_store( const psa_key_id_t key,
{
psa_its_status_t ret;
psa_status_t status;
uint32_t data_identifier = psa_its_identifier_of_slot( key );
psa_its_uid_t data_identifier = psa_its_identifier_of_slot( key );
struct psa_its_info_t data_identifier_info;
if( psa_is_key_present_in_storage( key ) == 1 )
@ -146,18 +145,18 @@ exit:
psa_status_t psa_destroy_persistent_key( const psa_key_id_t key )
{
psa_its_status_t ret;
uint32_t data_identifier = psa_its_identifier_of_slot( key );
psa_its_uid_t data_identifier = psa_its_identifier_of_slot( key );
struct psa_its_info_t data_identifier_info;
ret = psa_its_get_info( data_identifier, &data_identifier_info );
if( ret == PSA_ITS_ERROR_KEY_NOT_FOUND )
if( ret == PSA_ITS_ERROR_UID_NOT_FOUND )
return( PSA_SUCCESS );
if( psa_its_remove( data_identifier ) != PSA_ITS_SUCCESS )
return( PSA_ERROR_STORAGE_FAILURE );
ret = psa_its_get_info( data_identifier, &data_identifier_info );
if( ret != PSA_ITS_ERROR_KEY_NOT_FOUND )
if( ret != PSA_ITS_ERROR_UID_NOT_FOUND )
return( PSA_ERROR_STORAGE_FAILURE );
return( PSA_SUCCESS );
@ -168,7 +167,7 @@ psa_status_t psa_crypto_storage_get_data_length( const psa_key_id_t key,
{
psa_its_status_t ret;
psa_status_t status;
uint32_t data_identifier = psa_its_identifier_of_slot( key );
psa_its_uid_t data_identifier = psa_its_identifier_of_slot( key );
struct psa_its_info_t data_identifier_info;
ret = psa_its_get_info( data_identifier, &data_identifier_info );