From 949330827cad4da897c30d37b75309ec65d85c09 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 5 Jan 2021 12:03:25 -0700 Subject: [PATCH 01/37] Add feature support for AES for PSA crypto config Basic support for enabling AES through PSA_WANT_KEY_TYPE_AES. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 69a6a31ce..d011c383b 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -220,6 +220,12 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ +#if defined(PSA_WANT_KEY_TYPE_AES) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#define MBEDTLS_AES_C +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ +#endif /* PSA_WANT_KEY_TYPE_AES */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -328,6 +334,10 @@ extern "C" { #define PSA_WANT_ALG_SHA_512 1 #endif +#if defined(MBEDTLS_AES_C) +#define PSA_WANT_KEY_TYPE_AES 1 +#endif + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus From ec258cfae1fc71c85205aa46ac1914b8c3fad5fa Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 5 Jan 2021 12:03:25 -0700 Subject: [PATCH 02/37] Add feature support for ARC4 for PSA crypto config Basic support for enabling ARC4 through PSA_WANT_KEY_TYPE_ARC4. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index d011c383b..8d1072c3e 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -226,6 +226,12 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ #endif /* PSA_WANT_KEY_TYPE_AES */ +#if defined(PSA_WANT_KEY_TYPE_ARC4) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4) +#define MBEDTLS_ARC4_C +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4 */ +#endif /* PSA_WANT_KEY_TYPE_ARC4 */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -338,6 +344,10 @@ extern "C" { #define PSA_WANT_KEY_TYPE_AES 1 #endif +#if defined(MBEDTLS_ARC4_C) +#define PSA_WANT_KEY_TYPE_ARC4 1 +#endif + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus From 686e6e83d36eb43c0512ea408ca11cb66c4fbc16 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 5 Jan 2021 12:03:25 -0700 Subject: [PATCH 03/37] Add feature support for Camelia for PSA crypto config Basic support for enabling Camelia through PSA_WANT_KEY_TYPE_CAMELIA. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 8d1072c3e..a4b4f913f 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -232,6 +232,12 @@ extern "C" { #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4 */ #endif /* PSA_WANT_KEY_TYPE_ARC4 */ +#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#define MBEDTLS_CAMELLIA_C +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */ +#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -348,6 +354,10 @@ extern "C" { #define PSA_WANT_KEY_TYPE_ARC4 1 #endif +#if defined(MBEDTLS_CAMELLIA_C) +#define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#endif + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus From b65a7f7b52d755083063c9b740165377764ef1d2 Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 15 Jan 2021 12:04:09 -0700 Subject: [PATCH 04/37] Add feature support for DES for PSA crypto config Basic support for enabling DES through PSA_WANT_KEY_TYPE_DES. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index a4b4f913f..e80a8e6e2 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -238,6 +238,12 @@ extern "C" { #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ +#if defined(PSA_WANT_KEY_TYPE_DES) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) +#define MBEDTLS_DES_C +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */ +#endif /* PSA_WANT_KEY_TYPE_DES */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -358,6 +364,10 @@ extern "C" { #define PSA_WANT_KEY_TYPE_CAMELLIA 1 #endif +#if defined(MBEDTLS_DES_C) +#define PSA_WANT_KEY_TYPE_DES 1 +#endif + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus From a9f1d83d315153faef04bec0fb1f3468a668b05a Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 15 Jan 2021 11:40:25 -0700 Subject: [PATCH 05/37] Add symmetric ciphers and block modes Update the psa/crypto_config.h with the newly defined PSA_WANT_ definitions for symmetric ciphers and block modes. Signed-off-by: David Brown --- include/psa/crypto_config.h | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index a4d11c950..0fa1b1305 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -50,7 +50,12 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H +#define PSA_WANT_ALG_CBC 1 +#define PSA_WANT_ALG_CBC_NO_PADDING 1 +#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CFB 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_HKDF 1 @@ -58,6 +63,7 @@ #define PSA_WANT_ALG_MD2 1 #define PSA_WANT_ALG_MD4 1 #define PSA_WANT_ALG_MD5 1 +#define PSA_WANT_ALG_OFB 1 #define PSA_WANT_ALG_RIPEMD160 1 #define PSA_WANT_ALG_RSA_OAEP 1 #define PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 @@ -68,10 +74,16 @@ #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 +#define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 +#define PSA_WANT_ALG_XTS 1 +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ARC4 1 +#define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#define PSA_WANT_KEY_TYPE_DES 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 #define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 From 9984427b4a036f552536e7be14ce69f370c3f17a Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 15 Jan 2021 12:04:47 -0700 Subject: [PATCH 06/37] Add feature support for block modes to PSA crypto config Add support for supported block modes using the PSA crypto config. These are mapped to Mbed TLS config options as best as possible. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 60 ++++++++++++++++++++++++++++++++++++ 1 file changed, 60 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index e80a8e6e2..756991a0e 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -244,6 +244,37 @@ extern "C" { #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */ #endif /* PSA_WANT_KEY_TYPE_DES */ +#if defined(PSA_WANT_ALG_STREAM_CIPHER) + /* Nothing to define */ +#endif /* PSA_WANT_ALG_STREAM_CIPHER */ + +#if defined(PSA_WANT_ALG_CTR) +#define MBEDTLS_CIPHER_MODE_CTR +#endif /* PSA_WANT_ALG_CTR */ + +#if defined(PSA_WANT_ALG_CFB) +#define MBEDTLS_CIPHER_MODE_CFB +#endif /* PSA_WANT_ALG_CFB */ + +#if defined(PSA_WANT_ALG_OFB) +#define MBEDTLS_CIPHER_MODE_OFB +#endif /* PSA_WANT_ALG_OFB */ + +#if defined(PSA_WANT_ALG_XTS) +#define MBEDTLS_CIPHER_MODE_XTS +#endif /* PSA_WANT_ALG_XTS */ + +#if defined(PSA_WANT_ALG_ECB_NO_PADDING) + /* Nothing to define. */ +#endif + +#if defined(PSA_WANT_ALG_CBC_NO_PADDING) || defined(PSA_WANT_ALG_CBC_PKCS7) +#define MBEDTLS_CIPHER_MODE_CBC +#if defined(PSA_WANT_ALG_CBC_PKCS7) +#define MBEDTLS_CIPHER_PADDING_PKCS7 +#endif /* PSA_WANT_ALG_CBC_PKCS7 */ +#endif /* PSA_WANT_ALG_CBC_NO_PADDING or PSA_WANT_ALG_CBC_PKCS7 */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -358,6 +389,7 @@ extern "C" { #if defined(MBEDTLS_ARC4_C) #define PSA_WANT_KEY_TYPE_ARC4 1 +#define PSA_WANT_ALG_STREAM_CIPHER 1 #endif #if defined(MBEDTLS_CAMELLIA_C) @@ -368,6 +400,34 @@ extern "C" { #define PSA_WANT_KEY_TYPE_DES 1 #endif +#if defined(MBEDTLS_CIPHER_MODE_CBC) +#define PSA_WANT_ALG_CBC_NO_PADDING 1 +#if defined(MBEDTLS_CIPHER_PADDING_PKCS7) +#define PSA_WANT_ALG_CBC_PKCS7 1 +#endif +#endif + +#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ + defined(MBEDTLS_CAMELLIA_C) +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#endif + +#if defined(MBEDTLS_CIPHER_MODE_CFB) +#define PSA_WANT_ALG_CFB 1 +#endif + +#if defined(MBEDTLS_CIPHER_MODE_CTR) +#define PSA_WANT_ALG_CTR 1 +#endif + +#if defined(MBEDTLS_CIPHER_MODE_OFB) +#define PSA_WANT_ALG_OFB 1 +#endif + +#if defined(MBEDTLS_CIPHER_MODE_XTS) +#define PSA_WANT_ALG_XTS 1 +#endif + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus From 78a429b89a5b72bcba038e5bbec1337c06da8a8e Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 21 Jan 2021 09:48:57 -0700 Subject: [PATCH 07/37] Add _BUILTIN defines for new features For the new features conditionalized on MBEDTLS_PSA_ACCEL_..., define a correlated MBEDTLS_PSA_BUILTIN_... if it is not defined. This prevents check_names from considering these new defines as typos. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 756991a0e..60ed72c39 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -222,24 +222,28 @@ extern "C" { #if defined(PSA_WANT_KEY_TYPE_AES) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #define MBEDTLS_AES_C #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ #endif /* PSA_WANT_KEY_TYPE_AES */ #if defined(PSA_WANT_KEY_TYPE_ARC4) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4 1 #define MBEDTLS_ARC4_C #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_ARC4 */ #endif /* PSA_WANT_KEY_TYPE_ARC4 */ #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 #define MBEDTLS_CAMELLIA_C #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ #if defined(PSA_WANT_KEY_TYPE_DES) #if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #define MBEDTLS_DES_C #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */ #endif /* PSA_WANT_KEY_TYPE_DES */ From db003f31fcc94b1e9263d09f299cb3ed598e7922 Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 21 Jan 2021 09:50:19 -0700 Subject: [PATCH 08/37] Remove unused definition PSA defines CBC with no padding, and CBC with PKCS7 padding. The bare "ALG_CBC" is not defined, so remove this definition. Signed-off-by: David Brown --- include/psa/crypto_config.h | 1 - 1 file changed, 1 deletion(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 0fa1b1305..a6cc07a22 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -50,7 +50,6 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -#define PSA_WANT_ALG_CBC 1 #define PSA_WANT_ALG_CBC_NO_PADDING 1 #define PSA_WANT_ALG_CBC_PKCS7 1 #define PSA_WANT_ALG_CFB 1 From bc1731b24e05b02dd643b6482b9381ca2889a7b0 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 26 Jan 2021 11:38:24 -0700 Subject: [PATCH 09/37] Fix small error in a comment Use '||' instead of 'or' for consistency. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 60ed72c39..39069aa98 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -277,7 +277,7 @@ extern "C" { #if defined(PSA_WANT_ALG_CBC_PKCS7) #define MBEDTLS_CIPHER_PADDING_PKCS7 #endif /* PSA_WANT_ALG_CBC_PKCS7 */ -#endif /* PSA_WANT_ALG_CBC_NO_PADDING or PSA_WANT_ALG_CBC_PKCS7 */ +#endif /* PSA_WANT_ALG_CBC_NO_PADDING || PSA_WANT_ALG_CBC_PKCS7 */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ From e04acc271cccd3d18904bb3b206e35444f380647 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 26 Jan 2021 11:39:16 -0700 Subject: [PATCH 10/37] Use PSA definitions in PSA file This file will always be used with the PSA configurations, so use the MBEDTLS_PSA_BUILTIN... definitions for the symmetric cyphers. Signed-off-by: David Brown --- library/psa_crypto.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f304950e0..40d28d9d6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -495,25 +495,25 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, case PSA_KEY_TYPE_HMAC: case PSA_KEY_TYPE_DERIVE: break; -#if defined(MBEDTLS_AES_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES) case PSA_KEY_TYPE_AES: if( bits != 128 && bits != 192 && bits != 256 ) return( PSA_ERROR_INVALID_ARGUMENT ); break; #endif -#if defined(MBEDTLS_CAMELLIA_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA) case PSA_KEY_TYPE_CAMELLIA: if( bits != 128 && bits != 192 && bits != 256 ) return( PSA_ERROR_INVALID_ARGUMENT ); break; #endif -#if defined(MBEDTLS_DES_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) case PSA_KEY_TYPE_DES: if( bits != 64 && bits != 128 && bits != 192 ) return( PSA_ERROR_INVALID_ARGUMENT ); break; #endif -#if defined(MBEDTLS_ARC4_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4) case PSA_KEY_TYPE_ARC4: if( bits < 8 || bits > 2048 ) return( PSA_ERROR_INVALID_ARGUMENT ); From da7dbb72eda518a1c35aaf24476b8d4aed8abf0b Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 26 Jan 2021 11:44:15 -0700 Subject: [PATCH 11/37] Add building definitions for non-crypto-config case Ensure that the builtin definitions are defined when selected by the traditional configuration options. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 39069aa98..67ab54d58 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -389,19 +389,23 @@ extern "C" { #if defined(MBEDTLS_AES_C) #define PSA_WANT_KEY_TYPE_AES 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #endif #if defined(MBEDTLS_ARC4_C) #define PSA_WANT_KEY_TYPE_ARC4 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4 1 #endif #if defined(MBEDTLS_CAMELLIA_C) #define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 #endif #if defined(MBEDTLS_DES_C) #define PSA_WANT_KEY_TYPE_DES 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) From 12f45f99da22e4f04414358bea195ff22e9a7fbb Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 26 Jan 2021 11:50:36 -0700 Subject: [PATCH 12/37] Add definitions for builtins for cipher modes Create these definitions for the various cipher modes. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 23 +++++++++++++++++++++-- 1 file changed, 21 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 67ab54d58..df457bed8 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -249,27 +249,31 @@ extern "C" { #endif /* PSA_WANT_KEY_TYPE_DES */ #if defined(PSA_WANT_ALG_STREAM_CIPHER) - /* Nothing to define */ +#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif /* PSA_WANT_ALG_STREAM_CIPHER */ #if defined(PSA_WANT_ALG_CTR) +#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1 #define MBEDTLS_CIPHER_MODE_CTR #endif /* PSA_WANT_ALG_CTR */ #if defined(PSA_WANT_ALG_CFB) +#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1 #define MBEDTLS_CIPHER_MODE_CFB #endif /* PSA_WANT_ALG_CFB */ #if defined(PSA_WANT_ALG_OFB) +#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1 #define MBEDTLS_CIPHER_MODE_OFB #endif /* PSA_WANT_ALG_OFB */ #if defined(PSA_WANT_ALG_XTS) +#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1 #define MBEDTLS_CIPHER_MODE_XTS #endif /* PSA_WANT_ALG_XTS */ #if defined(PSA_WANT_ALG_ECB_NO_PADDING) - /* Nothing to define. */ +#define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 #endif #if defined(PSA_WANT_ALG_CBC_NO_PADDING) || defined(PSA_WANT_ALG_CBC_PKCS7) @@ -279,6 +283,14 @@ extern "C" { #endif /* PSA_WANT_ALG_CBC_PKCS7 */ #endif /* PSA_WANT_ALG_CBC_NO_PADDING || PSA_WANT_ALG_CBC_PKCS7 */ +#if defined(PSA_WANT_ALG_CBC_NO_PADDING) +#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 +#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ + +#if defined(PSA_WANT_ALG_CBC_PKCS7) +#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 +#endif /* PSA_WANT_ALG_CBC_PKCS7 */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -396,6 +408,7 @@ extern "C" { #define PSA_WANT_KEY_TYPE_ARC4 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARC4 1 +#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif #if defined(MBEDTLS_CAMELLIA_C) @@ -411,28 +424,34 @@ extern "C" { #if defined(MBEDTLS_CIPHER_MODE_CBC) #define PSA_WANT_ALG_CBC_NO_PADDING 1 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) +#define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 #define PSA_WANT_ALG_CBC_PKCS7 1 #endif #endif #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ defined(MBEDTLS_CAMELLIA_C) +#define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #endif #if defined(MBEDTLS_CIPHER_MODE_CFB) +#define MBEDTLS_PSA_BUILTIN_ALG_CFB 1 #define PSA_WANT_ALG_CFB 1 #endif #if defined(MBEDTLS_CIPHER_MODE_CTR) +#define MBEDTLS_PSA_BUILTIN_ALG_CTR 1 #define PSA_WANT_ALG_CTR 1 #endif #if defined(MBEDTLS_CIPHER_MODE_OFB) +#define MBEDTLS_PSA_BUILTIN_ALG_OFB 1 #define PSA_WANT_ALG_OFB 1 #endif #if defined(MBEDTLS_CIPHER_MODE_XTS) +#define MBEDTLS_PSA_BUILTIN_ALG_XTS 1 #define PSA_WANT_ALG_XTS 1 #endif From 63ca260827c6ab0c6706a97ed22f0135d37032f1 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 26 Jan 2021 11:51:12 -0700 Subject: [PATCH 13/37] Change psa_crypto.c ifdefs for cipher modes Change to use the MBEDTLS_PSA_BUILTIN... macros defined by the cipher modes. Signed-off-by: David Brown --- library/psa_crypto.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 40d28d9d6..c48b2f928 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3896,7 +3896,8 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, if( ret != 0 ) goto exit; -#if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) switch( alg ) { case PSA_ALG_CBC_NO_PADDING: @@ -3914,7 +3915,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, } if( ret != 0 ) goto exit; -#endif //MBEDTLS_CIPHER_MODE_WITH_PADDING +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || MBEDTLS_PADDING_PKCS7 */ operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 : PSA_BLOCK_CIPHER_BLOCK_LENGTH( slot->attr.type ) ); From 4b9ec7a598549a503871c1ec344144a297c4bbce Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 5 Feb 2021 12:47:08 -0700 Subject: [PATCH 14/37] Add checks for HW acceleration of ciphers and padding Add additional ifdef checks in the PSA config to detect when an algorithm is entirely implemented in hardware. If there is any combination of cipher and padding type that is not supported by the HW acceleration, enable the SW acceleration. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 44 ++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index df457bed8..f744e12cd 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -252,24 +252,58 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif /* PSA_WANT_ALG_STREAM_CIPHER */ +/* The MBEDTLS_PSA_HAVE_SOFT_KEY_TYPE_* are defined if a key type is selected, + * but we are configured to accelerate this key type. */ +#if defined(PSA_WANT_KEY_TYPE_AES) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#define PSA_HAVE_SOFT_KEY_TYPE_AES 1 +#endif + +#if defined(PSA_WANT_KEY_TYPE_DES) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) +#define PSA_HAVE_SOFT_KEY_TYPE_DES 1 +#endif + +#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1 +#endif + #if defined(PSA_WANT_ALG_CTR) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_CTR 1 #define MBEDTLS_CIPHER_MODE_CTR +#endif #endif /* PSA_WANT_ALG_CTR */ #if defined(PSA_WANT_ALG_CFB) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_CFB 1 #define MBEDTLS_CIPHER_MODE_CFB +#endif #endif /* PSA_WANT_ALG_CFB */ #if defined(PSA_WANT_ALG_OFB) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_OFB 1 #define MBEDTLS_CIPHER_MODE_OFB +#endif #endif /* PSA_WANT_ALG_OFB */ #if defined(PSA_WANT_ALG_XTS) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_XTS) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_XTS 1 #define MBEDTLS_CIPHER_MODE_XTS +#endif #endif /* PSA_WANT_ALG_XTS */ #if defined(PSA_WANT_ALG_ECB_NO_PADDING) @@ -284,11 +318,21 @@ extern "C" { #endif /* PSA_WANT_ALG_CBC_NO_PADDING || PSA_WANT_ALG_CBC_PKCS7 */ #if defined(PSA_WANT_ALG_CBC_NO_PADDING) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 +#endif #endif /* PSA_WANT_ALG_CBC_NO_PADDING */ #if defined(PSA_WANT_ALG_CBC_PKCS7) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) #define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 +#endif #endif /* PSA_WANT_ALG_CBC_PKCS7 */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ From 0baa7b5e988ac89dab711136815453ff6c9884ac Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 5 Feb 2021 12:51:07 -0700 Subject: [PATCH 15/37] Change ifdefs in psa_crypto.c to new WANT macros There are a few instances of MBEDTLS_*_C (specifically for DES) in psa_crypto.c. Change to the PSA_WANT_KEY_TYPE_DES macros to reflect the new PSA crypto config. Signed-off-by: David Brown --- library/psa_crypto.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index c48b2f928..7f201f6c6 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3875,7 +3875,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, if( ret != 0 ) goto exit; -#if defined(MBEDTLS_DES_C) +#if defined(PSA_WANT_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 ) { /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ @@ -5063,7 +5063,7 @@ exit: return( status ); } -#if defined(MBEDTLS_DES_C) +#if defined(PSA_WANT_KEY_TYPE_DES) static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) { if( data_size >= 8 ) @@ -5073,7 +5073,7 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) if( data_size >= 24 ) mbedtls_des_key_set_parity( data + 16 ); } -#endif /* MBEDTLS_DES_C */ +#endif /* PSA_WANT_KEY_TYPE_DES */ static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, @@ -5095,10 +5095,10 @@ static psa_status_t psa_generate_derived_key_internal( status = psa_key_derivation_output_bytes( operation, data, bytes ); if( status != PSA_SUCCESS ) goto exit; -#if defined(MBEDTLS_DES_C) +#if defined(PSA_WANT_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( data, bytes ); -#endif /* MBEDTLS_DES_C */ +#endif /* PSA_WANT_KEY_TYPE_DES */ status = psa_allocate_buffer_to_slot( slot, bytes ); if( status != PSA_SUCCESS ) @@ -6029,7 +6029,7 @@ psa_status_t psa_generate_key_internal( if( status != PSA_SUCCESS ) return( status ); -#if defined(MBEDTLS_DES_C) +#if defined(PSA_WANT_KEY_TYPE_DES) if( type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( key_buffer, key_buffer_size ); #endif /* MBEDTLS_DES_C */ From 4869dcdc90b3c9940fb9556e9a72d1a06a68038d Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 5 Feb 2021 12:56:10 -0700 Subject: [PATCH 16/37] Change some examples to use new PSA crypto config Change a few instances of MBEDTLS_AES_C to PSA_WANT_KEY_TYPE_AES for PSA-specific demos. Signed-off-by: David Brown --- programs/psa/crypto_examples.c | 6 +++--- programs/psa/key_ladder_demo.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/programs/psa/crypto_examples.c b/programs/psa/crypto_examples.c index 935d657af..e9323a5b2 100644 --- a/programs/psa/crypto_examples.c +++ b/programs/psa/crypto_examples.c @@ -43,13 +43,13 @@ } \ } while ( 0 ) -#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_AES_C) || \ +#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(PSA_WANT_KEY_TYPE_AES) || \ !defined(MBEDTLS_CIPHER_MODE_CBC) || !defined(MBEDTLS_CIPHER_MODE_CTR) || \ !defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) || \ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) int main( void ) { - printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or " + printf( "MBEDTLS_PSA_CRYPTO_C and/or PSA_WANT_KEY_TYPE_AES and/or " "MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR " "and/or MBEDTLS_CIPHER_MODE_WITH_PADDING " "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER" @@ -327,5 +327,5 @@ exit: mbedtls_psa_crypto_free( ); return( 0 ); } -#endif /* MBEDTLS_PSA_CRYPTO_C && MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC && +#endif /* MBEDTLS_PSA_CRYPTO_C && PSA_WANT_KEY_TYPE_AES && MBEDTLS_CIPHER_MODE_CBC && MBEDTLS_CIPHER_MODE_CTR && MBEDTLS_CIPHER_MODE_WITH_PADDING */ diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index 47d5de642..2abb1b89f 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c @@ -66,13 +66,13 @@ /* If the build options we need are not enabled, compile a placeholder. */ #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \ - !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \ + !defined(PSA_WANT_KEY_TYPE_AES) || !defined(MBEDTLS_CCM_C) || \ !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) int main( void ) { printf( "MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " - "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " + "PSA_WANT_KEY_TYPE_AES and/or MBEDTLS_CCM_C and/or " "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO " "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER " "defined.\n" ); @@ -695,4 +695,4 @@ usage_failure: usage( ); return( EXIT_FAILURE ); } -#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && MBEDTLS_AES_C && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */ +#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && PSA_WANT_KEY_TYPE_AES && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */ From 5256e69cda692c2ccf0d532087e9850ca175e80d Mon Sep 17 00:00:00 2001 From: David Brown Date: Mon, 8 Feb 2021 15:44:11 -0700 Subject: [PATCH 17/37] Fix typo in psa config comment Change "are" to "aren't" to avoid making the comment misleading. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index f744e12cd..96f6f4a21 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -253,7 +253,7 @@ extern "C" { #endif /* PSA_WANT_ALG_STREAM_CIPHER */ /* The MBEDTLS_PSA_HAVE_SOFT_KEY_TYPE_* are defined if a key type is selected, - * but we are configured to accelerate this key type. */ + * but we aren't configured to accelerate this key type. */ #if defined(PSA_WANT_KEY_TYPE_AES) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) #define PSA_HAVE_SOFT_KEY_TYPE_AES 1 #endif From b781f75401ca98d25d6d06ea7531b0c87f61d2bf Mon Sep 17 00:00:00 2001 From: David Brown Date: Mon, 8 Feb 2021 15:44:52 -0700 Subject: [PATCH 18/37] Define SW crypto algorithms if block modes need it Even if there is an accelerated version of a (block) key type, enable the SW implementation if there are block modes that don't have acceleration. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 30 ++++++++++++++++++++++++------ 1 file changed, 24 insertions(+), 6 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 96f6f4a21..b6bc6f3e0 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -220,11 +220,27 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */ #endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY */ +/* If any of the block modes are requested that don't have an + * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking + * in the block cipher key types. */ +#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \ + (defined(PSA_WANT_ALG_CBF) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \ + (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \ + (defined(PSA_WANT_ALG_XTS) && !defined(MBEDTLS_PSA_ACCEL_ALG_XTS)) || \ + defined(PSA_WANT_ALG_ECB_NO_PADDING) || \ + (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \ + (defined(PSA_WANT_ALG_CBC_PKCS7) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) +#define PSA_HAVE_SOFT_BLOCK_MODE 1 +#endif + #if defined(PSA_WANT_KEY_TYPE_AES) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #define MBEDTLS_AES_C -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_AES */ #if defined(PSA_WANT_KEY_TYPE_ARC4) @@ -235,17 +251,19 @@ extern "C" { #endif /* PSA_WANT_KEY_TYPE_ARC4 */ #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) || \ + defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 #define MBEDTLS_CAMELLIA_C -#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */ +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ #if defined(PSA_WANT_KEY_TYPE_DES) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #define MBEDTLS_DES_C -#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */ +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_DES */ #if defined(PSA_WANT_ALG_STREAM_CIPHER) From b16727a603d09a7a6722e63d589d9a2addfa3ca0 Mon Sep 17 00:00:00 2001 From: David Brown Date: Mon, 8 Feb 2021 16:31:46 -0700 Subject: [PATCH 19/37] Add PSA config for ChaCha20 Add checks for PSA_WANT_KEY_TYPE_CHACHA20, both with and without MBEDTLS_PSA_CRYPTO_CONFIG. This only adds support for the ciphers itself, presumably as a stream cipher (and not yet AEAD). Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 14 ++++++++++++++ 1 file changed, 14 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index b6bc6f3e0..76db6c713 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -266,6 +266,13 @@ extern "C" { #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_DES */ +#if defined(PSA_WANT_KEY_TYPE_CHACHA20) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 +#define MBEDTLS_CHACHA20_C +#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */ +#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ + #if defined(PSA_WANT_ALG_STREAM_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif /* PSA_WANT_ALG_STREAM_CIPHER */ @@ -483,6 +490,13 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #endif +#if defined(MBEDTLS_CHACHA20_C) +#define PSA_WANT_KEY_TYPE_CHACHA20 1 +#define PSA_WANT_ALG_STREAM_CIPHER 1 +#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 +#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 +#endif + #if defined(MBEDTLS_CIPHER_MODE_CBC) #define PSA_WANT_ALG_CBC_NO_PADDING 1 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) From ac4fa07fa3d00480855d593d10ca251a29f89a7c Mon Sep 17 00:00:00 2001 From: David Brown Date: Mon, 8 Feb 2021 16:47:35 -0700 Subject: [PATCH 20/37] Add PSA config support for ChaCha20+Poly1305 Add checks for PSA_WANT_ALG_CHACHA20_POLY1305. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 76db6c713..0ef1c954f 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -360,6 +360,14 @@ extern "C" { #endif #endif /* PSA_WANT_ALG_CBC_PKCS7 */ +#if defined(PSA_WANT_ALG_CHACHA20_POLY1305) +#if defined(PSA_WANT_KEY_TYPE_CHACHA20) +#define MBEDTLS_CHACHAPOLY_C +#else /* not PSA_WANT_KEY_TYPE_CHACHA20 */ +#error "PSA_WANT_ALG_CHACHA20_POLY1305 requires PSA_WANT_KEY_TYPE_CHACHA20" +#endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ +#endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ + #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ /* @@ -495,6 +503,9 @@ extern "C" { #define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 +#if defined(MBEDTLS_CHACHAPOLY_C) +#define PSA_WANT_ALG_CHACHA20_POLY1305 1 +#endif #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) From 18658a78969dd9e9aece3d4f06521c95a18f8501 Mon Sep 17 00:00:00 2001 From: David Brown Date: Mon, 8 Feb 2021 19:37:40 -0700 Subject: [PATCH 21/37] Disable error on CHACHAPOLY misconfiguration As the test tries this in multiple configurations, an #error here will fail CI. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 0ef1c954f..6612a108b 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -364,7 +364,7 @@ extern "C" { #if defined(PSA_WANT_KEY_TYPE_CHACHA20) #define MBEDTLS_CHACHAPOLY_C #else /* not PSA_WANT_KEY_TYPE_CHACHA20 */ -#error "PSA_WANT_ALG_CHACHA20_POLY1305 requires PSA_WANT_KEY_TYPE_CHACHA20" +// #error "PSA_WANT_ALG_CHACHA20_POLY1305 requires PSA_WANT_KEY_TYPE_CHACHA20" #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ From e1f91f07cd55cc083ff7c30f4435484e53f40fa9 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 15:56:22 -0700 Subject: [PATCH 22/37] Consolidate PSA ifdefs for block ciphers Combine some separate ifdef blocks to make it clearer when various internal values are defined. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 35 +++++++++++++++-------------------- 1 file changed, 15 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 6612a108b..93e3b5f34 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -236,11 +236,14 @@ extern "C" { #endif #if defined(PSA_WANT_KEY_TYPE_AES) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) || \ +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) +#define PSA_HAVE_SOFT_KEY_TYPE_AES 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ +#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #define MBEDTLS_AES_C -#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */ +#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_AES */ #if defined(PSA_WANT_KEY_TYPE_ARC4) @@ -251,19 +254,25 @@ extern "C" { #endif /* PSA_WANT_KEY_TYPE_ARC4 */ #if defined(PSA_WANT_KEY_TYPE_CAMELLIA) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) || \ +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) +#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */ +#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \ defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1 #define MBEDTLS_CAMELLIA_C -#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */ +#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ #if defined(PSA_WANT_KEY_TYPE_DES) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) || \ +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) +#define PSA_HAVE_SOFT_KEY_TYPE_DES 1 +#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DES */ +#if defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ defined(PSA_HAVE_SOFT_BLOCK_MODE) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES 1 #define MBEDTLS_DES_C -#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */ +#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_DES */ #if defined(PSA_WANT_KEY_TYPE_CHACHA20) @@ -277,20 +286,6 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif /* PSA_WANT_ALG_STREAM_CIPHER */ -/* The MBEDTLS_PSA_HAVE_SOFT_KEY_TYPE_* are defined if a key type is selected, - * but we aren't configured to accelerate this key type. */ -#if defined(PSA_WANT_KEY_TYPE_AES) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES) -#define PSA_HAVE_SOFT_KEY_TYPE_AES 1 -#endif - -#if defined(PSA_WANT_KEY_TYPE_DES) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) -#define PSA_HAVE_SOFT_KEY_TYPE_DES 1 -#endif - -#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) && !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA) -#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1 -#endif - #if defined(PSA_WANT_ALG_CTR) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ From f84a0f691efdea579866be40fbf04c8e07856c6e Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 15:59:41 -0700 Subject: [PATCH 23/37] Simplify block cipher PSA definitions If any of the software block ciphers are selected, define an internal macro to indicate this. This eliminates some redundancy that needs to check for this. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 25 +++++++++++++------------ 1 file changed, 13 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 93e3b5f34..9515f05ed 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -282,15 +282,22 @@ extern "C" { #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */ #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ +/* If any of the software block ciphers are selected, define + * PSA_HAVE_SOFT_BLOCK_CIPHER, which can be used in any of these + * situations. */ +#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ + defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) +#define PSA_HAVE_SOFT_BLOCK_CIPHER 1 +#endif + #if defined(PSA_WANT_ALG_STREAM_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #endif /* PSA_WANT_ALG_STREAM_CIPHER */ #if defined(PSA_WANT_ALG_CTR) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CTR) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_CTR 1 #define MBEDTLS_CIPHER_MODE_CTR #endif @@ -298,9 +305,7 @@ extern "C" { #if defined(PSA_WANT_ALG_CFB) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CFB) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_CFB 1 #define MBEDTLS_CIPHER_MODE_CFB #endif @@ -308,9 +313,7 @@ extern "C" { #if defined(PSA_WANT_ALG_OFB) #if !defined(MBEDTLS_PSA_ACCEL_ALG_OFB) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_OFB 1 #define MBEDTLS_CIPHER_MODE_OFB #endif @@ -318,9 +321,7 @@ extern "C" { #if defined(PSA_WANT_ALG_XTS) #if !defined(MBEDTLS_PSA_ACCEL_ALG_XTS) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_XTS 1 #define MBEDTLS_CIPHER_MODE_XTS #endif From 10cb81c0a000d9c37556ffa2a638f435dfde0538 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:10:29 -0700 Subject: [PATCH 24/37] Add some missing MBEDTLS_PSA_BUILTIN_ definitions Add a few instances where the builtin macros for these algorithms were missed. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 9515f05ed..a12b52a85 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -505,6 +505,7 @@ extern "C" { #endif #if defined(MBEDTLS_CIPHER_MODE_CBC) +#define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 #define PSA_WANT_ALG_CBC_NO_PADDING 1 #if defined(MBEDTLS_CIPHER_PADDING_PKCS7) #define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 @@ -515,6 +516,7 @@ extern "C" { #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ defined(MBEDTLS_CAMELLIA_C) #define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 +#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #endif From fc46818eebd1ad98bde040a5bbc548b419b5c930 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:23:34 -0700 Subject: [PATCH 25/37] Cleanup PSA ifdefs for CBC block mode Try to make these definitions clearer given the complexity of the mapping between the PSA config options and the MBEDTLS ones. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 12 +++--------- 1 file changed, 3 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index a12b52a85..b085500bb 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -333,26 +333,20 @@ extern "C" { #if defined(PSA_WANT_ALG_CBC_NO_PADDING) || defined(PSA_WANT_ALG_CBC_PKCS7) #define MBEDTLS_CIPHER_MODE_CBC -#if defined(PSA_WANT_ALG_CBC_PKCS7) -#define MBEDTLS_CIPHER_PADDING_PKCS7 -#endif /* PSA_WANT_ALG_CBC_PKCS7 */ #endif /* PSA_WANT_ALG_CBC_NO_PADDING || PSA_WANT_ALG_CBC_PKCS7 */ #if defined(PSA_WANT_ALG_CBC_NO_PADDING) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 #endif #endif /* PSA_WANT_ALG_CBC_NO_PADDING */ #if defined(PSA_WANT_ALG_CBC_PKCS7) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_DES) || \ - defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 +#define MBEDTLS_CIPHER_PADDING_PKCS7 #endif #endif /* PSA_WANT_ALG_CBC_PKCS7 */ From 86730a8d50f3b823dd2953218f6c2cbe4d65b100 Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:24:11 -0700 Subject: [PATCH 26/37] Add missing MBEDTLS_PSA_BUILTIN for ChaCha20-Poly1305 Add these missing definitions when this configration is chosen. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index b085500bb..1e63872e2 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -353,6 +353,7 @@ extern "C" { #if defined(PSA_WANT_ALG_CHACHA20_POLY1305) #if defined(PSA_WANT_KEY_TYPE_CHACHA20) #define MBEDTLS_CHACHAPOLY_C +#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 #else /* not PSA_WANT_KEY_TYPE_CHACHA20 */ // #error "PSA_WANT_ALG_CHACHA20_POLY1305 requires PSA_WANT_KEY_TYPE_CHACHA20" #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ @@ -495,6 +496,7 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 #if defined(MBEDTLS_CHACHAPOLY_C) #define PSA_WANT_ALG_CHACHA20_POLY1305 1 +#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 #endif #endif From 9f3e7749d9e4bd9be36319c51e7e113ad2a60dff Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:27:19 -0700 Subject: [PATCH 27/37] Revert "Change some examples to use new PSA crypto config" This reverts commit 4192e9a90c210005f6b558ec51c6a694c902b51d. Converting conditional compliation for PSA configuration will come later. Signed-off-by: David Brown --- programs/psa/crypto_examples.c | 6 +++--- programs/psa/key_ladder_demo.c | 6 +++--- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/programs/psa/crypto_examples.c b/programs/psa/crypto_examples.c index e9323a5b2..935d657af 100644 --- a/programs/psa/crypto_examples.c +++ b/programs/psa/crypto_examples.c @@ -43,13 +43,13 @@ } \ } while ( 0 ) -#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(PSA_WANT_KEY_TYPE_AES) || \ +#if !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_AES_C) || \ !defined(MBEDTLS_CIPHER_MODE_CBC) || !defined(MBEDTLS_CIPHER_MODE_CTR) || \ !defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) || \ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) int main( void ) { - printf( "MBEDTLS_PSA_CRYPTO_C and/or PSA_WANT_KEY_TYPE_AES and/or " + printf( "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_AES_C and/or " "MBEDTLS_CIPHER_MODE_CBC and/or MBEDTLS_CIPHER_MODE_CTR " "and/or MBEDTLS_CIPHER_MODE_WITH_PADDING " "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER" @@ -327,5 +327,5 @@ exit: mbedtls_psa_crypto_free( ); return( 0 ); } -#endif /* MBEDTLS_PSA_CRYPTO_C && PSA_WANT_KEY_TYPE_AES && MBEDTLS_CIPHER_MODE_CBC && +#endif /* MBEDTLS_PSA_CRYPTO_C && MBEDTLS_AES_C && MBEDTLS_CIPHER_MODE_CBC && MBEDTLS_CIPHER_MODE_CTR && MBEDTLS_CIPHER_MODE_WITH_PADDING */ diff --git a/programs/psa/key_ladder_demo.c b/programs/psa/key_ladder_demo.c index 2abb1b89f..47d5de642 100644 --- a/programs/psa/key_ladder_demo.c +++ b/programs/psa/key_ladder_demo.c @@ -66,13 +66,13 @@ /* If the build options we need are not enabled, compile a placeholder. */ #if !defined(MBEDTLS_SHA256_C) || !defined(MBEDTLS_MD_C) || \ - !defined(PSA_WANT_KEY_TYPE_AES) || !defined(MBEDTLS_CCM_C) || \ + !defined(MBEDTLS_AES_C) || !defined(MBEDTLS_CCM_C) || \ !defined(MBEDTLS_PSA_CRYPTO_C) || !defined(MBEDTLS_FS_IO) || \ defined(MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER) int main( void ) { printf( "MBEDTLS_SHA256_C and/or MBEDTLS_MD_C and/or " - "PSA_WANT_KEY_TYPE_AES and/or MBEDTLS_CCM_C and/or " + "MBEDTLS_AES_C and/or MBEDTLS_CCM_C and/or " "MBEDTLS_PSA_CRYPTO_C and/or MBEDTLS_FS_IO " "not defined and/or MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER " "defined.\n" ); @@ -695,4 +695,4 @@ usage_failure: usage( ); return( EXIT_FAILURE ); } -#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && PSA_WANT_KEY_TYPE_AES && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */ +#endif /* MBEDTLS_SHA256_C && MBEDTLS_MD_C && MBEDTLS_AES_C && MBEDTLS_CCM_C && MBEDTLS_PSA_CRYPTO_C && MBEDTLS_FS_IO */ From 288a96e16951f05d06f0fabdba65522bf597bb0b Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:27:55 -0700 Subject: [PATCH 28/37] Fix mistyped endif comment Correct the endif comment to match the condition used in the ifdef. Signed-off-by: David Brown --- library/psa_crypto.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 7f201f6c6..18f98c036 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3915,7 +3915,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, } if( ret != 0 ) goto exit; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || MBEDTLS_PADDING_PKCS7 */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */ operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 : PSA_BLOCK_CIPHER_BLOCK_LENGTH( slot->attr.type ) ); From 7807bf740499fb785d687879c6ee85f0af80373a Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 9 Feb 2021 16:28:23 -0700 Subject: [PATCH 29/37] Use proper conditional for software DES When converting definitions to use the new PSA defines, one erroneously was conditionalized on the WANT macro instead of on the BUILTIN macro. Signed-off-by: David Brown --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 18f98c036..9b3305f55 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5063,7 +5063,7 @@ exit: return( status ); } -#if defined(PSA_WANT_KEY_TYPE_DES) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) { if( data_size >= 8 ) @@ -5073,7 +5073,7 @@ static void psa_des_set_key_parity( uint8_t *data, size_t data_size ) if( data_size >= 24 ) mbedtls_des_key_set_parity( data + 16 ); } -#endif /* PSA_WANT_KEY_TYPE_DES */ +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ static psa_status_t psa_generate_derived_key_internal( psa_key_slot_t *slot, From 8de6437bb630387d79cb8b71dda5aefbc6c7b48d Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 11 Feb 2021 10:53:23 -0700 Subject: [PATCH 30/37] Cleanup PSA CBC padding defines Only define MBEDTLS_CIPHER_MODE_CBC if one of the CBC modes is requested and everything isn't covered by an accelerated version. This keeps this from being defined in cases where everything needed would be accelerated. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 1e63872e2..20eda77e1 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -331,13 +331,10 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 #endif -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) || defined(PSA_WANT_ALG_CBC_PKCS7) -#define MBEDTLS_CIPHER_MODE_CBC -#endif /* PSA_WANT_ALG_CBC_NO_PADDING || PSA_WANT_ALG_CBC_PKCS7 */ - #if defined(PSA_WANT_ALG_CBC_NO_PADDING) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) || \ defined(PSA_HAVE_SOFT_BLOCK_CIPHER) +#define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING 1 #endif #endif /* PSA_WANT_ALG_CBC_NO_PADDING */ @@ -345,6 +342,7 @@ extern "C" { #if defined(PSA_WANT_ALG_CBC_PKCS7) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) || \ defined(PSA_HAVE_SOFT_BLOCK_CIPHER) +#define MBEDTLS_CIPHER_MODE_CBC #define MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 1 #define MBEDTLS_CIPHER_PADDING_PKCS7 #endif From be380c1e0f3bb4e6d95f15936a021c42fbcc18cf Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 11 Feb 2021 10:55:48 -0700 Subject: [PATCH 31/37] Remove incorrect PSA ECB definition There is no PSA ALG_ECB, only ALG_ECB_NO_PADDING. Fix one incorrect declaration, and remove another that is just redundant. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 20eda77e1..edf1755be 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -328,7 +328,7 @@ extern "C" { #endif /* PSA_WANT_ALG_XTS */ #if defined(PSA_WANT_ALG_ECB_NO_PADDING) -#define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 +#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1 #endif #if defined(PSA_WANT_ALG_CBC_NO_PADDING) @@ -509,7 +509,6 @@ extern "C" { #if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \ defined(MBEDTLS_CAMELLIA_C) -#define MBEDTLS_PSA_BUILTIN_ALG_ECB 1 #define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #endif From db01e0271f12f135d3ad1aa1df36c36cf64294ce Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 11 Feb 2021 10:56:37 -0700 Subject: [PATCH 32/37] Remove an unnecessary #else and commented line With the else branch commented out, both lines are unnecessary. We could check for the invalid configuration in the future, once tests were made to exclude this combination. Signed-off-by: David Brown --- include/mbedtls/config_psa.h | 2 -- 1 file changed, 2 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index edf1755be..703a03321 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -352,8 +352,6 @@ extern "C" { #if defined(PSA_WANT_KEY_TYPE_CHACHA20) #define MBEDTLS_CHACHAPOLY_C #define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 -#else /* not PSA_WANT_KEY_TYPE_CHACHA20 */ -// #error "PSA_WANT_ALG_CHACHA20_POLY1305 requires PSA_WANT_KEY_TYPE_CHACHA20" #endif /* PSA_WANT_KEY_TYPE_CHACHA20 */ #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ From 12ca50307f0335416fd445688a3ea58495f4fad9 Mon Sep 17 00:00:00 2001 From: David Brown Date: Thu, 11 Feb 2021 11:02:00 -0700 Subject: [PATCH 33/37] Change some conditionals of PSA to use BUILTIN Change a few conditionals in the psa library to be based on the MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES instead of the WANT macros. Future additions of HW acceleration will need to be mindful of these definitions if any of this code is needed in those instances. Signed-off-by: David Brown --- library/psa_crypto.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9b3305f55..d7a14d3a4 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3875,7 +3875,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, if( ret != 0 ) goto exit; -#if defined(PSA_WANT_KEY_TYPE_DES) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES && key_bits == 128 ) { /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ @@ -5095,7 +5095,7 @@ static psa_status_t psa_generate_derived_key_internal( status = psa_key_derivation_output_bytes( operation, data, bytes ); if( status != PSA_SUCCESS ) goto exit; -#if defined(PSA_WANT_KEY_TYPE_DES) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( data, bytes ); #endif /* PSA_WANT_KEY_TYPE_DES */ @@ -6029,7 +6029,7 @@ psa_status_t psa_generate_key_internal( if( status != PSA_SUCCESS ) return( status ); -#if defined(PSA_WANT_KEY_TYPE_DES) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( key_buffer, key_buffer_size ); #endif /* MBEDTLS_DES_C */ From 8107e31b74db65b13d130b98dd9c159c0212bbb4 Mon Sep 17 00:00:00 2001 From: David Brown Date: Fri, 12 Feb 2021 08:08:46 -0700 Subject: [PATCH 34/37] Fix 2 endif comments Two endif comments didn't match the ifdef. Fix these to match. Signed-off-by: David Brown --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index d7a14d3a4..9a51f00a9 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -5098,7 +5098,7 @@ static psa_status_t psa_generate_derived_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( slot->attr.type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( data, bytes ); -#endif /* PSA_WANT_KEY_TYPE_DES */ +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ status = psa_allocate_buffer_to_slot( slot, bytes ); if( status != PSA_SUCCESS ) @@ -6032,7 +6032,7 @@ psa_status_t psa_generate_key_internal( #if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) if( type == PSA_KEY_TYPE_DES ) psa_des_set_key_parity( key_buffer, key_buffer_size ); -#endif /* MBEDTLS_DES_C */ +#endif /* MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES */ } else From 1bfe4d7fcafbe9b816e815283b682b507009a9ed Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 16 Feb 2021 12:54:35 -0700 Subject: [PATCH 35/37] Use new PSA builtin defines for CHACHA20 Change the psa_crypto use of the CHACHA20 cipher to also use the new MBEDTLS_PSA_BUILTIN_KE_TYPE_CHACHA20. Signed-off-by: David Brown --- library/psa_crypto.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 9a51f00a9..2eeb215aa 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -519,7 +519,7 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, return( PSA_ERROR_INVALID_ARGUMENT ); break; #endif -#if defined(MBEDTLS_CHACHA20_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) case PSA_KEY_TYPE_CHACHA20: if( bits != 256 ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -3924,7 +3924,7 @@ static psa_status_t psa_cipher_setup( psa_cipher_operation_t *operation, { operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( slot->attr.type ); } -#if defined(MBEDTLS_CHACHA20_C) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) else if( alg == PSA_ALG_STREAM_CIPHER && slot->attr.type == PSA_KEY_TYPE_CHACHA20 ) operation->iv_size = 12; From 9a594e8023076dfee6c79bd5af52ed90e0d0f66a Mon Sep 17 00:00:00 2001 From: David Brown Date: Tue, 16 Feb 2021 12:57:27 -0700 Subject: [PATCH 36/37] Update psa crypto_config to include recent configs Update with CHACHA20_POLY1305, CHACHA20. Add in CTR, which was missing, and move ALG_XTS to its proper location alphabetically. Signed-off-by: David Brown --- include/psa/crypto_config.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index a6cc07a22..9453e81c7 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -53,6 +53,8 @@ #define PSA_WANT_ALG_CBC_NO_PADDING 1 #define PSA_WANT_ALG_CBC_PKCS7 1 #define PSA_WANT_ALG_CFB 1 +#define PSA_WANT_ALG_CHACHA20_POLY1305 1 +#define PSA_WANT_ALG_CTR 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 @@ -76,12 +78,13 @@ #define PSA_WANT_ALG_STREAM_CIPHER 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 -#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_ARC4 1 #define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#define PSA_WANT_KEY_TYPE_CHACHA20 1 #define PSA_WANT_KEY_TYPE_DES 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 #define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 From 7921cceec8cd9733f2c5bc648e5ab7fdcaa5010e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Bence=20Sz=C3=A9pk=C3=BAti?= Date: Wed, 17 Feb 2021 11:46:50 +0100 Subject: [PATCH 37/37] Fix typo in config_psa.h MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The correct macro is PSA_WANT_ALG_CFB Signed-off-by: Bence Szépkúti --- include/mbedtls/config_psa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 703a03321..4ad390d7a 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -224,7 +224,7 @@ extern "C" { * associated HW assist, define PSA_HAVE_SOFT_BLOCK_MODE for checking * in the block cipher key types. */ #if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \ - (defined(PSA_WANT_ALG_CBF) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \ + (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \ (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \ (defined(PSA_WANT_ALG_XTS) && !defined(MBEDTLS_PSA_ACCEL_ALG_XTS)) || \ defined(PSA_WANT_ALG_ECB_NO_PADDING) || \