diff options
Diffstat (limited to 'lib/mbedtls-2.27.0/library/psa_crypto_slot_management.c')
| -rw-r--r-- | lib/mbedtls-2.27.0/library/psa_crypto_slot_management.c | 585 |
1 files changed, 0 insertions, 585 deletions
diff --git a/lib/mbedtls-2.27.0/library/psa_crypto_slot_management.c b/lib/mbedtls-2.27.0/library/psa_crypto_slot_management.c deleted file mode 100644 index 76d7a07..0000000 --- a/lib/mbedtls-2.27.0/library/psa_crypto_slot_management.c +++ /dev/null @@ -1,585 +0,0 @@ -/* - * PSA crypto layer on top of Mbed TLS crypto - */ -/* - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 - * - * Licensed under the Apache License, Version 2.0 (the "License"); you may - * not use this file except in compliance with the License. - * You may obtain a copy of the License at - * - * http://www.apache.org/licenses/LICENSE-2.0 - * - * Unless required by applicable law or agreed to in writing, software - * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT - * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. - * See the License for the specific language governing permissions and - * limitations under the License. - */ - -#include "common.h" - -#if defined(MBEDTLS_PSA_CRYPTO_C) - -#include "psa/crypto.h" - -#include "psa_crypto_core.h" -#include "psa_crypto_driver_wrappers.h" -#include "psa_crypto_slot_management.h" -#include "psa_crypto_storage.h" -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) -#include "psa_crypto_se.h" -#endif - -#include <stdlib.h> -#include <string.h> -#if defined(MBEDTLS_PLATFORM_C) -#include "mbedtls/platform.h" -#else -#define mbedtls_calloc calloc -#define mbedtls_free free -#endif - -#define ARRAY_LENGTH( array ) ( sizeof( array ) / sizeof( *( array ) ) ) - -typedef struct -{ - psa_key_slot_t key_slots[MBEDTLS_PSA_KEY_SLOT_COUNT]; - unsigned key_slots_initialized : 1; -} psa_global_data_t; - -static psa_global_data_t global_data; - -int psa_is_valid_key_id( mbedtls_svc_key_id_t key, int vendor_ok ) -{ - psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ); - - if( ( PSA_KEY_ID_USER_MIN <= key_id ) && - ( key_id <= PSA_KEY_ID_USER_MAX ) ) - return( 1 ); - - if( vendor_ok && - ( PSA_KEY_ID_VENDOR_MIN <= key_id ) && - ( key_id <= PSA_KEY_ID_VENDOR_MAX ) ) - return( 1 ); - - return( 0 ); -} - -/** Get the description in memory of a key given its identifier and lock it. - * - * The descriptions of volatile keys and loaded persistent keys are - * stored in key slots. This function returns a pointer to the key slot - * containing the description of a key given its identifier. - * - * The function searches the key slots containing the description of the key - * with \p key identifier. The function does only read accesses to the key - * slots. The function does not load any persistent key thus does not access - * any storage. - * - * For volatile key identifiers, only one key slot is queried as a volatile - * key with identifier key_id can only be stored in slot of index - * ( key_id - #PSA_KEY_ID_VOLATILE_MIN ). - * - * On success, the function locks the key slot. It is the responsibility of - * the caller to unlock the key slot when it does not access it anymore. - * - * \param key Key identifier to query. - * \param[out] p_slot On success, `*p_slot` contains a pointer to the - * key slot containing the description of the key - * identified by \p key. - * - * \retval #PSA_SUCCESS - * The pointer to the key slot containing the description of the key - * identified by \p key was returned. - * \retval #PSA_ERROR_INVALID_HANDLE - * \p key is not a valid key identifier. - * \retval #PSA_ERROR_DOES_NOT_EXIST - * There is no key with key identifier \p key in the key slots. - */ -static psa_status_t psa_get_and_lock_key_slot_in_memory( - mbedtls_svc_key_id_t key, psa_key_slot_t **p_slot ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_id_t key_id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( key ); - size_t slot_idx; - psa_key_slot_t *slot = NULL; - - if( psa_key_id_is_volatile( key_id ) ) - { - slot = &global_data.key_slots[ key_id - PSA_KEY_ID_VOLATILE_MIN ]; - - /* - * Check if both the PSA key identifier key_id and the owner - * identifier of key match those of the key slot. - * - * Note that, if the key slot is not occupied, its PSA key identifier - * is equal to zero. This is an invalid value for a PSA key identifier - * and thus cannot be equal to the valid PSA key identifier key_id. - */ - status = mbedtls_svc_key_id_equal( key, slot->attr.id ) ? - PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST; - } - else - { - if ( !psa_is_valid_key_id( key, 1 ) ) - return( PSA_ERROR_INVALID_HANDLE ); - - for( slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++ ) - { - slot = &global_data.key_slots[ slot_idx ]; - if( mbedtls_svc_key_id_equal( key, slot->attr.id ) ) - break; - } - status = ( slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT ) ? - PSA_SUCCESS : PSA_ERROR_DOES_NOT_EXIST; - } - - if( status == PSA_SUCCESS ) - { - status = psa_lock_key_slot( slot ); - if( status == PSA_SUCCESS ) - *p_slot = slot; - } - - return( status ); -} - -psa_status_t psa_initialize_key_slots( void ) -{ - /* Nothing to do: program startup and psa_wipe_all_key_slots() both - * guarantee that the key slots are initialized to all-zero, which - * means that all the key slots are in a valid, empty state. */ - global_data.key_slots_initialized = 1; - return( PSA_SUCCESS ); -} - -void psa_wipe_all_key_slots( void ) -{ - size_t slot_idx; - - for( slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++ ) - { - psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ]; - slot->lock_count = 1; - (void) psa_wipe_key_slot( slot ); - } - global_data.key_slots_initialized = 0; -} - -psa_status_t psa_get_empty_key_slot( psa_key_id_t *volatile_key_id, - psa_key_slot_t **p_slot ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t slot_idx; - psa_key_slot_t *selected_slot, *unlocked_persistent_key_slot; - - if( ! global_data.key_slots_initialized ) - { - status = PSA_ERROR_BAD_STATE; - goto error; - } - - selected_slot = unlocked_persistent_key_slot = NULL; - for( slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++ ) - { - psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ]; - if( ! psa_is_key_slot_occupied( slot ) ) - { - selected_slot = slot; - break; - } - - if( ( unlocked_persistent_key_slot == NULL ) && - ( ! PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) ) && - ( ! psa_is_key_slot_locked( slot ) ) ) - unlocked_persistent_key_slot = slot; - } - - /* - * If there is no unused key slot and there is at least one unlocked key - * slot containing the description of a persistent key, recycle the first - * such key slot we encountered. If we later need to operate on the - * persistent key we are evicting now, we will reload its description from - * storage. - */ - if( ( selected_slot == NULL ) && - ( unlocked_persistent_key_slot != NULL ) ) - { - selected_slot = unlocked_persistent_key_slot; - selected_slot->lock_count = 1; - psa_wipe_key_slot( selected_slot ); - } - - if( selected_slot != NULL ) - { - status = psa_lock_key_slot( selected_slot ); - if( status != PSA_SUCCESS ) - goto error; - - *volatile_key_id = PSA_KEY_ID_VOLATILE_MIN + - ( (psa_key_id_t)( selected_slot - global_data.key_slots ) ); - *p_slot = selected_slot; - - return( PSA_SUCCESS ); - } - status = PSA_ERROR_INSUFFICIENT_MEMORY; - -error: - *p_slot = NULL; - *volatile_key_id = 0; - - return( status ); -} - -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) -static psa_status_t psa_load_persistent_key_into_slot( psa_key_slot_t *slot ) -{ - psa_status_t status = PSA_SUCCESS; - uint8_t *key_data = NULL; - size_t key_data_length = 0; - - status = psa_load_persistent_key( &slot->attr, - &key_data, &key_data_length ); - if( status != PSA_SUCCESS ) - goto exit; - -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - /* Special handling is required for loading keys associated with a - * dynamically registered SE interface. */ - const psa_drv_se_t *drv; - psa_drv_se_context_t *drv_context; - if( psa_get_se_driver( slot->attr.lifetime, &drv, &drv_context ) ) - { - psa_se_key_data_storage_t *data; - - if( key_data_length != sizeof( *data ) ) - { - status = PSA_ERROR_DATA_INVALID; - goto exit; - } - data = (psa_se_key_data_storage_t *) key_data; - status = psa_copy_key_material_into_slot( - slot, data->slot_number, sizeof( data->slot_number ) ); - goto exit; - } -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - - status = psa_copy_key_material_into_slot( slot, key_data, key_data_length ); - -exit: - psa_free_persistent_key_data( key_data, key_data_length ); - return( status ); -} -#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ - -#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) - -static psa_status_t psa_load_builtin_key_into_slot( psa_key_slot_t *slot ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_lifetime_t lifetime = PSA_KEY_LIFETIME_VOLATILE; - psa_drv_slot_number_t slot_number = 0; - size_t key_buffer_size = 0; - size_t key_buffer_length = 0; - - if( ! psa_key_id_is_builtin( - MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id ) ) ) - { - return( PSA_ERROR_DOES_NOT_EXIST ); - } - - /* Check the platform function to see whether this key actually exists */ - status = mbedtls_psa_platform_get_builtin_key( - slot->attr.id, &lifetime, &slot_number ); - if( status != PSA_SUCCESS ) - return( status ); - - /* Set required key attributes to ensure get_builtin_key can retrieve the - * full attributes. */ - psa_set_key_id( &attributes, slot->attr.id ); - psa_set_key_lifetime( &attributes, lifetime ); - - /* Get the full key attributes from the driver in order to be able to - * calculate the required buffer size. */ - status = psa_driver_wrapper_get_builtin_key( - slot_number, &attributes, - NULL, 0, NULL ); - if( status != PSA_ERROR_BUFFER_TOO_SMALL ) - { - /* Builtin keys cannot be defined by the attributes alone */ - if( status == PSA_SUCCESS ) - status = PSA_ERROR_CORRUPTION_DETECTED; - return( status ); - } - - /* If the key should exist according to the platform, then ask the driver - * what its expected size is. */ - status = psa_driver_wrapper_get_key_buffer_size( &attributes, - &key_buffer_size ); - if( status != PSA_SUCCESS ) - return( status ); - - /* Allocate a buffer of the required size and load the builtin key directly - * into the (now properly sized) slot buffer. */ - status = psa_allocate_buffer_to_slot( slot, key_buffer_size ); - if( status != PSA_SUCCESS ) - return( status ); - - status = psa_driver_wrapper_get_builtin_key( - slot_number, &attributes, - slot->key.data, slot->key.bytes, &key_buffer_length ); - if( status != PSA_SUCCESS ) - goto exit; - - /* Copy actual key length and core attributes into the slot on success */ - slot->key.bytes = key_buffer_length; - slot->attr = attributes.core; - -exit: - if( status != PSA_SUCCESS ) - psa_remove_key_data_from_memory( slot ); - return( status ); -} -#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ - -psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key, - psa_key_slot_t **p_slot ) -{ - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - - *p_slot = NULL; - if( ! global_data.key_slots_initialized ) - return( PSA_ERROR_BAD_STATE ); - - /* - * On success, the pointer to the slot is passed directly to the caller - * thus no need to unlock the key slot here. - */ - status = psa_get_and_lock_key_slot_in_memory( key, p_slot ); - if( status != PSA_ERROR_DOES_NOT_EXIST ) - return( status ); - - /* Loading keys from storage requires support for such a mechanism */ -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) || \ - defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) - psa_key_id_t volatile_key_id; - - status = psa_get_empty_key_slot( &volatile_key_id, p_slot ); - if( status != PSA_SUCCESS ) - return( status ); - - (*p_slot)->attr.id = key; - (*p_slot)->attr.lifetime = PSA_KEY_LIFETIME_PERSISTENT; - - status = PSA_ERROR_DOES_NOT_EXIST; -#if defined(MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS) - /* Load keys in the 'builtin' range through their own interface */ - status = psa_load_builtin_key_into_slot( *p_slot ); -#endif /* MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ - -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) - if( status == PSA_ERROR_DOES_NOT_EXIST ) - status = psa_load_persistent_key_into_slot( *p_slot ); -#endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ - - if( status != PSA_SUCCESS ) - { - psa_wipe_key_slot( *p_slot ); - if( status == PSA_ERROR_DOES_NOT_EXIST ) - status = PSA_ERROR_INVALID_HANDLE; - } - else - /* Add implicit usage flags. */ - psa_extend_key_usage_flags( &(*p_slot)->attr.policy.usage ); - - return( status ); -#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ - return( PSA_ERROR_INVALID_HANDLE ); -#endif /* MBEDTLS_PSA_CRYPTO_STORAGE_C || MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ -} - -psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot ) -{ - if( slot == NULL ) - return( PSA_SUCCESS ); - - if( slot->lock_count > 0 ) - { - slot->lock_count--; - return( PSA_SUCCESS ); - } - - /* - * As the return error code may not be handled in case of multiple errors, - * do our best to report if the lock counter is equal to zero: if - * available call MBEDTLS_PARAM_FAILED that may terminate execution (if - * called as part of the execution of a unit test suite this will stop the - * test suite execution). - */ -#ifdef MBEDTLS_CHECK_PARAMS - MBEDTLS_PARAM_FAILED( slot->lock_count > 0 ); -#endif - - return( PSA_ERROR_CORRUPTION_DETECTED ); -} - -psa_status_t psa_validate_key_location( psa_key_lifetime_t lifetime, - psa_se_drv_table_entry_t **p_drv ) -{ - if ( psa_key_lifetime_is_external( lifetime ) ) - { -#if defined(MBEDTLS_PSA_CRYPTO_SE_C) - /* Check whether a driver is registered against this lifetime */ - psa_se_drv_table_entry_t *driver = psa_get_se_driver_entry( lifetime ); - if( driver != NULL ) - { - if (p_drv != NULL) - *p_drv = driver; - return( PSA_SUCCESS ); - } -#else /* MBEDTLS_PSA_CRYPTO_SE_C */ - (void) p_drv; -#endif /* MBEDTLS_PSA_CRYPTO_SE_C */ - -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) - /* Key location for external keys gets checked by the wrapper */ - return( PSA_SUCCESS ); -#else /* MBEDTLS_PSA_CRYPTO_DRIVERS */ - /* No support for external lifetimes at all, or dynamic interface - * did not find driver for requested lifetime. */ - return( PSA_ERROR_INVALID_ARGUMENT ); -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ - } - else - /* Local/internal keys are always valid */ - return( PSA_SUCCESS ); -} - -psa_status_t psa_validate_key_persistence( psa_key_lifetime_t lifetime ) -{ - if ( PSA_KEY_LIFETIME_IS_VOLATILE( lifetime ) ) - { - /* Volatile keys are always supported */ - return( PSA_SUCCESS ); - } - else - { - /* Persistent keys require storage support */ -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) - if( PSA_KEY_LIFETIME_IS_READ_ONLY( lifetime ) ) - return( PSA_ERROR_INVALID_ARGUMENT ); - else - return( PSA_SUCCESS ); -#else /* MBEDTLS_PSA_CRYPTO_STORAGE_C */ - return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* !MBEDTLS_PSA_CRYPTO_STORAGE_C */ - } -} - -psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle ) -{ -#if defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) - psa_status_t status; - psa_key_slot_t *slot; - - status = psa_get_and_lock_key_slot( key, &slot ); - if( status != PSA_SUCCESS ) - { - *handle = PSA_KEY_HANDLE_INIT; - if( status == PSA_ERROR_INVALID_HANDLE ) - status = PSA_ERROR_DOES_NOT_EXIST; - - return( status ); - } - - *handle = key; - - return( psa_unlock_key_slot( slot ) ); - -#else /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ - (void) key; - *handle = PSA_KEY_HANDLE_INIT; - return( PSA_ERROR_NOT_SUPPORTED ); -#endif /* !defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */ -} - -psa_status_t psa_close_key( psa_key_handle_t handle ) -{ - psa_status_t status; - psa_key_slot_t *slot; - - if( psa_key_handle_is_null( handle ) ) - return( PSA_SUCCESS ); - - status = psa_get_and_lock_key_slot_in_memory( handle, &slot ); - if( status != PSA_SUCCESS ) - { - if( status == PSA_ERROR_DOES_NOT_EXIST ) - status = PSA_ERROR_INVALID_HANDLE; - - return( status ); - } - if( slot->lock_count <= 1 ) - return( psa_wipe_key_slot( slot ) ); - else - return( psa_unlock_key_slot( slot ) ); -} - -psa_status_t psa_purge_key( mbedtls_svc_key_id_t key ) -{ - psa_status_t status; - psa_key_slot_t *slot; - - status = psa_get_and_lock_key_slot_in_memory( key, &slot ); - if( status != PSA_SUCCESS ) - return( status ); - - if( ( ! PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) ) && - ( slot->lock_count <= 1 ) ) - return( psa_wipe_key_slot( slot ) ); - else - return( psa_unlock_key_slot( slot ) ); -} - -void mbedtls_psa_get_stats( mbedtls_psa_stats_t *stats ) -{ - size_t slot_idx; - - memset( stats, 0, sizeof( *stats ) ); - - for( slot_idx = 0; slot_idx < MBEDTLS_PSA_KEY_SLOT_COUNT; slot_idx++ ) - { - const psa_key_slot_t *slot = &global_data.key_slots[ slot_idx ]; - if( psa_is_key_slot_locked( slot ) ) - { - ++stats->locked_slots; - } - if( ! psa_is_key_slot_occupied( slot ) ) - { - ++stats->empty_slots; - continue; - } - if( PSA_KEY_LIFETIME_IS_VOLATILE( slot->attr.lifetime ) ) - ++stats->volatile_slots; - else - { - psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id ); - ++stats->persistent_slots; - if( id > stats->max_open_internal_key_id ) - stats->max_open_internal_key_id = id; - } - if( PSA_KEY_LIFETIME_GET_LOCATION( slot->attr.lifetime ) != - PSA_KEY_LOCATION_LOCAL_STORAGE ) - { - psa_key_id_t id = MBEDTLS_SVC_KEY_ID_GET_KEY_ID( slot->attr.id ); - ++stats->external_slots; - if( id > stats->max_open_external_key_id ) - stats->max_open_external_key_id = id; - } - } -} - -#endif /* MBEDTLS_PSA_CRYPTO_C */ |