librekeys/mbedtls
0
0
Fork 0
mirror of https://github.com/librekeys/mbedtls.git synced 2026-04-14 08:47:42 -07:00
Code Issues Packages Projects Releases Wiki Activity

psa: Move from key handle to key identifier

Browse Source 
Move all the PSA crypto APIs using key handles
to use key identifiers but psa_key_open() and
psa_key_close(). This is done without modifying
any test as key handles and key identifiers are
now the same.

Update the library modules using PSA crypto APIs
to get rid of key handles.

Programs and unit tests are updated to not use
key handles in subsequent commits, not in this
one.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit is contained in:
Ronald Cron
2020-08-04 09:51:30 +02:00
parent e4f6d5c5fe
commit cf56a0a320
20 changed files with 445 additions and 415 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.md
+1 -1
View File
@@ -208,7 +208,7 @@ The design goals of the PSA cryptography API include:
* The API distinguishes caller memory from internal memory, which allows the library to be implemented in an isolated space for additional security. Library calls can be implemented as direct function calls if isolation is not desired, and as remote procedure calls if isolation is desired.
* The structure of internal data is hidden to the application, which allows substituting alternative implementations at build time or run time, for example, in order to take advantage of hardware accelerators.
* All access to the keys happens through handles, which allows support for external cryptoprocessors that is transparent to applications.
* All access to the keys happens through key identifiers, which allows support for external cryptoprocessors that is transparent to applications.
* The interface to algorithms is generic, favoring algorithm agility.
* The interface is designed to be easy to use and hard to accidentally misuse.
docs/architecture/testing/invasive-testing.md
+2 -2
View File
@@ -100,7 +100,7 @@ Resources include:
* Memory.
* Files in storage (PSA API only — in the Mbed TLS API, black-box unit tests are sufficient).
* Key handles (PSA API only).
* Key slots (PSA API only).
* Key slots in a secure element (PSA SE HAL).
* Communication handles (PSA crypto service only).
@@ -116,7 +116,7 @@ When code should clean up resources, how do we know that they have truly been cl
* Zeroization of confidential data after use.
* Freeing memory.
* Closing key handles.
* Freeing key slots.
* Freeing key slots in a secure element.
* Deleting files in storage (PSA API only).
docs/getting_started.md
+32 -32
View File
@@ -64,7 +64,7 @@ To use the Mbed Crypto APIs, call `psa_crypto_init()` before calling any other A
### Importing a key
To use a key for cryptography operations in Mbed Crypto, you need to first
import it. Importing the key creates a handle that refers to the key for use
import it. The import operation returns the identifier of the key for use
with other function calls.
**Prerequisites to importing keys:**
@@ -76,7 +76,7 @@ void import_a_key(const uint8_t *key, size_t key_len)
{
psa_status_t status;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Import an AES key...\t");
fflush(stdout);
@@ -95,7 +95,7 @@ void import_a_key(const uint8_t *key, size_t key_len)
psa_set_key_bits(&attributes, 128);
/* Import the key */
status = psa_import_key(&attributes, key, key_len, &handle);
status = psa_import_key(&attributes, key, key_len, &key);
if (status != PSA_SUCCESS) {
printf("Failed to import key\n");
return;
@@ -106,7 +106,7 @@ void import_a_key(const uint8_t *key, size_t key_len)
psa_reset_key_attributes(&attributes);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
}
@@ -135,7 +135,7 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len)
0xa9, 0xe8, 0xcc, 0xac, 0xd0, 0xf6, 0x54, 0x5c};
uint8_t signature[PSA_SIGNATURE_MAX_SIZE] = {0};
size_t signature_length;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Sign a message...\t");
fflush(stdout);
@@ -154,14 +154,14 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len)
psa_set_key_bits(&attributes, 1024);
/* Import the key */
status = psa_import_key(&attributes, key, key_len, &handle);
status = psa_import_key(&attributes, key, key_len, &key);
if (status != PSA_SUCCESS) {
printf("Failed to import key\n");
return;
}
/* Sign message using the key */
status = psa_sign_hash(handle, PSA_ALG_RSA_PKCS1V15_SIGN_RAW,
status = psa_sign_hash(key, PSA_ALG_RSA_PKCS1V15_SIGN_RAW,
hash, sizeof(hash),
signature, sizeof(signature),
&signature_length);
@@ -176,7 +176,7 @@ void sign_a_message_using_rsa(const uint8_t *key, size_t key_len)
psa_reset_key_attributes(&attributes);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
}
@@ -188,7 +188,7 @@ Mbed Crypto supports encrypting and decrypting messages using various symmetric
**Prerequisites to working with the symmetric cipher API:**
* Initialize the library with a successful call to `psa_crypto_init()`.
* Have a handle to a symmetric key. This key's usage flags must include `PSA_KEY_USAGE_ENCRYPT` to allow encryption or `PSA_KEY_USAGE_DECRYPT` to allow decryption.
* Have a symmetric key. This key's usage flags must include `PSA_KEY_USAGE_ENCRYPT` to allow encryption or `PSA_KEY_USAGE_DECRYPT` to allow decryption.
**To encrypt a message with a symmetric cipher:**
1. Allocate an operation (`psa_cipher_operation_t`) structure to pass to the cipher functions.
@@ -213,7 +213,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
size_t iv_len;
uint8_t output[block_size];
size_t output_len;
psa_key_handle_t handle;
psa_key_id_t key;
psa_cipher_operation_t operation = PSA_CIPHER_OPERATION_INIT;
printf("Encrypt with cipher...\t");
@@ -232,7 +232,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, 128);
status = psa_import_key(&attributes, key, key_len, &handle);
status = psa_import_key(&attributes, key, key_len, &key);
if (status != PSA_SUCCESS) {
printf("Failed to import a key\n");
return;
@@ -240,7 +240,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_reset_key_attributes(&attributes);
/* Encrypt the plaintext */
status = psa_cipher_encrypt_setup(&operation, handle, alg);
status = psa_cipher_encrypt_setup(&operation, key, alg);
if (status != PSA_SUCCESS) {
printf("Failed to begin cipher operation\n");
return;
@@ -268,7 +268,7 @@ void encrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_cipher_abort(&operation);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
}
@@ -298,7 +298,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
uint8_t iv[block_size] = ENCRYPTED_WITH_IV;
uint8_t output[block_size];
size_t output_len;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Decrypt with cipher...\t");
fflush(stdout);
@@ -316,7 +316,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_set_key_algorithm(&attributes, alg);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, 128);
status = psa_import_key(&attributes, key, key_len, &handle);
status = psa_import_key(&attributes, key, key_len, &key);
if (status != PSA_SUCCESS) {
printf("Failed to import a key\n");
return;
@@ -324,7 +324,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_reset_key_attributes(&attributes);
/* Decrypt the ciphertext */
status = psa_cipher_decrypt_setup(&operation, handle, alg);
status = psa_cipher_decrypt_setup(&operation, key, alg);
if (status != PSA_SUCCESS) {
printf("Failed to begin cipher operation\n");
return;
@@ -352,7 +352,7 @@ void decrypt_with_symmetric_ciphers(const uint8_t *key, size_t key_len)
psa_cipher_abort(&operation);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
}
@@ -592,8 +592,8 @@ derived from the key, salt and info provided:
PSA_KEY_DERIVATION_OPERATION_INIT;
size_t derived_bits = 128;
size_t capacity = PSA_BITS_TO_BYTES(derived_bits);
psa_key_handle_t base_key;
psa_key_handle_t derived_key;
psa_key_id_t base_key;
psa_key_id_t derived_key;
printf("Derive a key (HKDF)...\t");
fflush(stdout);
@@ -702,7 +702,7 @@ This example shows how to authenticate and encrypt a message:
size_t output_length = 0;
size_t tag_length = 16;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Authenticate encrypt...\t");
fflush(stdout);
@@ -726,11 +726,11 @@ This example shows how to authenticate and encrypt a message:
psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, 128);
status = psa_import_key(&attributes, key, sizeof(key), &handle);
status = psa_import_key(&attributes, key, sizeof(key), &key);
psa_reset_key_attributes(&attributes);
/* Authenticate and encrypt */
status = psa_aead_encrypt(handle, PSA_ALG_CCM,
status = psa_aead_encrypt(key, PSA_ALG_CCM,
nonce, sizeof(nonce),
additional_data, sizeof(additional_data),
input_data, sizeof(input_data),
@@ -747,7 +747,7 @@ This example shows how to authenticate and encrypt a message:
free(output_data);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
```
@@ -756,7 +756,7 @@ This example shows how to authenticate and decrypt a message:
```C
psa_status_t status;
static const uint8_t key[] = {
static const uint8_t key_data[] = {
0xC0, 0xC1, 0xC2, 0xC3, 0xC4, 0xC5, 0xC6, 0xC7,
0xC8, 0xC9, 0xCA, 0xCB, 0xCC, 0xCD, 0xCE, 0xCF };
static const uint8_t nonce[] = {
@@ -773,7 +773,7 @@ This example shows how to authenticate and decrypt a message:
size_t output_size = 0;
size_t output_length = 0;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Authenticate decrypt...\t");
fflush(stdout);
@@ -797,7 +797,7 @@ This example shows how to authenticate and decrypt a message:
psa_set_key_algorithm(&attributes, PSA_ALG_CCM);
psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_bits(&attributes, 128);
status = psa_import_key(&attributes, key, sizeof(key), &handle);
status = psa_import_key(&attributes, key_data, sizeof(key_data), &key);
if (status != PSA_SUCCESS) {
printf("Failed to import a key\n");
return;
@@ -805,7 +805,7 @@ This example shows how to authenticate and decrypt a message:
psa_reset_key_attributes(&attributes);
/* Authenticate and decrypt */
status = psa_aead_decrypt(handle, PSA_ALG_CCM,
status = psa_aead_decrypt(key, PSA_ALG_CCM,
nonce, sizeof(nonce),
additional_data, sizeof(additional_data),
input_data, sizeof(input_data),
@@ -822,7 +822,7 @@ This example shows how to authenticate and decrypt a message:
free(output_data);
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
```
@@ -848,7 +848,7 @@ Mbed Crypto provides a simple way to generate a key or key pair.
size_t exported_length = 0;
static uint8_t exported[PSA_KEY_EXPORT_ECC_PUBLIC_KEY_MAX_SIZE(key_bits)];
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t handle;
psa_key_id_t key;
printf("Generate a key pair...\t");
fflush(stdout);
@@ -867,14 +867,14 @@ Mbed Crypto provides a simple way to generate a key or key pair.
psa_set_key_type(&attributes,
PSA_KEY_TYPE_ECC_KEY_PAIR(PSA_ECC_FAMILY_SECP_R1));
psa_set_key_bits(&attributes, key_bits);
status = psa_generate_key(&attributes, &handle);
status = psa_generate_key(&attributes, &key);
if (status != PSA_SUCCESS) {
printf("Failed to generate key\n");
return;
}
psa_reset_key_attributes(&attributes);
status = psa_export_public_key(handle, exported, sizeof(exported),
status = psa_export_public_key(key, exported, sizeof(exported),
&exported_length);
if (status != PSA_SUCCESS) {
printf("Failed to export public key %ld\n", status);
@@ -884,7 +884,7 @@ Mbed Crypto provides a simple way to generate a key or key pair.
printf("Exported a public key\n");
/* Destroy the key */
psa_destroy_key(handle);
psa_destroy_key(key);
mbedtls_psa_crypto_free();
```
docs/proposed/psa-driver-developer-guide.md
-4
View File
@@ -36,10 +36,6 @@ A driver therefore consists of:
Mbed TLS calls driver entry points [as specified in the PSA Cryptography Driver Interface specification](psa-driver-interface.html#driver-entry-points) except as otherwise indicated in this section.
### Key handles
Mbed TLS currently implements the interface for opening and closing persistent keys from version 1.0 beta 3 of the PSA Crypto specification. As a consequence, functions that operate on an existing key take an argument of type `psa_key_handle_t` instead of `psa_key_id_t`. Functions that create a new key take an argument of type `psa_key_handle_t *` instead of `psa_key_id_t *`.
## Building and testing your driver
<!-- TODO -->
docs/proposed/psa-driver-interface.md
+2 -2
View File
@@ -580,8 +580,8 @@ psa_set_key_type(&attributes, PSA_KEY_TYPE_AES);
psa_set_key_size(&attributes, 128);
psa_set_key_algorithm(&attributes, PSA_ALG_GCM);
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_DECRYPT);
psa_key_handle_t handle = 0;
psa_generate_key(&attributes, &handle);
psa_key_id_t key;
psa_generate_key(&attributes, &key);
```
## Using opaque drivers from an application
include/mbedtls/cipher_internal.h
+1 -1
View File
@@ -134,7 +134,7 @@ typedef enum
typedef struct
{
psa_algorithm_t alg;
psa_key_handle_t slot;
psa_key_id_t slot;
mbedtls_cipher_psa_key_ownership slot_state;
} mbedtls_cipher_context_psa;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
include/mbedtls/pk.h
+6 -5
View File
@@ -331,12 +331,13 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info );
*
* \return \c 0 on success.
* \return #MBEDTLS_ERR_PK_BAD_INPUT_DATA on invalid input
* (context already used, invalid key handle).
* (context already used, invalid key identifier).
* \return #MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE if the key is not an
* ECC key pair.
* \return #MBEDTLS_ERR_PK_ALLOC_FAILED on allocation failure.
*/
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key );
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
const psa_key_id_t key );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
@@ -858,9 +859,9 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
*
* \param pk Input: the EC key to import to a PSA key.
* Output: a PK context wrapping that PSA key.
* \param handle Output: a PSA key handle.
* \param key Output: a PSA key identifier.
* It's the caller's responsibility to call
* psa_destroy_key() on that handle after calling
* psa_destroy_key() on that key identifier after calling
* mbedtls_pk_free() on the PK context.
* \param hash_alg The hash algorithm to allow for use with that key.
*
@@ -868,7 +869,7 @@ int mbedtls_pk_load_file( const char *path, unsigned char **buf, size_t *n );
* \return An Mbed TLS error code otherwise.
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
psa_key_handle_t *handle,
psa_key_id_t *key,
psa_algorithm_t hash_alg );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
include/mbedtls/ssl.h
+8 -7
View File
@@ -1063,11 +1063,12 @@ struct mbedtls_ssl_config
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t psk_opaque; /*!< PSA key slot holding opaque PSK.
* This field should only be set via
* mbedtls_ssl_conf_psk_opaque().
* If either no PSK or a raw PSK have
* been configured, this has value \c 0. */
psa_key_id_t psk_opaque; /*!< PSA key slot holding opaque PSK. This field
* should only be set via
* mbedtls_ssl_conf_psk_opaque().
* If either no PSK or a raw PSK have been
* configured, this has value \c 0.
*/
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *psk; /*!< The raw pre-shared key. This field should
@@ -2814,7 +2815,7 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
*/
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
psa_key_handle_t psk,
psa_key_id_t psk,
const unsigned char *psk_identity,
size_t psk_identity_len );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -2860,7 +2861,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
* \return An \c MBEDTLS_ERR_SSL_XXX error code on failure.
*/
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
psa_key_handle_t psk );
psa_key_id_t psk );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/**
include/mbedtls/ssl_internal.h
+6 -6
View File
@@ -443,7 +443,7 @@ struct mbedtls_ssl_handshake_params
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t ecdh_psa_type;
uint16_t ecdh_bits;
psa_key_handle_t ecdh_psa_privkey;
psa_key_id_t ecdh_psa_privkey;
unsigned char ecdh_psa_peerkey[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH];
size_t ecdh_psa_peerkey_len;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -462,7 +462,7 @@ struct mbedtls_ssl_handshake_params
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_handle_t psk_opaque; /*!< Opaque PSK from the callback */
psa_key_id_t psk_opaque; /*!< Opaque PSK from the callback */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char *psk; /*!< PSK from the callback */
size_t psk_len; /*!< Length of PSK from callback */
@@ -1061,16 +1061,16 @@ static inline int mbedtls_ssl_get_psk( const mbedtls_ssl_context *ssl,
* 2. static PSK configured by \c mbedtls_ssl_conf_psk_opaque()
* Return an opaque PSK
*/
static inline psa_key_handle_t mbedtls_ssl_get_opaque_psk(
static inline psa_key_id_t mbedtls_ssl_get_opaque_psk(
const mbedtls_ssl_context *ssl )
{
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
return( ssl->handshake->psk_opaque );
if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
return( ssl->conf->psk_opaque );
return( PSA_KEY_HANDLE_INIT );
return( MBEDTLS_SVC_KEY_ID_INIT );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
include/psa/crypto.h
+123 -195
View File
File diff suppressed because it is too large Load Diff
include/psa/crypto_compat.h
+135
View File
@@ -34,6 +34,40 @@
extern "C" {
#endif
/*
* To support temporary both openless APIs and psa_open_key(), define
* psa_key_handle_t to be equal to mbedtls_svc_key_id_t. Do not mark the
* type and its utility macros and functions deprecated yet. This will be done
* in a subsequent phase.
*/
typedef mbedtls_svc_key_id_t psa_key_handle_t;
#define PSA_KEY_HANDLE_INIT MBEDTLS_SVC_KEY_ID_INIT
/** Compare two handles.
*
* \param handle1 First handle.
* \param handle2 Second handle.
*
* \return Non-zero if the two handles are equal, zero otherwise.
*/
static inline int psa_key_handle_equal( psa_key_handle_t handle1,
psa_key_handle_t handle2 )
{
return( mbedtls_svc_key_id_equal( handle1, handle2 ) );
}
/** Check wether an handle is null.
*
* \param handle Handle
*
* \return Non-zero if the handle is null, zero otherwise.
*/
static inline int psa_key_handle_is_null( psa_key_handle_t handle )
{
return( mbedtls_svc_key_id_is_null( handle ) );
}
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
/*
@@ -223,6 +257,107 @@ MBEDTLS_PSA_DEPRECATED static inline psa_status_t psa_asymmetric_verify( psa_key
#define PSA_DH_GROUP_CUSTOM \
MBEDTLS_DEPRECATED_CONSTANT( psa_dh_family_t, PSA_DH_FAMILY_CUSTOM )
/** Open a handle to an existing persistent key.
*
* Open a handle to a persistent key. A key is persistent if it was created
* with a lifetime other than #PSA_KEY_LIFETIME_VOLATILE. A persistent key
* always has a nonzero key identifier, set with psa_set_key_id() when
* creating the key. Implementations may provide additional pre-provisioned
* keys that can be opened with psa_open_key(). Such keys have an application
* key identifier in the vendor range, as documented in the description of
* #psa_key_id_t.
*
* The application must eventually close the handle with psa_close_key() or
* psa_destroy_key() to release associated resources. If the application dies
* without calling one of these functions, the implementation should perform
* the equivalent of a call to psa_close_key().
*
* Some implementations permit an application to open the same key multiple
* times. If this is successful, each call to psa_open_key() will return a
* different key handle.
*
* \note This API is not part of the PSA Cryptography API Release 1.0.0
* specification. It was defined in the 1.0 Beta 3 version of the
* specification but was removed in the 1.0.0 released version. This API is
* kept for the time being to not break applications relying on it. It is not
* deprecated yet but will be in the near future.
*
* \note Applications that rely on opening a key multiple times will not be
* portable to implementations that only permit a single key handle to be
* opened. See also :ref:\`key-handles\`.
*
*
* \param key The persistent identifier of the key.
* \param[out] handle On success, a handle to the key.
*
* \retval #PSA_SUCCESS
* Success. The application can now use the value of `*handle`
* to access the key.
* \retval #PSA_ERROR_INSUFFICIENT_MEMORY
* The implementation does not have sufficient resources to open the
* key. This can be due to reaching an implementation limit on the
* number of open keys, the number of open key handles, or available
* memory.
* \retval #PSA_ERROR_DOES_NOT_EXIST
* There is no persistent key with key identifier \p id.
* \retval #PSA_ERROR_INVALID_ARGUMENT
* \p id is not a valid persistent key identifier.
* \retval #PSA_ERROR_NOT_PERMITTED
* The specified key exists, but the application does not have the
* permission to access it. Note that this specification does not
* define any way to create such a key, but it may be possible
* through implementation-specific means.
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_STORAGE_FAILURE
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
psa_status_t psa_open_key( mbedtls_svc_key_id_t key,
psa_key_handle_t *handle );
/** Close a key handle.
*
* If the handle designates a volatile key, this will destroy the key material
* and free all associated resources, just like psa_destroy_key().
*
* If this is the last open handle to a persistent key, then closing the handle
* will free all resources associated with the key in volatile memory. The key
* data in persistent storage is not affected and can be opened again later
* with a call to psa_open_key().
*
* Closing the key handle makes the handle invalid, and the key handle
* must not be used again by the application.
*
* \note This API is not part of the PSA Cryptography API Release 1.0.0
* specification. It was defined in the 1.0 Beta 3 version of the
* specification but was removed in the 1.0.0 released version. This API is
* kept for the time being to not break applications relying on it. It is not
* deprecated yet but will be in the near future.
*
* \note If the key handle was used to set up an active
* :ref:\`multipart operation <multipart-operations>\`, then closing the
* key handle can cause the multipart operation to fail. Applications should
* maintain the key handle until after the multipart operation has finished.
*
* \param handle The key handle to close.
* If this is \c 0, do nothing and return \c PSA_SUCCESS.
*
* \retval #PSA_SUCCESS
* \p handle was a valid handle or \c 0. It is now closed.
* \retval #PSA_ERROR_INVALID_HANDLE
* \p handle is not a valid handle nor \c 0.
* \retval #PSA_ERROR_COMMUNICATION_FAILURE
* \retval #PSA_ERROR_CORRUPTION_DETECTED
* \retval #PSA_ERROR_BAD_STATE
* The library has not been previously initialized by psa_crypto_init().
* It is implementation-dependent whether a failure to initialize
* results in this error code.
*/
psa_status_t psa_close_key(psa_key_handle_t handle);
#ifdef __cplusplus
}
#endif
include/psa/crypto_types.h
+1 -7
View File
@@ -247,12 +247,6 @@ typedef struct
#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
/*
* To support temporary both openless APIs and psa_open_key(), define
* psa_key_handle_t to be equal to mbedtls_svc_key_id_t.
*/
typedef mbedtls_svc_key_id_t psa_key_handle_t;
/**@}*/
/** \defgroup policy Key policies
@@ -358,7 +352,7 @@ typedef uint32_t psa_key_usage_t;
* -# Call a key creation function: psa_import_key(), psa_generate_key(),
* psa_key_derivation_output_key() or psa_copy_key(). This function reads
* the attribute structure, creates a key with these attributes, and
* outputs a handle to the newly created key.
* outputs a key identifier to the newly created key.
* -# The attribute structure is now no longer necessary.
* You may call psa_reset_key_attributes(), although this is optional
* with the workflow presented here because the attributes currently
include/psa/crypto_values.h
+7 -33
View File
@@ -108,7 +108,7 @@
* as applicable.
*
* Implementations shall not return this error code to indicate that a
* key handle is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* instead. */
#define PSA_ERROR_BAD_STATE ((psa_status_t)-137)
@@ -118,7 +118,7 @@
* combination of parameters are recognized as invalid.
*
* Implementations shall not return this error code to indicate that a
* key handle is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* key identifier is invalid, but shall return #PSA_ERROR_INVALID_HANDLE
* instead.
*/
#define PSA_ERROR_INVALID_ARGUMENT ((psa_status_t)-135)
@@ -266,7 +266,7 @@
* to read from a resource. */
#define PSA_ERROR_INSUFFICIENT_DATA ((psa_status_t)-143)
/** The key handle is not valid. See also :ref:\`key-handles\`.
/** The key identifier is not valid. See also :ref:\`key-handles\`.
*/
#define PSA_ERROR_INVALID_HANDLE ((psa_status_t)-136)
@@ -769,9 +769,9 @@
* an algorithm built from `PSA_xxx_SIGNATURE` and a specific hash. Each
* call to sign or verify a message may use a different hash.
* ```
* psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
* psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
* psa_sign_hash(handle, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
* psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_256), ...);
* psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA_512), ...);
* psa_sign_hash(key, PSA_xxx_SIGNATURE(PSA_ALG_SHA3_256), ...);
* ```
*
* This value may not be used to build other algorithms that are
@@ -1561,7 +1561,7 @@
/** The default lifetime for volatile keys.
*
* A volatile key only exists as long as the handle to it is not closed.
* A volatile key only exists as long as the identifier to it is not destroyed.
* The key material is guaranteed to be erased on a power reset.
*
* A key with this lifetime is typically stored in the RAM area of the
@@ -1756,32 +1756,6 @@ static inline int mbedtls_svc_key_id_is_null( mbedtls_svc_key_id_t key )
#endif /* !MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER */
#define PSA_KEY_HANDLE_INIT MBEDTLS_SVC_KEY_ID_INIT
/** Compare two handles.
*
* \param handle1 First handle.
* \param handle2 Second handle.
*
* \return Non-zero if the two handles are equal, zero otherwise.
*/
static inline int psa_key_handle_equal( psa_key_handle_t handle1,
psa_key_handle_t handle2 )
{
return( mbedtls_svc_key_id_equal( handle1, handle2 ) );
}
/** Check wether an handle is null.
*
* \param handle Handle
*
* \return Non-zero if the handle is null, zero otherwise.
*/
static inline int psa_key_handle_is_null( psa_key_handle_t handle )
{
return( mbedtls_svc_key_id_is_null( handle ) );
}
/**@}*/
/** \defgroup policy Key policies
library/pk.c
+8 -7
View File
@@ -150,11 +150,12 @@ int mbedtls_pk_setup( mbedtls_pk_context *ctx, const mbedtls_pk_info_t *info )
/*
* Initialise a PSA-wrapping context
*/
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key )
int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx,
const psa_key_id_t key )
{
const mbedtls_pk_info_t * const info = &mbedtls_pk_opaque_info;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t *pk_ctx;
psa_key_id_t *pk_ctx;
psa_key_type_t type;
if( ctx == NULL || ctx->pk_info != NULL )
@@ -174,7 +175,7 @@ int mbedtls_pk_setup_opaque( mbedtls_pk_context *ctx, const psa_key_handle_t key
ctx->pk_info = info;
pk_ctx = (psa_key_handle_t *) ctx->pk_ctx;
pk_ctx = (psa_key_id_t *) ctx->pk_ctx;
*pk_ctx = key;
return( 0 );
@@ -587,12 +588,12 @@ mbedtls_pk_type_t mbedtls_pk_get_type( const mbedtls_pk_context *ctx )
* Currently only works for EC private keys.
*/
int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
psa_key_handle_t *handle,
psa_key_id_t *key,
psa_algorithm_t hash_alg )
{
#if !defined(MBEDTLS_ECP_C)
((void) pk);
((void) handle);
((void) key);
((void) hash_alg);
return( MBEDTLS_ERR_PK_TYPE_MISMATCH );
#else
@@ -624,14 +625,14 @@ int mbedtls_pk_wrap_as_opaque( mbedtls_pk_context *pk,
psa_set_key_algorithm( &attributes, PSA_ALG_ECDSA(hash_alg) );
/* import private key into PSA */
if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, handle ) )
if( PSA_SUCCESS != psa_import_key( &attributes, d, d_len, key ) )
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
/* make PK context wrap the key slot */
mbedtls_pk_free( pk );
mbedtls_pk_init( pk );
return( mbedtls_pk_setup_opaque( pk, *handle ) );
return( mbedtls_pk_setup_opaque( pk, *key ) );
#endif /* MBEDTLS_ECP_C */
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
library/pk_wrap.c
+8 -8
View File
@@ -543,7 +543,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
mbedtls_ecdsa_context *ctx = ctx_arg;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_handle_t key_handle = PSA_KEY_HANDLE_INIT;
psa_key_id_t key_id = 0;
psa_status_t status;
mbedtls_pk_context key;
int key_len;
@@ -576,7 +576,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
status = psa_import_key( &attributes,
buf + sizeof( buf ) - key_len, key_len,
&key_handle );
&key_id );
if( status != PSA_SUCCESS )
{
ret = mbedtls_psa_err_translate_pk( status );
@@ -598,7 +598,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
goto cleanup;
}
if( psa_verify_hash( key_handle, psa_sig_md,
if( psa_verify_hash( key_id, psa_sig_md,
hash, hash_len,
buf, 2 * signature_part_size )
!= PSA_SUCCESS )
@@ -615,7 +615,7 @@ static int ecdsa_verify_wrap( void *ctx_arg, mbedtls_md_type_t md_alg,
ret = 0;
cleanup:
psa_destroy_key( key_handle );
psa_destroy_key( key_id );
return( ret );
}
#else /* MBEDTLS_USE_PSA_CRYPTO */
@@ -870,7 +870,7 @@ const mbedtls_pk_info_t mbedtls_rsa_alt_info = {
static void *pk_opaque_alloc_wrap( void )
{
void *ctx = mbedtls_calloc( 1, sizeof( psa_key_handle_t ) );
void *ctx = mbedtls_calloc( 1, sizeof( psa_key_id_t ) );
/* no _init() function to call, an calloc() already zeroized */
@@ -879,13 +879,13 @@ static void *pk_opaque_alloc_wrap( void )
static void pk_opaque_free_wrap( void *ctx )
{
mbedtls_platform_zeroize( ctx, sizeof( psa_key_handle_t ) );
mbedtls_platform_zeroize( ctx, sizeof( psa_key_id_t ) );
mbedtls_free( ctx );
}
static size_t pk_opaque_get_bitlen( const void *ctx )
{
const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
const psa_key_id_t *key = (const psa_key_id_t *) ctx;
size_t bits;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@@ -1008,7 +1008,7 @@ static int pk_opaque_sign_wrap( void *ctx, mbedtls_md_type_t md_alg,
((void) p_rng);
return( MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE );
#else /* !MBEDTLS_ECDSA_C */
const psa_key_handle_t *key = (const psa_key_handle_t *) ctx;
const psa_key_id_t *key = (const psa_key_id_t *) ctx;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg = PSA_ALG_ECDSA( mbedtls_psa_translate_md( md_alg ) );
size_t buf_len;
library/pkwrite.c
+5 -5
View File
@@ -198,13 +198,13 @@ int mbedtls_pk_write_pubkey( unsigned char **p, unsigned char *start,
if( mbedtls_pk_get_type( key ) == MBEDTLS_PK_OPAQUE )
{
size_t buffer_size;
psa_key_handle_t* key_slot = (psa_key_handle_t*) key->pk_ctx;
psa_key_id_t* key_id = (psa_key_id_t*) key->pk_ctx;
if ( *p < start )
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
buffer_size = (size_t)( *p - start );
if ( psa_export_public_key( *key_slot, start, buffer_size, &len )
if ( psa_export_public_key( *key_id, start, buffer_size, &len )
!= PSA_SUCCESS )
{
return( MBEDTLS_ERR_PK_BAD_INPUT_DATA );
@@ -265,12 +265,12 @@ int mbedtls_pk_write_pubkey_der( mbedtls_pk_context *key, unsigned char *buf, si
{
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t key_type;
psa_key_handle_t handle;
psa_key_id_t key_id;
psa_ecc_family_t curve;
size_t bits;
handle = *((psa_key_handle_t*) key->pk_ctx );
if( PSA_SUCCESS != psa_get_key_attributes( handle, &attributes ) )
key_id = *((psa_key_id_t*) key->pk_ctx );
if( PSA_SUCCESS != psa_get_key_attributes( key_id, &attributes ) )
return( MBEDTLS_ERR_PK_HW_ACCEL_FAILED );
key_type = psa_get_key_type( &attributes );
bits = psa_get_key_bits( &attributes );
library/psa_crypto.c
+70 -69
View File
File diff suppressed because it is too large Load Diff
library/ssl_cli.c
+2 -2
View File
@@ -63,7 +63,7 @@ static int ssl_conf_has_static_psk( mbedtls_ssl_config const *conf )
return( 1 );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! psa_key_handle_is_null( conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -3802,7 +3802,7 @@ static int ssl_write_client_key_exchange( mbedtls_ssl_context *ssl )
status = psa_destroy_key( handshake->ecdh_psa_privkey );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
handshake->ecdh_psa_privkey = PSA_KEY_HANDLE_INIT;
handshake->ecdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT;
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO &&
library/ssl_srv.c
+3 -3
View File
@@ -157,7 +157,7 @@ static int ssl_conf_has_psk_or_cb( mbedtls_ssl_config const *conf )
return( 1 );
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! psa_key_handle_is_null( conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
return( 1 );
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -172,13 +172,13 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
/* If we've used a callback to select the PSK,
* the static configuration is irrelevant. */
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
return( 1 );
return( 0 );
}
if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
return( 1 );
return( 0 );
library/ssl_tls.c
+25 -26
View File
@@ -446,7 +446,7 @@ exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* derivation,
psa_key_handle_t slot,
psa_key_id_t key,
psa_algorithm_t alg,
const unsigned char* seed, size_t seed_length,
const unsigned char* label, size_t label_length,
@@ -466,7 +466,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
if( status != PSA_SUCCESS )
return( status );
if( psa_key_handle_is_null( slot ) )
if( mbedtls_svc_key_id_is_null( key ) )
{
status = psa_key_derivation_input_bytes(
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
@@ -475,8 +475,7 @@ static psa_status_t setup_psa_key_derivation( psa_key_derivation_operation_t* de
else
{
status = psa_key_derivation_input_key(
derivation, PSA_KEY_DERIVATION_INPUT_SECRET,
slot );
derivation, PSA_KEY_DERIVATION_INPUT_SECRET, key );
}
if( status != PSA_SUCCESS )
return( status );
@@ -507,7 +506,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
{
psa_status_t status;
psa_algorithm_t alg;
psa_key_handle_t master_slot = PSA_KEY_HANDLE_INIT;
psa_key_id_t master_key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
@@ -521,7 +520,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
* this PRF is also used to derive an IV, in particular in EAP-TLS,
* and for this use case it makes sense to have a 0-length "secret".
* Since the key API doesn't allow importing a key of length 0,
* keep master_slot=0, which setup_psa_key_derivation() understands
* keep master_key=0, which setup_psa_key_derivation() understands
* to mean a 0-length "secret" input. */
if( slen != 0 )
{
@@ -530,13 +529,13 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
psa_set_key_algorithm( &key_attributes, alg );
psa_set_key_type( &key_attributes, PSA_KEY_TYPE_DERIVE );
status = psa_import_key( &key_attributes, secret, slen, &master_slot );
status = psa_import_key( &key_attributes, secret, slen, &master_key );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = setup_psa_key_derivation( &derivation,
master_slot, alg,
master_key, alg,
random, rlen,
(unsigned char const *) label,
(size_t) strlen( label ),
@@ -544,7 +543,7 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
@@ -552,19 +551,19 @@ static int tls_prf_generic( mbedtls_md_type_t md_type,
if( status != PSA_SUCCESS )
{
psa_key_derivation_abort( &derivation );
psa_destroy_key( master_slot );
psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
status = psa_key_derivation_abort( &derivation );
if( status != PSA_SUCCESS )
{
psa_destroy_key( master_slot );
psa_destroy_key( master_key );
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
}
if( ! psa_key_handle_is_null( master_slot ) )
status = psa_destroy_key( master_slot );
if( ! mbedtls_svc_key_id_is_null( master_key ) )
status = psa_destroy_key( master_key );
if( status != PSA_SUCCESS )
return( MBEDTLS_ERR_SSL_HW_ACCEL_FAILED );
@@ -707,13 +706,13 @@ static int ssl_use_opaque_psk( mbedtls_ssl_context const *ssl )
{
/* If we've used a callback to select the PSK,
* the static configuration is irrelevant. */
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
return( 1 );
return( 0 );
}
if( ! psa_key_handle_is_null( ssl->conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->conf->psk_opaque ) )
return( 1 );
return( 0 );
@@ -1514,7 +1513,7 @@ static int ssl_compute_master( mbedtls_ssl_handshake_params *handshake,
/* Perform PSK-to-MS expansion in a single step. */
psa_status_t status;
psa_algorithm_t alg;
psa_key_handle_t psk;
psa_key_id_t psk;
psa_key_derivation_operation_t derivation =
PSA_KEY_DERIVATION_OPERATION_INIT;
mbedtls_md_type_t hash_alg = handshake->ciphersuite_info->mac;
@@ -4344,11 +4343,11 @@ static void ssl_conf_remove_psk( mbedtls_ssl_config *conf )
{
/* Remove reference to existing PSK, if any. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! psa_key_handle_is_null( conf->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( conf->psk_opaque ) )
{
/* The maintenance of the PSK key slot is the
* user's responsibility. */
conf->psk_opaque = PSA_KEY_HANDLE_INIT;
conf->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
/* This and the following branch should never
* be taken simultaenously as we maintain the
@@ -4432,9 +4431,9 @@ int mbedtls_ssl_conf_psk( mbedtls_ssl_config *conf,
static void ssl_remove_psk( mbedtls_ssl_context *ssl )
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if( ! psa_key_handle_is_null( ssl->handshake->psk_opaque ) )
if( ! mbedtls_svc_key_id_is_null( ssl->handshake->psk_opaque ) )
{
ssl->handshake->psk_opaque = PSA_KEY_HANDLE_INIT;
ssl->handshake->psk_opaque = MBEDTLS_SVC_KEY_ID_INIT;
}
else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
@@ -4469,7 +4468,7 @@ int mbedtls_ssl_set_hs_psk( mbedtls_ssl_context *ssl,
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
psa_key_handle_t psk_slot,
psa_key_id_t psk,
const unsigned char *psk_identity,
size_t psk_identity_len )
{
@@ -4478,9 +4477,9 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
ssl_conf_remove_psk( conf );
/* Check and set opaque PSK */
if( psa_key_handle_is_null( psk_slot ) )
if( mbedtls_svc_key_id_is_null( psk ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
conf->psk_opaque = psk_slot;
conf->psk_opaque = psk;
/* Check and set PSK Identity */
ret = ssl_conf_set_psk_identity( conf, psk_identity,
@@ -4492,14 +4491,14 @@ int mbedtls_ssl_conf_psk_opaque( mbedtls_ssl_config *conf,
}
int mbedtls_ssl_set_hs_psk_opaque( mbedtls_ssl_context *ssl,
psa_key_handle_t psk_slot )
psa_key_id_t psk )
{
if( ( psa_key_handle_is_null( psk_slot ) ) ||
if( ( mbedtls_svc_key_id_is_null( psk ) ) ||
( ssl->handshake == NULL ) )
return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
ssl_remove_psk( ssl );
ssl->handshake->psk_opaque = psk_slot;
ssl->handshake->psk_opaque = psk;
return( 0 );
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */