From 088b77f39c4ba71b6a941ca7d30959c5ae257a48 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 24 Feb 2019 17:00:27 +0100 Subject: [PATCH] Merge psa_crypto_storage_its into psa_crypto_storage Since the ITS API has stabilized and we don't plan to make use of more than ITS, we don't need an abstraction layer between key storage and key storage over ITS. Merge the ITS code into the generic storage module. --- configs/config-psa-crypto.h | 19 +--- include/mbedtls/check_config.h | 8 +- include/mbedtls/config.h | 19 +--- library/CMakeLists.txt | 1 - library/Makefile | 1 - library/psa_crypto_storage.c | 132 ++++++++++++++++++++++++ library/psa_crypto_storage_its.c | 169 ------------------------------- library/version_features.c | 3 - programs/test/query_config.c | 8 -- visualc/VS2010/mbedTLS.vcxproj | 1 - 10 files changed, 139 insertions(+), 222 deletions(-) delete mode 100644 library/psa_crypto_storage_its.c diff --git a/configs/config-psa-crypto.h b/configs/config-psa-crypto.h index 420f62485..0b57d1c7f 100644 --- a/configs/config-psa-crypto.h +++ b/configs/config-psa-crypto.h @@ -2719,25 +2719,12 @@ * * Module: library/psa_crypto_storage.c * - * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - * + * Requires: MBEDTLS_PSA_CRYPTO_C, + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface */ #define MBEDTLS_PSA_CRYPTO_STORAGE_C -/** - * \def MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - * - * Enable persistent key storage over PSA ITS for the - * Platform Security Architecture cryptography API. - * - * Module: library/psa_crypto_storage_its.c - * - * Requires: MBEDTLS_PSA_CRYPTO_C, - * either MBEDTLS_PSA_HAS_ITS_IO or MBEDTLS_PSA_ITS_FILE_C - * - */ -#define MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - /** * \def MBEDTLS_PSA_ITS_FILE_C * diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 7d6c0c98d..607deb96f 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -526,16 +526,10 @@ #endif #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) && \ - !( defined(MBEDTLS_PSA_CRYPTO_C) && \ - defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) ) + ! defined(MBEDTLS_PSA_CRYPTO_C) #error "MBEDTLS_PSA_CRYPTO_STORAGE_C defined, but not all prerequisites" #endif -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) && \ - ! defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) -#error "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_PSA_ITS_FILE_C) && \ !defined(MBEDTLS_FS_IO) #error "MBEDTLS_PSA_ITS_FILE_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index f8585c7cb..f27b50e5a 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2761,25 +2761,12 @@ * * Module: library/psa_crypto_storage.c * - * Requires: MBEDTLS_PSA_CRYPTO_C, MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - * + * Requires: MBEDTLS_PSA_CRYPTO_C, + * either MBEDTLS_PSA_ITS_FILE_C or a native implementation of + * the PSA ITS interface */ #define MBEDTLS_PSA_CRYPTO_STORAGE_C -/** - * \def MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - * - * Enable persistent key storage over PSA ITS for the - * Platform Security Architecture cryptography API. - * - * Module: library/psa_crypto_storage_its.c - * - * Requires: MBEDTLS_PSA_CRYPTO_C, - * either MBEDTLS_PSA_HAS_ITS_IO or MBEDTLS_PSA_ITS_FILE_C - * - */ -#define MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C - /** * \def MBEDTLS_PSA_ITS_FILE_C * diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 70b1a136d..72378da78 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -56,7 +56,6 @@ set(src_crypto psa_crypto.c psa_crypto_slot_management.c psa_crypto_storage.c - psa_crypto_storage_its.c psa_its_file.c ripemd160.c rsa.c diff --git a/library/Makefile b/library/Makefile index 0a128380a..6ed5e6861 100644 --- a/library/Makefile +++ b/library/Makefile 
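Review bot: The rewritten `MBEDTLS_PSA_CRYPTO_STORAGE_C` guard in check_config.h now tests only `MBEDTLS_PSA_CRYPTO_C`, while the config.h text updated by this same patch documents a second prerequisite (`MBEDTLS_PSA_ITS_FILE_C` or a native PSA ITS implementation). Nothing visible in this hunk rejects a configuration that has neither, so that mistake would presumably surface as unresolved `psa_its_*` symbols at link time rather than as a configuration error. A native implementation cannot be detected by the preprocessor unless the platform advertises it with a macro, so a short comment above the `#if` would at least record that the gap is deliberate, for example `/* The ITS backend (MBEDTLS_PSA_ITS_FILE_C or a native one) cannot be checked here. */`.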
@@ -85,7 +85,6 @@ OBJS_CRYPTO= aes.o aesni.o arc4.o \ psa_crypto.o \ psa_crypto_slot_management.o \ psa_crypto_storage.o \ - psa_crypto_storage_its.o \ psa_its_file.o \ ripemd160.o rsa_internal.o rsa.o \ sha1.o sha256.o sha512.o \ diff --git a/library/psa_crypto_storage.c b/library/psa_crypto_storage.c index 84a6ed558..8af3d081f 100644 --- a/library/psa_crypto_storage.c +++ b/library/psa_crypto_storage.c 
@@ -44,6 +44,138 @@ #define mbedtls_free free #endif +#if defined(MBEDTLS_PSA_ITS_FILE_C) +#include "psa_crypto_its.h" +#else /* Native ITS implementation */ +#include "psa/error.h" +#include "psa_crypto_service_integration.h" +#include "psa/internal_trusted_storage.h" +#endif + +/* Determine a file name (ITS file identifier) for the given key file + * identifier. The file name must be distinct from any file that is used + * for a purpose other than storing a key. Currently, the only such file + * is the random seed file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID + * and whose value is 0xFFFFFF52. */ +static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id ) +{ +#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) && \ + defined(PSA_CRYPTO_SECURE) + /* Encode the owner in the upper 32 bits. This means that if + * owner values are nonzero (as they are on a PSA platform), + * no key file will ever have a value less than 0x100000000, so + * the whole range 0..0xffffffff is available for non-key files. */ + uint32_t unsigned_owner = (uint32_t) file_id.owner; + return( (uint64_t) unsigned_owner << 32 | file_id.key_id ); +#else + /* Use the key id directly as a file name. + * psa_is_key_file_id_valid() in psa_crypto_slot_management.c + * is responsible for ensuring that key identifiers do not have a + * value that is reserved for non-key files. 
*/ + return( file_id ); +#endif +} + +psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data, + size_t data_size ) +{ + psa_status_t status; + psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); + struct psa_storage_info_t data_identifier_info; + + status = psa_its_get_info( data_identifier, &data_identifier_info ); + if( status != PSA_SUCCESS ) + return( status ); + + status = psa_its_get( data_identifier, 0, data_size, data ); + + return( status ); +} + +int psa_is_key_present_in_storage( const psa_key_file_id_t key ) +{ + psa_status_t ret; + psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); + struct psa_storage_info_t data_identifier_info; + + ret = psa_its_get_info( data_identifier, &data_identifier_info ); + + if( ret == PSA_ERROR_DOES_NOT_EXIST ) + return( 0 ); + return( 1 ); +} + +psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key, + const uint8_t *data, + size_t data_length ) +{ + psa_status_t status; + psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); + struct psa_storage_info_t data_identifier_info; + + if( psa_is_key_present_in_storage( key ) == 1 ) + return( PSA_ERROR_ALREADY_EXISTS ); + + status = psa_its_set( data_identifier, data_length, data, 0 ); + if( status != PSA_SUCCESS ) + { + return( PSA_ERROR_STORAGE_FAILURE ); + } + + status = psa_its_get_info( data_identifier, &data_identifier_info ); + if( status != PSA_SUCCESS ) + { + goto exit; + } + + if( data_identifier_info.size != data_length ) + { + status = PSA_ERROR_STORAGE_FAILURE; + goto exit; + } + +exit: + if( status != PSA_SUCCESS ) + psa_its_remove( data_identifier ); + return( status ); +} + +psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key ) +{ + psa_status_t ret; + psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); + struct psa_storage_info_t data_identifier_info; + + ret = psa_its_get_info( data_identifier, &data_identifier_info ); + if( ret == 
PSA_ERROR_DOES_NOT_EXIST ) + return( PSA_SUCCESS ); + + if( psa_its_remove( data_identifier ) != PSA_SUCCESS ) + return( PSA_ERROR_STORAGE_FAILURE ); + + ret = psa_its_get_info( data_identifier, &data_identifier_info ); + if( ret != PSA_ERROR_DOES_NOT_EXIST ) + return( PSA_ERROR_STORAGE_FAILURE ); + + return( PSA_SUCCESS ); +} + +psa_status_t psa_crypto_storage_get_data_length( const psa_key_file_id_t key, + size_t *data_length ) +{ + psa_status_t status; + psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); + struct psa_storage_info_t data_identifier_info; + + status = psa_its_get_info( data_identifier, &data_identifier_info ); + if( status != PSA_SUCCESS ) + return( status ); + + *data_length = (size_t) data_identifier_info.size; + + return( PSA_SUCCESS ); +} + /* * 32-bit integer manipulation macros (little endian) */ diff --git a/library/psa_crypto_storage_its.c b/library/psa_crypto_storage_its.c deleted file mode 100644 index 8291f1fc3..000000000 --- a/library/psa_crypto_storage_its.c +++ /dev/null 
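Review bot: In `psa_crypto_storage_load`, the size returned by `psa_its_get_info` is fetched and then never used, so the function does not itself detect a stored key file whose length differs from `data_size` and relies on `psa_its_get` to reject the request. If callers always pass the length obtained from `psa_crypto_storage_get_data_length` (the callers are not visible in this hunk), adding `if( data_identifier_info.size != data_size ) return( PSA_ERROR_STORAGE_FAILURE );` before the `psa_its_get` call would make a truncated or replaced key file fail explicitly instead of depending on backend behaviour. Separately, `psa_is_key_present_in_storage` returns 1 for every status other than `PSA_ERROR_DOES_NOT_EXIST`, so `psa_crypto_storage_store` reports `PSA_ERROR_ALREADY_EXISTS` when the backend actually failed; either a comment stating that this is intentional or a mapping of other errors to `PSA_ERROR_STORAGE_FAILURE` in the store path would avoid the misleading status. These functions are moved unchanged from psa_crypto_storage_its.c, so both points predate this patch.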
@@ -1,169 +0,0 @@ -/* - * PSA storage backend for persistent keys using psa_its APIs. - */ -/* Copyright (C) 2018, ARM Limited, All Rights Reserved - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - * - * This file is part of mbed TLS (https://tls.mbed.org) - */ - -#if defined(MBEDTLS_CONFIG_FILE) -#include MBEDTLS_CONFIG_FILE -#else -#include "mbedtls/config.h" -#endif - -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) - -#if defined(MBEDTLS_PSA_ITS_FILE_C) -#include "psa_crypto_its.h" -#else /* Native ITS implementation */ -#include "psa/error.h" -#include "psa_crypto_service_integration.h" -#include "psa/internal_trusted_storage.h" -#endif - -#include "psa/crypto.h" -#include "psa_crypto_storage_backend.h" - -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#endif - -/* Determine a file name (ITS file identifier) for the given key file - * identifier. The file name must be distinct from any file that is used - * for a purpose other than storing a key. Currently, the only such file - * is the random seed file whose name is PSA_CRYPTO_ITS_RANDOM_SEED_UID - * and whose value is 0xFFFFFF52. */ -static psa_storage_uid_t psa_its_identifier_of_slot( psa_key_file_id_t file_id ) -{ -#if defined(MBEDTLS_PSA_CRYPTO_KEY_FILE_ID_ENCODES_OWNER) && \ - defined(PSA_CRYPTO_SECURE) - /* Encode the owner in the upper 32 bits. 
This means that if - * owner values are nonzero (as they are on a PSA platform), - * no key file will ever have a value less than 0x100000000, so - * the whole range 0..0xffffffff is available for non-key files. */ - uint32_t unsigned_owner = (uint32_t) file_id.owner; - return( (uint64_t) unsigned_owner << 32 | file_id.key_id ); -#else - /* Use the key id directly as a file name. - * psa_is_key_file_id_valid() in psa_crypto_slot_management.c - * is responsible for ensuring that key identifiers do not have a - * value that is reserved for non-key files. */ - return( file_id ); -#endif -} - -psa_status_t psa_crypto_storage_load( const psa_key_file_id_t key, uint8_t *data, - size_t data_size ) -{ - psa_status_t status; - psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); - struct psa_storage_info_t data_identifier_info; - - status = psa_its_get_info( data_identifier, &data_identifier_info ); - if( status != PSA_SUCCESS ) - return( status ); - - status = psa_its_get( data_identifier, 0, data_size, data ); - - return( status ); -} - -int psa_is_key_present_in_storage( const psa_key_file_id_t key ) -{ - psa_status_t ret; - psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); - struct psa_storage_info_t data_identifier_info; - - ret = psa_its_get_info( data_identifier, &data_identifier_info ); - - if( ret == PSA_ERROR_DOES_NOT_EXIST ) - return( 0 ); - return( 1 ); -} - -psa_status_t psa_crypto_storage_store( const psa_key_file_id_t key, - const uint8_t *data, - size_t data_length ) -{ - psa_status_t status; - psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); - struct psa_storage_info_t data_identifier_info; - - if( psa_is_key_present_in_storage( key ) == 1 ) - return( PSA_ERROR_ALREADY_EXISTS ); - - status = psa_its_set( data_identifier, data_length, data, 0 ); - if( status != PSA_SUCCESS ) - { - return( PSA_ERROR_STORAGE_FAILURE ); - } - - status = psa_its_get_info( data_identifier, &data_identifier_info ); - if( 
status != PSA_SUCCESS ) - { - goto exit; - } - - if( data_identifier_info.size != data_length ) - { - status = PSA_ERROR_STORAGE_FAILURE; - goto exit; - } - -exit: - if( status != PSA_SUCCESS ) - psa_its_remove( data_identifier ); - return( status ); -} - -psa_status_t psa_destroy_persistent_key( const psa_key_file_id_t key ) -{ - psa_status_t ret; - psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); - struct psa_storage_info_t data_identifier_info; - - ret = psa_its_get_info( data_identifier, &data_identifier_info ); - if( ret == PSA_ERROR_DOES_NOT_EXIST ) - return( PSA_SUCCESS ); - - if( psa_its_remove( data_identifier ) != PSA_SUCCESS ) - return( PSA_ERROR_STORAGE_FAILURE ); - - ret = psa_its_get_info( data_identifier, &data_identifier_info ); - if( ret != PSA_ERROR_DOES_NOT_EXIST ) - return( PSA_ERROR_STORAGE_FAILURE ); - - return( PSA_SUCCESS ); -} - -psa_status_t psa_crypto_storage_get_data_length( const psa_key_file_id_t key, - size_t *data_length ) -{ - psa_status_t status; - psa_storage_uid_t data_identifier = psa_its_identifier_of_slot( key ); - struct psa_storage_info_t data_identifier_info; - - status = psa_its_get_info( data_identifier, &data_identifier_info ); - if( status != PSA_SUCCESS ) - return( status ); - - *data_length = (size_t) data_identifier_info.size; - - return( PSA_SUCCESS ); -} - -#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C */ diff --git a/library/version_features.c b/library/version_features.c index 6ad9988d7..61a662c1e 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -714,9 +714,6 @@ static const char *features[] = { #if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) "MBEDTLS_PSA_CRYPTO_STORAGE_C", #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) - "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C", -#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C */ #if defined(MBEDTLS_PSA_ITS_FILE_C) "MBEDTLS_PSA_ITS_FILE_C", #endif /* MBEDTLS_PSA_ITS_FILE_C */ 
diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 7c1f8b4e8..3e847e5d9 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1946,14 +1946,6 @@ int query_config( const char *config ) } #endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C) - if( strcmp( "MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C", config ) == 0 ) - { - MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C ); - return( 0 ); - } -#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C */ - #if defined(MBEDTLS_PSA_ITS_FILE_C) if( strcmp( "MBEDTLS_PSA_ITS_FILE_C", config ) == 0 ) { diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index 99f0f2768..41357eea4 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -302,7 +302,6 @@ -