psa: Move from key handle to key identifier

Move all the PSA crypto APIs that use key handles
over to key identifiers, except psa_key_open() and
psa_key_close(). This is done without modifying
any test, as key handles and key identifiers are
now the same.

Update the library modules using PSA crypto APIs
to get rid of key handles.

Programs and unit tests are updated to not use
key handles in subsequent commits, not in this
one.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
diff --git a/library/pk.c b/library/pk.c
index 9a3bcb0..ecf002d 100644
--- a/library/pk.c
+++ b/library/pk.c
@@ -150,11 +150,12 @@
 /*
  * Initialise a PSA-wrapping context
  */
-int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key )
+int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
+                             const psa_key_id_t key )
 {
     const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_handle_t *pk_ctx;
+    psa_key_id_t *pk_ctx;
     psa_key_type_t type;
 
     if( ctx == NULL || ctx->pk_info != NULL )
@@ -174,7 +175,7 @@
 
     ctx->pk_info = info;
 
-    pk_ctx = (psa_key_handle_t *) ctx->pk_ctx;
+    pk_ctx = (psa_key_id_t *) ctx->pk_ctx;
     *pk_ctx = key;
 
     return( 0 );
@@ -587,12 +588,12 @@
  * Currently only works for EC private keys.
  */
 int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
-                               psa_key_handle_t *handle,
+                               psa_key_id_t *key,
                                psa_algorithm_t hash_alg )
 {
 #if !defined(MBEDTLS_ECP_C)
     ((void) pk);
-    ((void) handle);
+    ((void) key);
     ((void) hash_alg);
     return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
 #else
@@ -624,14 +625,14 @@
     psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA(hash_alg) );
 
     /* import private key into PSA */
-    if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, handle ) )
+    if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, key ) )
         return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
 
     /* make PK context wrap the key slot */
     mbedtls_pk_free( pk );
     mbedtls_pk_init( pk );
 
-    return( mbedtls_pk_setup_opaque( pk, *handle ) );
+    return( mbedtls_pk_setup_opaque( pk, *key ) );
 #endif /* MBEDTLS_ECP_C */
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
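Review bot: When `mbedtls_pk_setup_opaque( pk, *key )` fails at the end of mbedtls_pk_wrap_as_opaque, the key imported a few lines earlier stays in the key store and `*key` still names it, while `pk` has already been freed and re-initialised. Either destroy the key and reset the output on that path, or state in the function's documentation that the caller owns `*key` even when an error is returned. The comment `/* make PK context wrap the key slot */` also keeps the slot wording this commit is moving away from; `/* make PK context wrap the key */` would match. The function's opening and the code that fills `d` are outside this hunk.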
diff --git a/library/pk_wrap.c b/library/pk_wrap.c
index a40734b..107e912 100644
--- a/library/pk_wrap.c
+++ b/library/pk_wrap.c
@@ -543,7 +543,7 @@
     mbedtls_ecdsa_context *ctx = ctx_arg;
     int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
-    psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t key_id = 0;
     psa_status_t status;
     mbedtls_pk_context key;
     int key_len;
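Review bot: `psa_key_id_t key_id = 0;` initialises the identifier with a bare literal, while the rest of this commit uses `MBEDTLS_SVC_KEY_ID_INIT` and the functions it is later passed to (psa_import_key, psa_verify_hash, psa_destroy_key) now take `mbedtls_svc_key_id_t`. That only works while the two types are the same plain integer; if a configuration can make `mbedtls_svc_key_id_t` a distinct type, this file would presumably stop compiling. Declaring it as `mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;`, or adding a comment that the PK layer assumes the two types are identical, would make the assumption explicit. The same mix appears in library/ssl_tls.c, where `psa_key_id_t` values are initialised with `MBEDTLS_SVC_KEY_ID_INIT` and tested with `mbedtls_svc_key_id_is_null()`. The enclosing function starts and ends outside this hunk.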
@@ -576,7 +576,7 @@
 
     status = psa_import_key( &attributes,
                              buf + sizeof( buf ) - key_len, key_len,
-                             &key_handle );
+                             &key_id );
     if( status != PSA_SUCCESS )
     {
         ret = mbedtls_psa_err_translate_pk( status );
@@ -598,7 +598,7 @@
         goto cleanup;
     }
 
-    if( psa_verify_hash( key_handle, psa_sig_md,
+    if( psa_verify_hash( key_id, psa_sig_md,
                          hash, hash_len,
                          buf, 2 * signature_part_size )
          != PSA_SUCCESS )
@@ -615,7 +615,7 @@
     ret = 0;
 
 cleanup:
-    psa_destroy_key( key_handle );
+    psa_destroy_key( key_id );
     return( ret );
 }
 #else /* MBEDTLS_USE_PSA_CRYPTO */
@@ -870,7 +870,7 @@
 
 static void *pk_opaque_alloc_wrap( void )
 {
-    void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) );
+    void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) );
 
     /* no _init() function to call, an calloc() already zeroized */
 
@@ -879,13 +879,13 @@
 
 static void pk_opaque_free_wrap( void *ctx )
 {
-    mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) );
+    mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) );
     mbedtls_free( ctx );
 }
 
 static size_t pk_opaque_get_bitlen( const void *ctx )
 {
-    const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
+    const psa_key_id_t *key = (const psa_key_id_t *) ctx;
     size_t bits;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 
@@ -1008,7 +1008,7 @@
     ((void) p_rng);
     return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
 #else /* !MBEDTLS_ECDSA_C */
-    const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
+    const psa_key_id_t *key = (const psa_key_id_t *) ctx;
     psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
     psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
     size_t buf_len;
diff --git a/library/pkwrite.c b/library/pkwrite.c
index b317ccf..0da3698 100644
--- a/library/pkwrite.c
+++ b/library/pkwrite.c
@@ -198,13 +198,13 @@
     if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
     {
         size_t buffer_size;
-        psa_key_handle_t* key_slot = (psa_key_handle_t*) key->pk_ctx;
+        psa_key_id_t* key_id = (psa_key_id_t*) key->pk_ctx;
 
         if ( *p < start )
             return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
 
         buffer_size = (size_t)( *p - start );
-        if ( psa_export_public_key( *key_slot, start, buffer_size, &len )
+        if ( psa_export_public_key( *key_id, start, buffer_size, &len )
              != PSA_SUCCESS )
         {
             return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -265,12 +265,12 @@
     {
         psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
         psa_key_type_t key_type;
-        psa_key_handle_t handle;
+        psa_key_id_t key_id;
         psa_ecc_family_t curve;
         size_t bits;
 
-        handle = *((psa_key_handle_t*) key->pk_ctx );
-        if( PSA_SUCCESS != psa_get_key_attributes( handle, &attributes ) )
+        key_id = *((psa_key_id_t*) key->pk_ctx );
+        if( PSA_SUCCESS != psa_get_key_attributes( key_id, &attributes ) )
             return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
         key_type = psa_get_key_type( &attributes );
         bits = psa_get_key_bits( &attributes );
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index f8a8c0a..a437aee 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -1190,7 +1190,7 @@
 /** Retrieve a slot which must contain a key. The key must have allow all the
  * usage flags set in \p usage. If \p alg is nonzero, the key must allow
  * operations with this algorithm. */
-static psa_status_t psa_get_key_from_slot( psa_key_handle_t handle,
+static psa_status_t psa_get_key_from_slot( mbedtls_svc_key_id_t key,
                                            psa_key_slot_t **p_slot,
                                            psa_key_usage_t usage,
                                            psa_algorithm_t alg )
@@ -1200,7 +1200,7 @@
 
     *p_slot = NULL;
 
-    status = psa_get_key_slot( handle, &slot );
+    status = psa_get_key_slot( key, &slot );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -1230,12 +1230,12 @@
  * until secure element support is fully implemented.
  */
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
-static psa_status_t psa_get_transparent_key( psa_key_handle_t handle,
+static psa_status_t psa_get_transparent_key( mbedtls_svc_key_id_t key,
                                              psa_key_slot_t **p_slot,
                                              psa_key_usage_t usage,
                                              psa_algorithm_t alg )
 {
-    psa_status_t status = psa_get_key_from_slot( handle, p_slot, usage, alg );
+    psa_status_t status = psa_get_key_from_slot( key, p_slot, usage, alg );
     if( status != PSA_SUCCESS )
         return( status );
     if( psa_key_slot_is_external( *p_slot ) )
@@ -1247,8 +1247,8 @@
 }
 #else /* MBEDTLS_PSA_CRYPTO_SE_C */
 /* With no secure element support, all keys are transparent. */
-#define psa_get_transparent_key( handle, p_slot, usage, alg )   \
-    psa_get_key_from_slot( handle, p_slot, usage, alg )
+#define psa_get_transparent_key( key, p_slot, usage, alg )   \
+    psa_get_key_from_slot( key, p_slot, usage, alg )
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
 /** Wipe key data from a slot. Preserve metadata such as the policy. */
@@ -1291,7 +1291,7 @@
     return( status );
 }
 
-psa_status_t psa_destroy_key( psa_key_handle_t handle )
+psa_status_t psa_destroy_key( mbedtls_svc_key_id_t key )
 {
     psa_key_slot_t *slot;
     psa_status_t status; /* status of the last operation */
@@ -1300,10 +1300,10 @@
     psa_se_drv_table_entry_t *driver;
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
-    if( psa_key_handle_is_null( handle ) )
+    if( mbedtls_svc_key_id_is_null( key ) )
         return( PSA_SUCCESS );
 
-    status = psa_get_key_slot( handle, &slot );
+    status = psa_get_key_slot( key, &slot );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -1470,7 +1470,7 @@
 
 /** Retrieve all the publicly-accessible attributes of a key.
  */
-psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
+psa_status_t psa_get_key_attributes( mbedtls_svc_key_id_t key,
                                      psa_key_attributes_t *attributes )
 {
     psa_key_slot_t *slot;
@@ -1478,7 +1478,7 @@
 
     psa_reset_key_attributes( attributes );
 
-    status = psa_get_key_from_slot( handle, &slot, 0, 0 );
+    status = psa_get_key_from_slot( key, &slot, 0, 0 );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -1683,7 +1683,7 @@
     }
 }
 
-psa_status_t psa_export_key( psa_key_handle_t handle,
+psa_status_t psa_export_key( mbedtls_svc_key_id_t key,
                              uint8_t *data,
                              size_t data_size,
                              size_t *data_length )
@@ -1700,14 +1700,14 @@
     /* Export requires the EXPORT flag. There is an exception for public keys,
      * which don't require any flag, but psa_get_key_from_slot takes
      * care of this. */
-    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_EXPORT, 0 );
+    status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_EXPORT, 0 );
     if( status != PSA_SUCCESS )
         return( status );
     return( psa_internal_export_key( slot, data, data_size,
                                      data_length, 0 ) );
 }
 
-psa_status_t psa_export_public_key( psa_key_handle_t handle,
+psa_status_t psa_export_public_key( mbedtls_svc_key_id_t key,
                                     uint8_t *data,
                                     size_t data_size,
                                     size_t *data_length )
@@ -1722,7 +1722,7 @@
     *data_length = 0;
 
     /* Exporting a public key doesn't require a usage flag. */
-    status = psa_get_key_from_slot( handle, &slot, 0, 0 );
+    status = psa_get_key_from_slot( key, &slot, 0, 0 );
     if( status != PSA_SUCCESS )
         return( status );
     return( psa_internal_export_key( slot, data, data_size,
@@ -1825,7 +1825,8 @@
  *
  * This function is intended to be used as follows:
  * -# Call psa_start_key_creation() to allocate a key slot, prepare
- *    it with the specified attributes, and assign it a handle.
+ *    it with the specified attributes, and in case of a volatile key assign it
+ *    a volatile key identifier.
  * -# Populate the slot with the key material.
  * -# Call psa_finish_key_creation() to finalize the creation of the slot.
  * In case of failure at any step, stop the sequence and call
@@ -1833,7 +1834,7 @@
  *
  * \param method            An identification of the calling function.
  * \param[in] attributes    Key attributes for the new key.
- * \param[out] handle       On success, a handle for the allocated slot.
+ * \param[out] key          On success, identifier of the key.
  * \param[out] p_slot       On success, a pointer to the prepared slot.
  * \param[out] p_drv        On any return, the driver for the key, if any.
  *                          NULL for a transparent key.
@@ -1846,7 +1847,7 @@
 static psa_status_t psa_start_key_creation(
     psa_key_creation_method_t method,
     const psa_key_attributes_t *attributes,
-    psa_key_handle_t *handle,
+    mbedtls_svc_key_id_t *key,
     psa_key_slot_t **p_slot,
     psa_se_drv_table_entry_t **p_drv )
 {
@@ -1938,7 +1939,7 @@
     }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
 
-    *handle = slot->attr.id;
+    *key = slot->attr.id;
 
     return( PSA_SUCCESS );
 }
@@ -1956,7 +1957,7 @@
  *                      or NULL for a transparent key.
  *
  * \retval #PSA_SUCCESS
- *         The key was successfully created. The handle is now valid.
+ *         The key was successfully created.
  * \return If this function fails, the key slot is an invalid state.
  *         You must call psa_fail_key_creation() to wipe and free the slot.
  */
@@ -2138,7 +2139,7 @@
 psa_status_t psa_import_key( const psa_key_attributes_t *attributes,
                              const uint8_t *data,
                              size_t data_length,
-                             psa_key_handle_t *handle )
+                             mbedtls_svc_key_id_t *key )
 {
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
@@ -2151,7 +2152,7 @@
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_start_key_creation( PSA_KEY_CREATION_IMPORT, attributes,
-                                     handle, &slot, &driver );
+                                     key, &slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -2197,7 +2198,7 @@
     if( status != PSA_SUCCESS )
     {
         psa_fail_key_creation( slot, driver );
-        *handle = PSA_KEY_HANDLE_INIT;
+        *key = MBEDTLS_SVC_KEY_ID_INIT;
     }
     return( status );
 }
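Review bot: The reset `*key = MBEDTLS_SVC_KEY_ID_INIT;` only runs for failures that reach this exit path; the early `return( PSA_ERROR_INVALID_ARGUMENT );` shown in the previous hunk of psa_import_key returns before `*key` is written at all. Now that the output is a key identifier rather than a handle, a caller that passes an uninitialised variable and then calls psa_destroy_key() in its own cleanup could act on an unrelated key. Writing `*key = MBEDTLS_SVC_KEY_ID_INIT;` as the first statement of the function closes that gap; psa_generate_key and psa_key_derivation_output_key show the same early-return shape in their hunks. The condition guarding the early return is outside the visible lines.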
@@ -2209,7 +2210,7 @@
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
     psa_se_drv_table_entry_t *driver = NULL;
-    psa_key_handle_t handle = PSA_KEY_HANDLE_INIT;
+    mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
 
     /* Leaving attributes unspecified is not currently supported.
      * It could make sense to query the key type and size from the
@@ -2221,7 +2222,7 @@
         return( PSA_ERROR_NOT_SUPPORTED );
 
     status = psa_start_key_creation( PSA_KEY_CREATION_REGISTER, attributes,
-                                     &handle, &slot, &driver );
+                                     &key, &slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -2233,7 +2234,7 @@
         psa_fail_key_creation( slot, driver );
     }
     /* Registration doesn't keep the key in RAM. */
-    psa_close_key( handle );
+    psa_close_key( key );
     return( status );
 }
 #endif /* MBEDTLS_PSA_CRYPTO_SE_C */
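Review bot: `psa_close_key( key )` is called on both the success and the failure path, after `psa_fail_key_creation( slot, driver )` may already have run, and its return status is discarded. Whether closing an identifier whose slot was just wiped is harmless is not visible here, so either guard the call with `if( status == PSA_SUCCESS )` or say in the comment why the unconditional call is safe. Since the commit message keeps the open/close calls on handles, a short note such as `/* the key identifier doubles as the handle here */` would also explain why an `mbedtls_svc_key_id_t` is passed. The function's signature and the start of its body are outside this hunk.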
@@ -2253,9 +2254,9 @@
     return( PSA_SUCCESS );
 }
 
-psa_status_t psa_copy_key( psa_key_handle_t source_handle,
+psa_status_t psa_copy_key( mbedtls_svc_key_id_t source_key,
                            const psa_key_attributes_t *specified_attributes,
-                           psa_key_handle_t *target_handle )
+                           mbedtls_svc_key_id_t *target_key )
 {
     psa_status_t status;
     psa_key_slot_t *source_slot = NULL;
@@ -2263,7 +2264,7 @@
     psa_key_attributes_t actual_attributes = *specified_attributes;
     psa_se_drv_table_entry_t *driver = NULL;
 
-    status = psa_get_transparent_key( source_handle, &source_slot,
+    status = psa_get_transparent_key( source_key, &source_slot,
                                       PSA_KEY_USAGE_COPY, 0 );
     if( status != PSA_SUCCESS )
         goto exit;
@@ -2280,7 +2281,7 @@
 
     status = psa_start_key_creation( PSA_KEY_CREATION_COPY,
                                      &actual_attributes,
-                                     target_handle, &target_slot, &driver );
+                                     target_key, &target_slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -2302,7 +2303,7 @@
     if( status != PSA_SUCCESS )
     {
         psa_fail_key_creation( target_slot, driver );
-        *target_handle = PSA_KEY_HANDLE_INIT;
+        *target_key = MBEDTLS_SVC_KEY_ID_INIT;
     }
     return( status );
 }
@@ -3086,7 +3087,7 @@
 #endif /* MBEDTLS_MD_C */
 
 static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
-                                   psa_key_handle_t handle,
+                                   mbedtls_svc_key_id_t key,
                                    psa_algorithm_t alg,
                                    int is_sign )
 {
@@ -3110,7 +3111,7 @@
     if( is_sign )
         operation->is_sign = 1;
 
-    status = psa_get_transparent_key( handle, &slot, usage, alg );
+    status = psa_get_transparent_key( key, &slot, usage, alg );
     if( status != PSA_SUCCESS )
         goto exit;
     key_bits = psa_get_key_slot_bits( slot );
@@ -3203,17 +3204,17 @@
 }
 
 psa_status_t psa_mac_sign_setup( psa_mac_operation_t *operation,
-                                 psa_key_handle_t handle,
+                                 mbedtls_svc_key_id_t key,
                                  psa_algorithm_t alg )
 {
-    return( psa_mac_setup( operation, handle, alg, 1 ) );
+    return( psa_mac_setup( operation, key, alg, 1 ) );
 }
 
 psa_status_t psa_mac_verify_setup( psa_mac_operation_t *operation,
-                                   psa_key_handle_t handle,
+                                   mbedtls_svc_key_id_t key,
                                    psa_algorithm_t alg )
 {
-    return( psa_mac_setup( operation, handle, alg, 0 ) );
+    return( psa_mac_setup( operation, key, alg, 0 ) );
 }
 
 psa_status_t psa_mac_update( psa_mac_operation_t *operation,
@@ -3688,7 +3689,7 @@
 }
 #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
 
-psa_status_t psa_sign_hash( psa_key_handle_t handle,
+psa_status_t psa_sign_hash( mbedtls_svc_key_id_t key,
                             psa_algorithm_t alg,
                             const uint8_t *hash,
                             size_t hash_length,
@@ -3707,7 +3708,7 @@
     if( signature_size == 0 )
         return( PSA_ERROR_BUFFER_TOO_SMALL );
 
-    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_SIGN_HASH, alg );
+    status = psa_get_key_from_slot( key, &slot, PSA_KEY_USAGE_SIGN_HASH, alg );
     if( status != PSA_SUCCESS )
         goto exit;
     if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
@@ -3806,7 +3807,7 @@
     return( status );
 }
 
-psa_status_t psa_verify_hash( psa_key_handle_t handle,
+psa_status_t psa_verify_hash( mbedtls_svc_key_id_t key,
                               psa_algorithm_t alg,
                               const uint8_t *hash,
                               size_t hash_length,
@@ -3816,7 +3817,8 @@
     psa_key_slot_t *slot;
     psa_status_t status;
 
-    status = psa_get_key_from_slot( handle, &slot, PSA_KEY_USAGE_VERIFY_HASH, alg );
+    status = psa_get_key_from_slot( key, &slot,
+                                    PSA_KEY_USAGE_VERIFY_HASH, alg );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -3897,7 +3899,7 @@
 }
 #endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) */
 
-psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle,
+psa_status_t psa_asymmetric_encrypt( mbedtls_svc_key_id_t key,
                                      psa_algorithm_t alg,
                                      const uint8_t *input,
                                      size_t input_length,
@@ -3921,7 +3923,7 @@
     if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
         return( PSA_ERROR_INVALID_ARGUMENT );
 
-    status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
+    status = psa_get_transparent_key( key, &slot, PSA_KEY_USAGE_ENCRYPT, alg );
     if( status != PSA_SUCCESS )
         return( status );
     if( ! ( PSA_KEY_TYPE_IS_PUBLIC_KEY( slot->attr.type ) ||
@@ -3993,7 +3995,7 @@
     }
 }
 
-psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle,
+psa_status_t psa_asymmetric_decrypt( mbedtls_svc_key_id_t key,
                                      psa_algorithm_t alg,
                                      const uint8_t *input,
                                      size_t input_length,
@@ -4017,7 +4019,7 @@
     if( ! PSA_ALG_IS_RSA_OAEP( alg ) && salt_length != 0 )
         return( PSA_ERROR_INVALID_ARGUMENT );
 
-    status = psa_get_transparent_key( handle, &slot, PSA_KEY_USAGE_DECRYPT, alg );
+    status = psa_get_transparent_key( key, &slot, PSA_KEY_USAGE_DECRYPT, alg );
     if( status != PSA_SUCCESS )
         return( status );
     if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
@@ -4095,7 +4097,7 @@
 /****************************************************************/
 
 static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation,
-                                      psa_key_handle_t handle,
+                                      mbedtls_svc_key_id_t key,
                                       psa_algorithm_t alg,
                                       mbedtls_operation_t cipher_operation )
 {
@@ -4117,7 +4119,7 @@
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     /* Fetch key material from key storage. */
-    status = psa_get_key_from_slot( handle, &slot, usage, alg );
+    status = psa_get_key_from_slot( key, &slot, usage, alg );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -4248,17 +4250,17 @@
 }
 
 psa_status_t psa_cipher_encrypt_setup( psa_cipher_operation_t *operation,
-                                       psa_key_handle_t handle,
+                                       mbedtls_svc_key_id_t key,
                                        psa_algorithm_t alg )
 {
-    return( psa_cipher_setup( operation, handle, alg, MBEDTLS_ENCRYPT ) );
+    return( psa_cipher_setup( operation, key, alg, MBEDTLS_ENCRYPT ) );
 }
 
 psa_status_t psa_cipher_decrypt_setup( psa_cipher_operation_t *operation,
-                                       psa_key_handle_t handle,
+                                       mbedtls_svc_key_id_t key,
                                        psa_algorithm_t alg )
 {
-    return( psa_cipher_setup( operation, handle, alg, MBEDTLS_DECRYPT ) );
+    return( psa_cipher_setup( operation, key, alg, MBEDTLS_DECRYPT ) );
 }
 
 psa_status_t psa_cipher_generate_iv( psa_cipher_operation_t *operation,
@@ -4643,7 +4645,7 @@
 }
 
 static psa_status_t psa_aead_setup( aead_operation_t *operation,
-                                    psa_key_handle_t handle,
+                                    mbedtls_svc_key_id_t key,
                                     psa_key_usage_t usage,
                                     psa_algorithm_t alg )
 {
@@ -4651,7 +4653,7 @@
     size_t key_bits;
     mbedtls_cipher_id_t cipher_id;
 
-    status = psa_get_transparent_key( handle, &operation->slot, usage, alg );
+    status = psa_get_transparent_key( key, &operation->slot, usage, alg );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -4737,7 +4739,7 @@
     return( status );
 }
 
-psa_status_t psa_aead_encrypt( psa_key_handle_t handle,
+psa_status_t psa_aead_encrypt( mbedtls_svc_key_id_t key,
                                psa_algorithm_t alg,
                                const uint8_t *nonce,
                                size_t nonce_length,
@@ -4755,7 +4757,7 @@
 
     *ciphertext_length = 0;
 
-    status = psa_aead_setup( &operation, handle, PSA_KEY_USAGE_ENCRYPT, alg );
+    status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_ENCRYPT, alg );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -4851,7 +4853,7 @@
     return( PSA_SUCCESS );
 }
 
-psa_status_t psa_aead_decrypt( psa_key_handle_t handle,
+psa_status_t psa_aead_decrypt( mbedtls_svc_key_id_t key,
                                psa_algorithm_t alg,
                                const uint8_t *nonce,
                                size_t nonce_length,
@@ -4869,7 +4871,7 @@
 
     *plaintext_length = 0;
 
-    status = psa_aead_setup( &operation, handle, PSA_KEY_USAGE_DECRYPT, alg );
+    status = psa_aead_setup( &operation, key, PSA_KEY_USAGE_DECRYPT, alg );
     if( status != PSA_SUCCESS )
         return( status );
 
@@ -5368,7 +5370,7 @@
 
 psa_status_t psa_key_derivation_output_key( const psa_key_attributes_t *attributes,
                                        psa_key_derivation_operation_t *operation,
-                                       psa_key_handle_t *handle )
+                                       mbedtls_svc_key_id_t *key )
 {
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
@@ -5383,7 +5385,7 @@
         return( PSA_ERROR_NOT_PERMITTED );
 
     status = psa_start_key_creation( PSA_KEY_CREATION_DERIVE,
-                                     attributes, handle, &slot, &driver );
+                                     attributes, key, &slot, &driver );
 #if defined(MBEDTLS_PSA_CRYPTO_SE_C)
     if( driver != NULL )
     {
@@ -5402,7 +5404,7 @@
     if( status != PSA_SUCCESS )
     {
         psa_fail_key_creation( slot, driver );
-        *handle = PSA_KEY_HANDLE_INIT;
+        *key = MBEDTLS_SVC_KEY_ID_INIT;
     }
     return( status );
 }
@@ -5765,14 +5767,13 @@
 psa_status_t psa_key_derivation_input_key(
     psa_key_derivation_operation_t *operation,
     psa_key_derivation_step_t step,
-    psa_key_handle_t handle )
+    mbedtls_svc_key_id_t key )
 {
     psa_key_slot_t *slot;
     psa_status_t status;
 
-    status = psa_get_transparent_key( handle, &slot,
-                                      PSA_KEY_USAGE_DERIVE,
-                                      operation->alg );
+    status = psa_get_transparent_key( key, &slot,
+                                      PSA_KEY_USAGE_DERIVE, operation->alg );
     if( status != PSA_SUCCESS )
     {
         psa_key_derivation_abort( operation );
@@ -5931,7 +5932,7 @@
 
 psa_status_t psa_key_derivation_key_agreement( psa_key_derivation_operation_t *operation,
                                                psa_key_derivation_step_t step,
-                                               psa_key_handle_t private_key,
+                                               mbedtls_svc_key_id_t private_key,
                                                const uint8_t *peer_key,
                                                size_t peer_key_length )
 {
@@ -5959,7 +5960,7 @@
 }
 
 psa_status_t psa_raw_key_agreement( psa_algorithm_t alg,
-                                    psa_key_handle_t private_key,
+                                    mbedtls_svc_key_id_t private_key,
                                     const uint8_t *peer_key,
                                     size_t peer_key_length,
                                     uint8_t *output,
@@ -6212,7 +6213,7 @@
 }
 
 psa_status_t psa_generate_key( const psa_key_attributes_t *attributes,
-                               psa_key_handle_t *handle )
+                               mbedtls_svc_key_id_t *key )
 {
     psa_status_t status;
     psa_key_slot_t *slot = NULL;
@@ -6224,7 +6225,7 @@
         return( PSA_ERROR_INVALID_ARGUMENT );
 
     status = psa_start_key_creation( PSA_KEY_CREATION_GENERATE,
-                                     attributes, handle, &slot, &driver );
+                                     attributes, key, &slot, &driver );
     if( status != PSA_SUCCESS )
         goto exit;
 
@@ -6244,7 +6245,7 @@
     if( status != PSA_SUCCESS )
     {
         psa_fail_key_creation( slot, driver );
-        *handle = PSA_KEY_HANDLE_INIT;
+        *key = MBEDTLS_SVC_KEY_ID_INIT;
     }
     return( status );
 }
diff --git a/library/ssl_cli.c b/library/ssl_cli.c
index 391e93c..a8331d9 100644
--- a/library/ssl_cli.c
+++ b/library/ssl_cli.c
@@ -63,7 +63,7 @@
         return( 1 );
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( ! psa_key_handle_is_null( conf->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
         return( 1 );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
@@ -3802,7 +3802,7 @@
         status = psa_destroy_key( handshake->ecdh_psa_privkey );
         if( status != PSA_SUCCESS )
             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
-        handshake->ecdh_psa_privkey = PSA_KEY_HANDLE_INIT;
+        handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
     }
     else
 #endif /* MBEDTLS_USE_PSA_CRYPTO &&
diff --git a/library/ssl_srv.c b/library/ssl_srv.c
index 03dc2d4..2bb3487 100644
--- a/library/ssl_srv.c
+++ b/library/ssl_srv.c
@@ -157,7 +157,7 @@
         return( 1 );
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( ! psa_key_handle_is_null( conf->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
         return( 1 );
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
 
@@ -172,13 +172,13 @@
         /* If we've used a callback to select the PSK,
          * the static configuration is irrelevant. */
 
-        if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
+        if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
             return( 1 );
 
         return( 0 );
     }
 
-    if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
         return( 1 );
 
     return( 0 );
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index d74e40c..041578e 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -446,7 +446,7 @@
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 
 static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
-                                              psa_key_handle_t slot,
+                                              psa_key_id_t key,
                                               psa_algorithm_t alg,
                                               const unsigned char* seed, size_t seed_length,
                                               const unsigned char* label, size_t label_length,
@@ -466,7 +466,7 @@
         if( status != PSA_SUCCESS )
             return( status );
 
-        if( psa_key_handle_is_null( slot ) )
+        if( mbedtls_svc_key_id_is_null( key ) )
         {
             status = psa_key_derivation_input_bytes(
                 derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
@@ -475,8 +475,7 @@
         else
         {
             status = psa_key_derivation_input_key(
-                derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
-                slot );
+                derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
         }
         if( status != PSA_SUCCESS )
             return( status );
@@ -507,7 +506,7 @@
 {
     psa_status_t status;
     psa_algorithm_t alg;
-    psa_key_handle_t master_slot = PSA_KEY_HANDLE_INIT;
+    psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
     psa_key_derivation_operation_t derivation =
         PSA_KEY_DERIVATION_OPERATION_INIT;
 
@@ -521,7 +520,7 @@
      * this PRF is also used to derive an IV, in particular in EAP-TLS,
      * and for this use case it makes sense to have a 0-length "secret".
      * Since the key API doesn't allow importing a key of length 0,
-     * keep master_slot=0, which setup_psa_key_derivation() understands
+     * keep master_key=0, which setup_psa_key_derivation() understands
      * to mean a 0-length "secret" input. */
     if( slen != 0 )
     {
@@ -530,13 +529,13 @@
         psa_set_key_algorithm( &key_attributes, alg );
         psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
 
-        status = psa_import_key( &key_attributes, secret, slen, &master_slot );
+        status = psa_import_key( &key_attributes, secret, slen, &master_key );
         if( status != PSA_SUCCESS )
             return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
     }
 
     status = setup_psa_key_derivation( &derivation,
-                                       master_slot, alg,
+                                       master_key, alg,
                                        random, rlen,
                                        (unsigned char const *) label,
                                        (size_t) strlen( label ),
@@ -544,7 +543,7 @@
     if( status != PSA_SUCCESS )
     {
         psa_key_derivation_abort( &derivation );
-        psa_destroy_key( master_slot );
+        psa_destroy_key( master_key );
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
     }
 
@@ -552,19 +551,19 @@
     if( status != PSA_SUCCESS )
     {
         psa_key_derivation_abort( &derivation );
-        psa_destroy_key( master_slot );
+        psa_destroy_key( master_key );
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
     }
 
     status = psa_key_derivation_abort( &derivation );
     if( status != PSA_SUCCESS )
     {
-        psa_destroy_key( master_slot );
+        psa_destroy_key( master_key );
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
     }
 
-    if( ! psa_key_handle_is_null( master_slot ) )
-        status = psa_destroy_key( master_slot );
+    if( ! mbedtls_svc_key_id_is_null( master_key ) )
+        status = psa_destroy_key( master_key );
     if( status != PSA_SUCCESS )
         return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
 
@@ -707,13 +706,13 @@
     {
         /* If we've used a callback to select the PSK,
          * the static configuration is irrelevant. */
-        if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
+        if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
             return( 1 );
 
         return( 0 );
     }
 
-    if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
         return( 1 );
 
     return( 0 );
@@ -1514,7 +1513,7 @@
         /* Perform PSK-to-MS expansion in a single step. */
         psa_status_t status;
         psa_algorithm_t alg;
-        psa_key_handle_t psk;
+        psa_key_id_t psk;
         psa_key_derivation_operation_t derivation =
             PSA_KEY_DERIVATION_OPERATION_INIT;
         mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
@@ -4344,11 +4343,11 @@
 {
     /* Remove reference to existing PSK, if any. */
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( ! psa_key_handle_is_null( conf->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
     {
         /* The maintenance of the PSK key slot is the
          * user's responsibility. */
-        conf->psk_opaque = PSA_KEY_HANDLE_INIT;
+        conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
     /* This and the following branch should never
      * be taken simultaenously as we maintain the
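Review bot: The comment on the cleared field still calls it a "PSK key slot", which no longer matches a `psa_key_id_t` and does not say what happens to the key. The visible branch only resets `conf->psk_opaque` to `MBEDTLS_SVC_KEY_ID_INIT` and never calls `psa_destroy_key()`, so I would spell that out: `/* The opaque PSK is owned by the caller: only the reference is dropped here, the key is not destroyed. */`. `ssl_remove_psk()` in the next hunk does the same for `ssl->handshake->psk_opaque` and deserves the same comment. While there, `simultaenously` in the following comment should read `simultaneously`. The function starts and ends outside this hunk.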
@@ -4432,9 +4431,9 @@
 static void ssl_remove_psk( mbedtls_ssl_context *ssl )
 {
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
-    if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
+    if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
     {
-        ssl->handshake->psk_opaque = PSA_KEY_HANDLE_INIT;
+        ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
     }
     else
 #endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -4469,7 +4468,7 @@
 
 #if defined(MBEDTLS_USE_PSA_CRYPTO)
 int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
-                                 psa_key_handle_t psk_slot,
+                                 psa_key_id_t psk,
                                  const unsigned char *psk_identity,
                                  size_t psk_identity_len )
 {
@@ -4478,9 +4477,9 @@
     ssl_conf_remove_psk( conf );
 
     /* Check and set opaque PSK */
-    if( psa_key_handle_is_null( psk_slot ) )
+    if( mbedtls_svc_key_id_is_null( psk ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
-    conf->psk_opaque = psk_slot;
+    conf->psk_opaque = psk;
 
     /* Check and set PSK Identity */
     ret = ssl_conf_set_psk_identity( conf, psk_identity,
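Review bot: `ssl_conf_remove_psk( conf )` runs before the null check on `psk`, so a call that is rejected with `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` has already dropped whatever PSK the configuration held. `mbedtls_ssl_set_hs_psk_opaque()` in the next hunk validates first and only then calls `ssl_remove_psk()`; doing the same here means moving `if( mbedtls_svc_key_id_is_null( psk ) ) return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );` above the `ssl_conf_remove_psk( conf );` line. Whether any caller relies on the configuration being cleared on failure cannot be seen from here, and the function body starts before and continues after this hunk.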
@@ -4492,14 +4491,14 @@
 }
 
 int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
-                                   psa_key_handle_t psk_slot )
+                                   psa_key_id_t psk )
 {
-    if( ( psa_key_handle_is_null( psk_slot ) ) ||
+    if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
         ( ssl->handshake == NULL ) )
         return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
 
     ssl_remove_psk( ssl );
-    ssl->handshake->psk_opaque = psk_slot;
+    ssl->handshake->psk_opaque = psk;
     return( 0 );
 }
 #endif /* MBEDTLS_USE_PSA_CRYPTO */