Merge remote-tracking branch 'upstream/development' into pkcs5_aes_new
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
This commit is contained in:
commit
791fc2e24c
679 changed files with 24422 additions and 17402 deletions
7
.github/pull_request_template.md
vendored
7
.github/pull_request_template.md
vendored
|
@ -18,3 +18,10 @@ Please tick as appropriate and edit the reasons (e.g.: "backport: not needed bec
|
||||||
|
|
||||||
Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the
|
Please refer to the [contributing guidelines](https://github.com/Mbed-TLS/mbedtls/blob/development/CONTRIBUTING.md), especially the
|
||||||
checklist for PR contributors.
|
checklist for PR contributors.
|
||||||
|
|
||||||
|
Help make review efficient:
|
||||||
|
* Multiple simple commits
|
||||||
|
- please structure your PR into a series of small commits, each of which does one thing
|
||||||
|
* Avoid force-push
|
||||||
|
- please do not force-push to update your PR - just add new commit(s)
|
||||||
|
* See our [Guidelines for Contributors](https://mbed-tls.readthedocs.io/en/latest/reviews/review-for-contributors/) for more details about the review process.
|
||||||
|
|
4
.gitignore
vendored
4
.gitignore
vendored
|
@ -63,5 +63,7 @@ massif-*
|
||||||
/cscope*.out
|
/cscope*.out
|
||||||
/tags
|
/tags
|
||||||
|
|
||||||
# Clangd compilation database
|
# clangd compilation database
|
||||||
compile_commands.json
|
compile_commands.json
|
||||||
|
# clangd index files
|
||||||
|
/.cache/clangd/index/
|
||||||
|
|
|
@ -4,19 +4,7 @@
|
||||||
# to Mbed TLS.
|
# to Mbed TLS.
|
||||||
#
|
#
|
||||||
# Copyright The Mbed TLS Contributors
|
# Copyright The Mbed TLS Contributors
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
|
|
||||||
|
|
||||||
# Wrap lines at 100 characters
|
# Wrap lines at 100 characters
|
||||||
|
|
2
3rdparty/Makefile.inc
vendored
2
3rdparty/Makefile.inc
vendored
|
@ -1,3 +1,3 @@
|
||||||
THIRDPARTY_DIR = $(dir $(word 2, $(MAKEFILE_LIST)))
|
THIRDPARTY_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
|
||||||
include $(THIRDPARTY_DIR)/everest/Makefile.inc
|
include $(THIRDPARTY_DIR)/everest/Makefile.inc
|
||||||
include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
|
include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
|
||||||
|
|
4
3rdparty/p256-m/README.md
vendored
4
3rdparty/p256-m/README.md
vendored
|
@ -1,4 +1,4 @@
|
||||||
The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m), which is distributed under the Apache 2.0 license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
|
The files within the `p256-m/` subdirectory originate from the [p256-m GitHub repository](https://github.com/mpg/p256-m). They are distributed here under a dual Apache-2.0 OR GPL-2.0-or-later license. They are authored by Manuel Pégourié-Gonnard. p256-m is a minimalistic implementation of ECDH and ECDSA on NIST P-256, especially suited to constrained 32-bit environments. Mbed TLS documentation for integrating drivers uses p256-m as an example of a software accelerator, and describes how it can be integrated alongside Mbed TLS. It should be noted that p256-m files in the Mbed TLS repo will not be updated regularly, so they may not have fixes and improvements present in the upstream project.
|
||||||
|
|
||||||
The files `p256-m.c` and `.h`, along with the license, have been taken from the `p256-m` repository.
|
The files `p256-m.c`, `p256-m.h` and `README.md` have been taken from the `p256-m` repository.
|
||||||
It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
|
It should be noted that p256-m deliberately does not supply its own cryptographically secure RNG function. As a result, the PSA RNG is used, with `p256_generate_random()` wrapping `psa_generate_random()`.
|
||||||
|
|
202
3rdparty/p256-m/p256-m/LICENSE
vendored
202
3rdparty/p256-m/p256-m/LICENSE
vendored
|
@ -1,202 +0,0 @@
|
||||||
|
|
||||||
Apache License
|
|
||||||
Version 2.0, January 2004
|
|
||||||
http://www.apache.org/licenses/
|
|
||||||
|
|
||||||
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
|
|
||||||
|
|
||||||
1. Definitions.
|
|
||||||
|
|
||||||
"License" shall mean the terms and conditions for use, reproduction,
|
|
||||||
and distribution as defined by Sections 1 through 9 of this document.
|
|
||||||
|
|
||||||
"Licensor" shall mean the copyright owner or entity authorized by
|
|
||||||
the copyright owner that is granting the License.
|
|
||||||
|
|
||||||
"Legal Entity" shall mean the union of the acting entity and all
|
|
||||||
other entities that control, are controlled by, or are under common
|
|
||||||
control with that entity. For the purposes of this definition,
|
|
||||||
"control" means (i) the power, direct or indirect, to cause the
|
|
||||||
direction or management of such entity, whether by contract or
|
|
||||||
otherwise, or (ii) ownership of fifty percent (50%) or more of the
|
|
||||||
outstanding shares, or (iii) beneficial ownership of such entity.
|
|
||||||
|
|
||||||
"You" (or "Your") shall mean an individual or Legal Entity
|
|
||||||
exercising permissions granted by this License.
|
|
||||||
|
|
||||||
"Source" form shall mean the preferred form for making modifications,
|
|
||||||
including but not limited to software source code, documentation
|
|
||||||
source, and configuration files.
|
|
||||||
|
|
||||||
"Object" form shall mean any form resulting from mechanical
|
|
||||||
transformation or translation of a Source form, including but
|
|
||||||
not limited to compiled object code, generated documentation,
|
|
||||||
and conversions to other media types.
|
|
||||||
|
|
||||||
"Work" shall mean the work of authorship, whether in Source or
|
|
||||||
Object form, made available under the License, as indicated by a
|
|
||||||
copyright notice that is included in or attached to the work
|
|
||||||
(an example is provided in the Appendix below).
|
|
||||||
|
|
||||||
"Derivative Works" shall mean any work, whether in Source or Object
|
|
||||||
form, that is based on (or derived from) the Work and for which the
|
|
||||||
editorial revisions, annotations, elaborations, or other modifications
|
|
||||||
represent, as a whole, an original work of authorship. For the purposes
|
|
||||||
of this License, Derivative Works shall not include works that remain
|
|
||||||
separable from, or merely link (or bind by name) to the interfaces of,
|
|
||||||
the Work and Derivative Works thereof.
|
|
||||||
|
|
||||||
"Contribution" shall mean any work of authorship, including
|
|
||||||
the original version of the Work and any modifications or additions
|
|
||||||
to that Work or Derivative Works thereof, that is intentionally
|
|
||||||
submitted to Licensor for inclusion in the Work by the copyright owner
|
|
||||||
or by an individual or Legal Entity authorized to submit on behalf of
|
|
||||||
the copyright owner. For the purposes of this definition, "submitted"
|
|
||||||
means any form of electronic, verbal, or written communication sent
|
|
||||||
to the Licensor or its representatives, including but not limited to
|
|
||||||
communication on electronic mailing lists, source code control systems,
|
|
||||||
and issue tracking systems that are managed by, or on behalf of, the
|
|
||||||
Licensor for the purpose of discussing and improving the Work, but
|
|
||||||
excluding communication that is conspicuously marked or otherwise
|
|
||||||
designated in writing by the copyright owner as "Not a Contribution."
|
|
||||||
|
|
||||||
"Contributor" shall mean Licensor and any individual or Legal Entity
|
|
||||||
on behalf of whom a Contribution has been received by Licensor and
|
|
||||||
subsequently incorporated within the Work.
|
|
||||||
|
|
||||||
2. Grant of Copyright License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
copyright license to reproduce, prepare Derivative Works of,
|
|
||||||
publicly display, publicly perform, sublicense, and distribute the
|
|
||||||
Work and such Derivative Works in Source or Object form.
|
|
||||||
|
|
||||||
3. Grant of Patent License. Subject to the terms and conditions of
|
|
||||||
this License, each Contributor hereby grants to You a perpetual,
|
|
||||||
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
|
|
||||||
(except as stated in this section) patent license to make, have made,
|
|
||||||
use, offer to sell, sell, import, and otherwise transfer the Work,
|
|
||||||
where such license applies only to those patent claims licensable
|
|
||||||
by such Contributor that are necessarily infringed by their
|
|
||||||
Contribution(s) alone or by combination of their Contribution(s)
|
|
||||||
with the Work to which such Contribution(s) was submitted. If You
|
|
||||||
institute patent litigation against any entity (including a
|
|
||||||
cross-claim or counterclaim in a lawsuit) alleging that the Work
|
|
||||||
or a Contribution incorporated within the Work constitutes direct
|
|
||||||
or contributory patent infringement, then any patent licenses
|
|
||||||
granted to You under this License for that Work shall terminate
|
|
||||||
as of the date such litigation is filed.
|
|
||||||
|
|
||||||
4. Redistribution. You may reproduce and distribute copies of the
|
|
||||||
Work or Derivative Works thereof in any medium, with or without
|
|
||||||
modifications, and in Source or Object form, provided that You
|
|
||||||
meet the following conditions:
|
|
||||||
|
|
||||||
(a) You must give any other recipients of the Work or
|
|
||||||
Derivative Works a copy of this License; and
|
|
||||||
|
|
||||||
(b) You must cause any modified files to carry prominent notices
|
|
||||||
stating that You changed the files; and
|
|
||||||
|
|
||||||
(c) You must retain, in the Source form of any Derivative Works
|
|
||||||
that You distribute, all copyright, patent, trademark, and
|
|
||||||
attribution notices from the Source form of the Work,
|
|
||||||
excluding those notices that do not pertain to any part of
|
|
||||||
the Derivative Works; and
|
|
||||||
|
|
||||||
(d) If the Work includes a "NOTICE" text file as part of its
|
|
||||||
distribution, then any Derivative Works that You distribute must
|
|
||||||
include a readable copy of the attribution notices contained
|
|
||||||
within such NOTICE file, excluding those notices that do not
|
|
||||||
pertain to any part of the Derivative Works, in at least one
|
|
||||||
of the following places: within a NOTICE text file distributed
|
|
||||||
as part of the Derivative Works; within the Source form or
|
|
||||||
documentation, if provided along with the Derivative Works; or,
|
|
||||||
within a display generated by the Derivative Works, if and
|
|
||||||
wherever such third-party notices normally appear. The contents
|
|
||||||
of the NOTICE file are for informational purposes only and
|
|
||||||
do not modify the License. You may add Your own attribution
|
|
||||||
notices within Derivative Works that You distribute, alongside
|
|
||||||
or as an addendum to the NOTICE text from the Work, provided
|
|
||||||
that such additional attribution notices cannot be construed
|
|
||||||
as modifying the License.
|
|
||||||
|
|
||||||
You may add Your own copyright statement to Your modifications and
|
|
||||||
may provide additional or different license terms and conditions
|
|
||||||
for use, reproduction, or distribution of Your modifications, or
|
|
||||||
for any such Derivative Works as a whole, provided Your use,
|
|
||||||
reproduction, and distribution of the Work otherwise complies with
|
|
||||||
the conditions stated in this License.
|
|
||||||
|
|
||||||
5. Submission of Contributions. Unless You explicitly state otherwise,
|
|
||||||
any Contribution intentionally submitted for inclusion in the Work
|
|
||||||
by You to the Licensor shall be under the terms and conditions of
|
|
||||||
this License, without any additional terms or conditions.
|
|
||||||
Notwithstanding the above, nothing herein shall supersede or modify
|
|
||||||
the terms of any separate license agreement you may have executed
|
|
||||||
with Licensor regarding such Contributions.
|
|
||||||
|
|
||||||
6. Trademarks. This License does not grant permission to use the trade
|
|
||||||
names, trademarks, service marks, or product names of the Licensor,
|
|
||||||
except as required for reasonable and customary use in describing the
|
|
||||||
origin of the Work and reproducing the content of the NOTICE file.
|
|
||||||
|
|
||||||
7. Disclaimer of Warranty. Unless required by applicable law or
|
|
||||||
agreed to in writing, Licensor provides the Work (and each
|
|
||||||
Contributor provides its Contributions) on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
|
|
||||||
implied, including, without limitation, any warranties or conditions
|
|
||||||
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
|
|
||||||
PARTICULAR PURPOSE. You are solely responsible for determining the
|
|
||||||
appropriateness of using or redistributing the Work and assume any
|
|
||||||
risks associated with Your exercise of permissions under this License.
|
|
||||||
|
|
||||||
8. Limitation of Liability. In no event and under no legal theory,
|
|
||||||
whether in tort (including negligence), contract, or otherwise,
|
|
||||||
unless required by applicable law (such as deliberate and grossly
|
|
||||||
negligent acts) or agreed to in writing, shall any Contributor be
|
|
||||||
liable to You for damages, including any direct, indirect, special,
|
|
||||||
incidental, or consequential damages of any character arising as a
|
|
||||||
result of this License or out of the use or inability to use the
|
|
||||||
Work (including but not limited to damages for loss of goodwill,
|
|
||||||
work stoppage, computer failure or malfunction, or any and all
|
|
||||||
other commercial damages or losses), even if such Contributor
|
|
||||||
has been advised of the possibility of such damages.
|
|
||||||
|
|
||||||
9. Accepting Warranty or Additional Liability. While redistributing
|
|
||||||
the Work or Derivative Works thereof, You may choose to offer,
|
|
||||||
and charge a fee for, acceptance of support, warranty, indemnity,
|
|
||||||
or other liability obligations and/or rights consistent with this
|
|
||||||
License. However, in accepting such obligations, You may act only
|
|
||||||
on Your own behalf and on Your sole responsibility, not on behalf
|
|
||||||
of any other Contributor, and only if You agree to indemnify,
|
|
||||||
defend, and hold each Contributor harmless for any liability
|
|
||||||
incurred by, or claims asserted against, such Contributor by reason
|
|
||||||
of your accepting any such warranty or additional liability.
|
|
||||||
|
|
||||||
END OF TERMS AND CONDITIONS
|
|
||||||
|
|
||||||
APPENDIX: How to apply the Apache License to your work.
|
|
||||||
|
|
||||||
To apply the Apache License to your work, attach the following
|
|
||||||
boilerplate notice, with the fields enclosed by brackets "[]"
|
|
||||||
replaced with your own identifying information. (Don't include
|
|
||||||
the brackets!) The text should be enclosed in the appropriate
|
|
||||||
comment syntax for the file format. We also recommend that a
|
|
||||||
file or class name and description of purpose be included on the
|
|
||||||
same "printed page" as the copyright notice for easier
|
|
||||||
identification within third-party archives.
|
|
||||||
|
|
||||||
Copyright [yyyy] [name of copyright owner]
|
|
||||||
|
|
||||||
Licensed under the Apache License, Version 2.0 (the "License");
|
|
||||||
you may not use this file except in compliance with the License.
|
|
||||||
You may obtain a copy of the License at
|
|
||||||
|
|
||||||
http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
|
|
||||||
Unless required by applicable law or agreed to in writing, software
|
|
||||||
distributed under the License is distributed on an "AS IS" BASIS,
|
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
See the License for the specific language governing permissions and
|
|
||||||
limitations under the License.
|
|
2
3rdparty/p256-m/p256-m/p256-m.c
vendored
2
3rdparty/p256-m/p256-m/p256-m.c
vendored
|
@ -3,7 +3,7 @@
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* Author: Manuel Pégourié-Gonnard.
|
* Author: Manuel Pégourié-Gonnard.
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "p256-m.h"
|
#include "p256-m.h"
|
||||||
|
|
2
3rdparty/p256-m/p256-m/p256-m.h
vendored
2
3rdparty/p256-m/p256-m/p256-m.h
vendored
|
@ -3,7 +3,7 @@
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* Author: Manuel Pégourié-Gonnard.
|
* Author: Manuel Pégourié-Gonnard.
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*/
|
*/
|
||||||
#ifndef P256_M_H
|
#ifndef P256_M_H
|
||||||
#define P256_M_H
|
#define P256_M_H
|
||||||
|
|
14
3rdparty/p256-m/p256-m_driver_entrypoints.c
vendored
14
3rdparty/p256-m/p256-m_driver_entrypoints.c
vendored
|
@ -3,19 +3,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "mbedtls/platform.h"
|
#include "mbedtls/platform.h"
|
||||||
|
|
14
3rdparty/p256-m/p256-m_driver_entrypoints.h
vendored
14
3rdparty/p256-m/p256-m_driver_entrypoints.h
vendored
|
@ -3,19 +3,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef P256M_DRIVER_ENTRYPOINTS_H
|
#ifndef P256M_DRIVER_ENTRYPOINTS_H
|
||||||
|
|
|
@ -106,6 +106,6 @@ The following branches are currently maintained:
|
||||||
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
|
- [`development`](https://github.com/Mbed-TLS/mbedtls/)
|
||||||
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
|
- [`mbedtls-2.28`](https://github.com/Mbed-TLS/mbedtls/tree/mbedtls-2.28)
|
||||||
maintained until at least the end of 2024, see
|
maintained until at least the end of 2024, see
|
||||||
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.5>.
|
<https://github.com/Mbed-TLS/mbedtls/releases/tag/v2.28.7>.
|
||||||
|
|
||||||
Users are urged to always use the latest version of a maintained branch.
|
Users are urged to always use the latest version of a maintained branch.
|
||||||
|
|
|
@ -117,7 +117,7 @@ endif()
|
||||||
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
|
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
|
||||||
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
|
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
|
||||||
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
|
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
|
||||||
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
|
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
|
||||||
FORCE)
|
FORCE)
|
||||||
endif()
|
endif()
|
||||||
|
|
||||||
|
@ -212,6 +212,8 @@ if(CMAKE_COMPILER_IS_GNU)
|
||||||
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
|
||||||
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
|
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
|
||||||
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
||||||
|
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
|
||||||
|
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
||||||
set(CMAKE_C_FLAGS_CHECK "-Os")
|
set(CMAKE_C_FLAGS_CHECK "-Os")
|
||||||
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
|
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
|
||||||
endif(CMAKE_COMPILER_IS_GNU)
|
endif(CMAKE_COMPILER_IS_GNU)
|
||||||
|
@ -225,6 +227,8 @@ if(CMAKE_COMPILER_IS_CLANG)
|
||||||
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
||||||
set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
|
set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
|
||||||
set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
|
set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
|
||||||
|
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
|
||||||
|
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
|
||||||
set(CMAKE_C_FLAGS_CHECK "-Os")
|
set(CMAKE_C_FLAGS_CHECK "-Os")
|
||||||
endif(CMAKE_COMPILER_IS_CLANG)
|
endif(CMAKE_COMPILER_IS_CLANG)
|
||||||
|
|
||||||
|
@ -377,7 +381,7 @@ if(NOT DISABLE_PACKAGE_CONFIG_AND_INSTALL)
|
||||||
write_basic_package_version_file(
|
write_basic_package_version_file(
|
||||||
"cmake/MbedTLSConfigVersion.cmake"
|
"cmake/MbedTLSConfigVersion.cmake"
|
||||||
COMPATIBILITY SameMajorVersion
|
COMPATIBILITY SameMajorVersion
|
||||||
VERSION 3.5.0)
|
VERSION 3.5.2)
|
||||||
|
|
||||||
install(
|
install(
|
||||||
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
|
||||||
|
|
|
@ -84,11 +84,11 @@ Mbed TLS is well documented, but if you think documentation is needed, speak out
|
||||||
License and Copyright
|
License and Copyright
|
||||||
---------------------
|
---------------------
|
||||||
|
|
||||||
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license.
|
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses. This means that users may choose which of these licenses they take the code under.
|
||||||
|
|
||||||
Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses. This enables LTS (Long Term Support) branches of the software to be provided under either the Apache-2.0 or GPL-2.0-or-later licenses.
|
Contributors must accept that their contributions are made under both the Apache-2.0 AND [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) licenses.
|
||||||
|
|
||||||
All new files should include the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) standard license header where possible.
|
All new files should include the standard SPDX license identifier where possible, i.e. "SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later".
|
||||||
|
|
||||||
The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors".
|
The copyright on contributions is retained by the original authors of the code. Where possible for new files, this should be noted in a comment at the top of the file in the form: "Copyright The Mbed TLS Contributors".
|
||||||
|
|
||||||
|
|
29
ChangeLog
29
ChangeLog
|
@ -1,12 +1,37 @@
|
||||||
Mbed TLS ChangeLog (Sorted per branch, date)
|
Mbed TLS ChangeLog (Sorted per branch, date)
|
||||||
|
|
||||||
|
= Mbed TLS 3.5.2 branch released 2024-01-26
|
||||||
|
|
||||||
|
Security
|
||||||
|
* Fix a timing side channel in private key RSA operations. This side channel
|
||||||
|
could be sufficient for an attacker to recover the plaintext. A local
|
||||||
|
attacker or a remote attacker who is close to the victim on the network
|
||||||
|
might have precise enough timing measurements to exploit this. It requires
|
||||||
|
the attacker to send a large number of messages for decryption. For
|
||||||
|
details, see "Everlasting ROBOT: the Marvin Attack", Hubert Kario. Reported
|
||||||
|
by Hubert Kario, Red Hat.
|
||||||
|
* Fix a failure to validate input when writing x509 extensions lengths which
|
||||||
|
could result in an integer overflow, causing a zero-length buffer to be
|
||||||
|
allocated to hold the extension. The extension would then be copied into
|
||||||
|
the buffer, causing a heap buffer overflow.
|
||||||
|
|
||||||
|
= Mbed TLS 3.5.1 branch released 2023-11-06
|
||||||
|
|
||||||
|
Changes
|
||||||
|
* Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
|
||||||
|
license. Users may choose which license they take the code under.
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
|
||||||
|
in CMake.
|
||||||
|
|
||||||
= Mbed TLS 3.5.0 branch released 2023-10-05
|
= Mbed TLS 3.5.0 branch released 2023-10-05
|
||||||
|
|
||||||
API changes
|
API changes
|
||||||
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
* Mbed TLS 3.4 introduced support for omitting the built-in implementation
|
||||||
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
of ECDSA and/or EC J-PAKE when those are provided by a driver. However,
|
||||||
their was a flaw in the logic checking if the built-in implementation, in
|
there was a flaw in the logic checking if the built-in implementation, in
|
||||||
that if failed to check if all the relevant curves were supported by the
|
that it failed to check if all the relevant curves were supported by the
|
||||||
accelerator. As a result, it was possible to declare no curves as
|
accelerator. As a result, it was possible to declare no curves as
|
||||||
accelerated and still have the built-in implementation compiled out.
|
accelerated and still have the built-in implementation compiled out.
|
||||||
Starting with this release, it is necessary to declare which curves are
|
Starting with this release, it is necessary to declare which curves are
|
||||||
|
|
3
ChangeLog.d/7764.txt
Normal file
3
ChangeLog.d/7764.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Features
|
||||||
|
* Add functions mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_from_psa()
|
||||||
|
to convert between Mbed TLS and PSA curve identifiers.
|
3
ChangeLog.d/7765.txt
Normal file
3
ChangeLog.d/7765.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Features
|
||||||
|
* Add functions mbedtls_ecdsa_raw_to_der() and mbedtls_ecdsa_der_to_raw() to
|
||||||
|
convert ECDSA signatures between raw and DER (ASN.1) formats.
|
7
ChangeLog.d/8030.txt
Normal file
7
ChangeLog.d/8030.txt
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
Changes
|
||||||
|
* Extended PSA Crypto configurations options for FFDH by making it possible
|
||||||
|
to select only some of the parameters / groups, with the macros
|
||||||
|
PSA_WANT_DH_RFC7919_XXXX. You now need to defined the corresponding macro
|
||||||
|
for each size you want to support. Also, if you have an FFDH accelerator,
|
||||||
|
you'll need to define the appropriate MBEDTLS_PSA_ACCEL macros to signal
|
||||||
|
support for these domain parameters.
|
4
ChangeLog.d/8340.txt
Normal file
4
ChangeLog.d/8340.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Features
|
||||||
|
* Add functions mbedtls_md_psa_alg_from_type() and
|
||||||
|
mbedtls_md_type_from_psa_alg() to convert between mbedtls_md_type_t and
|
||||||
|
psa_algorithm_t.
|
3
ChangeLog.d/8372.txt
Normal file
3
ChangeLog.d/8372.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Features
|
||||||
|
* AES-NI is now supported in Windows builds with clang and clang-cl.
|
||||||
|
Resolves #8372.
|
4
ChangeLog.d/8461.txt
Normal file
4
ChangeLog.d/8461.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix unsupported PSA asymmetric encryption and decryption
|
||||||
|
(psa_asymmetric_[en|de]crypt) with opaque keys.
|
||||||
|
Resolves #8461.
|
6
ChangeLog.d/8482.txt
Normal file
6
ChangeLog.d/8482.txt
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Changes
|
||||||
|
* PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
|
||||||
|
they are now treated separately. This means that they should be
|
||||||
|
individually enabled in order to enable respective support; also the
|
||||||
|
corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
|
||||||
|
acceleration is required.
|
10
ChangeLog.d/8647.txt
Normal file
10
ChangeLog.d/8647.txt
Normal file
|
@ -0,0 +1,10 @@
|
||||||
|
Default behavior changes
|
||||||
|
* psa_import_key() now only accepts RSA keys in the PSA standard formats.
|
||||||
|
The undocumented ability to import other formats (PKCS#8, SubjectPublicKey,
|
||||||
|
PEM) accepted by the pkparse module has been removed. Applications that
|
||||||
|
need these formats can call mbedtls_pk_parse_{public,}key() followed by
|
||||||
|
mbedtls_pk_import_into_psa().
|
||||||
|
|
||||||
|
Changes
|
||||||
|
* RSA support in PSA no longer auto-enables the pkparse and pkwrite modules,
|
||||||
|
saving code size when those are not otherwise enabled.
|
2
ChangeLog.d/8726.txt
Normal file
2
ChangeLog.d/8726.txt
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
Features
|
||||||
|
* Add partial platform support for z/OS.
|
6
ChangeLog.d/add-block-cipher-no-decrypt.txt
Normal file
6
ChangeLog.d/add-block-cipher-no-decrypt.txt
Normal file
|
@ -0,0 +1,6 @@
|
||||||
|
Features
|
||||||
|
* Enable the new option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to omit
|
||||||
|
the decryption direction of block ciphers (AES, ARIA, Camellia).
|
||||||
|
This affects both the low-level modules and the high-level APIs
|
||||||
|
(the cipher and PSA interfaces). This option is incompatible with modes
|
||||||
|
that use the decryption direction (ECB in PSA, CBC, XTS, KW) and with DES.
|
2
ChangeLog.d/add-psa-example-program-hash.txt
Normal file
2
ChangeLog.d/add-psa-example-program-hash.txt
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
Features
|
||||||
|
* Added an example program showing how to hash with the PSA API.
|
5
ChangeLog.d/add-record-size-limit-extension-support.txt
Normal file
5
ChangeLog.d/add-record-size-limit-extension-support.txt
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Features
|
||||||
|
* Add support for record size limit extension as defined by RFC 8449
|
||||||
|
and configured with MBEDTLS_SSL_RECORD_SIZE_LIMIT.
|
||||||
|
Application data sent and received will be fragmented according to
|
||||||
|
Record size limits negotiated during handshake.
|
3
ChangeLog.d/armv8-aesce.txt
Normal file
3
ChangeLog.d/armv8-aesce.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Features
|
||||||
|
* Support use of Armv8-A Cryptographic Extensions for hardware acclerated
|
||||||
|
AES when compiling for Thumb (T32) or 32-bit Arm (A32).
|
3
ChangeLog.d/ctr-perf.txt
Normal file
3
ChangeLog.d/ctr-perf.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Features
|
||||||
|
* Improve performance of AES-GCM, AES-CTR and CTR-DRBG when
|
||||||
|
hardware accelerated AES is not present (around 13-23% on 64-bit Arm).
|
11
ChangeLog.d/driver-only-cipher.txt
Normal file
11
ChangeLog.d/driver-only-cipher.txt
Normal file
|
@ -0,0 +1,11 @@
|
||||||
|
Features
|
||||||
|
* If a cipher or AEAD mechanism has a PSA driver, you can now build the
|
||||||
|
library without the corresponding built-in implementation. Generally
|
||||||
|
speaking that requires both the key type and algorithm to be accelerated
|
||||||
|
or they'll both be built in. However, for CCM and GCM the built-in
|
||||||
|
implementation is able to take advantage of a driver that only
|
||||||
|
accelerates the key type (that is, the block cipher primitive). See
|
||||||
|
docs/driver-only-builds.md for full details and current limitations.
|
||||||
|
* The CTR_DRBG module will now use AES from a PSA driver if MBEDTLS_AES_C is
|
||||||
|
disabled. This requires PSA_WANT_ALG_ECB_NO_PADDING in addition to
|
||||||
|
MBEDTLS_PSA_CRYPTO_C and PSA_WANT_KEY_TYPE_AES.
|
5
ChangeLog.d/ecp-keypair-utilities.txt
Normal file
5
ChangeLog.d/ecp-keypair-utilities.txt
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Features
|
||||||
|
* Add utility functions to manipulate mbedtls_ecp_keypair objects, filling
|
||||||
|
gaps made by making its fields private: mbedtls_ecp_set_public_key(),
|
||||||
|
mbedtls_ecp_write_public_key(), mbedtls_ecp_keypair_calc_public(),
|
||||||
|
mbedtls_ecp_keypair_get_group_id(). Fixes #5017, #5441, #8367, #8652.
|
|
@ -1,3 +0,0 @@
|
||||||
Bugfix
|
|
||||||
* Fix accidental omission of MBEDTLS_TARGET_PREFIX in 3rdparty modules
|
|
||||||
in CMake.
|
|
|
@ -0,0 +1,6 @@
|
||||||
|
Features
|
||||||
|
* Add new mbedtls_x509_csr_parse_der_with_ext_cb() routine which allows
|
||||||
|
parsing unsupported certificate extensions via user provided callback.
|
||||||
|
|
||||||
|
Bugfix
|
||||||
|
* Fix parsing of CSRs with critical extensions.
|
3
ChangeLog.d/fix-issue-x509-cert_req.txt
Normal file
3
ChangeLog.d/fix-issue-x509-cert_req.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix possible NULL dereference issue in X509 cert_req program if an entry
|
||||||
|
in the san parameter is not separated by a colon.
|
3
ChangeLog.d/fix-issue-x509-cert_write.txt
Normal file
3
ChangeLog.d/fix-issue-x509-cert_write.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix possible NULL dereference issue in X509 cert_write program if an entry
|
||||||
|
in the san parameter is not separated by a colon.
|
2
ChangeLog.d/fix-linux-builds-in-conda-forge.txt
Normal file
2
ChangeLog.d/fix-linux-builds-in-conda-forge.txt
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix build failure in conda-forge. Fixes #8422.
|
4
ChangeLog.d/fix-mingw32-build.txt
Normal file
4
ChangeLog.d/fix-mingw32-build.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix an inconsistency between implementations and usages of `__cpuid`,
|
||||||
|
which mainly causes failures when building Windows target using
|
||||||
|
mingw or clang. Fixes #8334 & #8332.
|
3
ChangeLog.d/fix-tls-SuiteB.txt
Normal file
3
ChangeLog.d/fix-tls-SuiteB.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Bugfix
|
||||||
|
* Remove accidental introduction of RSA signature algorithms
|
||||||
|
in TLS Suite B Profile. Fixes #8221.
|
3
ChangeLog.d/fix-tls13-server-min-version-check.txt
Normal file
3
ChangeLog.d/fix-tls13-server-min-version-check.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Bugfix
|
||||||
|
* Fix TLS server accepting TLS 1.2 handshake while TLS 1.2
|
||||||
|
is disabled at runtime. Fixes #8593.
|
3
ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt
Normal file
3
ChangeLog.d/fix_kdf_incorrect_initial_capacity.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Bugfix
|
||||||
|
* Correct initial capacities for key derivation algorithms:TLS12_PRF,
|
||||||
|
TLS12_PSK_TO_MS, PBKDF2-HMAC, PBKDF2-CMAC
|
5
ChangeLog.d/gnutls_anti_replay_fail.txt
Normal file
5
ChangeLog.d/gnutls_anti_replay_fail.txt
Normal file
|
@ -0,0 +1,5 @@
|
||||||
|
Bugfix
|
||||||
|
* Switch to milliseconds as the unit for ticket creation and reception time
|
||||||
|
instead of seconds. That avoids rounding errors when computing the age of
|
||||||
|
tickets compared to peer using a millisecond clock (observed with GnuTLS).
|
||||||
|
Fixes #6623.
|
2
ChangeLog.d/iar-gcc-perf.txt
Normal file
2
ChangeLog.d/iar-gcc-perf.txt
Normal file
|
@ -0,0 +1,2 @@
|
||||||
|
Features
|
||||||
|
* Improve performance for gcc (versions older than 9.3.0) and IAR.
|
4
ChangeLog.d/linux-aarch64-hwcap.txt
Normal file
4
ChangeLog.d/linux-aarch64-hwcap.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Bugfix
|
||||||
|
* On Linux on ARMv8, fix a build error with SHA-256 and SHA-512
|
||||||
|
acceleration detection when the libc headers do not define the
|
||||||
|
corresponding constant. Reported by valord577.
|
3
ChangeLog.d/move-mbedtls-ecc-psa-helpers.txt
Normal file
3
ChangeLog.d/move-mbedtls-ecc-psa-helpers.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Changes
|
||||||
|
* Moved declaration of functions mbedtls_ecc_group_to_psa and
|
||||||
|
mbedtls_ecc_group_of_psa from psa/crypto_extra.h to mbedtls/psa_util.h
|
9
ChangeLog.d/no-cipher.txt
Normal file
9
ChangeLog.d/no-cipher.txt
Normal file
|
@ -0,0 +1,9 @@
|
||||||
|
Features
|
||||||
|
* Fewer modules depend on MBEDTLS_CIPHER_C, making it possible to save code
|
||||||
|
size by disabling it in more circumstances. In particular, the CCM and
|
||||||
|
GCM modules no longer depend on MBEDTLS_CIPHER_C. Also,
|
||||||
|
MBEDTLS_PSA_CRYPTO can now be enabled without MBEDTLS_CIPHER_C if all
|
||||||
|
unauthenticated (non-AEAD) ciphers are disabled, or if they're all
|
||||||
|
fully provided by drivers. See docs/driver-only-builds.md for full
|
||||||
|
details and current limitations; in particular, NIST_KW and PKCS5/PKCS12
|
||||||
|
decryption still unconditionally depend on MBEDTLS_CIPHER_C.
|
3
ChangeLog.d/non-psa-pk-implementation.txt
Normal file
3
ChangeLog.d/non-psa-pk-implementation.txt
Normal file
|
@ -0,0 +1,3 @@
|
||||||
|
Changes
|
||||||
|
* mbedtls_pk_sign_ext() is now always available, not just when
|
||||||
|
PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.
|
4
ChangeLog.d/pkwrite-pem-use-heap.txt
Normal file
4
ChangeLog.d/pkwrite-pem-use-heap.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
Changes
|
||||||
|
* Use heap memory to allocate DER encoded public/private key.
|
||||||
|
This reduces stack usage significantly for writing a public/private
|
||||||
|
key to a PEM string.
|
4
ChangeLog.d/rename-conf-early-data-API.txt
Normal file
4
ChangeLog.d/rename-conf-early-data-API.txt
Normal file
|
@ -0,0 +1,4 @@
|
||||||
|
API changes
|
||||||
|
* Remove `tls13_` in mbedtls_ssl_tls13_conf_early_data() and
|
||||||
|
mbedtls_ssl_tls13_conf_max_early_data_size() API names. Early data
|
||||||
|
feature may not be TLS 1.3 specific in the future. Fixes #6909.
|
7
ChangeLog.d/sha256-armce-arm.txt
Normal file
7
ChangeLog.d/sha256-armce-arm.txt
Normal file
|
@ -0,0 +1,7 @@
|
||||||
|
Features
|
||||||
|
* Support Armv8-A Crypto Extension acceleration for SHA-256
|
||||||
|
when compiling for Thumb (T32) or 32-bit Arm (A32).
|
||||||
|
New deprecations
|
||||||
|
* Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to
|
||||||
|
MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still
|
||||||
|
be used, but are deprecated.
|
351
LICENSE
351
LICENSE
|
@ -1,3 +1,10 @@
|
||||||
|
Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html)
|
||||||
|
OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license.
|
||||||
|
This means that users may choose which of these licenses they take the code
|
||||||
|
under.
|
||||||
|
|
||||||
|
The full text of each of these licenses is given below.
|
||||||
|
|
||||||
|
|
||||||
Apache License
|
Apache License
|
||||||
Version 2.0, January 2004
|
Version 2.0, January 2004
|
||||||
|
@ -200,3 +207,347 @@
|
||||||
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
||||||
See the License for the specific language governing permissions and
|
See the License for the specific language governing permissions and
|
||||||
limitations under the License.
|
limitations under the License.
|
||||||
|
|
||||||
|
|
||||||
|
===============================================================================
|
||||||
|
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
Version 2, June 1991
|
||||||
|
|
||||||
|
Copyright (C) 1989, 1991 Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA
|
||||||
|
Everyone is permitted to copy and distribute verbatim copies
|
||||||
|
of this license document, but changing it is not allowed.
|
||||||
|
|
||||||
|
Preamble
|
||||||
|
|
||||||
|
The licenses for most software are designed to take away your
|
||||||
|
freedom to share and change it. By contrast, the GNU General Public
|
||||||
|
License is intended to guarantee your freedom to share and change free
|
||||||
|
software--to make sure the software is free for all its users. This
|
||||||
|
General Public License applies to most of the Free Software
|
||||||
|
Foundation's software and to any other program whose authors commit to
|
||||||
|
using it. (Some other Free Software Foundation software is covered by
|
||||||
|
the GNU Lesser General Public License instead.) You can apply it to
|
||||||
|
your programs, too.
|
||||||
|
|
||||||
|
When we speak of free software, we are referring to freedom, not
|
||||||
|
price. Our General Public Licenses are designed to make sure that you
|
||||||
|
have the freedom to distribute copies of free software (and charge for
|
||||||
|
this service if you wish), that you receive source code or can get it
|
||||||
|
if you want it, that you can change the software or use pieces of it
|
||||||
|
in new free programs; and that you know you can do these things.
|
||||||
|
|
||||||
|
To protect your rights, we need to make restrictions that forbid
|
||||||
|
anyone to deny you these rights or to ask you to surrender the rights.
|
||||||
|
These restrictions translate to certain responsibilities for you if you
|
||||||
|
distribute copies of the software, or if you modify it.
|
||||||
|
|
||||||
|
For example, if you distribute copies of such a program, whether
|
||||||
|
gratis or for a fee, you must give the recipients all the rights that
|
||||||
|
you have. You must make sure that they, too, receive or can get the
|
||||||
|
source code. And you must show them these terms so they know their
|
||||||
|
rights.
|
||||||
|
|
||||||
|
We protect your rights with two steps: (1) copyright the software, and
|
||||||
|
(2) offer you this license which gives you legal permission to copy,
|
||||||
|
distribute and/or modify the software.
|
||||||
|
|
||||||
|
Also, for each author's protection and ours, we want to make certain
|
||||||
|
that everyone understands that there is no warranty for this free
|
||||||
|
software. If the software is modified by someone else and passed on, we
|
||||||
|
want its recipients to know that what they have is not the original, so
|
||||||
|
that any problems introduced by others will not reflect on the original
|
||||||
|
authors' reputations.
|
||||||
|
|
||||||
|
Finally, any free program is threatened constantly by software
|
||||||
|
patents. We wish to avoid the danger that redistributors of a free
|
||||||
|
program will individually obtain patent licenses, in effect making the
|
||||||
|
program proprietary. To prevent this, we have made it clear that any
|
||||||
|
patent must be licensed for everyone's free use or not licensed at all.
|
||||||
|
|
||||||
|
The precise terms and conditions for copying, distribution and
|
||||||
|
modification follow.
|
||||||
|
|
||||||
|
GNU GENERAL PUBLIC LICENSE
|
||||||
|
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
|
||||||
|
|
||||||
|
0. This License applies to any program or other work which contains
|
||||||
|
a notice placed by the copyright holder saying it may be distributed
|
||||||
|
under the terms of this General Public License. The "Program", below,
|
||||||
|
refers to any such program or work, and a "work based on the Program"
|
||||||
|
means either the Program or any derivative work under copyright law:
|
||||||
|
that is to say, a work containing the Program or a portion of it,
|
||||||
|
either verbatim or with modifications and/or translated into another
|
||||||
|
language. (Hereinafter, translation is included without limitation in
|
||||||
|
the term "modification".) Each licensee is addressed as "you".
|
||||||
|
|
||||||
|
Activities other than copying, distribution and modification are not
|
||||||
|
covered by this License; they are outside its scope. The act of
|
||||||
|
running the Program is not restricted, and the output from the Program
|
||||||
|
is covered only if its contents constitute a work based on the
|
||||||
|
Program (independent of having been made by running the Program).
|
||||||
|
Whether that is true depends on what the Program does.
|
||||||
|
|
||||||
|
1. You may copy and distribute verbatim copies of the Program's
|
||||||
|
source code as you receive it, in any medium, provided that you
|
||||||
|
conspicuously and appropriately publish on each copy an appropriate
|
||||||
|
copyright notice and disclaimer of warranty; keep intact all the
|
||||||
|
notices that refer to this License and to the absence of any warranty;
|
||||||
|
and give any other recipients of the Program a copy of this License
|
||||||
|
along with the Program.
|
||||||
|
|
||||||
|
You may charge a fee for the physical act of transferring a copy, and
|
||||||
|
you may at your option offer warranty protection in exchange for a fee.
|
||||||
|
|
||||||
|
2. You may modify your copy or copies of the Program or any portion
|
||||||
|
of it, thus forming a work based on the Program, and copy and
|
||||||
|
distribute such modifications or work under the terms of Section 1
|
||||||
|
above, provided that you also meet all of these conditions:
|
||||||
|
|
||||||
|
a) You must cause the modified files to carry prominent notices
|
||||||
|
stating that you changed the files and the date of any change.
|
||||||
|
|
||||||
|
b) You must cause any work that you distribute or publish, that in
|
||||||
|
whole or in part contains or is derived from the Program or any
|
||||||
|
part thereof, to be licensed as a whole at no charge to all third
|
||||||
|
parties under the terms of this License.
|
||||||
|
|
||||||
|
c) If the modified program normally reads commands interactively
|
||||||
|
when run, you must cause it, when started running for such
|
||||||
|
interactive use in the most ordinary way, to print or display an
|
||||||
|
announcement including an appropriate copyright notice and a
|
||||||
|
notice that there is no warranty (or else, saying that you provide
|
||||||
|
a warranty) and that users may redistribute the program under
|
||||||
|
these conditions, and telling the user how to view a copy of this
|
||||||
|
License. (Exception: if the Program itself is interactive but
|
||||||
|
does not normally print such an announcement, your work based on
|
||||||
|
the Program is not required to print an announcement.)
|
||||||
|
|
||||||
|
These requirements apply to the modified work as a whole. If
|
||||||
|
identifiable sections of that work are not derived from the Program,
|
||||||
|
and can be reasonably considered independent and separate works in
|
||||||
|
themselves, then this License, and its terms, do not apply to those
|
||||||
|
sections when you distribute them as separate works. But when you
|
||||||
|
distribute the same sections as part of a whole which is a work based
|
||||||
|
on the Program, the distribution of the whole must be on the terms of
|
||||||
|
this License, whose permissions for other licensees extend to the
|
||||||
|
entire whole, and thus to each and every part regardless of who wrote it.
|
||||||
|
|
||||||
|
Thus, it is not the intent of this section to claim rights or contest
|
||||||
|
your rights to work written entirely by you; rather, the intent is to
|
||||||
|
exercise the right to control the distribution of derivative or
|
||||||
|
collective works based on the Program.
|
||||||
|
|
||||||
|
In addition, mere aggregation of another work not based on the Program
|
||||||
|
with the Program (or with a work based on the Program) on a volume of
|
||||||
|
a storage or distribution medium does not bring the other work under
|
||||||
|
the scope of this License.
|
||||||
|
|
||||||
|
3. You may copy and distribute the Program (or a work based on it,
|
||||||
|
under Section 2) in object code or executable form under the terms of
|
||||||
|
Sections 1 and 2 above provided that you also do one of the following:
|
||||||
|
|
||||||
|
a) Accompany it with the complete corresponding machine-readable
|
||||||
|
source code, which must be distributed under the terms of Sections
|
||||||
|
1 and 2 above on a medium customarily used for software interchange; or,
|
||||||
|
|
||||||
|
b) Accompany it with a written offer, valid for at least three
|
||||||
|
years, to give any third party, for a charge no more than your
|
||||||
|
cost of physically performing source distribution, a complete
|
||||||
|
machine-readable copy of the corresponding source code, to be
|
||||||
|
distributed under the terms of Sections 1 and 2 above on a medium
|
||||||
|
customarily used for software interchange; or,
|
||||||
|
|
||||||
|
c) Accompany it with the information you received as to the offer
|
||||||
|
to distribute corresponding source code. (This alternative is
|
||||||
|
allowed only for noncommercial distribution and only if you
|
||||||
|
received the program in object code or executable form with such
|
||||||
|
an offer, in accord with Subsection b above.)
|
||||||
|
|
||||||
|
The source code for a work means the preferred form of the work for
|
||||||
|
making modifications to it. For an executable work, complete source
|
||||||
|
code means all the source code for all modules it contains, plus any
|
||||||
|
associated interface definition files, plus the scripts used to
|
||||||
|
control compilation and installation of the executable. However, as a
|
||||||
|
special exception, the source code distributed need not include
|
||||||
|
anything that is normally distributed (in either source or binary
|
||||||
|
form) with the major components (compiler, kernel, and so on) of the
|
||||||
|
operating system on which the executable runs, unless that component
|
||||||
|
itself accompanies the executable.
|
||||||
|
|
||||||
|
If distribution of executable or object code is made by offering
|
||||||
|
access to copy from a designated place, then offering equivalent
|
||||||
|
access to copy the source code from the same place counts as
|
||||||
|
distribution of the source code, even though third parties are not
|
||||||
|
compelled to copy the source along with the object code.
|
||||||
|
|
||||||
|
4. You may not copy, modify, sublicense, or distribute the Program
|
||||||
|
except as expressly provided under this License. Any attempt
|
||||||
|
otherwise to copy, modify, sublicense or distribute the Program is
|
||||||
|
void, and will automatically terminate your rights under this License.
|
||||||
|
However, parties who have received copies, or rights, from you under
|
||||||
|
this License will not have their licenses terminated so long as such
|
||||||
|
parties remain in full compliance.
|
||||||
|
|
||||||
|
5. You are not required to accept this License, since you have not
|
||||||
|
signed it. However, nothing else grants you permission to modify or
|
||||||
|
distribute the Program or its derivative works. These actions are
|
||||||
|
prohibited by law if you do not accept this License. Therefore, by
|
||||||
|
modifying or distributing the Program (or any work based on the
|
||||||
|
Program), you indicate your acceptance of this License to do so, and
|
||||||
|
all its terms and conditions for copying, distributing or modifying
|
||||||
|
the Program or works based on it.
|
||||||
|
|
||||||
|
6. Each time you redistribute the Program (or any work based on the
|
||||||
|
Program), the recipient automatically receives a license from the
|
||||||
|
original licensor to copy, distribute or modify the Program subject to
|
||||||
|
these terms and conditions. You may not impose any further
|
||||||
|
restrictions on the recipients' exercise of the rights granted herein.
|
||||||
|
You are not responsible for enforcing compliance by third parties to
|
||||||
|
this License.
|
||||||
|
|
||||||
|
7. If, as a consequence of a court judgment or allegation of patent
|
||||||
|
infringement or for any other reason (not limited to patent issues),
|
||||||
|
conditions are imposed on you (whether by court order, agreement or
|
||||||
|
otherwise) that contradict the conditions of this License, they do not
|
||||||
|
excuse you from the conditions of this License. If you cannot
|
||||||
|
distribute so as to satisfy simultaneously your obligations under this
|
||||||
|
License and any other pertinent obligations, then as a consequence you
|
||||||
|
may not distribute the Program at all. For example, if a patent
|
||||||
|
license would not permit royalty-free redistribution of the Program by
|
||||||
|
all those who receive copies directly or indirectly through you, then
|
||||||
|
the only way you could satisfy both it and this License would be to
|
||||||
|
refrain entirely from distribution of the Program.
|
||||||
|
|
||||||
|
If any portion of this section is held invalid or unenforceable under
|
||||||
|
any particular circumstance, the balance of the section is intended to
|
||||||
|
apply and the section as a whole is intended to apply in other
|
||||||
|
circumstances.
|
||||||
|
|
||||||
|
It is not the purpose of this section to induce you to infringe any
|
||||||
|
patents or other property right claims or to contest validity of any
|
||||||
|
such claims; this section has the sole purpose of protecting the
|
||||||
|
integrity of the free software distribution system, which is
|
||||||
|
implemented by public license practices. Many people have made
|
||||||
|
generous contributions to the wide range of software distributed
|
||||||
|
through that system in reliance on consistent application of that
|
||||||
|
system; it is up to the author/donor to decide if he or she is willing
|
||||||
|
to distribute software through any other system and a licensee cannot
|
||||||
|
impose that choice.
|
||||||
|
|
||||||
|
This section is intended to make thoroughly clear what is believed to
|
||||||
|
be a consequence of the rest of this License.
|
||||||
|
|
||||||
|
8. If the distribution and/or use of the Program is restricted in
|
||||||
|
certain countries either by patents or by copyrighted interfaces, the
|
||||||
|
original copyright holder who places the Program under this License
|
||||||
|
may add an explicit geographical distribution limitation excluding
|
||||||
|
those countries, so that distribution is permitted only in or among
|
||||||
|
countries not thus excluded. In such case, this License incorporates
|
||||||
|
the limitation as if written in the body of this License.
|
||||||
|
|
||||||
|
9. The Free Software Foundation may publish revised and/or new versions
|
||||||
|
of the General Public License from time to time. Such new versions will
|
||||||
|
be similar in spirit to the present version, but may differ in detail to
|
||||||
|
address new problems or concerns.
|
||||||
|
|
||||||
|
Each version is given a distinguishing version number. If the Program
|
||||||
|
specifies a version number of this License which applies to it and "any
|
||||||
|
later version", you have the option of following the terms and conditions
|
||||||
|
either of that version or of any later version published by the Free
|
||||||
|
Software Foundation. If the Program does not specify a version number of
|
||||||
|
this License, you may choose any version ever published by the Free Software
|
||||||
|
Foundation.
|
||||||
|
|
||||||
|
10. If you wish to incorporate parts of the Program into other free
|
||||||
|
programs whose distribution conditions are different, write to the author
|
||||||
|
to ask for permission. For software which is copyrighted by the Free
|
||||||
|
Software Foundation, write to the Free Software Foundation; we sometimes
|
||||||
|
make exceptions for this. Our decision will be guided by the two goals
|
||||||
|
of preserving the free status of all derivatives of our free software and
|
||||||
|
of promoting the sharing and reuse of software generally.
|
||||||
|
|
||||||
|
NO WARRANTY
|
||||||
|
|
||||||
|
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY
|
||||||
|
FOR THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
|
||||||
|
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
|
||||||
|
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
|
||||||
|
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
|
||||||
|
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS
|
||||||
|
TO THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE
|
||||||
|
PROGRAM PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING,
|
||||||
|
REPAIR OR CORRECTION.
|
||||||
|
|
||||||
|
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
|
||||||
|
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
|
||||||
|
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
|
||||||
|
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
|
||||||
|
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED
|
||||||
|
TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY
|
||||||
|
YOU OR THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
|
||||||
|
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
|
||||||
|
POSSIBILITY OF SUCH DAMAGES.
|
||||||
|
|
||||||
|
END OF TERMS AND CONDITIONS
|
||||||
|
|
||||||
|
How to Apply These Terms to Your New Programs
|
||||||
|
|
||||||
|
If you develop a new program, and you want it to be of the greatest
|
||||||
|
possible use to the public, the best way to achieve this is to make it
|
||||||
|
free software which everyone can redistribute and change under these terms.
|
||||||
|
|
||||||
|
To do so, attach the following notices to the program. It is safest
|
||||||
|
to attach them to the start of each source file to most effectively
|
||||||
|
convey the exclusion of warranty; and each file should have at least
|
||||||
|
the "copyright" line and a pointer to where the full notice is found.
|
||||||
|
|
||||||
|
<one line to give the program's name and a brief idea of what it does.>
|
||||||
|
Copyright (C) <year> <name of author>
|
||||||
|
|
||||||
|
This program is free software; you can redistribute it and/or modify
|
||||||
|
it under the terms of the GNU General Public License as published by
|
||||||
|
the Free Software Foundation; either version 2 of the License, or
|
||||||
|
(at your option) any later version.
|
||||||
|
|
||||||
|
This program is distributed in the hope that it will be useful,
|
||||||
|
but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||||
|
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||||
|
GNU General Public License for more details.
|
||||||
|
|
||||||
|
You should have received a copy of the GNU General Public License along
|
||||||
|
with this program; if not, write to the Free Software Foundation, Inc.,
|
||||||
|
51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
|
||||||
|
|
||||||
|
Also add information on how to contact you by electronic and paper mail.
|
||||||
|
|
||||||
|
If the program is interactive, make it output a short notice like this
|
||||||
|
when it starts in an interactive mode:
|
||||||
|
|
||||||
|
Gnomovision version 69, Copyright (C) year name of author
|
||||||
|
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details type `show w'.
|
||||||
|
This is free software, and you are welcome to redistribute it
|
||||||
|
under certain conditions; type `show c' for details.
|
||||||
|
|
||||||
|
The hypothetical commands `show w' and `show c' should show the appropriate
|
||||||
|
parts of the General Public License. Of course, the commands you use may
|
||||||
|
be called something other than `show w' and `show c'; they could even be
|
||||||
|
mouse-clicks or menu items--whatever suits your program.
|
||||||
|
|
||||||
|
You should also get your employer (if you work as a programmer) or your
|
||||||
|
school, if any, to sign a "copyright disclaimer" for the program, if
|
||||||
|
necessary. Here is a sample; alter the names:
|
||||||
|
|
||||||
|
Yoyodyne, Inc., hereby disclaims all copyright interest in the program
|
||||||
|
`Gnomovision' (which makes passes at compilers) written by James Hacker.
|
||||||
|
|
||||||
|
<signature of Ty Coon>, 1 April 1989
|
||||||
|
Ty Coon, President of Vice
|
||||||
|
|
||||||
|
This General Public License does not permit incorporating your program into
|
||||||
|
proprietary programs. If your program is a subroutine library, you may
|
||||||
|
consider it more useful to permit linking proprietary applications with the
|
||||||
|
library. If this is what you want to do, use the GNU Lesser General
|
||||||
|
Public License instead of this License.
|
||||||
|
|
|
@ -307,14 +307,14 @@ When using drivers, you will generally want to enable two compilation options (s
|
||||||
License
|
License
|
||||||
-------
|
-------
|
||||||
|
|
||||||
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under the [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) license. See the [LICENSE](LICENSE) file for the full text of this license, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information.
|
Unless specifically indicated otherwise in a file, Mbed TLS files are provided under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license. See the [LICENSE](LICENSE) file for the full text of these licenses, and [the 'License and Copyright' section in the contributing guidelines](CONTRIBUTING.md#License-and-Copyright) for more information.
|
||||||
|
|
||||||
### Third-party code included in Mbed TLS
|
### Third-party code included in Mbed TLS
|
||||||
|
|
||||||
This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, and in source files. The projects are listed below:
|
This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
|
||||||
|
|
||||||
* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
|
* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
|
||||||
* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is also used by Mbed TLS under the Apache 2.0 license. We do not plan to regularly update these files, so they may not contain fixes and improvements present in the upstream project.
|
* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
|
||||||
|
|
||||||
Contributing
|
Contributing
|
||||||
------------
|
------------
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites
|
* Minimal configuration for DTLS 1.2 with PSK and AES-CCM ciphersuites
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
|
* Minimal configuration for TLS 1.2 with PSK and AES-CCM ciphersuites
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Minimal configuration of features that do not require an entropy source
|
* Minimal configuration of features that do not require an entropy source
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
* Minimal configuration for TLS NSA Suite B Profile (RFC 6460)
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* System support */
|
/* System support */
|
||||||
|
|
68
configs/config-tfm.h
Normal file
68
configs/config-tfm.h
Normal file
|
@ -0,0 +1,68 @@
|
||||||
|
/**
|
||||||
|
* \file config-tfm.h
|
||||||
|
*
|
||||||
|
* \brief TF-M medium profile, adapted to work on other platforms.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* TF-M medium profile: mbedtls legacy configuration */
|
||||||
|
#include "../configs/ext/tfm_mbedcrypto_config_profile_medium.h"
|
||||||
|
|
||||||
|
/* TF-M medium profile: PSA crypto configuration */
|
||||||
|
#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/ext/crypto_config_profile_medium.h"
|
||||||
|
|
||||||
|
/***********************************************************/
|
||||||
|
/* Tweak the configuration to remove dependencies on TF-M. */
|
||||||
|
/***********************************************************/
|
||||||
|
|
||||||
|
/* MBEDTLS_PSA_CRYPTO_SPM needs third-party files, so disable it. */
|
||||||
|
#undef MBEDTLS_PSA_CRYPTO_SPM
|
||||||
|
|
||||||
|
/* Disable buffer-based memory allocator. This isn't strictly required,
|
||||||
|
* but using the native allocator is faster and works better with
|
||||||
|
* memory management analysis frameworks such as ASan. */
|
||||||
|
#undef MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||||
|
|
||||||
|
// This macro is enabled in TFM Medium but is disabled here because it is
|
||||||
|
// incompatible with baremetal builds in Mbed TLS.
|
||||||
|
#undef MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||||
|
|
||||||
|
// This macro is enabled in TFM Medium but is disabled here because it is
|
||||||
|
// incompatible with baremetal builds in Mbed TLS.
|
||||||
|
#undef MBEDTLS_ENTROPY_NV_SEED
|
||||||
|
|
||||||
|
// These platform-related TF-M settings are not useful here.
|
||||||
|
#undef MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||||
|
#undef MBEDTLS_PLATFORM_STD_MEM_HDR
|
||||||
|
#undef MBEDTLS_PLATFORM_SNPRINTF_MACRO
|
||||||
|
#undef MBEDTLS_PLATFORM_PRINTF_ALT
|
||||||
|
#undef MBEDTLS_PLATFORM_STD_EXIT_SUCCESS
|
||||||
|
#undef MBEDTLS_PLATFORM_STD_EXIT_FAILURE
|
||||||
|
|
||||||
|
/*
|
||||||
|
* In order to get an example config that works cleanly out-of-the-box
|
||||||
|
* for both baremetal and non-baremetal builds, we detect baremetal builds
|
||||||
|
* (either IAR, Arm compiler or __ARM_EABI__ defined), and adjust some
|
||||||
|
* variables accordingly.
|
||||||
|
*/
|
||||||
|
#if defined(__IAR_SYSTEMS_ICC__) || defined(__ARMCC_VERSION) || defined(__ARM_EABI__)
|
||||||
|
#define MBEDTLS_NO_PLATFORM_ENTROPY
|
||||||
|
#else
|
||||||
|
/* Use built-in platform entropy functions (TF-M provides its own). */
|
||||||
|
#undef MBEDTLS_NO_PLATFORM_ENTROPY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/***********************************************************************
|
||||||
|
* Local changes to crypto config below this delimiter
|
||||||
|
**********************************************************************/
|
||||||
|
|
||||||
|
// We expect TF-M to pick this up soon
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
|
||||||
|
|
||||||
|
/* CCM is the only cipher/AEAD enabled in TF-M configuration files, but it
|
||||||
|
* does not need CIPHER_C to be enabled, so we can disable it in order
|
||||||
|
* to reduce code size further. */
|
||||||
|
#undef MBEDTLS_CIPHER_C
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef PSA_CRYPTO_CONFIG_H
|
#ifndef PSA_CRYPTO_CONFIG_H
|
||||||
|
|
25
configs/ext/README.md
Normal file
25
configs/ext/README.md
Normal file
|
@ -0,0 +1,25 @@
|
||||||
|
Summary
|
||||||
|
-------
|
||||||
|
|
||||||
|
The two files:
|
||||||
|
|
||||||
|
* crypto_config_profile_medium.h
|
||||||
|
* tfm_mbedcrypto_config_profile_medium.h
|
||||||
|
|
||||||
|
are copyright The Mbed TLS Contributors, and are distributed under the license normally
|
||||||
|
used by Mbed TLS: a dual Apache 2.0 or GPLv2-or-later license.
|
||||||
|
|
||||||
|
Background
|
||||||
|
----------
|
||||||
|
|
||||||
|
The two files crypto_config_profile_medium.h and tfm_mbedcrypto_config_profile_medium.h
|
||||||
|
are taken verbatim from the TF-M source code here:
|
||||||
|
|
||||||
|
https://git.trustedfirmware.org/TF-M/trusted-firmware-m.git/tree/lib/ext/mbedcrypto/mbedcrypto_config
|
||||||
|
|
||||||
|
In TF-M, they are distributed under a 3-Clause BSD license, as noted at the top of the files.
|
||||||
|
|
||||||
|
In Mbed TLS, with permission from the TF-M project, they are distributed under a dual [Apache-2.0](https://spdx.org/licenses/Apache-2.0.html) OR [GPL-2.0-or-later](https://spdx.org/licenses/GPL-2.0-or-later.html) license, with copyright assigned to The Mbed TLS Contributors.
|
||||||
|
|
||||||
|
We only retain the note at the top of the files because we are taking the files verbatim, for ease of
|
||||||
|
maintenance.
|
13
configs/ext/config_tfm.h
Normal file
13
configs/ext/config_tfm.h
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
/*
|
||||||
|
* Empty placeholder
|
||||||
|
*
|
||||||
|
* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This file is intentionally empty.
|
||||||
|
*
|
||||||
|
* Having an empty file here allows us to build the TF-M config, which references this file,
|
||||||
|
* without making any changes to the TF-M config.
|
||||||
|
*/
|
|
@ -1,5 +1,5 @@
|
||||||
/*
|
/*
|
||||||
* Copyright (c) 2018-2022, Arm Limited. All rights reserved.
|
* Copyright (c) 2018-2023, Arm Limited. All rights reserved.
|
||||||
*
|
*
|
||||||
* SPDX-License-Identifier: BSD-3-Clause
|
* SPDX-License-Identifier: BSD-3-Clause
|
||||||
*
|
*
|
||||||
|
@ -51,7 +51,7 @@
|
||||||
//#define PSA_WANT_ALG_CFB 1
|
//#define PSA_WANT_ALG_CFB 1
|
||||||
//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
|
//#define PSA_WANT_ALG_CHACHA20_POLY1305 1
|
||||||
//#define PSA_WANT_ALG_CTR 1
|
//#define PSA_WANT_ALG_CTR 1
|
||||||
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
|
//#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
|
||||||
//#define PSA_WANT_ALG_ECB_NO_PADDING 1
|
//#define PSA_WANT_ALG_ECB_NO_PADDING 1
|
||||||
#define PSA_WANT_ALG_ECDH 1
|
#define PSA_WANT_ALG_ECDH 1
|
||||||
#define PSA_WANT_ALG_ECDSA 1
|
#define PSA_WANT_ALG_ECDSA 1
|
||||||
|
@ -106,33 +106,27 @@
|
||||||
//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
|
//#define PSA_WANT_KEY_TYPE_CAMELLIA 1
|
||||||
//#define PSA_WANT_KEY_TYPE_CHACHA20 1
|
//#define PSA_WANT_KEY_TYPE_CHACHA20 1
|
||||||
//#define PSA_WANT_KEY_TYPE_DES 1
|
//#define PSA_WANT_KEY_TYPE_DES 1
|
||||||
|
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 /* Deprecated */
|
||||||
|
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
|
||||||
|
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
|
||||||
|
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1 /* Deprecated */
|
||||||
|
//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
|
||||||
|
|
||||||
|
/*
|
||||||
|
* The following symbols extend and deprecate the legacy
|
||||||
|
* PSA_WANT_KEY_TYPE_xxx_KEY_PAIR ones. They include the usage of that key in
|
||||||
|
* the name's suffix. "_USE" is the most generic and it can be used to describe
|
||||||
|
* a generic suport, whereas other ones add more features on top of that and
|
||||||
|
* they are more specific.
|
||||||
|
*/
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
//#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
||||||
#define PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1
|
|
||||||
#define PSA_WANT_KEY_TYPE_RAW_DATA 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
|
|
||||||
|
|
||||||
/***********************************************************************
|
#ifdef CRYPTO_HW_ACCELERATOR
|
||||||
* Local edits below this delimiter
|
#include "crypto_accelerator_config.h"
|
||||||
**********************************************************************/
|
#endif
|
||||||
|
|
||||||
/* Between Mbed TLS 3.4 and 3.5, the PSA_WANT_KEY_TYPE_RSA_KEY_PAIR macro
|
|
||||||
* (commented-out above) has been replaced with the following new macros: */
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE 1 /* Not supported */
|
|
||||||
|
|
||||||
/* Between Mbed TLS 3.4 and 3.5, the following macros have been added: */
|
|
||||||
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
|
||||||
//#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE 1 // Not supported
|
|
||||||
|
|
||||||
#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */
|
#endif /* PROFILE_M_PSA_CRYPTO_CONFIG_H */
|
13
configs/ext/mbedtls_entropy_nv_seed_config.h
Normal file
13
configs/ext/mbedtls_entropy_nv_seed_config.h
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
/*
|
||||||
|
* Empty placeholder
|
||||||
|
*
|
||||||
|
* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
|
*/
|
||||||
|
|
||||||
|
/*
|
||||||
|
* This file is intentionally empty.
|
||||||
|
*
|
||||||
|
* Having an empty file here allows us to build the TF-M config, which references this file,
|
||||||
|
* without making any changes to the TF-M config.
|
||||||
|
*/
|
|
@ -8,7 +8,7 @@
|
||||||
* memory footprint.
|
* memory footprint.
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright (C) 2006-2022, ARM Limited, All Rights Reserved
|
* Copyright (C) 2006-2023, ARM Limited, All Rights Reserved
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
*
|
*
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
||||||
|
@ -29,6 +29,8 @@
|
||||||
#ifndef PROFILE_M_MBEDTLS_CONFIG_H
|
#ifndef PROFILE_M_MBEDTLS_CONFIG_H
|
||||||
#define PROFILE_M_MBEDTLS_CONFIG_H
|
#define PROFILE_M_MBEDTLS_CONFIG_H
|
||||||
|
|
||||||
|
#include "config_tfm.h"
|
||||||
|
|
||||||
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
|
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
|
||||||
#define _CRT_SECURE_NO_DEPRECATE 1
|
#define _CRT_SECURE_NO_DEPRECATE 1
|
||||||
#endif
|
#endif
|
||||||
|
@ -94,44 +96,6 @@
|
||||||
* \{
|
* \{
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
|
||||||
* \def MBEDTLS_MD2_PROCESS_ALT
|
|
||||||
*
|
|
||||||
* MBEDTLS__FUNCTION_NAME__ALT: Uncomment a macro to let mbed TLS use you
|
|
||||||
* alternate core implementation of symmetric crypto or hash function. Keep in
|
|
||||||
* mind that function prototypes should remain the same.
|
|
||||||
*
|
|
||||||
* This replaces only one function. The header file from mbed TLS is still
|
|
||||||
* used, in contrast to the MBEDTLS__MODULE_NAME__ALT flags.
|
|
||||||
*
|
|
||||||
* Example: In case you uncomment MBEDTLS_SHA256_PROCESS_ALT, mbed TLS will
|
|
||||||
* no longer provide the mbedtls_sha1_process() function, but it will still provide
|
|
||||||
* the other function (using your mbedtls_sha1_process() function) and the definition
|
|
||||||
* of mbedtls_sha1_context, so your implementation of mbedtls_sha1_process must be compatible
|
|
||||||
* with this definition.
|
|
||||||
*
|
|
||||||
* \note Because of a signature change, the core AES encryption and decryption routines are
|
|
||||||
* currently named mbedtls_aes_internal_encrypt and mbedtls_aes_internal_decrypt,
|
|
||||||
* respectively. When setting up alternative implementations, these functions should
|
|
||||||
* be overridden, but the wrapper functions mbedtls_aes_decrypt and mbedtls_aes_encrypt
|
|
||||||
* must stay untouched.
|
|
||||||
*
|
|
||||||
* \note If you use the AES_xxx_ALT macros, then is is recommended to also set
|
|
||||||
* MBEDTLS_AES_ROM_TABLES in order to help the linker garbage-collect the AES
|
|
||||||
* tables.
|
|
||||||
*
|
|
||||||
* Uncomment a macro to enable alternate implementation of the corresponding
|
|
||||||
* function.
|
|
||||||
*
|
|
||||||
* \warning MD2, MD4, MD5, DES and SHA-1 are considered weak and their use
|
|
||||||
* constitutes a security risk. If possible, we recommend avoiding
|
|
||||||
* dependencies on them, and considering stronger message digests
|
|
||||||
* and ciphers instead.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
#define MBEDTLS_AES_SETKEY_DEC_ALT
|
|
||||||
#define MBEDTLS_AES_DECRYPT_ALT
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_AES_ROM_TABLES
|
* \def MBEDTLS_AES_ROM_TABLES
|
||||||
*
|
*
|
||||||
|
@ -185,21 +149,6 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_ECP_NIST_OPTIM
|
#define MBEDTLS_ECP_NIST_OPTIM
|
||||||
|
|
||||||
/**
|
|
||||||
* \def MBEDTLS_ERROR_STRERROR_DUMMY
|
|
||||||
*
|
|
||||||
* Enable a dummy error function to make use of mbedtls_strerror() in
|
|
||||||
* third party libraries easier when MBEDTLS_ERROR_C is disabled
|
|
||||||
* (no effect when MBEDTLS_ERROR_C is enabled).
|
|
||||||
*
|
|
||||||
* You can safely disable this if MBEDTLS_ERROR_C is enabled, or if you're
|
|
||||||
* not using mbedtls_strerror() or error_strerror() in your application.
|
|
||||||
*
|
|
||||||
* Disable if you run into name conflicts and want to really remove the
|
|
||||||
* mbedtls_strerror()
|
|
||||||
*/
|
|
||||||
#define MBEDTLS_ERROR_STRERROR_DUMMY
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_NO_PLATFORM_ENTROPY
|
* \def MBEDTLS_NO_PLATFORM_ENTROPY
|
||||||
*
|
*
|
||||||
|
@ -237,26 +186,7 @@
|
||||||
* \note The entropy collector will write to the seed file before entropy is
|
* \note The entropy collector will write to the seed file before entropy is
|
||||||
* given to an external source, to update it.
|
* given to an external source, to update it.
|
||||||
*/
|
*/
|
||||||
// This macro is enabled in TFM Medium but is disabled here because it is
|
#define MBEDTLS_ENTROPY_NV_SEED
|
||||||
// incompatible with baremetal builds in Mbed TLS.
|
|
||||||
//#define MBEDTLS_ENTROPY_NV_SEED
|
|
||||||
|
|
||||||
/* MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
|
|
||||||
*
|
|
||||||
* Enable key identifiers that encode a key owner identifier.
|
|
||||||
*
|
|
||||||
* This is only meaningful when building the library as part of a
|
|
||||||
* multi-client service. When you activate this option, you must provide an
|
|
||||||
* implementation of the type mbedtls_key_owner_id_t and a translation from
|
|
||||||
* mbedtls_svc_key_id_t to file name in all the storage backends that you
|
|
||||||
* you wish to support.
|
|
||||||
*
|
|
||||||
* Note that while this define has been removed from TF-M's copy of this config
|
|
||||||
* file, TF-M still passes this option to Mbed TLS during the build via CMake.
|
|
||||||
* Therefore we keep it in our copy. See discussion on PR #7426 for more info.
|
|
||||||
*
|
|
||||||
*/
|
|
||||||
#define MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_PSA_CRYPTO_SPM
|
* \def MBEDTLS_PSA_CRYPTO_SPM
|
||||||
|
@ -339,6 +269,23 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_AES_C
|
#define MBEDTLS_AES_C
|
||||||
|
|
||||||
|
/**
|
||||||
|
* \def MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||||
|
*
|
||||||
|
* Use only 128-bit keys in AES operations to save ROM.
|
||||||
|
*
|
||||||
|
* Uncomment this macro to remove support for AES operations that use 192-
|
||||||
|
* or 256-bit keys.
|
||||||
|
*
|
||||||
|
* Uncommenting this macro reduces the size of AES code by ~300 bytes
|
||||||
|
* on v8-M/Thumb2.
|
||||||
|
*
|
||||||
|
* Module: library/aes.c
|
||||||
|
*
|
||||||
|
* Requires: MBEDTLS_AES_C
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_CIPHER_C
|
* \def MBEDTLS_CIPHER_C
|
||||||
*
|
*
|
||||||
|
@ -380,18 +327,6 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_ENTROPY_C
|
#define MBEDTLS_ENTROPY_C
|
||||||
|
|
||||||
/**
|
|
||||||
* \def MBEDTLS_ERROR_C
|
|
||||||
*
|
|
||||||
* Enable error code to error string conversion.
|
|
||||||
*
|
|
||||||
* Module: library/error.c
|
|
||||||
* Caller:
|
|
||||||
*
|
|
||||||
* This module enables mbedtls_strerror().
|
|
||||||
*/
|
|
||||||
#define MBEDTLS_ERROR_C
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_HKDF_C
|
* \def MBEDTLS_HKDF_C
|
||||||
*
|
*
|
||||||
|
@ -405,40 +340,7 @@
|
||||||
* This module adds support for the Hashed Message Authentication Code
|
* This module adds support for the Hashed Message Authentication Code
|
||||||
* (HMAC)-based key derivation function (HKDF).
|
* (HMAC)-based key derivation function (HKDF).
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
|
//#define MBEDTLS_HKDF_C /* Used for HUK deriviation */
|
||||||
|
|
||||||
/**
|
|
||||||
* \def MBEDTLS_MD_C
|
|
||||||
*
|
|
||||||
* Enable the generic layer for message digest (hashing) and HMAC.
|
|
||||||
*
|
|
||||||
* Requires: one of: MBEDTLS_MD5_C, MBEDTLS_RIPEMD160_C, MBEDTLS_SHA1_C,
|
|
||||||
* MBEDTLS_SHA224_C, MBEDTLS_SHA256_C, MBEDTLS_SHA384_C,
|
|
||||||
* MBEDTLS_SHA512_C, or MBEDTLS_PSA_CRYPTO_C with at least
|
|
||||||
* one hash.
|
|
||||||
* Module: library/md.c
|
|
||||||
* Caller: library/constant_time.c
|
|
||||||
* library/ecdsa.c
|
|
||||||
* library/ecjpake.c
|
|
||||||
* library/hkdf.c
|
|
||||||
* library/hmac_drbg.c
|
|
||||||
* library/pk.c
|
|
||||||
* library/pkcs5.c
|
|
||||||
* library/pkcs12.c
|
|
||||||
* library/psa_crypto_ecp.c
|
|
||||||
* library/psa_crypto_rsa.c
|
|
||||||
* library/rsa.c
|
|
||||||
* library/ssl_cookie.c
|
|
||||||
* library/ssl_msg.c
|
|
||||||
* library/ssl_tls.c
|
|
||||||
* library/x509.c
|
|
||||||
* library/x509_crt.c
|
|
||||||
* library/x509write_crt.c
|
|
||||||
* library/x509write_csr.c
|
|
||||||
*
|
|
||||||
* Uncomment to enable generic message digest wrappers.
|
|
||||||
*/
|
|
||||||
#define MBEDTLS_MD_C
|
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
* \def MBEDTLS_MEMORY_BUFFER_ALLOC_C
|
||||||
|
@ -476,6 +378,15 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_PLATFORM_C
|
#define MBEDTLS_PLATFORM_C
|
||||||
|
|
||||||
|
#define MBEDTLS_PLATFORM_NO_STD_FUNCTIONS
|
||||||
|
#define MBEDTLS_PLATFORM_STD_MEM_HDR <stdlib.h>
|
||||||
|
|
||||||
|
#include <stdio.h>
|
||||||
|
|
||||||
|
#define MBEDTLS_PLATFORM_SNPRINTF_MACRO snprintf
|
||||||
|
#define MBEDTLS_PLATFORM_PRINTF_ALT
|
||||||
|
#define MBEDTLS_PLATFORM_STD_EXIT_SUCCESS EXIT_SUCCESS
|
||||||
|
#define MBEDTLS_PLATFORM_STD_EXIT_FAILURE EXIT_FAILURE
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \def MBEDTLS_PSA_CRYPTO_C
|
* \def MBEDTLS_PSA_CRYPTO_C
|
||||||
|
@ -500,9 +411,7 @@
|
||||||
* either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
|
* either MBEDTLS_PSA_ITS_FILE_C or a native implementation of
|
||||||
* the PSA ITS interface
|
* the PSA ITS interface
|
||||||
*/
|
*/
|
||||||
// This macro is enabled in TFM Medium but is disabled here because it is
|
#define MBEDTLS_PSA_CRYPTO_STORAGE_C
|
||||||
// incompatible with baremetal builds in Mbed TLS.
|
|
||||||
//#define MBEDTLS_PSA_CRYPTO_STORAGE_C
|
|
||||||
|
|
||||||
/* \} name SECTION: mbed TLS modules */
|
/* \} name SECTION: mbed TLS modules */
|
||||||
|
|
||||||
|
@ -606,6 +515,47 @@
|
||||||
/* ECP options */
|
/* ECP options */
|
||||||
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
|
#define MBEDTLS_ECP_FIXED_POINT_OPTIM 0 /**< Disable fixed-point speed-up */
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Uncomment to enable p256-m. This is an alternative implementation of
|
||||||
|
* key generation, ECDH and (randomized) ECDSA on the curve SECP256R1.
|
||||||
|
* Compared to the default implementation:
|
||||||
|
*
|
||||||
|
* - p256-m has a much smaller code size and RAM footprint.
|
||||||
|
* - p256-m is only available via the PSA API. This includes the pk module
|
||||||
|
* when #MBEDTLS_USE_PSA_CRYPTO is enabled.
|
||||||
|
* - p256-m does not support deterministic ECDSA, EC-JPAKE, custom protocols
|
||||||
|
* over the core arithmetic, or deterministic derivation of keys.
|
||||||
|
*
|
||||||
|
* We recommend enabling this option if your application uses the PSA API
|
||||||
|
* and the only elliptic curve support it needs is ECDH and ECDSA over
|
||||||
|
* SECP256R1.
|
||||||
|
*
|
||||||
|
* If you enable this option, you do not need to enable any ECC-related
|
||||||
|
* MBEDTLS_xxx option. You do need to separately request support for the
|
||||||
|
* cryptographic mechanisms through the PSA API:
|
||||||
|
* - #MBEDTLS_PSA_CRYPTO_C and #MBEDTLS_PSA_CRYPTO_CONFIG for PSA-based
|
||||||
|
* configuration;
|
||||||
|
* - #MBEDTLS_USE_PSA_CRYPTO if you want to use p256-m from PK, X.509 or TLS;
|
||||||
|
* - #PSA_WANT_ECC_SECP_R1_256;
|
||||||
|
* - #PSA_WANT_ALG_ECDH and/or #PSA_WANT_ALG_ECDSA as needed;
|
||||||
|
* - #PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY, #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC,
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT,
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT and/or
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE as needed.
|
||||||
|
*
|
||||||
|
* \note To benefit from the smaller code size of p256-m, make sure that you
|
||||||
|
* do not enable any ECC-related option not supported by p256-m: this
|
||||||
|
* would cause the built-in ECC implementation to be built as well, in
|
||||||
|
* order to provide the required option.
|
||||||
|
* Make sure #PSA_WANT_ALG_DETERMINISTIC_ECDSA, #PSA_WANT_ALG_JPAKE and
|
||||||
|
* #PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE, and curves other than
|
||||||
|
* SECP256R1 are disabled as they are not supported by this driver.
|
||||||
|
* Also, avoid defining #MBEDTLS_PK_PARSE_EC_COMPRESSED or
|
||||||
|
* #MBEDTLS_PK_PARSE_EC_EXTENDED as those currently require a subset of
|
||||||
|
* the built-in ECC implementation, see docs/driver-only-builds.md.
|
||||||
|
*/
|
||||||
|
#define MBEDTLS_PSA_P256M_DRIVER_ENABLED
|
||||||
|
|
||||||
/* \} name SECTION: Customisation configuration options */
|
/* \} name SECTION: Customisation configuration options */
|
||||||
|
|
||||||
#if CRYPTO_NV_SEED
|
#if CRYPTO_NV_SEED
|
|
@ -99,8 +99,8 @@ We can classify code that implements or uses cryptographic mechanisms into sever
|
||||||
* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
|
* Software implementations of primitive cryptographic mechanisms. These are not expected to change.
|
||||||
* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
|
* Software implementations of constructed cryptographic mechanisms (e.g. HMAC, CTR_DRBG, RSA (calling a hash for PSS/OAEP, and needing to know the hash length in PKCS1v1.5 sign/verify), …). These need to keep working whenever a legacy implementation of the auxiliary mechanism is available, regardless of whether a PSA implementation is also available.
|
||||||
* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
|
* Code implementing the PSA crypto interface. This is not expected to change, except perhaps to expose some internal functionality to overhauled glue code.
|
||||||
* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding TLS 1.3).
|
* Code that's subject to `MBEDTLS_USE_PSA_CRYPTO`: `pk.h`, X.509, TLS (excluding parts specific TLS 1.3).
|
||||||
* Code that always uses PSA for crypto: TLS 1.3, LMS.
|
* Code that always uses PSA for crypto: TLS 1.3 (except things common with 1.2), LMS.
|
||||||
|
|
||||||
For the purposes of this work, three domains emerge:
|
For the purposes of this work, three domains emerge:
|
||||||
|
|
||||||
|
@ -110,23 +110,79 @@ For the purposes of this work, three domains emerge:
|
||||||
|
|
||||||
#### Non-use-PSA modules
|
#### Non-use-PSA modules
|
||||||
|
|
||||||
The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption:
|
The following modules in Mbed TLS call another module to perform cryptographic operations which, in the long term, will be provided through a PSA interface, but cannot make any PSA-related assumption.
|
||||||
|
|
||||||
* CCM (block cipher in ECB mode; interdependent with cipher)
|
Hashes and HMAC (after the work on driver-only hashes):
|
||||||
* cipher (cipher and AEAD algorithms)
|
|
||||||
* CMAC (AES-ECB and DES-ECB, but could be extended to the other block ciphers; interdependent with cipher)
|
* entropy (hashes via MD-light)
|
||||||
* CTR\_DRBG (AES-ECB, but could be extended to the other block ciphers)
|
|
||||||
* entropy (hashes via low-level)
|
|
||||||
* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
|
* ECDSA (HMAC\_DRBG; `md.h` exposed through API)
|
||||||
* ECJPAKE (hashes via md; `md.h` exposed through API)
|
* ECJPAKE (hashes via MD-light; `md.h` exposed through API)
|
||||||
* GCM (block cipher in ECB mode; interdependent with cipher)
|
* MD (hashes and HMAC)
|
||||||
* md (hashes and HMAC)
|
* HKDF (HMAC via `md.h`; `md.h` exposed through API)
|
||||||
* NIST\_KW (AES-ECB; interdependent with cipher)
|
|
||||||
* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
|
* HMAC\_DRBG (hashes and HMAC via `md.h`; `md.h` exposed through API)
|
||||||
* PEM (AES and DES in CBC mode without padding; MD5 hash via low-level)
|
* PKCS12 (hashes via MD-light)
|
||||||
* PKCS12 (cipher, generically, selected from ASN.1 or function parameters; hashes via md; `cipher.h` exposed through API)
|
* PKCS5 (HMAC via `md.h`; `md.h` exposed through API)
|
||||||
* PKCS5 (cipher, generically, selected from ASN.1; HMAC via `md.h`; `md.h` exposed through API)
|
* PKCS7 (hashes via MD)
|
||||||
* RSA (hash via md for PSS and OAEP; `md.h` exposed through API)
|
* RSA (hash via MD-light for PSS and OAEP; `md.h` exposed through API)
|
||||||
|
* PEM (MD5 hash via MD-light)
|
||||||
|
|
||||||
|
Symmetric ciphers and AEADs (before work on driver-only cipher):
|
||||||
|
|
||||||
|
* PEM:
|
||||||
|
* AES, DES or 3DES in CBC mode without padding, decrypt only (!).
|
||||||
|
* Currently using low-level non-generic APIs.
|
||||||
|
* No hard dependency, features guarded by `AES_C` resp. `DES_C`.
|
||||||
|
* Functions called: `setkey_dec()` + `crypt_cbc()`.
|
||||||
|
* PKCS12:
|
||||||
|
* In practice: 2DES or 3DES in CBC mode with PKCS7 padding, decrypt only
|
||||||
|
(when called from pkparse).
|
||||||
|
* In principle: any cipher-mode (default padding), passed an
|
||||||
|
`mbedtls_cipher_type_t` as an argument, no documented restriction.
|
||||||
|
* Cipher, generically, selected from ASN.1 or function parameters;
|
||||||
|
no documented restriction but in practice TODO (inc. padding and
|
||||||
|
en/decrypt, look at standards and tests)
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Note: `cipher.h` exposed through API.
|
||||||
|
* Functions called: `setup`, `setkey`, `set_iv`, `reset`, `update`, `finish` (in sequence, once).
|
||||||
|
* PKCS5 (PBES2, `mbedtls_pkcs5_pbes2()`):
|
||||||
|
* 3DES or DES in CBC mode with PKCS7 padding, both encrypt and decrypt.
|
||||||
|
* Note: could also be AES in the future, see #7038.
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Functions called: `setup`, `setkey`, `crypt`.
|
||||||
|
* CTR\_DRBG:
|
||||||
|
* AES in ECB mode, encrypt only.
|
||||||
|
* Currently using low-level non-generic API (`aes.h`).
|
||||||
|
* Unconditional dependency on `AES_C` in `check_config.h`.
|
||||||
|
* Functions called: `setkey_enc`, `crypt_ecb`.
|
||||||
|
* CCM:
|
||||||
|
* AES, Camellia or Aria in ECB mode, encrypt only.
|
||||||
|
* Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Note: also called by `cipher.c` if enabled.
|
||||||
|
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
|
||||||
|
* CMAC:
|
||||||
|
* AES or DES in ECB mode, encrypt only.
|
||||||
|
* Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Note: also called by `cipher.c` if enabled.
|
||||||
|
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
|
||||||
|
* GCM:
|
||||||
|
* AES, Camellia or Aria in ECB mode, encrypt only.
|
||||||
|
* Unconditional dependency on `AES_C || CAMELLIA_C || ARIA_C` in `check_config.h`.
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Note: also called by `cipher.c` if enabled.
|
||||||
|
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
|
||||||
|
* NIST\_KW:
|
||||||
|
* AES in ECB mode, both encryt and decrypt.
|
||||||
|
* Unconditional dependency on `AES_C || DES_C` in `check_config.h`.
|
||||||
|
* Unconditional dependency on `CIPHER_C` in `check_config.h`.
|
||||||
|
* Note: also called by `cipher.c` if enabled.
|
||||||
|
* Note: `cipher.h` exposed through API.
|
||||||
|
* Functions called: `info`, `setup`, `setkey`, `update` (several times) - (never finish)
|
||||||
|
* Cipher:
|
||||||
|
* potentially any cipher/AEAD in any mode and any direction
|
||||||
|
|
||||||
|
Note: PSA cipher is built on Cipher, but PSA AEAD directly calls the underlying AEAD modules (GCM, CCM, ChachaPoly).
|
||||||
|
|
||||||
### Difficulties
|
### Difficulties
|
||||||
|
|
||||||
|
@ -263,12 +319,72 @@ These problems are easily solvable.
|
||||||
* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
|
* We can make names and HMAC optional. The mixed-domain hash interface won't be the full `MBEDTLS_MD_C` but a subset.
|
||||||
* We can optimize `md.c` without making API changes to `md.h`.
|
* We can optimize `md.c` without making API changes to `md.h`.
|
||||||
|
|
||||||
|
### Scope reductions and priorities for 3.x
|
||||||
|
|
||||||
|
This section documents things that we chose to temporarily exclude from the scope in the 3.x branch (which will eventually be in scope again after 4.0) as well as things we chose to prioritize if we don't have time to support everything.
|
||||||
|
|
||||||
|
#### Don't support PK, X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`
|
||||||
|
|
||||||
|
We do not need to support driver-only hashes and ciphers in PK. X.509 and TLS without `MBEDTLS_USE_PSA_CRYPTO`. Users who want to take full advantage of drivers will need to enabled this macro.
|
||||||
|
|
||||||
|
Note that this applies to TLS 1.3 as well, as some uses of hashes and all uses of ciphers there are common with TLS 1.2, hence governed by `MBEDTLS_USE_PSA_CRYPTO`, see [this macro's extended documentation](../../docs/use-psa-crypto.html).
|
||||||
|
|
||||||
|
This will go away naturally in 4.0 when this macros is not longer an option (because it's always on).
|
||||||
|
|
||||||
|
#### Don't support for `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`
|
||||||
|
|
||||||
|
We generally don't really support builds with `MBEDTLS_PSA_CRYPTO_CLIENT` without `MBEDTLS_PSA_CRYPTO_C`. For example, both `MBEDTLS_USE_PSA_CRYPTO` and `MBEDTLS_SSL_PROTO_TLS1_3` require `MBEDTLS_PSA_CRYPTO_C`, while in principle they should only require `MBEDTLS_PSA_CRYPTO_CLIENT`.
|
||||||
|
|
||||||
|
Considering this existing restriction which we do not plan to lift before 4.0, it is acceptable driver-only hashes and cipher support to have the same restriction in 3.x.
|
||||||
|
|
||||||
|
It is however desirable for the design to keep support for `MBEDTLS_PSA_CRYPTO_CLIENT` in mind, in order to avoid making it more difficult to add in the future.
|
||||||
|
|
||||||
|
#### For cipher: prioritize constrained devices and modern TLS
|
||||||
|
|
||||||
|
The primary target is a configuration like TF-M's medium profile, plus TLS with only AEAD ciphersuites.
|
||||||
|
|
||||||
|
This excludes things like:
|
||||||
|
- Support for encrypted PEM, PKCS5 and PKCS12 encryption, and PKCS8 encrypted keys in PK parse. (Not widely used on highly constrained devices.)
|
||||||
|
- Support for NIST-KW. (Same justification.)
|
||||||
|
- Support for CMAC. (Same justification, plus can be directly accelerated.)
|
||||||
|
- Support for CBC ciphersuites in TLS. (They've been recommended against for a while now.)
|
||||||
|
|
||||||
|
### Dual-dispatch for block cipher primitives
|
||||||
|
|
||||||
|
Considering the priorities stated above, initially we want to support GCM, CCM and CTR-DRBG. All three of them use the block cipher primitive only in the encrypt direction. Currently, GCM and CCM use the Cipher layer in order to work with AES, Aria and Camellia (DES is excluded by the standards due to its smaller block size) and CTR-DRBG directly uses the low-level API from `aes.h`. In all cases, access to the "block cipher primitive" is done by using "ECB mode" (which for both Cipher and `aes.h` only allows a single block, contrary to PSA which implements actual ECB mode).
|
||||||
|
|
||||||
|
The two AEAD modes, GCM and CCM, have very similar needs and positions in the stack, strongly suggesting using the same design for both. On the other hand, there are a number of differences between CTR-DRBG and them.
|
||||||
|
- CTR-DRBG only uses AES (and there is no plan to extend it to other block ciphers at the moment), while GCM and CCM need to work with 3 block ciphers already.
|
||||||
|
- CTR-DRBG holds a special position in the stack: most users don't care about it per se, they only care about getting random numbers - in fact PSA users don't even need to know what DRBG is used. In particular, no part of the stack is asking questions like "is CTR-DRBG-AES available?" - an RNG needs to be available and that's it - contrary to similar questions about AES-GCM etc. which are asked for example by TLS.
|
||||||
|
|
||||||
|
So, it makes sense to use different designs for CTR-DRBG on one hand, and GCM/CCM on the other hand:
|
||||||
|
- CTR-DRBG can just check if `AES_C` is present and "fall back" to PSA if not.
|
||||||
|
- GCM and CCM need an common abstraction layer that allows:
|
||||||
|
- Using AES, Aria or Camellia in a uniform way.
|
||||||
|
- Dispatching to built-in or driver.
|
||||||
|
|
||||||
|
The abstraction layer used by GCM and CCM may either be a new internal module, or a subset of the existing Cipher API, extended with the ability to dispatch to a PSA driver.
|
||||||
|
|
||||||
|
Reasons for making this layer's API a subset of the existing Cipher API:
|
||||||
|
- No need to design, implement and test a new module. (Will need to test the new subset though, as well as the extended behaviour.)
|
||||||
|
- No code change in GCM and CCM - only need to update dependencies.
|
||||||
|
- No risk for code duplication between a potential new module and Cipher: source-level, and in in particular in builds that still have `CIPHER_C` enabled. (Compiled-code duplication could be avoided by excluding the new module in such builds, though.)
|
||||||
|
- If want to support other users of Cipher later (such as NIST-KW, CMAC, PKCS5 and PKCS12), we can just extend dual-dispatch support to other modes/operations in Cipher and keep those extra modules unchanged as well.
|
||||||
|
|
||||||
|
Possible costs of re-using (a subset of) the existing Cipher API instead of defining a new one:
|
||||||
|
- We carry over costs associated with `cipher_info_t` structures. (Currently the info structure is used for 3 things: (1) to check if the cipher is supported, (2) to check its block size, (3) because `setup()` requires it).
|
||||||
|
- We carry over questionable implementation decisions, like dynamic allocation of context.
|
||||||
|
|
||||||
|
Those costs could be avoided by refactoring (parts of) Cipher, but that would probably mean either:
|
||||||
|
- significant differences in how the `cipher.h` API is implemented between builds with the full Cipher or only a subset;
|
||||||
|
- or more work to apply the simplifications to all of Cipher.
|
||||||
|
|
||||||
|
Prototyping both approaches showed better code size savings and cleaner code with a new internal module (see section "Internal "block cipher" abstraction (Cipher light)" below).
|
||||||
|
|
||||||
## Specification
|
## Specification
|
||||||
|
|
||||||
### MD light
|
### MD light
|
||||||
|
|
||||||
https://github.com/Mbed-TLS/mbedtls/pull/6474 implements part of this specification, but it's based on Mbed TLS 3.2, so it needs to be rewritten for 3.3.
|
|
||||||
|
|
||||||
#### Definition of MD light
|
#### Definition of MD light
|
||||||
|
|
||||||
MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
|
MD light is a subset of `md.h` that implements the hash calculation interface described in ”[Designing an interface for hashes](#designing-an-interface-for-hashes)”. It is activated by `MBEDTLS_MD_LIGHT` in `mbedtls_config.h`.
|
||||||
|
@ -378,7 +494,7 @@ int psa_can_do_hash(psa_algorithm_t hash_alg);
|
||||||
|
|
||||||
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
|
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA.
|
||||||
|
|
||||||
As a starting point, return 1 if PSA crypto has been initialized. This will be refined later (to return 1 if the [accelerator subsystem](https://github.com/Mbed-TLS/mbedtls/issues/6007) has been initialized).
|
As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
|
||||||
|
|
||||||
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
|
Usage note: for algorithms that are not enabled via PSA, calling `psa_can_do_hash` is generally safe: whether it returns 0 or 1, you can call a PSA hash function on the algorithm and it will return `PSA_ERROR_NOT_SUPPORTED`.
|
||||||
|
|
||||||
|
@ -398,31 +514,7 @@ Note that this assumes that an operation that has been started via PSA can be co
|
||||||
|
|
||||||
#### Error code conversion
|
#### Error code conversion
|
||||||
|
|
||||||
After calling a PSA function, call `mbedtls_md_error_from_psa` to convert its status code. This function is currently defined in `hash_info.c`.
|
After calling a PSA function, MD light calls `mbedtls_md_error_from_psa` to convert its status code.
|
||||||
|
|
||||||
### Migration to MD light
|
|
||||||
|
|
||||||
#### Migration of modules that used to call MD and now do the legacy-or-PSA dance
|
|
||||||
|
|
||||||
Get rid of the case where `MBEDTLS_MD_C` is undefined. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
|
|
||||||
|
|
||||||
#### Migration of modules that used to call a low-level hash module and now do the legacy-or-PSA dance
|
|
||||||
|
|
||||||
Switch to calling MD (light) unconditionally. Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
|
|
||||||
|
|
||||||
#### Migration of modules that call a low-level hash module
|
|
||||||
|
|
||||||
Switch to calling MD (light). Enable `MBEDTLS_MD_LIGHT` in `build_info.h`.
|
|
||||||
|
|
||||||
#### Migration of use-PSA mixed code
|
|
||||||
|
|
||||||
Instead of calling `hash_info.h` functions to obtain metadata, get it from `md.h`.
|
|
||||||
|
|
||||||
Optionally, code that currently tests on `MBEDTLS_USE_PSA_CRYPTO` just to determine whether to call MD or PSA to calculate hashes can switch to just having the MD variant.
|
|
||||||
|
|
||||||
#### Remove `legacy_or_psa.h`
|
|
||||||
|
|
||||||
It's no longer used.
|
|
||||||
|
|
||||||
### Support all legacy algorithms in PSA
|
### Support all legacy algorithms in PSA
|
||||||
|
|
||||||
|
@ -461,10 +553,6 @@ static inline psa_algorithm_t psa_alg_of_md_info(
|
||||||
|
|
||||||
Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
|
Work in progress on this conversion is at https://github.com/gilles-peskine-arm/mbedtls/tree/hash-unify-ids-wip-1
|
||||||
|
|
||||||
#### Get rid of the hash_info module
|
|
||||||
|
|
||||||
The hash_info module is redundant with MD light. Move `mbedtls_md_error_from_psa` to `md.c`, defined only when `MBEDTLS_MD_SOME_PSA` is defined. The rest is no longer used.
|
|
||||||
|
|
||||||
#### Unify HMAC with PSA
|
#### Unify HMAC with PSA
|
||||||
|
|
||||||
PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
|
PSA has its own HMAC implementation. In builds with both `MBEDTLS_MD_C` and `PSA_WANT_ALG_HMAC` not fully provided by drivers, we should have a single implementation. Replace the one in `md.h` by calls to the PSA driver interface. This will also give mixed-domain modules access to HMAC accelerated directly by a PSA driver (eliminating the need to a HMAC interface in software if all supported hashes have an accelerator that includes HMAC support).
|
||||||
|
@ -477,3 +565,52 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l
|
||||||
|
|
||||||
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
|
* Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`.
|
||||||
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
|
* Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim.
|
||||||
|
|
||||||
|
### Internal "block cipher" abstraction (previously known as "Cipher light")
|
||||||
|
|
||||||
|
#### Definition
|
||||||
|
|
||||||
|
The new module is automatically enabled in `config_adjust_legacy_crypto.h` by modules that need
|
||||||
|
it (namely: CCM, GCM) only when `CIPHER_C` is not available, or the new module
|
||||||
|
is needed for PSA dispatch (see next section). Note: CCM and GCM currently
|
||||||
|
depend on the full `CIPHER_C` (enforced by `check_config.h`); this hard
|
||||||
|
dependency would be replaced by the above auto-enablement.
|
||||||
|
|
||||||
|
The following API functions are offered:
|
||||||
|
```
|
||||||
|
void mbedtls_block_cipher_init(mbedtls_block_cipher_context_t *ctx);
|
||||||
|
void mbedtls_block_cipher_free(mbedtls_block_cipher_context_t *ctx);
|
||||||
|
int mbedtls_block_cipher_setup(mbedtls_block_cipher_context_t *ctx,
|
||||||
|
mbedtls_cipher_id_t cipher_id);
|
||||||
|
int mbedtls_block_cipher_setkey(mbedtls_block_cipher_context_t *ctx,
|
||||||
|
const unsigned char *key,
|
||||||
|
unsigned key_bitlen);
|
||||||
|
int mbedtls_block_cipher_encrypt(mbedtls_block_cipher_context_t *ctx,
|
||||||
|
const unsigned char input[16],
|
||||||
|
unsigned char output[16]);
|
||||||
|
```
|
||||||
|
|
||||||
|
The only supported ciphers are AES, ARIA and Camellia. They are identified by
|
||||||
|
an `mbedtls_cipher_id_t` in the `setup()` function, because that's how they're
|
||||||
|
identifed by callers (GCM/CCM).
|
||||||
|
|
||||||
|
#### Block cipher dual dispatch
|
||||||
|
|
||||||
|
Support for dual dispatch in the new internal module `block_cipher` is extremely similar to that in MD light.
|
||||||
|
|
||||||
|
A block cipher context contains either a legacy module's context (AES, ARIA, Camellia) or a PSA key identifier; it has a field indicating which one is in use. All fields are private.
|
||||||
|
|
||||||
|
The `engine` field is almost redundant with knowledge about `type`. However, when an algorithm is available both via a legacy module and a PSA accelerator, we will choose based on the runtime availability of the accelerator when the context is set up. This choice needs to be recorded in the context structure.
|
||||||
|
|
||||||
|
Support is determined at runtime using the new internal function
|
||||||
|
```
|
||||||
|
int psa_can_do_cipher(psa_key_type_t key_type, psa_algorithm_t cipher_alg);
|
||||||
|
```
|
||||||
|
|
||||||
|
The job of this private function is to return 1 if `hash_alg` can be performed through PSA now, and 0 otherwise. It is only defined on algorithms that are enabled via PSA. As a starting point, return 1 if PSA crypto's driver subsystem has been initialized.
|
||||||
|
|
||||||
|
Each function in the module needs to know whether to dispatch via PSA or legacy. All functions consult the context's `engine` field, except `setup()` which will set it according to the key type and the return value of `psa_can_do_cipher()` as discussed above.
|
||||||
|
|
||||||
|
Note that this assumes that an operation that has been started via PSA can be completed. This implies that `mbedtls_psa_crypto_free` must not be called while an operation using PSA is in progress.
|
||||||
|
|
||||||
|
After calling a PSA function, `block_cipher` functions call `mbedtls_cipher_error_from_psa` to convert its status code.
|
||||||
|
|
344
docs/architecture/psa-migration/psa-legacy-bridges.md
Normal file
344
docs/architecture/psa-migration/psa-legacy-bridges.md
Normal file
|
@ -0,0 +1,344 @@
|
||||||
|
Bridges between legacy and PSA crypto APIs
|
||||||
|
==========================================
|
||||||
|
|
||||||
|
## Introduction
|
||||||
|
|
||||||
|
### Goal of this document
|
||||||
|
|
||||||
|
This document explores the needs of applications that use both Mbed TLS legacy crypto interfaces and PSA crypto interfaces. Based on [requirements](#requirements), we [analyze gaps](#gap-analysis) and [API design](#api-design).
|
||||||
|
|
||||||
|
This is a design document. The target audience is library maintainers. See the companion document [“Transitioning to the PSA API”](../../psa-transition.md) for a user focus on the same topic.
|
||||||
|
|
||||||
|
### Keywords
|
||||||
|
|
||||||
|
* [TODO] A part of the analysis that isn't finished.
|
||||||
|
* [OPEN] Open question: a specific aspect of the design where there are several plausible decisions.
|
||||||
|
* [ACTION] A finalized part of the design that will need to be carried out.
|
||||||
|
|
||||||
|
### Context
|
||||||
|
|
||||||
|
Mbed TLS 3.x supports two cryptographic APIs:
|
||||||
|
|
||||||
|
* The legacy API `mbedtls_xxx` is inherited from PolarSSL.
|
||||||
|
* The PSA API `psa_xxx` was introduced in Mbed TLS 2.17.
|
||||||
|
|
||||||
|
Mbed TLS is gradually shifting from the legacy API to the PSA API. Mbed TLS 4.0 will be the first version where the PSA API is considered the main API, and large parts of the legacy API will be removed.
|
||||||
|
|
||||||
|
In Mbed TLS 4.0, the cryptography will be provided by a separate project [TF-PSA-Crypto](https://github.com/Mbed-TLS/TF-PSA-Crypto). For simplicity, in this document, we just refer to the whole as “Mbed TLS”.
|
||||||
|
|
||||||
|
### Document history
|
||||||
|
|
||||||
|
This document was originally written when preparing Mbed TLS 3.6. Mbed TLS 3.6 includes both PSA and legacy APIs covering largely overlapping ground. Many legacy APIs will be removed in Mbed TLS 4.0.
|
||||||
|
|
||||||
|
## Requirements
|
||||||
|
|
||||||
|
### Why mix APIs?
|
||||||
|
|
||||||
|
There is functionality that is tied to one API and is not directly available in the other API:
|
||||||
|
|
||||||
|
* Only PSA fully supports PSA accelerators and secure element integration.
|
||||||
|
* Only PSA supports isolating cryptographic material in a secure service.
|
||||||
|
* The legacy API has features that are not present (yet) in PSA, notably parsing and formatting asymmetric keys.
|
||||||
|
|
||||||
|
The legacy API can partially leverage PSA features via `MBEDTLS_USE_PSA_CRYPTO`, but this has limited scope.
|
||||||
|
|
||||||
|
In addition, many applications cannot be migrated in a single go. For large projects, it is impractical to rewrite a significant part of the code all at once. (For example, Mbed TLS itself will have taken more than 6 years to transition.) Projects that use one or more library in addition to Mbed TLS must follow the evolution of these libraries, each of which might have its own pace.
|
||||||
|
|
||||||
|
### Where mixing happens
|
||||||
|
|
||||||
|
Mbed TLS can be, and normally is, built with support for both APIs. Therefore no special effort is necessary to allow an application to use both APIs.
|
||||||
|
|
||||||
|
Special effort is necessary to use both APIs as part of the implementation of the same feature. From an informal analysis of typical application requirements, we identify four parts of the use of cryptography which can be provided by different APIs:
|
||||||
|
|
||||||
|
* Metadata manipulation: parsing and producing encrypted or signed files, finding mutually supported algorithms in a network protocol negotiation, etc.
|
||||||
|
* Key management: parsing, generating, deriving and formatting cryptographic keys.
|
||||||
|
* Data manipulation other than keys. In practice, most data formats within the scope of the legacy crypto APIs are trivial (ciphertexts, hashes, MACs, shared secrets). The one exception is ECDSA signatures.
|
||||||
|
* Cryptographic operations: hash, sign, encrypt, etc.
|
||||||
|
|
||||||
|
From this, we deduce the following requirements:
|
||||||
|
|
||||||
|
* Convert between PSA and legacy metadata.
|
||||||
|
* Creating a key with the legacy API and consuming it in the PSA API.
|
||||||
|
* Creating a key with the PSA API and consuming it in the legacy API.
|
||||||
|
* Manipulating data formats, other than keys, where the PSA API is lacking.
|
||||||
|
|
||||||
|
### Scope limitations
|
||||||
|
|
||||||
|
The goal of this document is to bridge the legacy API and the PSA API. The goal is not to provide a PSA way to do everything that is currently possible with the legacy API. The PSA API is less flexible in some regards, and extending it is out of scope in the present study.
|
||||||
|
|
||||||
|
With respect to the legacy API, we do not consider functionality of low-level modules for individual algorithms. Our focus is on applications that use high-level legacy crypto modules (md, cipher, pk) and need to combine that with uses of the PSA APIs.
|
||||||
|
|
||||||
|
## Gap analysis
|
||||||
|
|
||||||
|
The document [“Transitioning to the PSA API”](../../psa-transition.md) enumerates the public header files in Mbed TLS 3.4 and the API elements (especially enums and functions) that they provide, listing PSA equivalents where they exist. There are gaps in two cases:
|
||||||
|
|
||||||
|
* Where the PSA equivalents do not provide the same functionality. A typical example is parsing and formatting asymmetric keys.
|
||||||
|
* To convert between data representations used by legacy APIs and data representations used by PSA APIs.
|
||||||
|
|
||||||
|
Based on “[Where mixing happens](#where-mixing-happens)”, we focus the gap analysis on two topics: metadata and keys. This chapter explores the gaps in each family of cryptographic mechanisms.
|
||||||
|
|
||||||
|
### Generic metadata gaps
|
||||||
|
|
||||||
|
#### Need for error code conversion
|
||||||
|
|
||||||
|
Do we need public functions to convert between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` error codes? We have such functions for internal use.
|
||||||
|
|
||||||
|
Mbed TLS needs these conversions because it has many functions that expose one API (legacy/API) but are implemented on top of the other API. Most applications would convert legacy and PSA error code to their own error codes, and converting between `MBEDTLS_ERR_xxx` error codes and `PSA_ERROR_xxx` is not particularly helpful for that. Application code might need such conversion functions when implementing an X.509 or TLS callback (returning `MBEDTLS_ERR_xxx`) on top of PSA functions, but this is a very limited use case.
|
||||||
|
|
||||||
|
Conclusion: no need for public error code conversion functions.
|
||||||
|
|
||||||
|
### Hash gap analysis
|
||||||
|
|
||||||
|
Hashes do not involve keys, and involves no nontrivial data format. Therefore the only gap is with metadata, namely specifying a hash algorithm.
|
||||||
|
|
||||||
|
Hashes are often used as building blocks for other mechanisms (HMAC, signatures, key derivation, etc.). Therefore metadata about hashes is relevant not only when calculating hashes, but also when performing many other cryptographic operations.
|
||||||
|
|
||||||
|
Gap: functions to convert between `psa_algorithm_t` hash algorithms and `mbedtls_md_type_t`. Such functions exist in Mbed TLS 3.5 (`mbedtls_md_psa_alg_from_type`, `mbedtls_md_type_from_psa_alg`) but they are declared only in private headers.
|
||||||
|
|
||||||
|
### MAC gap analysis
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Cipher and AEAD gap analysis
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Key derivation gap analysis
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Random generation gap analysis
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Asymmetric cryptography gap analysis
|
||||||
|
|
||||||
|
#### Asymmetric cryptography metadata
|
||||||
|
|
||||||
|
The legacy API only has generic support for two key types: RSA and ECC, via the pk module. ECC keys can also be further classified according to their curve. The legacy API also supports DHM (Diffie-Hellman-Merkle = FFDH: finite-field Diffie-Hellman) keys, but those are not integrated in the pk module.
|
||||||
|
|
||||||
|
An RSA or ECC key can potentially be used for different algorithms in the scope of the pk module:
|
||||||
|
|
||||||
|
* RSA: PKCS#1v1.5 signature, PSS signature, PKCS#1v1.5 encryption, OAEP encryption.
|
||||||
|
* ECC: ECDSA signature (randomized or deterministic), ECDH key agreement (via `mbedtls_pk_ec`).
|
||||||
|
|
||||||
|
ECC keys are also involved in EC-JPAKE, but this happens internally: the EC-JPAKE interface only needs one piece of metadata, namely, to identify a curve.
|
||||||
|
|
||||||
|
Since there is no algorithm that can be used with multiple types, and PSA keys have a policy that (for the most part) limits them to one algorithm, there does not seem to be a need to convert between legacy and PSA asymmetric key types on their own. The useful metadata conversions are:
|
||||||
|
|
||||||
|
* Selecting an **elliptic curve**.
|
||||||
|
|
||||||
|
This means converting between an `mbedtls_ecp_group_id` and a pair of `{psa_ecc_family_t; size_t}`.
|
||||||
|
|
||||||
|
This is fulfilled by `mbedtls_ecc_group_to_psa` and `mbedtls_ecc_group_from_psa`, which were introduced into the public API between Mbed TLS 3.5 and 3.6 ([#8664](https://github.com/Mbed-TLS/mbedtls/pull/8664)).
|
||||||
|
|
||||||
|
* Selecting A **DHM group**.
|
||||||
|
|
||||||
|
PSA only supports predefined groups, whereas legacy only supports ad hoc groups. An existing application referring to `MBEDTLS_DHM_RFC7919_FFDHExxx` values would need to refer to `PSA_DH_FAMILY_RFC7919`; an existing application using arbitrary groups cannot migrate to PSA.
|
||||||
|
|
||||||
|
* Simultaneously supporting **a key type and an algorithm**.
|
||||||
|
|
||||||
|
On the legacy side, this is an `mbedtls_pk_type_t` value and more. For ECDSA, the choice between randomized and deterministic is made at compile time. For RSA, the choice of encryption or signature algorithm is made either by configuring the underlying `mbedtls_rsa_context` or when calling the operation function.
|
||||||
|
|
||||||
|
On the PSA side, this is a `psa_key_type_t` value and an algorithm which is normally encoded as policy information in a `psa_key_attributes_t`. The algorithm is also needed in its own right when calling operation functions.
|
||||||
|
|
||||||
|
#### Using a legacy key pair or public key with PSA
|
||||||
|
|
||||||
|
There are several scenarios where an application has a legacy key pair or public key (`mbedtls_pk_context`) and needs to create a PSA key object (`psa_key_id_t`).
|
||||||
|
|
||||||
|
Reasons for first creating a legacy key object, where it's impossible or impractical to directly create a PSA key:
|
||||||
|
|
||||||
|
* A very common case where the input is a legacy key object is parsing. PSA does not (yet) have an equivalent of the `mbedtls_pk_parse_xxx` functions.
|
||||||
|
* The PSA key creation interface is less flexible in some cases. In particular, PSA RSA key generation does not (yet) allow choosing the public exponent.
|
||||||
|
* The pk object may be created by a part of the application (or a third-party library) that hasn't been migrated to the PSA API yet.
|
||||||
|
|
||||||
|
Reasons for needing a PSA key object:
|
||||||
|
|
||||||
|
* Using the key with third-party interface that takes a PSA key identifier as input. (Mbed TLS itself has a few TLS functions that take PSA key identifiers, but as of Mbed TLS 3.5, it is always possible to use a legacy key instead.)
|
||||||
|
* Benefiting from a PSA accelerator, or from PSA's world separation, even without `MBEDTLS_USE_PSA_CRYPTO`. (Not a priority scenario: we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA.)
|
||||||
|
|
||||||
|
Gap: a way to create a PSA key object from an `mbedtls_pk_context`. This partially exists in the form of `mbedtls_pk_wrap_as_opaque`, but it is not fully satisfactory, for reasons that are detailed in “[API to create a PSA key from a PK context](#api-to-create-a-psa-key-from-a-pk-context)” below.
|
||||||
|
|
||||||
|
#### Using a PSA key as a PK context
|
||||||
|
|
||||||
|
There are several scenarios where an application has a PSA key and needs to use it through an interface that wants an `mbedtls_pk_context` object. Typically, there is an existing key in the PSA key store (possibly in a secure element and non-exportable), and the key needs to be used in an interface that requires a `mbedtls_pk_context *` input, such as Mbed TLS's X.509 and TLS APIs or a similar third-party interface, or the `mbedtls_pk_write_xxx` interfaces which do not (yet) have PSA equivalents.
|
||||||
|
|
||||||
|
There is a function `mbedtls_pk_setup_opaque` that mostly does this. However, it has several limitations:
|
||||||
|
|
||||||
|
* It creates a PK key of type `MBEDTLS_PK_OPAQUE` that wraps the PSA key. This is good enough in some scenarios, but not others. For example, it's ok for pkwrite, because we've upgraded the pkwrite code to handle `MBEDTLS_PK_OPAQUE`. That doesn't help users of third-party libraries that haven't yet been upgraded.
|
||||||
|
* It ties the lifetime of the PK object to the PSA key, which is error-prone: if the PSA key is destroyed but the PK object isn't, there is no way to reliably detect any subsequent misuse of the PK object.
|
||||||
|
* It is only available under `MBEDTLS_USE_PSA_CRYPTO`. This is not a priority concern, since we generally expect people to activate `MBEDTLS_USE_PSA_CRYPTO` at an early stage of their migration to PSA. However, this function is useful to use specific PSA keys in X.509/TLS regardless of whether X.509/TLS use the PSA API for all cryptographic operations, so this is a wart in the current API.
|
||||||
|
|
||||||
|
It therefore appears that we need two ways to “convert” a PSA key to PK:
|
||||||
|
|
||||||
|
* Wrapping, which is what `mbedtls_pk_setup_opaque` does. This works for any PSA key but is limited by the key's lifetime and creates a PK object with limited functionality.
|
||||||
|
* Copying, which requires a new function. This requires an exportable key but creates a fully independent, fully functional PK object.
|
||||||
|
|
||||||
|
Gap: a way to copy a PSA key into a PK context. This can only be expected to work if the PSA key is exportable.
|
||||||
|
|
||||||
|
After some discussion, have not identified anything we want to change in the behavior of `mbedtls_pk_setup_opaque`. We only want to generalize it to non-`MBEDTLS_USE_PSA_CRYPTO` and to document it better.
|
||||||
|
|
||||||
|
#### Signature formats
|
||||||
|
|
||||||
|
The pk module uses signature formats intended for X.509. The PSA module uses the simplest sensible signature format.
|
||||||
|
|
||||||
|
* For RSA, the formats are the same.
|
||||||
|
* For ECDSA, PSA uses a fixed-size concatenation of (r,s), whereas X.509 and pk use an ASN.1 DER encoding of the sequence (r,s).
|
||||||
|
|
||||||
|
Gap: We need APIs to convert between these two formats. The conversion code already exists under the hood, but it's in pieces that can't be called directly.
|
||||||
|
|
||||||
|
There is a design choice here: do we provide conversions functions for ECDSA specifically, or do we provide conversion functions that take an algorithm as argument and just happen to be a no-op with RSA? One factor is plausible extensions. These conversions functions will remain useful in Mbed TLS 4.x and perhaps beyond. We will at least add EdDSA support, and its signature encoding is the fixed-size concatenation (r,s) even in X.509. We may well also add support for some post-quantum signatures, and their concrete format is still uncertain.
|
||||||
|
|
||||||
|
Given the uncertainty, it would be nice to provide a sufficiently generic interface to convert between the PSA and the pk signature format, parametrized by the algorithm. However, it is difficult to predict exactly what parameters are needed. For example, converting from an ASN.1 ECDSA signature to (r,s) requires the knowledge of the curve, or at least the curve's size. Therefore we are not going to add a generic function at this stage.
|
||||||
|
|
||||||
|
For ECDSA, there are two plausible APIs: follow the ASN.1/X.509 write/parse APIs, or present an ordinary input/output API. The ASN.1 APIs are the way they are to accommodate nested TLV structures. But ECDSA signatures do not appear nested in TLV structures in either TLS (there's just a signature field) or X.509 (the signature is inside a BITSTRING, not directly in a SEQUENCE). So there does not seem to be a need for an ASN.1-like API for the ASN.1 format, just the format conversion itself in a buffer that just contains the signature.
|
||||||
|
|
||||||
|
#### Asymmetric cryptography TODO
|
||||||
|
|
||||||
|
[TODO] Other gaps?
|
||||||
|
|
||||||
|
## New APIs
|
||||||
|
|
||||||
|
This section presents new APIs to implement based on the [gap analysis](#gap-analysis).
|
||||||
|
|
||||||
|
### General notes
|
||||||
|
|
||||||
|
Each action to implement a function entails:
|
||||||
|
|
||||||
|
* Implement the library function.
|
||||||
|
* Document it precisely, including error conditions.
|
||||||
|
* Unit-test it.
|
||||||
|
* Mention it where relevant in the PSA transition guide.
|
||||||
|
|
||||||
|
### Hash APIs
|
||||||
|
|
||||||
|
Based on the [gap analysis](#hash-gap-analysis):
|
||||||
|
|
||||||
|
[ACTION] [#8340](https://github.com/Mbed-TLS/mbedtls/issues/8340) Move `mbedtls_md_psa_alg_from_type` and `mbedtls_md_type_from_psa_alg` from `library/md_psa.h` to `include/mbedtls/md.h`.
|
||||||
|
|
||||||
|
### MAC APIs
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Cipher and AEAD APIs
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Key derivation APIs
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Random generation APIs
|
||||||
|
|
||||||
|
[TODO]
|
||||||
|
|
||||||
|
### Asymmetric cryptography APIs
|
||||||
|
|
||||||
|
#### Asymmetric cryptography metadata APIs
|
||||||
|
|
||||||
|
Based on the [gap analysis](#asymmetric-cryptography-metadata):
|
||||||
|
|
||||||
|
* No further work is needed about RSA specifically. The amount of metadata other than hashes is sufficiently small to be handled in ad hoc ways in applications, and hashes have [their own conversions](#hash-apis).
|
||||||
|
* No further work is needed about ECC specifically. We have just added adequate functions.
|
||||||
|
* No further work is needed about DHM specifically. There is no good way to translate the relevant information.
|
||||||
|
* [OPEN] Is there a decent way to convert between `mbedtls_pk_type_t` plus extra information, and `psa_key_type_t` plus policy information? The two APIs are different in crucial ways, with different splits between key type, policy information and operation algorithm.
|
||||||
|
Thinking so far: there isn't really a nice way to present this conversion. For a specific key, `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_copy_from_psa` do the job.
|
||||||
|
|
||||||
|
#### API to create a PSA key from a PK context
|
||||||
|
|
||||||
|
Based on the [gap analysis](#using-a-legacy-key-pair-or-public-key-with-psa):
|
||||||
|
|
||||||
|
Given an `mbedtls_pk_context`, we want a function that creates a PSA key with the same key material and algorithm. “Same key material” is straightforward, but “same algorithm” is not, because a PK context has incomplete algorithm information. For example, there is no way to distinguish between an RSA key that is intended for signature or for encryption. Between algorithms of the same nature, there is no way to distinguish a key intended for PKCS#1v1.5 and one intended for PKCS#1v2.1 (OAEP/PSS): this is indicated in the underlying RSA context, but the indication there is only a default that can be overridden by calling `mbedtls_pk_{sign,verify}_ext`. Also there is no way to distinguish between `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)` and `PSA_ALG_RSA_PKCS1V15_SIGN_RAW`: in the legacy interface, this is only determined when actually doing a signature/verification operation. Therefore the function that creates the PSA key needs extra information to indicate which algorithm to put in the key's policy.
|
||||||
|
|
||||||
|
When creating a PSA key, apart from the key material, the key is determined by attributes, which fall under three categories:
|
||||||
|
|
||||||
|
* Type and size. These are directly related to the key material and can be deduced from it if the key material is in a structured format, which is the case with an `mbedtls_pk_context` input.
|
||||||
|
* Policy. This includes the chosen algorithm, which as discussed above cannot be fully deduced from the `mbedtls_pk_context` object. Just choosing one algorithm is problematic because it doesn't allow implementation-specific extensions, such as Mbed TLS's enrollment algorithm. The intended usage flags cannot be deduced from the PK context either, but the conversion function could sensibly just enable all the relevant usage flags. Users who want a more restrictive usage can call `psa_copy_key` and `psa_destroy_key` to obtain a PSA key object with a more restrictive usage.
|
||||||
|
* Persistence and location. This is completely orthogonal to the information from the `mbedtls_pk_context` object. It is convenient, but not necessary, for the conversion function to allow customizing these aspects. If it doesn't, users can call the conversion function and then call `psa_copy_key` and `psa_destroy_key` to move the key to its desired location.
|
||||||
|
|
||||||
|
To allow the full flexibility around policies, and make the creation of a persistent key more convenient, the conversion function shall take a `const psa_key_attributes_t *` input, like all other functions that create a PSA key. In addition, there shall be a helper function to populate a `psa_key_attributes_t` with a sensible default. This lets the caller choose a more flexible, or just different usage policy, unlike the default-then-copy approach which only allows restricting the policy.
|
||||||
|
|
||||||
|
This is close to the existing function `mbedtls_pk_wrap_as_opaque`, but does not bake in the implementation-specific consideration that a PSA key has exactly two algorithms, and also allows the caller to benefit from default for the policy in more cases.
|
||||||
|
|
||||||
|
[ACTION] [#8708](https://github.com/Mbed-TLS/mbedtls/issues/8708) Implement `mbedtls_pk_get_psa_attributes` and `mbedtls_pk_import_into_psa` as described below. These functions are available whenever `MBEDTLS_PK_C` and `MBEDTLS_PSA_CRYPTO_CLIENT` are both defined. Deprecate `mbedtls_pk_wrap_as_opaque`.
|
||||||
|
|
||||||
|
```
|
||||||
|
int mbedtls_pk_get_psa_attributes(const mbedtls_pk_context *pk,
|
||||||
|
psa_key_usage_flags_t usage,
|
||||||
|
psa_key_attributes_t *attributes);
|
||||||
|
int mbedtls_pk_import_into_psa(const mbedtls_pk_context *pk,
|
||||||
|
const psa_key_attributes_t *attributes,
|
||||||
|
mbedtls_svc_key_id_t *key_id);
|
||||||
|
```
|
||||||
|
|
||||||
|
* `mbedtls_pk_get_psa_attributes` does not change the id/lifetime fields of the attributes (which indicate a volatile key by default).
|
||||||
|
* [OPEN] Or should it reset them to 0? Resetting is more convenient for the case where the pk key is a `MBEDTLS_PK_OPAQUE`. But that's an uncommon use case. It's probably less surprising if this function leaves the lifetime-related alone, since its job is to set the type-related and policy-related attributes.
|
||||||
|
* `mbedtls_pk_get_psa_attributes` sets the type and size based on what's in the pk context.
|
||||||
|
* The key type is a key pair if the context contains a private key and the indicated usage is a private-key usage. The key type is a public key if the context only contains a public key, in which case a private-key usage is an error.
|
||||||
|
* `mbedtls_pk_get_psa_attributes` sets the usage flags based on the `usage` parameter. It extends the usage to other usage that is possible:
|
||||||
|
* `EXPORT` and `COPY` are always set.
|
||||||
|
* If `SIGN_{HASH,MESSAGE}` is set then so is `VERIFY_{HASH,MESSAGE}`.
|
||||||
|
* If `DECRYPT` is set then so is `ENCRYPT`.
|
||||||
|
* It is an error if `usage` has more than one flag set, or has a usage that is incompatible with the key type.
|
||||||
|
* `mbedtls_pk_get_psa_attributes` sets the algorithm usage policy based on information in the key object and on `usage`.
|
||||||
|
* For an RSA key with the `MBEDTLS_RSA_PKCS_V15` padding mode, the algorithm policy is `PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_PKCS1V15_CRYPT` for an encrypt/decrypt usage.
|
||||||
|
* For an RSA key with the `MBEDTLS_RSA_PKCS_V21` padding mode, the algorithm policy is `PSA_ALG_RSA_PSS_ANY_SALT(PSA_ALG_ANY_HASH)` for a sign/verify usage, and `PSA_ALG_RSA_OAEP(hash)` for an encrypt/decrypt usage where `hash` is from the RSA key's parameters. (Note that `PSA_ALG_ANY_HASH` is only allowed in signature algorithms.)
|
||||||
|
* For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDSA` with a sign/verify usage, the algorithm policy is `PSA_ALG_DETERMINISTIC_ECDSA` if `MBEDTLS_ECDSA_DETERMINISTIC` is enabled and `PSA_ALG_ECDSA` otherwise. In either case, the hash policy is `PSA_ALG_ANY_HASH`.
|
||||||
|
* For an `MBEDTLS_PK_ECKEY` or `MBEDTLS_PK_ECDKEY_DH` with the usage `PSA_KEY_USAGE_DERIVE`, the algorithm is `PSA_ALG_ECDH`.
|
||||||
|
* For a `MBEDTLS_PK_OPAQUE`, this function reads the attributes of the existing PK key and copies them (without overriding the lifetime and key identifier in `attributes`), then applies a public-key restriction if needed.
|
||||||
|
* Public-key restriction: if `usage` is a public-key usage, change the type to the corresponding public-key type, and remove private-key usage flags from the usage flags read from the existing key.
|
||||||
|
* `mbedtls_pk_import_into_psa` checks that the type field in the attributes is consistent with the content of the `mbedtls_pk_context` object (RSA/ECC, and availability of the private key).
|
||||||
|
* The key type can be a public key even if the private key is available.
|
||||||
|
* `mbedtls_pk_import_into_psa` does not need to check the bit-size in the attributes: `psa_import_key` will do enough checks.
|
||||||
|
* `mbedtls_pk_import_into_psa` does not check that the policy in the attributes is sensible. That's on the user.
|
||||||
|
|
||||||
|
#### API to copy a PSA key to a PK context
|
||||||
|
|
||||||
|
Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
|
||||||
|
|
||||||
|
[ACTION] [#8709](https://github.com/Mbed-TLS/mbedtls/issues/8709) Implement `mbedtls_pk_copy_from_psa` as described below.
|
||||||
|
|
||||||
|
```
|
||||||
|
int mbedtls_pk_copy_from_psa(mbedtls_svc_key_id_t key_id,
|
||||||
|
mbedtls_pk_context *pk);
|
||||||
|
```
|
||||||
|
|
||||||
|
* `pk` must be initialized, but not set up.
|
||||||
|
* It is an error if the key is neither a key pair nor a public key.
|
||||||
|
* It is an error if the key is not exportable.
|
||||||
|
* The resulting pk object has a transparent type, not `MBEDTLS_PK_OPAQUE`. That's `MBEDTLS_PK_RSA` for RSA keys (since pk objects don't use `MBEDTLS_PK_RSASSA_PSS` as a type), and `MBEDTLS_PK_ECKEY` for ECC keys (following the example of pkparse).
|
||||||
|
* Once this function returns, the pk object is completely independent of the PSA key.
|
||||||
|
* Calling `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt` on the resulting pk context will perform an algorithm that is compatible with the PSA key's primary algorithm policy (`psa_get_key_algorithm`) if that is a matching operation type (sign/verify, encrypt/decrypt), but with no restriction on the hash (as if the policy had `PSA_ALG_ANY_HASH` instead of a specific hash, and with `PSA_ALG_RSA_PKCS1V15_SIGN_RAW` merged with `PSA_ALG_RSA_PKCS1V15_SIGN(hash_alg)`).
|
||||||
|
* For ECDSA, the choice of deterministic vs randomized will be based on the compile-time setting `MBEDTLS_ECDSA_DETERMINISTIC`, like `mbedtls_pk_sign` today.
|
||||||
|
* For an RSA key, the output key will allow both encrypt/decrypt and sign/verify regardless of the original key's policy. The original key's policy determines the output key's padding mode.
|
||||||
|
* The primary intent of this requirement is to allow an application to switch to PSA for creating the key material (for example to benefit from a PSA accelerator driver, or to start using a secure element), without modifying the code that consumes the key. For RSA keys, the PSA primary algorithm policy is how one conveys the same information as RSA key padding information in the legacy API. Convey this in the documentation.
|
||||||
|
|
||||||
|
#### API to create a PK object that wraps a PSA key
|
||||||
|
|
||||||
|
Based on the [gap analysis](#using-a-psa-key-as-a-pk-context):
|
||||||
|
|
||||||
|
[ACTION] [#8712](https://github.com/Mbed-TLS/mbedtls/issues/8712) Clarify the documentation of `mbedtls_pk_setup_opaque` regarding which algorithms the resulting key will perform with `mbedtls_pk_sign`, `mbedtls_pk_verify`, `mbedtls_pk_encrypt`, `mbedtls_pk_decrypt`.
|
||||||
|
|
||||||
|
[ACTION] [#8710](https://github.com/Mbed-TLS/mbedtls/issues/8710) Provide `mbedtls_pk_setup_opaque` whenever `MBEDTLS_PSA_CRYPTO_CLIENT` is enabled, not just when `MBEDTLS_USE_PSA_CRYPTO` is enabled. This is nice-to-have, not critical. Update `use-psa-crypto.md` accordingly.
|
||||||
|
|
||||||
|
[OPEN] What about `mbedtls_pk_sign_ext` and `mbedtls_pk_verify_ext`?
|
||||||
|
|
||||||
|
#### API to convert between signature formats
|
||||||
|
|
||||||
|
Based on the [gap analysis](#signature-formats):
|
||||||
|
|
||||||
|
[ACTION] [#7765](https://github.com/Mbed-TLS/mbedtls/issues/7765) Implement `mbedtls_ecdsa_raw_to_der` and `mbedtls_ecdsa_der_to_raw` as described below.
|
||||||
|
|
||||||
|
```
|
||||||
|
int mbedtls_ecdsa_raw_to_der(size_t bits,
|
||||||
|
const unsigned char *raw, size_t raw_len,
|
||||||
|
unsigned char *der, size_t der_size, size_t *der_len);
|
||||||
|
int mbedtls_ecdsa_der_to_raw(size_t bits,
|
||||||
|
const unsigned char *der, size_t der_len,
|
||||||
|
unsigned char *raw, size_t raw_size, size_t *raw_len);
|
||||||
|
```
|
||||||
|
|
||||||
|
* These functions convert between the signature format used by `mbedtls_pk_{sign,verify}{,_ext}` and the signature format used by `psa_{sign,verify}_{hash,message}`.
|
||||||
|
* The input and output buffers can overlap.
|
||||||
|
* The `bits` parameter is necessary in the DER-to-raw direction because the DER format lacks leading zeros, so something else needs to convey the size of (r,s). The `bits` parameter is redundant in the raw-to-DER direction, but we have it anyway because [it helps catch errors](https://github.com/Mbed-TLS/mbedtls/pull/8681#discussion_r1445980971), and it isn't a burden on the caller because the information is readily available in practice.
|
||||||
|
* Should these functions rely on the ASN.1 module? We experimented [calling ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8681), [reimplementing simpler ASN.1 functions](https://github.com/Mbed-TLS/mbedtls/pull/8696), and [providing the functions from the ASN.1 module](https://github.com/Mbed-TLS/mbedtls/pull/8703). Providing the functions from the ASN.1 module [won on a compromise of code size and simplicity](https://github.com/Mbed-TLS/mbedtls/issues/7765#issuecomment-1893670015).
|
|
@ -1,19 +1,7 @@
|
||||||
#!/bin/sh
|
#!/bin/sh
|
||||||
#
|
#
|
||||||
# Copyright The Mbed TLS Contributors
|
# Copyright The Mbed TLS Contributors
|
||||||
# SPDX-License-Identifier: Apache-2.0
|
# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
#
|
|
||||||
# Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
# not use this file except in compliance with the License.
|
|
||||||
# You may obtain a copy of the License at
|
|
||||||
#
|
|
||||||
# http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
#
|
|
||||||
# Unless required by applicable law or agreed to in writing, software
|
|
||||||
# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
# See the License for the specific language governing permissions and
|
|
||||||
# limitations under the License.
|
|
||||||
#
|
#
|
||||||
# Purpose
|
# Purpose
|
||||||
#
|
#
|
||||||
|
|
|
@ -1,300 +0,0 @@
|
||||||
Thread safety of the PSA subsystem
|
|
||||||
==================================
|
|
||||||
|
|
||||||
## Requirements
|
|
||||||
|
|
||||||
### Backward compatibility requirement
|
|
||||||
|
|
||||||
Code that is currently working must keep working. There can be an exception for code that uses features that are advertised as experimental; for example, it would be annoying but ok to add extra requirements for drivers.
|
|
||||||
|
|
||||||
(In this section, “currently” means Mbed TLS releases without proper concurrency management: 3.0.0, 3.1.0, and any other subsequent 3.x version.)
|
|
||||||
|
|
||||||
In particular, if you either protect all PSA calls with a mutex, or only ever call PSA functions from a single thread, your application currently works and must keep working. If your application currently builds and works with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C` enabled, it must keep building and working.
|
|
||||||
|
|
||||||
As a consequence, we must not add a new platform requirement beyond mutexes for the base case. It would be ok to add new platform requirements if they're only needed for PSA drivers, or if they're only performance improvements.
|
|
||||||
|
|
||||||
Tempting platform requirements that we cannot add to the default `MBEDTLS_THREADING_C` include:
|
|
||||||
|
|
||||||
* Releasing a mutex from a different thread than the one that acquired it. This isn't even guaranteed to work with pthreads.
|
|
||||||
* New primitives such as semaphores or condition variables.
|
|
||||||
|
|
||||||
### Correctness out of the box
|
|
||||||
|
|
||||||
If you build with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C`, the code must be functionally correct: no race conditions, deadlocks or livelocks.
|
|
||||||
|
|
||||||
The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/overview/conventions.html#concurrent-calls) defines minimum expectations for concurrent calls. They must work as if they had been executed one at a time, except that the following cases have undefined behavior:
|
|
||||||
|
|
||||||
* Destroying a key while it's in use.
|
|
||||||
* Concurrent calls using the same operation object. (An operation object may not be used by more than one thread at a time. But it can move from one thread to another between calls.)
|
|
||||||
* Overlap of an output buffer with an input or output of a concurrent call.
|
|
||||||
* Modification of an input buffer during a call.
|
|
||||||
|
|
||||||
Note that while the specification does not define the behavior in such cases, Mbed TLS can be used as a crypto service. It's acceptable if an application can mess itself up, but it is not acceptable if an application can mess up the crypto service. As a consequence, destroying a key while it's in use may violate the security property that all key material is erased as soon as `psa_destroy_key` returns, but it may not cause data corruption or read-after-free inside the key store.
|
|
||||||
|
|
||||||
### No spinning
|
|
||||||
|
|
||||||
The code must not spin on a potentially non-blocking task. For example, this is proscribed:
|
|
||||||
```
|
|
||||||
lock(m);
|
|
||||||
while (!its_my_turn) {
|
|
||||||
unlock(m);
|
|
||||||
lock(m);
|
|
||||||
}
|
|
||||||
```
|
|
||||||
|
|
||||||
Rationale: this can cause battery drain, and can even be a livelock (spinning forever), e.g. if the thread that might unblock this one has a lower priority.
|
|
||||||
|
|
||||||
### Driver requirements
|
|
||||||
|
|
||||||
At the time of writing, the driver interface specification does not consider multithreaded environments.
|
|
||||||
|
|
||||||
We need to define clear policies so that driver implementers know what to expect. Here are two possible policies at two ends of the spectrum; what is desirable is probably somewhere in between.
|
|
||||||
|
|
||||||
* Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it.
|
|
||||||
* At most one driver entry point is active at any given time.
|
|
||||||
|
|
||||||
A more reasonable policy could be:
|
|
||||||
|
|
||||||
* By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock.
|
|
||||||
* Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver.
|
|
||||||
* Even with a thread-safe driver, the core never starts the destruction of a key while there are operations in progress on it, and never performs concurrent calls on the same multipart operation.
|
|
||||||
|
|
||||||
### Long-term performance requirements
|
|
||||||
|
|
||||||
In the short term, correctness is the important thing. We can start with a global lock.
|
|
||||||
|
|
||||||
In the medium to long term, performing a slow or blocking operation (for example, a driver call, or an RSA decryption) should not block other threads, even if they're calling the same driver or using the same key object.
|
|
||||||
|
|
||||||
We may want to go directly to a more sophisticated approach because when a system works with a global lock, it's typically hard to get rid of it to get more fine-grained concurrency.
|
|
||||||
|
|
||||||
### Key destruction short-term requirements
|
|
||||||
|
|
||||||
#### Summary of guarantees in the short term
|
|
||||||
|
|
||||||
When `psa_destroy_key` returns:
|
|
||||||
|
|
||||||
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
|
||||||
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
|
||||||
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
|
||||||
|
|
||||||
When `psa_destroy_key` is called on a key that is in use, guarantee 2. might be violated. (This is consistent with the requirement [“Correctness out of the box”](#correctness-out-of-the-box), as destroying a key while it's in use is undefined behavior.)
|
|
||||||
|
|
||||||
### Key destruction long-term requirements
|
|
||||||
|
|
||||||
The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
|
|
||||||
|
|
||||||
#### Summary of guarantees in the long term
|
|
||||||
|
|
||||||
When `psa_destroy_key` returns:
|
|
||||||
|
|
||||||
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
|
||||||
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
|
||||||
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
|
||||||
4. No copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to satisfy this security requirement in the future.
|
|
||||||
|
|
||||||
As opposed to the short term requirements, all the above guarantees hold even if `psa_destroy_key` is called on a key that is in use.
|
|
||||||
|
|
||||||
## Resources to protect
|
|
||||||
|
|
||||||
Analysis of the behavior of the PSA key store as of Mbed TLS 9202ba37b19d3ea25c8451fd8597fce69eaa6867.
|
|
||||||
|
|
||||||
### Global variables
|
|
||||||
|
|
||||||
* `psa_crypto_slot_management::global_data.key_slots[i]`: see [“Key slots”](#key-slots).
|
|
||||||
|
|
||||||
* `psa_crypto_slot_management::global_data.key_slots_initialized`:
|
|
||||||
* `psa_initialize_key_slots`: modification.
|
|
||||||
* `psa_wipe_all_key_slots`: modification.
|
|
||||||
* `psa_get_empty_key_slot`: read.
|
|
||||||
* `psa_get_and_lock_key_slot`: read.
|
|
||||||
|
|
||||||
* `psa_crypto::global_data.rng`: depends on the RNG implementation. See [“Random generator”](#random-generator).
|
|
||||||
* `psa_generate_random`: query.
|
|
||||||
* `mbedtls_psa_crypto_configure_entropy_sources` (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): setup. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
|
|
||||||
* `mbedtls_psa_crypto_free`: deinit.
|
|
||||||
* `psa_crypto_init`: seed (via `mbedtls_psa_random_seed`); setup via `mbedtls_psa_crypto_configure_entropy_sources.
|
|
||||||
|
|
||||||
* `psa_crypto::global_data.{initialized,rng_state}`: these are bit-fields and cannot be modified independently so they must be protected by the same mutex. The following functions access these fields:
|
|
||||||
* `mbedtls_psa_crypto_configure_entropy_sources` [`rng_state`] (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): read. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
|
|
||||||
* `mbedtls_psa_crypto_free`: modification.
|
|
||||||
* `psa_crypto_init`: modification.
|
|
||||||
* Many functions via `GUARD_MODULE_INITIALIZED`: read.
|
|
||||||
|
|
||||||
### Key slots
|
|
||||||
|
|
||||||
#### Key slot array traversal
|
|
||||||
|
|
||||||
“Occupied key slot” is determined by `psa_is_key_slot_occupied` based on `slot->attr.type`.
|
|
||||||
|
|
||||||
The following functions traverse the key slot array:
|
|
||||||
|
|
||||||
* `psa_get_and_lock_key_slot_in_memory`: reads `slot->attr.id`.
|
|
||||||
* `psa_get_and_lock_key_slot_in_memory`: calls `psa_lock_key_slot` on one occupied slot.
|
|
||||||
* `psa_get_empty_key_slot`: calls `psa_is_key_slot_occupied`.
|
|
||||||
* `psa_get_empty_key_slot`: calls `psa_wipe_key_slot` and more modifications on one occupied slot with no active user.
|
|
||||||
* `psa_get_empty_key_slot`: calls `psa_lock_key_slot` and more modification on one unoccupied slot.
|
|
||||||
* `psa_wipe_all_key_slots`: writes to all slots.
|
|
||||||
* `mbedtls_psa_get_stats`: reads from all slots.
|
|
||||||
|
|
||||||
#### Key slot state
|
|
||||||
|
|
||||||
The following functions modify a slot's usage state:
|
|
||||||
|
|
||||||
* `psa_lock_key_slot`: writes to `slot->lock_count`.
|
|
||||||
* `psa_unlock_key_slot`: writes to `slot->lock_count`.
|
|
||||||
* `psa_wipe_key_slot`: writes to `slot->lock_count`.
|
|
||||||
* `psa_destroy_key`: reads `slot->lock_count`, calls `psa_lock_key_slot`.
|
|
||||||
* `psa_wipe_all_key_slots`: writes to all slots.
|
|
||||||
* `psa_get_empty_key_slot`: writes to `slot->lock_count` and calls `psa_wipe_key_slot` and `psa_lock_key_slot` on one occupied slot with no active user; calls `psa_lock_key_slot` on one unoccupied slot.
|
|
||||||
* `psa_close_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
|
|
||||||
* `psa_purge_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
|
|
||||||
|
|
||||||
**slot->attr access:**
|
|
||||||
`psa_crypto_core.h`:
|
|
||||||
* `psa_key_slot_set_flags` - writes to attr.flags
|
|
||||||
* `psa_key_slot_set_bits_in_flags` - writes to attr.flags
|
|
||||||
* `psa_key_slot_clear_bits` - writes to attr.flags
|
|
||||||
* `psa_is_key_slot_occupied` - reads attr.type (but see “[Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)”)
|
|
||||||
* `psa_key_slot_get_flags` - reads attr.flags
|
|
||||||
|
|
||||||
`psa_crypto_slot_management.c`:
|
|
||||||
* `psa_get_and_lock_key_slot_in_memory` - reads attr.id
|
|
||||||
* `psa_get_empty_key_slot` - reads attr.lifetime
|
|
||||||
* `psa_load_persistent_key_into_slot` - passes attr pointer to psa_load_persistent_key
|
|
||||||
* `psa_load_persistent_key` - reads attr.id and passes pointer to psa_parse_key_data_from_storage
|
|
||||||
* `psa_parse_key_data_from_storage` - writes to many attributes
|
|
||||||
* `psa_get_and_lock_key_slot` - writes to attr.id, attr.lifetime, and attr.policy.usage
|
|
||||||
* `psa_purge_key` - reads attr.lifetime, calls psa_wipe_key_slot
|
|
||||||
* `mbedtls_psa_get_stats` - reads attr.lifetime, attr.id
|
|
||||||
|
|
||||||
`psa_crypto.c`:
|
|
||||||
* `psa_get_and_lock_key_slot_with_policy` - reads attr.type, attr.policy.
|
|
||||||
* `psa_get_and_lock_transparent_key_slot_with_policy` - reads attr.lifetime
|
|
||||||
* `psa_destroy_key` - reads attr.lifetime, attr.id
|
|
||||||
* `psa_get_key_attributes` - copies all publicly available attributes of a key
|
|
||||||
* `psa_export_key` - copies attributes
|
|
||||||
* `psa_export_public_key` - reads attr.type, copies attributes
|
|
||||||
* `psa_start_key_creation` - writes to the whole attr structure
|
|
||||||
* `psa_validate_optional_attributes` - reads attr.type, attr.bits
|
|
||||||
* `psa_import_key` - reads attr.bits
|
|
||||||
* `psa_copy_key` - reads attr.bits, attr.type, attr.lifetime, attr.policy
|
|
||||||
* `psa_mac_setup` - copies whole attr structure
|
|
||||||
* `psa_mac_compute_internal` - copies whole attr structure
|
|
||||||
* `psa_verify_internal` - copies whole attr structure
|
|
||||||
* `psa_sign_internal` - copies whole attr structure, reads attr.type
|
|
||||||
* `psa_assymmetric_encrypt` - reads attr.type
|
|
||||||
* `psa_assymetric_decrypt` - reads attr.type
|
|
||||||
* `psa_cipher_setup` - copies whole attr structure, reads attr.type
|
|
||||||
* `psa_cipher_encrypt` - copies whole attr structure, reads attr.type
|
|
||||||
* `psa_cipher_decrypt` - copies whole attr structure, reads attr.type
|
|
||||||
* `psa_aead_encrypt` - copies whole attr structure
|
|
||||||
* `psa_aead_decrypt` - copies whole attr structure
|
|
||||||
* `psa_aead_setup` - copies whole attr structure
|
|
||||||
* `psa_generate_derived_key_internal` - reads attr.type, writes to and reads from attr.bits, copies whole attr structure
|
|
||||||
* `psa_key_derivation_input_key` - reads attr.type
|
|
||||||
* `psa_key_agreement_raw_internal` - reads attr.type and attr.bits
|
|
||||||
|
|
||||||
#### Determining whether a key slot is occupied
|
|
||||||
|
|
||||||
`psa_is_key_slot_occupied` currently uses the `attr.type` field to determine whether a key slot is occupied. This works because we maintain the invariant that an occupied slot contains key material. With concurrency, it is desirable to allow a key slot to be reserved, but not yet contain key material or even metadata. When creating a key, determining the key type can be costly, for example when loading a persistent key from storage or (not yet implemented) when importing or unwrapping a key using an interface that determines the key type from the data that it parses. So we should not need to hold the global key store lock while the key type is undetermined.
|
|
||||||
|
|
||||||
Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot.
|
|
||||||
|
|
||||||
#### Key slot content
|
|
||||||
|
|
||||||
Other than what is used to determine the [“key slot state”](#key-slot-state), the contents of a key slot are only accessed as follows:
|
|
||||||
|
|
||||||
* Modification during key creation (between `psa_start_key_creation` and `psa_finish_key_creation` or `psa_fail_key_creation`).
|
|
||||||
* Destruction in `psa_wipe_key_slot`.
|
|
||||||
* Read in many functions, between calls to `psa_lock_key_slot` and `psa_unlock_key_slot`.
|
|
||||||
|
|
||||||
**slot->key access:**
|
|
||||||
* `psa_allocate_buffer_to_slot` - allocates key.data, sets key.bytes;
|
|
||||||
* `psa_copy_key_material_into_slot` - writes to key.data
|
|
||||||
* `psa_remove_key_data_from_memory` - writes and reads to/from key data
|
|
||||||
* `psa_get_key_attributes` - reads from key data
|
|
||||||
* `psa_export_key` - passes key data to psa_driver_wrapper_export_key
|
|
||||||
* `psa_export_public_key` - passes key data to psa_driver_wrapper_export_public_key
|
|
||||||
* `psa_finish_key_creation` - passes key data to psa_save_persistent_key
|
|
||||||
* `psa_validate_optional_attributes` - passes key data and bytes to mbedtls_psa_rsa_load_representation
|
|
||||||
* `psa_import_key` - passes key data to psa_driver_wrapper_import_key
|
|
||||||
* `psa_copy_key` - passes key data to psa_driver_wrapper_copy_key, psa_copy_key_material_into_slot
|
|
||||||
* `psa_mac_setup` - passes key data to psa_driver_wrapper_mac_sign_setup, psa_driver_wrapper_mac_verify_setup
|
|
||||||
* `psa_mac_compute_internal` - passes key data to psa_driver_wrapper_mac_compute
|
|
||||||
* `psa_sign_internal` - passes key data to psa_driver_wrapper_sign_message, psa_driver_wrapper_sign_hash
|
|
||||||
* `psa_verify_internal` - passes key data to psa_driver_wrapper_verify_message, psa_driver_wrapper_verify_hash
|
|
||||||
* `psa_asymmetric_encrypt` - passes key data to mbedtls_psa_rsa_load_representation
|
|
||||||
* `psa_asymmetric_decrypt` - passes key data to mbedtls_psa_rsa_load_representation
|
|
||||||
* `psa_cipher_setup ` - passes key data to psa_driver_wrapper_cipher_encrypt_setup and psa_driver_wrapper_cipher_decrypt_setup
|
|
||||||
* `psa_cipher_encrypt` - passes key data to psa_driver_wrapper_cipher_encrypt
|
|
||||||
* `psa_cipher_decrypt` - passes key data to psa_driver_wrapper_cipher_decrypt
|
|
||||||
* `psa_aead_encrypt` - passes key data to psa_driver_wrapper_aead_encrypt
|
|
||||||
* `psa_aead_decrypt` - passes key data to psa_driver_wrapper_aead_decrypt
|
|
||||||
* `psa_aead_setup` - passes key data to psa_driver_wrapper_aead_encrypt_setup and psa_driver_wrapper_aead_decrypt_setup
|
|
||||||
* `psa_generate_derived_key_internal` - passes key data to psa_driver_wrapper_import_key
|
|
||||||
* `psa_key_derivation_input_key` - passes key data to psa_key_derivation_input_internal
|
|
||||||
* `psa_key_agreement_raw_internal` - passes key data to mbedtls_psa_ecp_load_representation
|
|
||||||
* `psa_generate_key` - passes key data to psa_driver_wrapper_generate_key
|
|
||||||
|
|
||||||
### Random generator
|
|
||||||
|
|
||||||
The PSA RNG can be accessed both from various PSA functions, and from application code via `mbedtls_psa_get_random`.
|
|
||||||
|
|
||||||
With the built-in RNG implementations using `mbedtls_ctr_drbg_context` or `mbedtls_hmac_drbg_context`, querying the RNG with `mbedtls_xxx_drbg_random()` is thread-safe (protected by a mutex inside the RNG implementation), but other operations (init, free, seed) are not.
|
|
||||||
|
|
||||||
When `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled, thread safety depends on the implementation.
|
|
||||||
|
|
||||||
### Driver resources
|
|
||||||
|
|
||||||
Depends on the driver. The PSA driver interface specification does not discuss whether drivers must support concurrent calls.
|
|
||||||
|
|
||||||
## Simple global lock strategy
|
|
||||||
|
|
||||||
Have a single mutex protecting all accesses to the key store and other global variables. In practice, this means every PSA API function needs to take the lock on entry and release on exit, except for:
|
|
||||||
|
|
||||||
* Hash function.
|
|
||||||
* Accessors for key attributes and other local structures.
|
|
||||||
|
|
||||||
Note that operation functions do need to take the lock, since they need to prevent the destruction of the key.
|
|
||||||
|
|
||||||
Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, which is guaranteed to be thread-safe when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled.
|
|
||||||
|
|
||||||
This approach is conceptually simple, but requires extra instrumentation to every function and has bad performance in a multithreaded environment since a slow operation in one thread blocks unrelated operations on other threads.
|
|
||||||
|
|
||||||
## Global lock excluding slot content
|
|
||||||
|
|
||||||
Have a single mutex protecting all accesses to the key store and other global variables, except that it's ok to access the content of a key slot without taking the lock if one of the following conditions holds:
|
|
||||||
|
|
||||||
* The key slot is in a state that guarantees that the thread has exclusive access.
|
|
||||||
* The key slot is in a state that guarantees that no other thread can modify the slot content, and the accessing thread is only reading the slot.
|
|
||||||
|
|
||||||
Note that a thread must hold the global mutex when it reads or changes a slot's state.
|
|
||||||
|
|
||||||
### Slot states
|
|
||||||
|
|
||||||
For concurrency purposes, a slot can be in one of three states:
|
|
||||||
|
|
||||||
* UNUSED: no thread is currently accessing the slot. It may be occupied by a volatile key or a cached key.
|
|
||||||
* WRITING: a thread has exclusive access to the slot. This can only happen in specific circumstances as detailed below.
|
|
||||||
* READING: any thread may read from the slot.
|
|
||||||
|
|
||||||
A high-level view of state transitions:
|
|
||||||
|
|
||||||
* `psa_get_empty_key_slot`: UNUSED → WRITING.
|
|
||||||
* `psa_get_and_lock_key_slot_in_memory`: UNUSED or READING → READING. This function only accepts slots in the UNUSED or READING state. A slot with the correct id but in the WRITING state is considered free.
|
|
||||||
* `psa_unlock_key_slot`: READING → UNUSED or READING.
|
|
||||||
* `psa_finish_key_creation`: WRITING → READING.
|
|
||||||
* `psa_fail_key_creation`: WRITING → UNUSED.
|
|
||||||
* `psa_wipe_key_slot`: any → UNUSED. If the slot is READING or WRITING on entry, this function must wait until the writer or all readers have finished. (By the way, the WRITING state is possible if `mbedtls_psa_crypto_free` is called while a key creation is in progress.) See [“Destruction of a key in use”](#destruction of a key in use).
|
|
||||||
|
|
||||||
The current `state->lock_count` corresponds to the difference between UNUSED and READING: a slot is in use iff its lock count is nonzero, so `lock_count == 0` corresponds to UNUSED and `lock_count != 0` corresponds to READING.
|
|
||||||
|
|
||||||
There is currently no indication of when a slot is in the WRITING state. This only happens between a call to `psa_start_key_creation` and a call to one of `psa_finish_key_creation` or `psa_fail_key_creation`. This new state can be conveyed by a new boolean flag, or by setting `lock_count` to `~0`.
|
|
||||||
|
|
||||||
### Destruction of a key in use
|
|
||||||
|
|
||||||
Problem: a key slot is destroyed (by `psa_wipe_key_slot`) while it's in use (READING or WRITING).
|
|
||||||
|
|
||||||
TODO: how do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock).
|
|
||||||
|
|
||||||
Solution: after some team discussion, we've decided to rely on a new threading abstraction which mimics C11 (i.e. `mbedtls_fff` where `fff` is the C11 function name, having the same parameters and return type, with default implementations for C11, pthreads and Windows). We'll likely use condition variables in addition to mutexes.
|
|
Binary file not shown.
After Width: | Height: | Size: 69 KiB |
450
docs/architecture/psa-thread-safety/psa-thread-safety.md
Normal file
450
docs/architecture/psa-thread-safety/psa-thread-safety.md
Normal file
|
@ -0,0 +1,450 @@
|
||||||
|
# Thread safety of the PSA subsystem
|
||||||
|
|
||||||
|
Currently PSA Crypto API calls in Mbed TLS releases are not thread-safe. In Mbed TLS 3.6 we are planning to add a minimal support for thread-safety of the PSA Crypto API (see section [Strategy for 3.6](#strategy-for-36)).
|
||||||
|
|
||||||
|
In the [Design analysis](#design-analysis) section we analyse design choices. This discussion is not constrained to what is planned for 3.6 and considers future developments. It also leaves some questions open and discusses options that have been (or probably will be) rejected.
|
||||||
|
|
||||||
|
## Design analysis
|
||||||
|
|
||||||
|
This section explores possible designs and does not reflect what is currently implemented.
|
||||||
|
|
||||||
|
### Requirements
|
||||||
|
|
||||||
|
#### Backward compatibility requirement
|
||||||
|
|
||||||
|
Code that is currently working must keep working. There can be an exception for code that uses features that are advertised as experimental; for example, it would be annoying but ok to add extra requirements for drivers.
|
||||||
|
|
||||||
|
(In this section, “currently” means Mbed TLS releases without proper concurrency management: 3.0.0, 3.1.0, and any other subsequent 3.x version.)
|
||||||
|
|
||||||
|
In particular, if you either protect all PSA calls with a mutex, or only ever call PSA functions from a single thread, your application currently works and must keep working. If your application currently builds and works with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C` enabled, it must keep building and working.
|
||||||
|
|
||||||
|
As a consequence, we must not add a new platform requirement beyond mutexes for the base case. It would be ok to add new platform requirements if they're only needed for PSA drivers, or if they're only performance improvements.
|
||||||
|
|
||||||
|
Tempting platform requirements that we cannot add to the default `MBEDTLS_THREADING_C` include:
|
||||||
|
|
||||||
|
* Releasing a mutex from a different thread than the one that acquired it. This isn't even guaranteed to work with pthreads.
|
||||||
|
* New primitives such as semaphores or condition variables.
|
||||||
|
|
||||||
|
#### Correctness out of the box
|
||||||
|
|
||||||
|
If you build with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C`, the code must be functionally correct: no race conditions, deadlocks or livelocks.
|
||||||
|
|
||||||
|
The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/overview/conventions.html#concurrent-calls) defines minimum expectations for concurrent calls. They must work as if they had been executed one at a time (excluding resource-management errors), except that the following cases have undefined behavior:
|
||||||
|
|
||||||
|
* Destroying a key while it's in use.
|
||||||
|
* Concurrent calls using the same operation object. (An operation object may not be used by more than one thread at a time. But it can move from one thread to another between calls.)
|
||||||
|
* Overlap of an output buffer with an input or output of a concurrent call.
|
||||||
|
* Modification of an input buffer during a call.
|
||||||
|
|
||||||
|
Note that while the specification does not define the behavior in such cases, Mbed TLS can be used as a crypto service. It's acceptable if an application can mess itself up, but it is not acceptable if an application can mess up the crypto service. As a consequence, destroying a key while it's in use may violate the security property that all key material is erased as soon as `psa_destroy_key` returns, but it may not cause data corruption or read-after-free inside the key store.
|
||||||
|
|
||||||
|
#### No spinning
|
||||||
|
|
||||||
|
The code must not spin on a potentially non-blocking task. For example, this is proscribed:
|
||||||
|
```
|
||||||
|
lock(m);
|
||||||
|
while (!its_my_turn) {
|
||||||
|
unlock(m);
|
||||||
|
lock(m);
|
||||||
|
}
|
||||||
|
```
|
||||||
|
|
||||||
|
Rationale: this can cause battery drain, and can even be a livelock (spinning forever), e.g. if the thread that might unblock this one has a lower priority.
|
||||||
|
|
||||||
|
#### Driver requirements
|
||||||
|
|
||||||
|
At the time of writing, the driver interface specification does not consider multithreaded environments.
|
||||||
|
|
||||||
|
We need to define clear policies so that driver implementers know what to expect. Here are two possible policies at two ends of the spectrum; what is desirable is probably somewhere in between.
|
||||||
|
|
||||||
|
* **Policy 1:** Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it.
|
||||||
|
* **Policy 2:** At most one driver entry point is active at any given time.
|
||||||
|
|
||||||
|
Combining the two we arrive at **Policy 3**:
|
||||||
|
|
||||||
|
* By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock.
|
||||||
|
* Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver.
|
||||||
|
* Even with a thread-safe driver, the core never starts the destruction of a key while there are operations in progress on it, and never performs concurrent calls on the same multipart operation.
|
||||||
|
|
||||||
|
#### Long-term performance requirements
|
||||||
|
|
||||||
|
In the short term, correctness is the important thing. We can start with a global lock.
|
||||||
|
|
||||||
|
In the medium to long term, performing a slow or blocking operation (for example, a driver call, or an RSA decryption) should not block other threads, even if they're calling the same driver or using the same key object.
|
||||||
|
|
||||||
|
We may want to go directly to a more sophisticated approach because when a system works with a global lock, it's typically hard to get rid of it to get more fine-grained concurrency.
|
||||||
|
|
||||||
|
#### Key destruction short-term requirements
|
||||||
|
|
||||||
|
##### Summary of guarantees in the short term
|
||||||
|
|
||||||
|
When `psa_destroy_key` returns:
|
||||||
|
|
||||||
|
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
||||||
|
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
||||||
|
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
||||||
|
|
||||||
|
When `psa_destroy_key` is called on a key that is in use, guarantee 2. might be violated. (This is consistent with the requirement [“Correctness out of the box”](#correctness-out-of-the-box), as destroying a key while it's in use is undefined behavior.)
|
||||||
|
|
||||||
|
#### Key destruction long-term requirements
|
||||||
|
|
||||||
|
The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material.
|
||||||
|
|
||||||
|
##### Summary of guarantees in the long term
|
||||||
|
|
||||||
|
When `psa_destroy_key` returns:
|
||||||
|
|
||||||
|
1. The key identifier doesn't exist. Rationale: this is a functional requirement for persistent keys: the caller can immediately create a new key with the same identifier.
|
||||||
|
2. The resources from the key have been freed. Rationale: in a low-resource condition, this may be necessary for the caller to re-create a similar key, which should be possible.
|
||||||
|
3. The call must not block indefinitely, and in particular cannot wait for an event that is triggered by application code such as calling an abort function. Rationale: this may not strictly be a functional requirement, but it is an expectation `psa_destroy_key` does not block forever due to another thread, which could potentially be another process on a multi-process system. In particular, it is only acceptable for `psa_destroy_key` to block, when waiting for another thread to complete a PSA Cryptography API call that it had already started.
|
||||||
|
4. No copy of the key material exists. Rationale: this is a security requirement. We do not have this requirement yet, but we need to document this as a security weakness, and we would like to satisfy this security requirement in the future.
|
||||||
|
|
||||||
|
As opposed to the short term requirements, all the above guarantees hold even if `psa_destroy_key` is called on a key that is in use.
|
||||||
|
|
||||||
|
### Resources to protect
|
||||||
|
|
||||||
|
Analysis of the behavior of the PSA key store as of Mbed TLS 9202ba37b19d3ea25c8451fd8597fce69eaa6867.
|
||||||
|
|
||||||
|
#### Global variables
|
||||||
|
|
||||||
|
* `psa_crypto_slot_management::global_data.key_slots[i]`: see [“Key slots”](#key-slots).
|
||||||
|
|
||||||
|
* `psa_crypto_slot_management::global_data.key_slots_initialized`:
|
||||||
|
* `psa_initialize_key_slots`: modification.
|
||||||
|
* `psa_wipe_all_key_slots`: modification.
|
||||||
|
* `psa_get_empty_key_slot`: read.
|
||||||
|
* `psa_get_and_lock_key_slot`: read.
|
||||||
|
|
||||||
|
* `psa_crypto::global_data.rng`: depends on the RNG implementation. See [“Random generator”](#random-generator).
|
||||||
|
* `psa_generate_random`: query.
|
||||||
|
* `mbedtls_psa_crypto_configure_entropy_sources` (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): setup. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
|
||||||
|
* `mbedtls_psa_crypto_free`: deinit.
|
||||||
|
* `psa_crypto_init`: seed (via `mbedtls_psa_random_seed`); setup via `mbedtls_psa_crypto_configure_entropy_sources.
|
||||||
|
|
||||||
|
* `psa_crypto::global_data.{initialized,rng_state}`: these are bit-fields and cannot be modified independently so they must be protected by the same mutex. The following functions access these fields:
|
||||||
|
* `mbedtls_psa_crypto_configure_entropy_sources` [`rng_state`] (only if `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled): read. Only called from `psa_crypto_init` via `mbedtls_psa_random_init`, or from test code.
|
||||||
|
* `mbedtls_psa_crypto_free`: modification.
|
||||||
|
* `psa_crypto_init`: modification.
|
||||||
|
* Many functions via `GUARD_MODULE_INITIALIZED`: read.
|
||||||
|
|
||||||
|
#### Key slots
|
||||||
|
|
||||||
|
##### Key slot array traversal
|
||||||
|
|
||||||
|
“Occupied key slot” is determined by `psa_is_key_slot_occupied` based on `slot->attr.type`.
|
||||||
|
|
||||||
|
The following functions traverse the key slot array:
|
||||||
|
|
||||||
|
* `psa_get_and_lock_key_slot_in_memory`: reads `slot->attr.id`.
|
||||||
|
* `psa_get_and_lock_key_slot_in_memory`: calls `psa_lock_key_slot` on one occupied slot.
|
||||||
|
* `psa_get_empty_key_slot`: calls `psa_is_key_slot_occupied`.
|
||||||
|
* `psa_get_empty_key_slot`: calls `psa_wipe_key_slot` and more modifications on one occupied slot with no active user.
|
||||||
|
* `psa_get_empty_key_slot`: calls `psa_lock_key_slot` and more modification on one unoccupied slot.
|
||||||
|
* `psa_wipe_all_key_slots`: writes to all slots.
|
||||||
|
* `mbedtls_psa_get_stats`: reads from all slots.
|
||||||
|
|
||||||
|
##### Key slot state
|
||||||
|
|
||||||
|
The following functions modify a slot's usage state:
|
||||||
|
|
||||||
|
* `psa_lock_key_slot`: writes to `slot->lock_count`.
|
||||||
|
* `psa_unlock_key_slot`: writes to `slot->lock_count`.
|
||||||
|
* `psa_wipe_key_slot`: writes to `slot->lock_count`.
|
||||||
|
* `psa_destroy_key`: reads `slot->lock_count`, calls `psa_lock_key_slot`.
|
||||||
|
* `psa_wipe_all_key_slots`: writes to all slots.
|
||||||
|
* `psa_get_empty_key_slot`: writes to `slot->lock_count` and calls `psa_wipe_key_slot` and `psa_lock_key_slot` on one occupied slot with no active user; calls `psa_lock_key_slot` on one unoccupied slot.
|
||||||
|
* `psa_close_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
|
||||||
|
* `psa_purge_key`: reads `slot->lock_count`; calls `psa_get_and_lock_key_slot_in_memory`, `psa_wipe_key_slot` and `psa_unlock_key_slot`.
|
||||||
|
|
||||||
|
**slot->attr access:**
|
||||||
|
`psa_crypto_core.h`:
|
||||||
|
* `psa_key_slot_set_flags` - writes to attr.flags
|
||||||
|
* `psa_key_slot_set_bits_in_flags` - writes to attr.flags
|
||||||
|
* `psa_key_slot_clear_bits` - writes to attr.flags
|
||||||
|
* `psa_is_key_slot_occupied` - reads attr.type (but see “[Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)”)
|
||||||
|
* `psa_key_slot_get_flags` - reads attr.flags
|
||||||
|
|
||||||
|
`psa_crypto_slot_management.c`:
|
||||||
|
* `psa_get_and_lock_key_slot_in_memory` - reads attr.id
|
||||||
|
* `psa_get_empty_key_slot` - reads attr.lifetime
|
||||||
|
* `psa_load_persistent_key_into_slot` - passes attr pointer to psa_load_persistent_key
|
||||||
|
* `psa_load_persistent_key` - reads attr.id and passes pointer to psa_parse_key_data_from_storage
|
||||||
|
* `psa_parse_key_data_from_storage` - writes to many attributes
|
||||||
|
* `psa_get_and_lock_key_slot` - writes to attr.id, attr.lifetime, and attr.policy.usage
|
||||||
|
* `psa_purge_key` - reads attr.lifetime, calls psa_wipe_key_slot
|
||||||
|
* `mbedtls_psa_get_stats` - reads attr.lifetime, attr.id
|
||||||
|
|
||||||
|
`psa_crypto.c`:
|
||||||
|
* `psa_get_and_lock_key_slot_with_policy` - reads attr.type, attr.policy.
|
||||||
|
* `psa_get_and_lock_transparent_key_slot_with_policy` - reads attr.lifetime
|
||||||
|
* `psa_destroy_key` - reads attr.lifetime, attr.id
|
||||||
|
* `psa_get_key_attributes` - copies all publicly available attributes of a key
|
||||||
|
* `psa_export_key` - copies attributes
|
||||||
|
* `psa_export_public_key` - reads attr.type, copies attributes
|
||||||
|
* `psa_start_key_creation` - writes to the whole attr structure
|
||||||
|
* `psa_validate_optional_attributes` - reads attr.type, attr.bits
|
||||||
|
* `psa_import_key` - reads attr.bits
|
||||||
|
* `psa_copy_key` - reads attr.bits, attr.type, attr.lifetime, attr.policy
|
||||||
|
* `psa_mac_setup` - copies whole attr structure
|
||||||
|
* `psa_mac_compute_internal` - copies whole attr structure
|
||||||
|
* `psa_verify_internal` - copies whole attr structure
|
||||||
|
* `psa_sign_internal` - copies whole attr structure, reads attr.type
|
||||||
|
* `psa_assymmetric_encrypt` - reads attr.type
|
||||||
|
* `psa_assymetric_decrypt` - reads attr.type
|
||||||
|
* `psa_cipher_setup` - copies whole attr structure, reads attr.type
|
||||||
|
* `psa_cipher_encrypt` - copies whole attr structure, reads attr.type
|
||||||
|
* `psa_cipher_decrypt` - copies whole attr structure, reads attr.type
|
||||||
|
* `psa_aead_encrypt` - copies whole attr structure
|
||||||
|
* `psa_aead_decrypt` - copies whole attr structure
|
||||||
|
* `psa_aead_setup` - copies whole attr structure
|
||||||
|
* `psa_generate_derived_key_internal` - reads attr.type, writes to and reads from attr.bits, copies whole attr structure
|
||||||
|
* `psa_key_derivation_input_key` - reads attr.type
|
||||||
|
* `psa_key_agreement_raw_internal` - reads attr.type and attr.bits
|
||||||
|
|
||||||
|
##### Determining whether a key slot is occupied
|
||||||
|
|
||||||
|
`psa_is_key_slot_occupied` currently uses the `attr.type` field to determine whether a key slot is occupied. This works because we maintain the invariant that an occupied slot contains key material. With concurrency, it is desirable to allow a key slot to be reserved, but not yet contain key material or even metadata. When creating a key, determining the key type can be costly, for example when loading a persistent key from storage or (not yet implemented) when importing or unwrapping a key using an interface that determines the key type from the data that it parses. So we should not need to hold the global key store lock while the key type is undetermined.
|
||||||
|
|
||||||
|
Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot.
|
||||||
|
|
||||||
|
Alternatively, we could use a dedicated indicator that the slot is occupied. The advantage of this is that no field of the `attr` structure would be needed to determine the slot state. This would be a clean separation between key attributes and slot state and `attr` could be treated exactly like key slot content. This would save code size and maintenance effort. The cost of it would be that each slot would need an extra field to indicate whether it is occupied.
|
||||||
|
|
||||||
|
##### Key slot content
|
||||||
|
|
||||||
|
Other than what is used to determine the [“key slot state”](#key-slot-state), the contents of a key slot are only accessed as follows:
|
||||||
|
|
||||||
|
* Modification during key creation (between `psa_start_key_creation` and `psa_finish_key_creation` or `psa_fail_key_creation`).
|
||||||
|
* Destruction in `psa_wipe_key_slot`.
|
||||||
|
* Read in many functions, between calls to `psa_lock_key_slot` and `psa_unlock_key_slot`.
|
||||||
|
|
||||||
|
**slot->key access:**
|
||||||
|
* `psa_allocate_buffer_to_slot` - allocates key.data, sets key.bytes;
|
||||||
|
* `psa_copy_key_material_into_slot` - writes to key.data
|
||||||
|
* `psa_remove_key_data_from_memory` - writes and reads to/from key data
|
||||||
|
* `psa_get_key_attributes` - reads from key data
|
||||||
|
* `psa_export_key` - passes key data to psa_driver_wrapper_export_key
|
||||||
|
* `psa_export_public_key` - passes key data to psa_driver_wrapper_export_public_key
|
||||||
|
* `psa_finish_key_creation` - passes key data to psa_save_persistent_key
|
||||||
|
* `psa_validate_optional_attributes` - passes key data and bytes to mbedtls_psa_rsa_load_representation
|
||||||
|
* `psa_import_key` - passes key data to psa_driver_wrapper_import_key
|
||||||
|
* `psa_copy_key` - passes key data to psa_driver_wrapper_copy_key, psa_copy_key_material_into_slot
|
||||||
|
* `psa_mac_setup` - passes key data to psa_driver_wrapper_mac_sign_setup, psa_driver_wrapper_mac_verify_setup
|
||||||
|
* `psa_mac_compute_internal` - passes key data to psa_driver_wrapper_mac_compute
|
||||||
|
* `psa_sign_internal` - passes key data to psa_driver_wrapper_sign_message, psa_driver_wrapper_sign_hash
|
||||||
|
* `psa_verify_internal` - passes key data to psa_driver_wrapper_verify_message, psa_driver_wrapper_verify_hash
|
||||||
|
* `psa_asymmetric_encrypt` - passes key data to mbedtls_psa_rsa_load_representation
|
||||||
|
* `psa_asymmetric_decrypt` - passes key data to mbedtls_psa_rsa_load_representation
|
||||||
|
* `psa_cipher_setup ` - passes key data to psa_driver_wrapper_cipher_encrypt_setup and psa_driver_wrapper_cipher_decrypt_setup
|
||||||
|
* `psa_cipher_encrypt` - passes key data to psa_driver_wrapper_cipher_encrypt
|
||||||
|
* `psa_cipher_decrypt` - passes key data to psa_driver_wrapper_cipher_decrypt
|
||||||
|
* `psa_aead_encrypt` - passes key data to psa_driver_wrapper_aead_encrypt
|
||||||
|
* `psa_aead_decrypt` - passes key data to psa_driver_wrapper_aead_decrypt
|
||||||
|
* `psa_aead_setup` - passes key data to psa_driver_wrapper_aead_encrypt_setup and psa_driver_wrapper_aead_decrypt_setup
|
||||||
|
* `psa_generate_derived_key_internal` - passes key data to psa_driver_wrapper_import_key
|
||||||
|
* `psa_key_derivation_input_key` - passes key data to psa_key_derivation_input_internal
|
||||||
|
* `psa_key_agreement_raw_internal` - passes key data to mbedtls_psa_ecp_load_representation
|
||||||
|
* `psa_generate_key` - passes key data to psa_driver_wrapper_generate_key
|
||||||
|
|
||||||
|
#### Random generator
|
||||||
|
|
||||||
|
The PSA RNG can be accessed both from various PSA functions, and from application code via `mbedtls_psa_get_random`.
|
||||||
|
|
||||||
|
With the built-in RNG implementations using `mbedtls_ctr_drbg_context` or `mbedtls_hmac_drbg_context`, querying the RNG with `mbedtls_xxx_drbg_random()` is thread-safe (protected by a mutex inside the RNG implementation), but other operations (init, free, seed) are not.
|
||||||
|
|
||||||
|
When `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled, thread safety depends on the implementation.
|
||||||
|
|
||||||
|
#### Driver resources
|
||||||
|
|
||||||
|
Depends on the driver. The PSA driver interface specification does not discuss whether drivers must support concurrent calls.
|
||||||
|
|
||||||
|
### Simple global lock strategy
|
||||||
|
|
||||||
|
Have a single mutex protecting all accesses to the key store and other global variables. In practice, this means every PSA API function needs to take the lock on entry and release on exit, except for:
|
||||||
|
|
||||||
|
* Hash function.
|
||||||
|
* Accessors for key attributes and other local structures.
|
||||||
|
|
||||||
|
Note that operation functions do need to take the lock, since they need to prevent the destruction of the key.
|
||||||
|
|
||||||
|
Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, which is guaranteed to be thread-safe when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled.
|
||||||
|
|
||||||
|
This approach is conceptually simple, but requires extra instrumentation to every function and has bad performance in a multithreaded environment since a slow operation in one thread blocks unrelated operations on other threads.
|
||||||
|
|
||||||
|
### Global lock excluding slot content
|
||||||
|
|
||||||
|
Have a single mutex protecting all accesses to the key store and other global variables, except that it's ok to access the content of a key slot without taking the lock if one of the following conditions holds:
|
||||||
|
|
||||||
|
* The key slot is in a state that guarantees that the thread has exclusive access.
|
||||||
|
* The key slot is in a state that guarantees that no other thread can modify the slot content, and the accessing thread is only reading the slot.
|
||||||
|
|
||||||
|
Note that a thread must hold the global mutex when it reads or changes a slot's state.
|
||||||
|
|
||||||
|
#### Slot states
|
||||||
|
|
||||||
|
For concurrency purposes, a slot can be in one of four states:
|
||||||
|
|
||||||
|
* EMPTY: no thread is currently accessing the slot, and no information is stored in the slot. Any thread is able to change the slot's state to FILLING and begin loading data.
|
||||||
|
* FILLING: one thread is currently loading or creating material to fill the slot, this thread is responsible for the next state transition. Other threads cannot read the contents of a slot which is in FILLING.
|
||||||
|
* FULL: the slot contains a key, and any thread is able to use the key after registering as a reader.
|
||||||
|
* PENDING_DELETION: the key within the slot has been destroyed or marked for destruction, but at least one thread is still registered as a reader. No thread can register to read this slot. The slot must not be wiped until the last reader de-registers, wiping the slot by calling `psa_wipe_key_slot`.
|
||||||
|
|
||||||
|
To change `slot` to state `new_state`, a function must call `psa_slot_state_transition(slot, new_state)`.
|
||||||
|
|
||||||
|
A counter field within each slot keeps track of how many readers have registered. Library functions must call `psa_register_read` before reading the key data within a slot, and `psa_unregister_read` after they have finished operating.
|
||||||
|
|
||||||
|
Any call to `psa_slot_state_transition`, `psa_register_read` or `psa_unregister_read` must be performed by a thread which holds the global mutex.
|
||||||
|
|
||||||
|
##### Linearizability of the system
|
||||||
|
|
||||||
|
To satisfy the requirements in [Correctness out of the box](#correctness-out-of-the-box), we require our functions to be "linearizable" (under certain constraints). This means that any (constraint satisfying) set of concurrent calls are performed as if they were executed in some sequential order.
|
||||||
|
|
||||||
|
The standard way of reasoning that this is the case is to identify a "linearization point" for each call, this is a single execution step where the function takes effect (this is usually a step in which the effects of the call become visible to other threads). If every call has a linearization point, the set of calls is equivalent to sequentially performing the calls in order of when their linearization point occurred.
|
||||||
|
|
||||||
|
We only require linearizability to hold in the case where a resource-management error is not returned. In a set of concurrent calls, it is permitted for a call c to fail with a PSA_ERROR_INSUFFICIENT_MEMORY return code even if there does not exist a sequential ordering of the calls in which c returns this error. Even if such an error occurs, all calls are still required to be functionally correct.
|
||||||
|
|
||||||
|
We only access and modify a slot's state and reader count while we hold the global lock. This ensures the memory in which these fields are stored is correctly synchronized. It also ensures that the key data within the slot is synchronised where needed (the writer unlocks the mutex after filling the data, and any reader must lock the mutex before reading the data).
|
||||||
|
|
||||||
|
To help justify that our system is linearizable, here is a list of key slot state changing functions and their linearization points (for the sake of brevity not all failure cases are covered, but those cases are not complex):
|
||||||
|
* `psa_wipe_key_slot, psa_register_read, psa_unregister_read, psa_slot_state_transition,` - These functions are all always performed under the global mutex, so they have no effects visible to other threads (this implies that they are linearizable).
|
||||||
|
* `psa_get_empty_key_slot, psa_get_and_lock_key_slot_in_memory, psa_load_X_key_into_slot, psa_fail_key_creation` - These functions hold the mutex for all non-setup/finalizing code, their linearization points are the release of the mutex.
|
||||||
|
* `psa_get_and_lock_key_slot` - If the key is already in a slot, the linearization point is the linearization point of the call to `psa_get_and_lock_key_slot_in_memory`. If the key is not in a slot and is loaded into one, the linearization point is the linearization point of the call to `psa_load_X_key_into_slot`.
|
||||||
|
* `psa_start_key_creation` - From the perspective of other threads, the only effect of a successful call to this function is that the amount of usable resources decreases (a key slot which was usable is now unusable). Since we do not consider resource management as linearizable behaviour, when arguing for linearizability of the system we consider this function to have no visible effect to other threads.
|
||||||
|
* `psa_finish_key_creation` - On a successful load, we lock the mutex and set the state of the slot to FULL, the linearization point is then the following unlock. On an unsuccessful load, the linearization point is when we return - no action we have performed has been made visible to another thread as the slot is still in a FILLING state.
|
||||||
|
* `psa_destroy_key, psa_close_key, psa_purge_key` - As per the requirements, we need only argue for the case where the key is not in use here. The linearization point is the unlock after wiping the data and setting the slot state to EMPTY.
|
||||||
|
* `psa_import_key, psa_copy_key, psa_generate_key, mbedtls_psa_register_se_key` - These functions call both `psa_start_key_creation` and `psa_finish_key_creation`, the linearization point of a successful call is the linearization point of the call to `psa_finish_key_creation`. The linearization point of an unsuccessful call is the linearization point of the call to `psa_fail_key_creation`.
|
||||||
|
* `psa_key_derivation_output_key` - Same as above. If the operation object is in use by multiple threads, the behaviour need not be linearizable.
|
||||||
|
|
||||||
|
Library functions which operate on a slot will return `PSA_ERROR_BAD_STATE` if the slot is in an inappropriate state for the function at the linearization point.
|
||||||
|
|
||||||
|
##### Key slot state transition diagram
|
||||||
|
|
||||||
|
![](key-slot-state-transitions.png)
|
||||||
|
|
||||||
|
In the state transition diagram above, an arrow between two states `q1` and `q2` with label `f` indicates that if the state of a slot is `q1` immediately before `f`'s linearization point, it may be `q2` immediately after `f`'s linearization point.
|
||||||
|
|
||||||
|
##### Generating the key slot state transition diagram from source
|
||||||
|
|
||||||
|
To generate the state transition diagram in https://app.diagrams.net/, open the following url:
|
||||||
|
|
||||||
|
https://viewer.diagrams.net/?tags=%7B%7D&highlight=FFFFFF&edit=_blank&layers=1&nav=1&title=key-slot-state-transitions#R5Vxbd5s4EP4t%2B%2BDH5iAJcXms4ySbrdtNT7qX9MWHgGyrxcABHNv59SsM2EhgDBhs3PVL0CANoBl9fDMaMkC3i%2FWDb3jzz65F7AGUrPUAjQYQAqBh9ieSbGKJIqFYMPOplXTaC57pO0mEUiJdUosEXMfQde2QerzQdB2HmCEnM3zfXfHdpq7NX9UzZiQneDYNOy%2F9h1rhPJZqUN3Lfyd0Nk%2BvDBQ9PrMw0s7JkwRzw3JXGRG6G6Bb33XD%2BGixviV2NHnpvMTj7g%2Bc3d2YT5ywyoDv4H08%2Ffvxj9VX3XGGw5cf3o9PHxJjvBn2MnngAVRspm9o0Td2OIsO7%2F8aj1Mx0585U9B5bgQTnxgW8YP07Ksv9he1bOcn3KSTzm6c2Zc1hqs5DcmzZ5jRmRVzsegK4cJmLcAOjcCLjT6la2LtVGUnJZmnN%2BKHZJ0RJZP0QNwFCf0N65KclbXEYDuPTdqrjP0T0Txj%2BlRmJB4322neG4UdJHapYSMACowkzphjfYy8nbVM2wgCavIT5btLx4pmaCSxFpscf%2FNvcmrbeMk2Rutsv9Emba1puBvEjl8y8v2QqJGOOGiNwF36Jjnul6Hhz0hY0k%2BO%2BxGLW8V522Zshwtsl8p8YhshfePXfpFBkys8uZQ92UHXwYrgE%2FFzJ6Oya1VUpOo3euancWplJKiNpymnduttu0k4wQFhzgGXjk9mNAiJv13seX9kBhkbr%2BxlwK9Xm86cyEeZQxCfCaJlSRnafkxOLKhlRTqGPgnou%2FG61Re5khc93PZx8XCAR4XOVb56RADYvTOSq3CwXAQM0g2UVJ2zxAd4mt%2BkaoAwxJ1OA9KNLasA%2Ft3np28v14nevQNvvXXwTmBYysAwKIXhHdxLWbiXjsB9c%2FCGFcEb9Au8ec%2FJgWxl7D7yDugYrFO6mXE4LzAmU4Pak59kMzEZXofUdfoM2ema6SNkJ5ohp1Qc3x1%2B51%2FF94%2Fj8eOXh17DMFIuDMNyldderTjnt18u0Lm4kXAVIz3dfRlt3b2inUZ347tvj39%2BuU4b9Y7PqF3RmepRZbPotTmdSdNOx%2BgM7BWdgRJ7%2BWkyVAGLJmWs8G9BLCs3KsAq1FTMGkhQX5XrAEUgTfJ5yY5WyHXYFSdk4YWbLeEJbDfsMdlJF1Qfuc5OjXwuegOKXtTt48sNbhIwxaMuGjL1K98VYYwkpRijMDjg0QBEWawUZJAmqc1QRpYElGG%2BjgSX7DoFVow0U%2BrQYH41cVW6uE7Gmg%2FM7rKu8mCDWvEpRSvUegboKaKfgi3Npf%2B2RZaYbZwv51492dMcg6rm3FGvMEhWMecwitowb4MVQZHIoQ9ADPMBY5PplizPwzes82imSlL5fUGhPzjSX9bK9LOD%2BI6bLp7RUDYBfTA9%2B50sH%2Bkz%2Fvi0rha6CVsGFQO4lNEZjjWxXfNnhtTV0GDabkCiobVGeUtm8uyo%2BtFjf9A%2FtVEb6A%2BQxntZO1k1nr5CfC7sR0X74K3QzixwVwxrMzyz2zy9XBHw%2B5WnhyrkvATjhoAPDuVWzsQpUVGsUwhDFglC392cDl%2FtQGVvIW63jFsIpmVN4aOZdBmc6L47HN5wkNc9xsmX4LfHwKs%2BTB6Eu57AE6N3mcwa0gBnbaSCorO1uaqsZpJ7CtDrXKQjHouQVn7P4l2iIzwWl%2BrvhsfmyyOup9JFbo3gsegeC47bEvh1kUgsNGT7%2BxSXxrfW6BzsFV4iIbzFTesukCpkCSvG72153HXtRZQumlYiRF3YcmqLPqVZzC4ThIWzc5ZKrspbEzwMdbg1UTUtiHsNKwpoCitCPZfSXfFtMSMprufiQsLeAkprhVwRoECekbQVj%2FG7GF0UchXb9UxV%2FcehoQkMNYcTXBFO%2BhXVwQNJ%2BNpwAgWWonRXHlrsdrDA7XJpoFzQUyN9tKIeyeXoryNvXr5Q26jQ2H0P1y6IAXQhEMuT3pwlz55TOohNfcESIXHSeMcSbbNAGpahrMs6RBoS9XLVGbAS0NRNA7GnyV4F6PxNqBK6UaG0%2B6HyJwJ6qTIA6ijDze%2Bso%2BxSPoToZXqpfK3%2Fz9JLT3S5Hk%2FhRNNmX9%2B%2B338yHccr%2FIyqHfLGlZw1%2BiSzM%2BpWtRC2X0VqSKgew2JeqDLc4iOZqvaoW6HPVWJuEQOzXcOaeMQPIlxxwi0ZY%2Ffk1q%2Ba2Gp6XVI7pM4JakrLN66DGpaiQAuIiGVQGIie6Pxnq6CAl6wAqu9Cv9gXl1VT%2F1VL9%2Fa74OmW%2Brk2T%2Fnkbu57gsolw4KiqrUde0WnLBnW3P9fj7j7%2Fr%2BjoLv%2FAA%3D%3D
|
||||||
|
|
||||||
|
#### Destruction of a key in use
|
||||||
|
|
||||||
|
Problem: In [Key destruction long-term requirements](#key-destruction-long-term-requirements) we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (FILLING or with at least one reader).
|
||||||
|
|
||||||
|
How do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock).
|
||||||
|
|
||||||
|
Solution: after some team discussion, we've decided to rely on a new threading abstraction which mimics C11 (i.e. `mbedtls_fff` where `fff` is the C11 function name, having the same parameters and return type, with default implementations for C11, pthreads and Windows). We'll likely use condition variables in addition to mutexes.
|
||||||
|
|
||||||
|
##### Mutex only
|
||||||
|
|
||||||
|
When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to PENDING_DELETION first. For most functions this is a clean {FULL, !has_readers} -> PENDING_DELETION transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key.
|
||||||
|
|
||||||
|
`psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This is acceptable as an untrusted application cannot call `mbedtls_psa_crypto_free` in a crypto service. In a service integration, `mbedtls_psa_crypto_free` on the client cuts the communication with the crypto service. Also, this is the current behaviour.
|
||||||
|
|
||||||
|
`psa_destroy_key` registers as a reader, marks the slot as deleted, deletes persistent keys and opaque keys and unregisters before returning. This will free the key ID, but the slot might be still in use. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). `psa_destroy_key` transfers to PENDING_DELETION as an intermediate state. The last reading operation will wipe the key slot upon unregistering. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it.
|
||||||
|
|
||||||
|
These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the [Key destruction short-term requirements](#key-destruction-short-term-requirements).
|
||||||
|
|
||||||
|
Variations:
|
||||||
|
|
||||||
|
1. As a first step the multipart operations would lock the keys for reading on setup and release on free
|
||||||
|
2. In a later stage this would be improved by locking the keys on entry into multi-part API calls and released before exiting.
|
||||||
|
|
||||||
|
The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must be left unsupported in the first variant. This makes the first variant impractical (multipart operations returning an error in builds with multithreading enabled is not a behaviour that would be very useful to release).
|
||||||
|
|
||||||
|
We can't reuse the `lock_count` field to mark key slots deleted, as we still need to keep track the lock count while the slot is marked for deletion. This means that we will need to add a new field to key slots. This new field can be reused to indicate whether the slot is occupied (see section [Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)). (There would be three states: deleted, occupied, empty.)
|
||||||
|
|
||||||
|
#### Condition variables
|
||||||
|
|
||||||
|
Clean UNUSED -> PENDING_DELETION transition works as before.
|
||||||
|
|
||||||
|
`psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot has no registered readers. When waking up, they wipe the slot, and return.
|
||||||
|
|
||||||
|
If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy [Key destruction long-term requirements](#key-destruction-long-term-requirements) none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been wiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again.
|
||||||
|
|
||||||
|
To resolve this, we can either:
|
||||||
|
|
||||||
|
1. Depend on the deletion marker. If the slot has been reused and is marked for deletion again, the threads keep waiting until the second deletion completes.
|
||||||
|
2. Introduce a uuid (eg a global counter plus a slot ID), which is recorded by the thread waiting for deletion and checks whether it matches. If it doesn't, the function can return as the slot was already reallocated. If it does match, it can check whether it is still marked for deletion, if it is, the thread goes back to sleep, if it isn't, the function can return.
|
||||||
|
|
||||||
|
##### Platform abstraction
|
||||||
|
|
||||||
|
Introducing condition variables to the platform abstraction layer would be best done in a major version. If we can't wait until that, we will need to introduce a new compile time flag. Considering that this only will be needed on the PSA Crypto side and the upcoming split, it makes sense to make this flag responsible for the entire PSA Crypto threading support. Therefore if we want to keep the option open for implementing this in a backward compatible manner, we need to introduce and use this new flag already when implementing [Mutex only](#mutex-only). (If we keep the abstraction layer for mutexes the same, this shouldn't mean increase in code size and would mean only minimal effort on the porting side.)
|
||||||
|
|
||||||
|
#### Operation contexts
|
||||||
|
|
||||||
|
Concurrent access to the same operation context can compromise the crypto service for example if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement of the crypto service. (Concurrent calls to operations is undefined behaviour, but still should not compromise the CIA of the crypto service.)
|
||||||
|
|
||||||
|
If we want to protect against this in the library, operations will need a status field protected by a global mutex similarly to key slots. On entry, API calls would check the state and return an error if it is already ACTIVE. Otherwise they set it to ACTIVE and restore it to INACTIVE before returning.
|
||||||
|
|
||||||
|
Alternatively, protecting operation contexts can be left as the responsibility of the crypto service. The [PSA Crypto API Specification](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#concurrent-calls) does not require the library to provide any protection in this case. A crypto service can easily add its own mutex in its operation structure wrapper (the same structure where it keeps track of which client connection owns that operation object).
|
||||||
|
|
||||||
|
#### Drivers
|
||||||
|
|
||||||
|
Each driver that hasn’t got the "thread_safe” property set has a dedicated mutex.
|
||||||
|
|
||||||
|
Implementing "thread_safe” drivers depends on the condition variable protection in the key store, as we must guarantee that the core never starts the destruction of a key while there are operations in progress on it.
|
||||||
|
|
||||||
|
Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the [Condition variables](#condition-variables) approach is implemented in the core.
|
||||||
|
|
||||||
|
##### Reentrancy
|
||||||
|
|
||||||
|
It is natural sometimes to want to perform cryptographic operations from a driver, for example calculating a hash as part of various other crypto primitives, or using a block cipher in a driver for a mode, etc. Also encrypting/authenticating communication with a secure element.
|
||||||
|
|
||||||
|
**Non-thread-safe drivers:**
|
||||||
|
|
||||||
|
A driver is non-thread-safe if the `thread-safe` property (see [Driver requirements](#driver-requirements)) is set to false.
|
||||||
|
|
||||||
|
In the non-thread-safe case we have these natural assumptions/requirements:
|
||||||
|
1. Drivers don't call the core for any operation for which they provide an entry point
|
||||||
|
2. The core doesn't hold the driver mutex between calls to entry points
|
||||||
|
|
||||||
|
With these, the only way of a deadlock is when we have several drivers and they have circular dependencies. That is, Driver A makes a call that is despatched to Driver B and upon executing that Driver B makes a call that is despatched to Driver A. For example Driver A does CCM calls Driver B to do CBC-MAC, which in turn calls Driver A to do AES. This example is pretty contrived and it is hard to find a more practical example.
|
||||||
|
|
||||||
|
Potential ways for resolving this:
|
||||||
|
1. Non-thread-safe drivers must not call the core
|
||||||
|
2. Provide a new public API that drivers can safely call
|
||||||
|
3. Make the dispatch layer public for drivers to call
|
||||||
|
4. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.)
|
||||||
|
|
||||||
|
The first is too restrictive, the second and the third would require making it a stable API, and would likely increase the code size for a relatively rare feature. We are choosing the fourth as that is the most viable option.
|
||||||
|
|
||||||
|
**Thread-safe drivers:**
|
||||||
|
|
||||||
|
A driver is non-thread-safe if the `thread-safe` property (see [Driver requirements](#driver-requirements)) is set to true.
|
||||||
|
|
||||||
|
To make reentrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver core API whitelist.
|
||||||
|
|
||||||
|
Thread-safe drivers have less guarantees from the core and need to implement more complex logic and we can reasonably expect them to be more flexible in terms of reentrancy as well. At this point it is hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now.
|
||||||
|
|
||||||
|
Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the [Reentrancy](#reentrancy) and [Driver requirements](#driver-requirements) sections.
|
||||||
|
|
||||||
|
#### Global data
|
||||||
|
|
||||||
|
PSA Crypto makes use of a `global_data` variable that will be accessible from multiple threads and needs to be protected. Any function accessing this variable (or its members) must take the corresponding lock first. Since `global_data` holds the RNG state, these will involve relatively expensive operations and therefore ideally `global_data` should be protected by its own, dedicated lock (different from the one protecting the key store).
|
||||||
|
|
||||||
|
Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, which is guaranteed to be thread-safe when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled. Still, doing so is conceptually simpler and we probably will want to remove the lower level mutex in the long run, since the corresponding interface will be removed from the public API. The two mutexes are different and are always taken in the same order, there is no risk of deadlock.
|
||||||
|
|
||||||
|
The purpose of `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is very similar to the driver interface (and might even be added to it in the long run), therefore it makes sense to handle it the same way. In particular, we can use the `global_data` mutex to protect it as a default and when we implement the "thread_safe” property for drivers, we implement it for `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` as well.
|
||||||
|
|
||||||
|
#### Implementation notes
|
||||||
|
|
||||||
|
Since we only have simple mutexes, locking the same mutex from the same thread is a deadlock. Therefore functions taking the global mutex must not be called while holding the same mutex. Functions taking the mutex will document this fact and the implications.
|
||||||
|
|
||||||
|
Releasing the mutex before a function call might introduce race conditions. Therefore might not be practical to take the mutex in low level access functions. If functions like that don't take the mutex, they need to rely on the caller to take it for them. These functions will document that the caller is required to hold the mutex.
|
||||||
|
|
||||||
|
To avoid performance degradation, functions must hold mutexes for as short time as possible. In particular, they must not start expensive operations (eg. doing cryptography) while holding the mutex.
|
||||||
|
|
||||||
|
## Strategy for 3.6
|
||||||
|
|
||||||
|
The goal is to provide viable threading support without extending the platform abstraction. (Condition variables should be added in 4.0.) This means that we will be relying on mutexes only.
|
||||||
|
|
||||||
|
- Key Store
|
||||||
|
- Slot states are described in the [Slot states](#slot-states) section. They guarantee safe concurrent access to slot contents.
|
||||||
|
- Slot states will be protected by a global mutex as described in the introduction of the [Global lock excluding slot content](#global-lock-excluding-slot-content) section.
|
||||||
|
- Simple key destruction strategy as described in the [Mutex only](#mutex-only) section (variant 2).
|
||||||
|
- The slot state and key attributes will be separated as described in the last paragraph of the [Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied) section.
|
||||||
|
- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex as described in the [Global data](#global-data) section.
|
||||||
|
- The solution shall use the pre-existing `MBEDTLS_THREADING_C` threading abstraction. That is, the flag proposed in the [Platform abstraction](#platform-abstraction) section won't be implemented.
|
||||||
|
- The core makes no additional guarantees for drivers. That is, Policy 1 in section [Driver requirements](#driver-requirements) applies.
|
|
@ -16,6 +16,7 @@ driver.
|
||||||
|
|
||||||
In order to have some mechanism provided only by a driver, you'll want
|
In order to have some mechanism provided only by a driver, you'll want
|
||||||
the following compile-time configuration options enabled:
|
the following compile-time configuration options enabled:
|
||||||
|
|
||||||
- `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto.
|
- `MBEDTLS_PSA_CRYPTO_C` (enabled by default) - this enables PSA Crypto.
|
||||||
- `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and
|
- `MBEDTLS_USE_PSA_CRYPTO` (disabled by default) - this makes PK, X.509 and
|
||||||
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
|
TLS use PSA Crypto. You need to enable this if you're using PK, X.509 or TLS
|
||||||
|
@ -28,6 +29,7 @@ mechanism through the PSA API in Mbed
|
||||||
TLS](proposed/psa-conditional-inclusion-c.md) for details.
|
TLS](proposed/psa-conditional-inclusion-c.md) for details.
|
||||||
|
|
||||||
In addition, for each mechanism you want provided only by your driver:
|
In addition, for each mechanism you want provided only by your driver:
|
||||||
|
|
||||||
- Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this
|
- Define the corresponding `PSA_WANT` macro in `psa/crypto_config.h` - this
|
||||||
means the algorithm will be available in the PSA Crypto API.
|
means the algorithm will be available in the PSA Crypto API.
|
||||||
- Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be
|
- Define the corresponding `MBEDTLS_PSA_ACCEL` in your build. This could be
|
||||||
|
@ -52,9 +54,21 @@ Mechanisms covered
|
||||||
------------------
|
------------------
|
||||||
|
|
||||||
For now, only the following (families of) mechanisms are supported:
|
For now, only the following (families of) mechanisms are supported:
|
||||||
|
|
||||||
- hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
|
- hashes: SHA-3, SHA-2, SHA-1, MD5, etc.
|
||||||
- elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
|
- elliptic-curve cryptography (ECC): ECDH, ECDSA, EC J-PAKE, ECC key types.
|
||||||
- finite-field Diffie-Hellman: FFDH algorithm, DH key types.
|
- finite-field Diffie-Hellman: FFDH algorithm, DH key types.
|
||||||
|
- RSA: PKCS#1 v1.5 and v2.1 signature and encryption algorithms, RSA key types
|
||||||
|
(for now, only crypto, no X.509 or TLS support).
|
||||||
|
- AEADs:
|
||||||
|
- GCM and CCM with AES, ARIA and Camellia key types
|
||||||
|
- ChachaPoly with ChaCha20 Key type
|
||||||
|
- Unauthenticated ciphers:
|
||||||
|
- key types: AES, ARIA, Camellia, DES
|
||||||
|
- modes: ECB, CBC, CTR, CFB, OFB, XTS
|
||||||
|
|
||||||
|
For each family listed above, all the mentioned alorithms/key types are also
|
||||||
|
all the mechanisms that exist in PSA API.
|
||||||
|
|
||||||
Supported means that when those are provided only by drivers, everything
|
Supported means that when those are provided only by drivers, everything
|
||||||
(including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should
|
(including PK, X.509 and TLS if `MBEDTLS_USE_PSA_CRYPTO` is enabled) should
|
||||||
|
@ -62,18 +76,13 @@ work in the same way as if the mechanisms where built-in, except as documented
|
||||||
in the "Limitations" sub-sections of the sections dedicated to each family
|
in the "Limitations" sub-sections of the sections dedicated to each family
|
||||||
below.
|
below.
|
||||||
|
|
||||||
In the near future (end of 2023), we are planning to also add support for
|
|
||||||
ciphers (AES) and AEADs (GCM, CCM, ChachaPoly).
|
|
||||||
|
|
||||||
Currently (mid-2023) we don't have plans to extend this to RSA. If
|
|
||||||
you're interested in driver-only support for RSA, please let us know.
|
|
||||||
|
|
||||||
Hashes
|
Hashes
|
||||||
------
|
------
|
||||||
|
|
||||||
It is possible to have all hash operations provided only by a driver.
|
It is possible to have all hash operations provided only by a driver.
|
||||||
|
|
||||||
More precisely:
|
More precisely:
|
||||||
|
|
||||||
- you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided
|
- you can enable `PSA_WANT_ALG_SHA_256` without `MBEDTLS_SHA256_C`, provided
|
||||||
you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled;
|
you have `MBEDTLS_PSA_ACCEL_ALG_SHA_256` enabled;
|
||||||
- and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`,
|
- and similarly for all supported hash algorithms: `MD5`, `RIPEMD160`,
|
||||||
|
@ -92,6 +101,7 @@ considerations](#general-considerations) above.
|
||||||
If you want to check at compile-time whether a certain hash algorithm is
|
If you want to check at compile-time whether a certain hash algorithm is
|
||||||
available in the present build of Mbed TLS, regardless of whether it's
|
available in the present build of Mbed TLS, regardless of whether it's
|
||||||
provided by a driver or built-in, you should use the following macros:
|
provided by a driver or built-in, you should use the following macros:
|
||||||
|
|
||||||
- for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from
|
- for code that uses only the PSA Crypto API: `PSA_WANT_ALG_xxx` from
|
||||||
`psa/crypto.h`;
|
`psa/crypto.h`;
|
||||||
- for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from
|
- for code that uses non-PSA crypto APIs: `MBEDTLS_MD_CAN_xxx` from
|
||||||
|
@ -101,10 +111,12 @@ Elliptic-curve cryptography (ECC)
|
||||||
---------------------------------
|
---------------------------------
|
||||||
|
|
||||||
It is possible to have most ECC operations provided only by a driver:
|
It is possible to have most ECC operations provided only by a driver:
|
||||||
|
|
||||||
- the ECDH, ECDSA and EC J-PAKE algorithms;
|
- the ECDH, ECDSA and EC J-PAKE algorithms;
|
||||||
- key import, export, and random generation.
|
- key import, export, and random generation.
|
||||||
|
|
||||||
More precisely, if:
|
More precisely, if:
|
||||||
|
|
||||||
- you have driver support for ECC public and using private keys (that is,
|
- you have driver support for ECC public and using private keys (that is,
|
||||||
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and
|
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY` and
|
||||||
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and
|
`MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC` are enabled), and
|
||||||
|
@ -113,6 +125,7 @@ More precisely, if:
|
||||||
`MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well);
|
`MBEDTLS_PSA_ACCEL_ECC_xxx` macros is enabled as well);
|
||||||
|
|
||||||
then you can:
|
then you can:
|
||||||
|
|
||||||
- enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided
|
- enable `PSA_WANT_ALG_ECDH` without `MBEDTLS_ECDH_C`, provided
|
||||||
`MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled
|
`MBEDTLS_PSA_ACCEL_ALG_ECDH` is enabled
|
||||||
- enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided
|
- enable `PSA_WANT_ALG_ECDSA` without `MBEDTLS_ECDSA_C`, provided
|
||||||
|
@ -121,6 +134,7 @@ then you can:
|
||||||
`MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled.
|
`MBEDTLS_PSA_ACCEL_ALG_JPAKE` is enabled.
|
||||||
|
|
||||||
In addition, if:
|
In addition, if:
|
||||||
|
|
||||||
- none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled
|
- none of `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C`, `MBEDTLS_ECJPAKE_C` are enabled
|
||||||
(see conditions above), and
|
(see conditions above), and
|
||||||
- you have driver support for all enabled ECC key pair operations - that is,
|
- you have driver support for all enabled ECC key pair operations - that is,
|
||||||
|
@ -132,9 +146,11 @@ then you can also disable `MBEDTLS_ECP_C`. However, a small subset of it might
|
||||||
still be included in the build, see limitations sub-section below.
|
still be included in the build, see limitations sub-section below.
|
||||||
|
|
||||||
In addition, if:
|
In addition, if:
|
||||||
- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below), and
|
|
||||||
- support for RSA key types and algorithms is fully disabled, and
|
- `MBEDTLS_ECP_C` is fully removed (see limitation sub-section below),
|
||||||
- support for DH key types and the FFDH algorithm is either disabled, or
|
- and support for RSA key types and algorithms is either fully disabled or
|
||||||
|
fully provided by a driver,
|
||||||
|
- and support for DH key types and the FFDH algorithm is either disabled or
|
||||||
fully provided by a driver,
|
fully provided by a driver,
|
||||||
|
|
||||||
then you can also disable `MBEDTLS_BIGNUM_C`.
|
then you can also disable `MBEDTLS_BIGNUM_C`.
|
||||||
|
@ -142,6 +158,7 @@ then you can also disable `MBEDTLS_BIGNUM_C`.
|
||||||
In such builds, all crypto operations via the PSA Crypto API will work as
|
In such builds, all crypto operations via the PSA Crypto API will work as
|
||||||
usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is
|
usual, as well as the PK, X.509 and TLS modules if `MBEDTLS_USE_PSA_CRYPTO` is
|
||||||
enabled, with the following exceptions:
|
enabled, with the following exceptions:
|
||||||
|
|
||||||
- direct calls to APIs from the disabled modules are not possible;
|
- direct calls to APIs from the disabled modules are not possible;
|
||||||
- PK, X.509 and TLS will not support restartable ECC operations (see
|
- PK, X.509 and TLS will not support restartable ECC operations (see
|
||||||
limitation sub-section below).
|
limitation sub-section below).
|
||||||
|
@ -149,6 +166,7 @@ enabled, with the following exceptions:
|
||||||
If you want to check at compile-time whether a certain curve is available in
|
If you want to check at compile-time whether a certain curve is available in
|
||||||
the present build of Mbed TLS, regardless of whether ECC is provided by a
|
the present build of Mbed TLS, regardless of whether ECC is provided by a
|
||||||
driver or built-in, you should use the following macros:
|
driver or built-in, you should use the following macros:
|
||||||
|
|
||||||
- for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from
|
- for code that uses only the PSA Crypto API: `PSA_WANT_ECC_xxx` from
|
||||||
`psa/crypto.h`;
|
`psa/crypto.h`;
|
||||||
- for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from
|
- for code that may also use non-PSA crypto APIs: `MBEDTLS_ECP_HAVE_xxx` from
|
||||||
|
@ -164,6 +182,7 @@ automatically defined when enabling `MBEDTLS_PSA_P256M_DRIVER_ENABLED`.
|
||||||
|
|
||||||
A limited subset of `ecp.c` will still be automatically re-enabled if any of
|
A limited subset of `ecp.c` will still be automatically re-enabled if any of
|
||||||
the following is enabled:
|
the following is enabled:
|
||||||
|
|
||||||
- `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the
|
- `MBEDTLS_PK_PARSE_EC_COMPRESSED` - support for parsing ECC keys where the
|
||||||
public part is in compressed format;
|
public part is in compressed format;
|
||||||
- `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the
|
- `MBEDTLS_PK_PARSE_EC_EXTENDED` - support for parsing ECC keys where the
|
||||||
|
@ -237,6 +256,184 @@ The same holds for the associated algorithm:
|
||||||
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
|
`[PSA_WANT|MBEDTLS_PSA_ACCEL]_ALG_FFDH` allow builds accelerating FFDH and
|
||||||
removing builtin support (i.e. `MBEDTLS_DHM_C`).
|
removing builtin support (i.e. `MBEDTLS_DHM_C`).
|
||||||
|
|
||||||
### Limitations
|
RSA
|
||||||
Support for deterministic derivation of a DH keypair
|
---
|
||||||
(i.e. `PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE`) is not supported.
|
|
||||||
|
It is possible for all RSA operations to be provided only by a driver.
|
||||||
|
|
||||||
|
More precisely, if:
|
||||||
|
|
||||||
|
- all the RSA algorithms that are enabled (`PSA_WANT_ALG_RSA_*`) are also
|
||||||
|
accelerated (`MBEDTLS_PSA_ACCEL_ALG_RSA_*`),
|
||||||
|
- and all the RSA key types that are enabled (`PSA_WANT_KEY_TYPE_RSA_*`) are
|
||||||
|
also accelerated (`MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_*`),
|
||||||
|
|
||||||
|
then you can disable `MBEDTLS_RSA_C`, `MBEDTLS_PKCS1_V15` and
|
||||||
|
`MBEDTLS_PKCS1_V21`, and RSA will still work in PSA Crypto.
|
||||||
|
|
||||||
|
### Limitations on RSA acceleration
|
||||||
|
|
||||||
|
Unlike other mechanisms, for now in configurations with driver-only RSA, only
|
||||||
|
PSA Crypto works. In particular, PK, X.509 and TLS will _not_ work with
|
||||||
|
driver-only RSA even if `MBEDTLS_USE_PSA_CRYPTO` is enabled.
|
||||||
|
|
||||||
|
Currently (early 2024) we don't have plans to extend this support. If you're
|
||||||
|
interested in wider driver-only support for RSA, please let us know.
|
||||||
|
|
||||||
|
Ciphers (unauthenticated and AEAD)
|
||||||
|
----------------------------------
|
||||||
|
|
||||||
|
It is possible to have all ciphers and AEAD operations provided only by a
|
||||||
|
driver. More precisely, for each desired combination of key type and
|
||||||
|
algorithm/mode you can:
|
||||||
|
|
||||||
|
- Enable desired PSA key type(s):
|
||||||
|
- `PSA_WANT_KEY_TYPE_AES`,
|
||||||
|
- `PSA_WANT_KEY_TYPE_ARIA`,
|
||||||
|
- `PSA_WANT_KEY_TYPE_CAMELLIA`,
|
||||||
|
- `PSA_WANT_KEY_TYPE_CHACHA20`,
|
||||||
|
- `PSA_WANT_KEY_TYPE_DES`.
|
||||||
|
- Enable desired PSA algorithm(s):
|
||||||
|
- Unauthenticated ciphers modes:
|
||||||
|
- `PSA_WANT_ALG_CBC_NO_PADDING`,
|
||||||
|
- `PSA_WANT_ALG_CBC_PKCS7`,
|
||||||
|
- `PSA_WANT_ALG_CCM_STAR_NO_TAG`,
|
||||||
|
- `PSA_WANT_ALG_CFB`,
|
||||||
|
- `PSA_WANT_ALG_CTR`,
|
||||||
|
- `PSA_WANT_ALG_ECB_NO_PADDING`,
|
||||||
|
- `PSA_WANT_ALG_OFB`,
|
||||||
|
- `PSA_WANT_ALG_STREAM_CIPHER`.
|
||||||
|
- AEADs:
|
||||||
|
- `PSA_WANT_ALG_CCM`,
|
||||||
|
- `PSA_WANT_ALG_GCM`,
|
||||||
|
- `PSA_WANT_ALG_CHACHA20_POLY1305`.
|
||||||
|
- Enable `MBEDTLS_PSA_ACCEL_[KEY_TYPE_xxx|ALG_yyy]` symbol(s) which correspond
|
||||||
|
to the `PSA_WANT_KEY_TYPE_xxx` and `PSA_WANT_ALG_yyy` of the previous steps.
|
||||||
|
- Disable builtin support of key types:
|
||||||
|
- `MBEDTLS_AES_C`,
|
||||||
|
- `MBEDTLS_ARIA_C`,
|
||||||
|
- `MBEDTLS_CAMELLIA_C`,
|
||||||
|
- `MBEDTLS_DES_C`,
|
||||||
|
- `MBEDTLS_CHACHA20_C`.
|
||||||
|
and algorithms/modes:
|
||||||
|
- `MBEDTLS_CBC_C`,
|
||||||
|
- `MBEDTLS_CFB_C`,
|
||||||
|
- `MBEDTLS_CTR_C`,
|
||||||
|
- `MBEDTLS_OFB_C`,
|
||||||
|
- `MBEDTLS_XTS_C`,
|
||||||
|
- `MBEDTLS_CCM_C`,
|
||||||
|
- `MBEDTLS_GCM_C`,
|
||||||
|
- `MBEDTLS_CHACHAPOLY_C`,
|
||||||
|
- `MBEDTLS_NULL_CIPHER`.
|
||||||
|
|
||||||
|
Once a key type and related algorithm are accelerated, all the PSA Crypto APIs
|
||||||
|
will work, as well as X.509 and TLS (with `MBEDTLS_USE_PSA_CRYPTO` enabled) but
|
||||||
|
some non-PSA APIs will be absent or have reduced functionality, see
|
||||||
|
[Restrictions](#restrictions) for details.
|
||||||
|
|
||||||
|
### Restrictions
|
||||||
|
|
||||||
|
- If an algorithm other than CCM and GCM (see
|
||||||
|
["Partial acceleration for CCM/GCM"](#partial-acceleration-for-ccmgcm) below)
|
||||||
|
is enabled but not accelerated, then all key types that can be used with it
|
||||||
|
will need to be built-in.
|
||||||
|
- If a key type is enabled but not accelerated, then all algorithms that can be
|
||||||
|
used with it will need to be built-in.
|
||||||
|
|
||||||
|
Some legacy modules can't take advantage of PSA drivers yet, and will either
|
||||||
|
need to be disabled, or have reduced features when the built-in implementations
|
||||||
|
of some ciphers are removed:
|
||||||
|
|
||||||
|
- `MBEDTLS_NIST_KW_C` needs built-in AES: it must be disabled when
|
||||||
|
`MBEDTLS_AES_C` is disabled.
|
||||||
|
- `MBEDTLS_CMAC_C` needs built-in AES/DES: it must be disabled when
|
||||||
|
`MBEDTLS_AES_C` and `MBEDTLS_DES_C` are both disabled. When only one of them
|
||||||
|
is enabled, then only the corresponding cipher will be available at runtime
|
||||||
|
for use with `mbedtls_cipher_cmac_xxx`. (Note: if there is driver support for
|
||||||
|
CMAC and all compatible key types, then `PSA_WANT_ALG_CMAC` can be enabled
|
||||||
|
without `MBEDTLS_CMAC_C` and CMAC will be usable with `psa_max_xxx` APIs.)
|
||||||
|
- `MBEDTLS_CIPHER_C`: the `mbedtls_cipher_xxx()` APIs will only work with
|
||||||
|
ciphers that are built-in - that is, both the underlying cipher
|
||||||
|
(eg `MBEDTLS_AES_C`) and the mode (eg `MBEDTLS_CIPHER_MODE_CBC` or
|
||||||
|
`MBEDTLS_GCM_C`).
|
||||||
|
- `MBEDTLS_PKCS5_C`: encryption/decryption (PBES2, PBE) will only work with
|
||||||
|
ciphers that are built-in.
|
||||||
|
- PEM decryption will only work with ciphers that are built-in.
|
||||||
|
- PK parse will only be able to parse encrypted keys using built-in ciphers.
|
||||||
|
|
||||||
|
Note that if you also disable `MBEDTLS_CIPHER_C`, there will be additional
|
||||||
|
restrictions, see [Disabling `MBEDTLS_CIPHER_C`](#disabling-mbedtls_cipher_c).
|
||||||
|
|
||||||
|
### Legacy <-> PSA matching
|
||||||
|
|
||||||
|
Note that the relationship between legacy (i.e. `MBEDTLS_xxx_C`) and PSA
|
||||||
|
(i.e. `PSA_WANT_xxx`) symbols is not always 1:1. For example:
|
||||||
|
|
||||||
|
- ECB mode is always enabled in the legacy configuration for each key type that
|
||||||
|
allows it (AES, ARIA, Camellia, DES), whereas it must be explicitly enabled
|
||||||
|
in PSA with `PSA_WANT_ALG_ECB_NO_PADDING`.
|
||||||
|
- In the legacy API, `MBEDTLS_CHACHA20_C` enables the ChaCha20 stream cipher, and
|
||||||
|
enabling `MBEDTLS_CHACHAPOLY_C` also enables the ChaCha20-Poly1305 AEAD. In the
|
||||||
|
PSA API, you need to enable `PSA_KEY_TYPE_CHACHA20` for both, plus
|
||||||
|
`PSA_ALG_STREAM_CIPHER` or `PSA_ALG_CHACHA20_POLY1305` as desired.
|
||||||
|
- The legacy symbol `MBEDTLS_CCM_C` adds support for both cipher and AEAD,
|
||||||
|
whereas in PSA there are 2 different symbols: `PSA_WANT_ALG_CCM_STAR_NO_TAG`
|
||||||
|
and `PSA_WANT_ALG_CCM`, respectively.
|
||||||
|
|
||||||
|
### Partial acceleration for CCM/GCM
|
||||||
|
|
||||||
|
[This section depends on #8598 so it might be updated while that PR progresses.]
|
||||||
|
|
||||||
|
In case legacy CCM/GCM algorithms are enabled, it is still possible to benefit
|
||||||
|
from PSA acceleration of the underlying block cipher by enabling support for
|
||||||
|
ECB mode (`PSA_WANT_ALG_ECB_NO_PADDING` + `MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING`)
|
||||||
|
together with desired key type(s) (`PSA_WANT_KEY_TYPE_[AES|ARIA|CAMELLIA]` +
|
||||||
|
`MBEDTLS_PSA_ACCEL_KEY_TYPE_[AES|ARIA|CAMELLIA]`).
|
||||||
|
|
||||||
|
In such configurations it is possible to:
|
||||||
|
|
||||||
|
- Use CCM and GCM via the PSA Crypto APIs.
|
||||||
|
- Use CCM and GCM via legacy functions `mbedtls_[ccm|gcm]_xxx()` (but not the
|
||||||
|
legacy functions `mbedtls_cipher_xxx()`).
|
||||||
|
- Disable legacy key types (`MBEDTLS_[AES|ARIA|CAMELLIA]_C`) if there is no
|
||||||
|
other dependency requiring them.
|
||||||
|
|
||||||
|
ChaChaPoly has no such feature, so it requires full acceleration (key type +
|
||||||
|
algorithm) in order to work with a driver.
|
||||||
|
|
||||||
|
### CTR-DRBG
|
||||||
|
|
||||||
|
The legacy CTR-DRBG module (enabled by `MBEDTLS_CTR_DRBG_C`) can also benefit
|
||||||
|
from PSA acceleration if both of the following conditions are met:
|
||||||
|
|
||||||
|
- The legacy AES module (`MBEDTLS_AES_C`) is not enabled and
|
||||||
|
- AES is supported on the PSA side together with ECB mode, i.e.
|
||||||
|
`PSA_WANT_KEY_TYPE_AES` + `PSA_WANT_ALG_ECB_NO_PADDING`.
|
||||||
|
|
||||||
|
### Disabling `MBEDTLS_CIPHER_C`
|
||||||
|
|
||||||
|
It is possible to save code size by disabling MBEDTLS_CIPHER_C when all of the
|
||||||
|
following conditions are met:
|
||||||
|
|
||||||
|
- The application is not using the `mbedtls_cipher_` API.
|
||||||
|
- In PSA, all unauthenticated (that is, non-AEAD) ciphers are either disabled or
|
||||||
|
fully accelerated (that is, all compatible key types are accelerated too).
|
||||||
|
- Either TLS is disabled, or `MBEDTLS_USE_PSA_CRYPTO` is enabled.
|
||||||
|
- `MBEDTLS_NIST_KW` is disabled.
|
||||||
|
- `MBEDTLS_CMAC_C` is disabled. (Note: support for CMAC in PSA can be provided by
|
||||||
|
a driver.)
|
||||||
|
|
||||||
|
In such a build, everything will work as usual except for the following:
|
||||||
|
|
||||||
|
- Encryption/decryption functions from the PKCS5 and PKCS12 module will not be
|
||||||
|
available (only key derivation functions).
|
||||||
|
- Parsing of PKCS5- or PKCS12-encrypted keys in PK parse will fail.
|
||||||
|
|
||||||
|
Note: AEAD ciphers (CCM, GCM, ChachaPoly) do not have a dependency on
|
||||||
|
MBEDTLS_CIPHER_C even when using the built-in implementations.
|
||||||
|
|
||||||
|
If you also have some ciphers fully accelerated and the built-ins removed, see
|
||||||
|
[Restrictions](#restrictions) for restrictions related to removing the built-ins.
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -4,7 +4,7 @@ Migrating to an auto generated psa_crypto_driver_wrappers.h file
|
||||||
This document describes how to migrate to the auto generated psa_crypto_driver_wrappers.h file.
|
This document describes how to migrate to the auto generated psa_crypto_driver_wrappers.h file.
|
||||||
It is meant to give the library user migration guidelines while the Mbed TLS project tides over multiple minor revs of version 1.0, after which this will be merged into psa-driver-interface.md.
|
It is meant to give the library user migration guidelines while the Mbed TLS project tides over multiple minor revs of version 1.0, after which this will be merged into psa-driver-interface.md.
|
||||||
|
|
||||||
For a practical guide with a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.html).
|
For a practical guide with a description of the current state of drivers Mbed TLS, see our [PSA Cryptoprocessor driver development examples](../psa-driver-example-and-guide.md).
|
||||||
|
|
||||||
## Introduction
|
## Introduction
|
||||||
|
|
||||||
|
|
1349
docs/psa-transition.md
Normal file
1349
docs/psa-transition.md
Normal file
File diff suppressed because it is too large
Load diff
|
@ -7,5 +7,5 @@
|
||||||
# expose it.
|
# expose it.
|
||||||
|
|
||||||
- type: exact
|
- type: exact
|
||||||
from_url: /projects/api/en/latest/$rest
|
from_url: /projects/api/en/latest/*
|
||||||
to_url: /projects/api/en/development/
|
to_url: /projects/api/en/development/:splat
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,23 +6,11 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* @mainpage Mbed TLS v3.5.0 API Documentation
|
* @mainpage Mbed TLS v3.5.2 API Documentation
|
||||||
*
|
*
|
||||||
* This documentation describes the internal structure of Mbed TLS. It was
|
* This documentation describes the internal structure of Mbed TLS. It was
|
||||||
* automatically generated from specially formatted comment blocks in
|
* automatically generated from specially formatted comment blocks in
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -6,19 +6,7 @@
|
||||||
/*
|
/*
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -1,4 +1,4 @@
|
||||||
PROJECT_NAME = "Mbed TLS v3.5.0"
|
PROJECT_NAME = "Mbed TLS v3.5.2"
|
||||||
OUTPUT_DIRECTORY = ../apidoc/
|
OUTPUT_DIRECTORY = ../apidoc/
|
||||||
FULL_PATH_NAMES = NO
|
FULL_PATH_NAMES = NO
|
||||||
OPTIMIZE_OUTPUT_FOR_C = YES
|
OPTIMIZE_OUTPUT_FOR_C = YES
|
||||||
|
@ -6,7 +6,7 @@ EXTRACT_ALL = YES
|
||||||
EXTRACT_PRIVATE = YES
|
EXTRACT_PRIVATE = YES
|
||||||
EXTRACT_STATIC = YES
|
EXTRACT_STATIC = YES
|
||||||
CASE_SENSE_NAMES = NO
|
CASE_SENSE_NAMES = NO
|
||||||
INPUT = ../include input
|
INPUT = ../include input ../tests/include/alt-dummy
|
||||||
FILE_PATTERNS = *.h
|
FILE_PATTERNS = *.h
|
||||||
RECURSIVE = YES
|
RECURSIVE = YES
|
||||||
EXCLUDE_SYMLINKS = YES
|
EXCLUDE_SYMLINKS = YES
|
||||||
|
|
|
@ -22,19 +22,7 @@
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_AES_H
|
#ifndef MBEDTLS_AES_H
|
||||||
|
@ -167,6 +155,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
|
||||||
int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
|
int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||||
/**
|
/**
|
||||||
* \brief This function sets the decryption key.
|
* \brief This function sets the decryption key.
|
||||||
*
|
*
|
||||||
|
@ -185,6 +174,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
|
||||||
MBEDTLS_CHECK_RETURN_TYPICAL
|
MBEDTLS_CHECK_RETURN_TYPICAL
|
||||||
int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
|
int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
|
||||||
|
|
||||||
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||||
/**
|
/**
|
||||||
|
@ -604,6 +594,7 @@ int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
|
||||||
const unsigned char input[16],
|
const unsigned char input[16],
|
||||||
unsigned char output[16]);
|
unsigned char output[16]);
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||||
/**
|
/**
|
||||||
* \brief Internal AES block decryption function. This is only
|
* \brief Internal AES block decryption function. This is only
|
||||||
* exposed to allow overriding it using see
|
* exposed to allow overriding it using see
|
||||||
|
@ -619,6 +610,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
|
||||||
int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
|
int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
|
||||||
const unsigned char input[16],
|
const unsigned char input[16],
|
||||||
unsigned char output[16]);
|
unsigned char output[16]);
|
||||||
|
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
|
||||||
|
|
||||||
#if defined(MBEDTLS_SELF_TEST)
|
#if defined(MBEDTLS_SELF_TEST)
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -11,19 +11,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_ARIA_H
|
#ifndef MBEDTLS_ARIA_H
|
||||||
|
@ -110,6 +98,7 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
|
||||||
const unsigned char *key,
|
const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||||
/**
|
/**
|
||||||
* \brief This function sets the decryption key.
|
* \brief This function sets the decryption key.
|
||||||
*
|
*
|
||||||
|
@ -128,6 +117,7 @@ int mbedtls_aria_setkey_enc(mbedtls_aria_context *ctx,
|
||||||
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
|
int mbedtls_aria_setkey_dec(mbedtls_aria_context *ctx,
|
||||||
const unsigned char *key,
|
const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief This function performs an ARIA single-block encryption or
|
* \brief This function performs an ARIA single-block encryption or
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
#ifndef MBEDTLS_ASN1_H
|
#ifndef MBEDTLS_ASN1_H
|
||||||
#define MBEDTLS_ASN1_H
|
#define MBEDTLS_ASN1_H
|
||||||
|
@ -209,7 +197,8 @@ typedef struct mbedtls_asn1_named_data {
|
||||||
}
|
}
|
||||||
mbedtls_asn1_named_data;
|
mbedtls_asn1_named_data;
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C)
|
#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
|
||||||
|
defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
|
||||||
/**
|
/**
|
||||||
* \brief Get the length of an ASN.1 element.
|
* \brief Get the length of an ASN.1 element.
|
||||||
* Updates the pointer to immediately behind the length.
|
* Updates the pointer to immediately behind the length.
|
||||||
|
@ -256,7 +245,7 @@ int mbedtls_asn1_get_len(unsigned char **p,
|
||||||
int mbedtls_asn1_get_tag(unsigned char **p,
|
int mbedtls_asn1_get_tag(unsigned char **p,
|
||||||
const unsigned char *end,
|
const unsigned char *end,
|
||||||
size_t *len, int tag);
|
size_t *len, int tag);
|
||||||
#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */
|
#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_PARSE_C)
|
#if defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
#ifndef MBEDTLS_ASN1_WRITE_H
|
#ifndef MBEDTLS_ASN1_WRITE_H
|
||||||
#define MBEDTLS_ASN1_WRITE_H
|
#define MBEDTLS_ASN1_WRITE_H
|
||||||
|
@ -48,7 +36,8 @@
|
||||||
extern "C" {
|
extern "C" {
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C)
|
#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
|
||||||
|
defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
|
||||||
/**
|
/**
|
||||||
* \brief Write a length field in ASN.1 format.
|
* \brief Write a length field in ASN.1 format.
|
||||||
*
|
*
|
||||||
|
@ -77,7 +66,7 @@ int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start,
|
||||||
*/
|
*/
|
||||||
int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
|
int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
|
||||||
unsigned char tag);
|
unsigned char tag);
|
||||||
#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */
|
#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/
|
||||||
|
|
||||||
#if defined(MBEDTLS_ASN1_WRITE_C)
|
#if defined(MBEDTLS_ASN1_WRITE_C)
|
||||||
/**
|
/**
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
#ifndef MBEDTLS_BASE64_H
|
#ifndef MBEDTLS_BASE64_H
|
||||||
#define MBEDTLS_BASE64_H
|
#define MBEDTLS_BASE64_H
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
#ifndef MBEDTLS_BIGNUM_H
|
#ifndef MBEDTLS_BIGNUM_H
|
||||||
#define MBEDTLS_BIGNUM_H
|
#define MBEDTLS_BIGNUM_H
|
||||||
|
|
76
include/mbedtls/block_cipher.h
Normal file
76
include/mbedtls/block_cipher.h
Normal file
|
@ -0,0 +1,76 @@
|
||||||
|
/**
|
||||||
|
* \file block_cipher.h
|
||||||
|
*
|
||||||
|
* \brief Internal abstraction layer.
|
||||||
|
*/
|
||||||
|
/*
|
||||||
|
* Copyright The Mbed TLS Contributors
|
||||||
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
|
*/
|
||||||
|
#ifndef MBEDTLS_BLOCK_CIPHER_H
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_H
|
||||||
|
|
||||||
|
#include "mbedtls/private_access.h"
|
||||||
|
|
||||||
|
#include "mbedtls/build_info.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_AES_C)
|
||||||
|
#include "mbedtls/aes.h"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ARIA_C)
|
||||||
|
#include "mbedtls/aria.h"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_CAMELLIA_C)
|
||||||
|
#include "mbedtls/camellia.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
|
||||||
|
#include "psa/crypto_types.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
extern "C" {
|
||||||
|
#endif
|
||||||
|
|
||||||
|
typedef enum {
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ID_NONE = 0, /**< Unset. */
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ID_AES, /**< The AES cipher. */
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ID_CAMELLIA, /**< The Camellia cipher. */
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ID_ARIA, /**< The Aria cipher. */
|
||||||
|
} mbedtls_block_cipher_id_t;
|
||||||
|
|
||||||
|
/**
|
||||||
|
* Used internally to indicate whether a context uses legacy or PSA.
|
||||||
|
*
|
||||||
|
* Internal use only.
|
||||||
|
*/
|
||||||
|
typedef enum {
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ENGINE_LEGACY = 0,
|
||||||
|
MBEDTLS_BLOCK_CIPHER_ENGINE_PSA,
|
||||||
|
} mbedtls_block_cipher_engine_t;
|
||||||
|
|
||||||
|
typedef struct {
|
||||||
|
mbedtls_block_cipher_id_t MBEDTLS_PRIVATE(id);
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA)
|
||||||
|
mbedtls_block_cipher_engine_t MBEDTLS_PRIVATE(engine);
|
||||||
|
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(psa_key_id);
|
||||||
|
#endif
|
||||||
|
union {
|
||||||
|
unsigned dummy; /* Make the union non-empty even with no supported algorithms. */
|
||||||
|
#if defined(MBEDTLS_AES_C)
|
||||||
|
mbedtls_aes_context MBEDTLS_PRIVATE(aes);
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ARIA_C)
|
||||||
|
mbedtls_aria_context MBEDTLS_PRIVATE(aria);
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_CAMELLIA_C)
|
||||||
|
mbedtls_camellia_context MBEDTLS_PRIVATE(camellia);
|
||||||
|
#endif
|
||||||
|
} MBEDTLS_PRIVATE(ctx);
|
||||||
|
} mbedtls_block_cipher_context_t;
|
||||||
|
|
||||||
|
#ifdef __cplusplus
|
||||||
|
}
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_BLOCK_CIPHER_H */
|
|
@ -8,19 +8,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_BUILD_INFO_H
|
#ifndef MBEDTLS_BUILD_INFO_H
|
||||||
|
@ -38,16 +26,16 @@
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_VERSION_MAJOR 3
|
#define MBEDTLS_VERSION_MAJOR 3
|
||||||
#define MBEDTLS_VERSION_MINOR 5
|
#define MBEDTLS_VERSION_MINOR 5
|
||||||
#define MBEDTLS_VERSION_PATCH 0
|
#define MBEDTLS_VERSION_PATCH 2
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* The single version number has the following structure:
|
* The single version number has the following structure:
|
||||||
* MMNNPP00
|
* MMNNPP00
|
||||||
* Major version | Minor version | Patch version
|
* Major version | Minor version | Patch version
|
||||||
*/
|
*/
|
||||||
#define MBEDTLS_VERSION_NUMBER 0x03050000
|
#define MBEDTLS_VERSION_NUMBER 0x03050200
|
||||||
#define MBEDTLS_VERSION_STRING "3.5.0"
|
#define MBEDTLS_VERSION_STRING "3.5.2"
|
||||||
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.0"
|
#define MBEDTLS_VERSION_STRING_FULL "Mbed TLS 3.5.2"
|
||||||
|
|
||||||
/* Macros for build-time platform detection */
|
/* Macros for build-time platform detection */
|
||||||
|
|
||||||
|
@ -74,6 +62,35 @@
|
||||||
#define MBEDTLS_ARCH_IS_X86
|
#define MBEDTLS_ARCH_IS_X86
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64) && \
|
||||||
|
(defined(_M_ARM64) || defined(_M_ARM64EC))
|
||||||
|
#define MBEDTLS_PLATFORM_IS_WINDOWS_ON_ARM64
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* This is defined if the architecture is Armv8-A, or higher */
|
||||||
|
#if !defined(MBEDTLS_ARCH_IS_ARMV8_A)
|
||||||
|
#if defined(__ARM_ARCH) && defined(__ARM_ARCH_PROFILE)
|
||||||
|
#if (__ARM_ARCH >= 8) && (__ARM_ARCH_PROFILE == 'A')
|
||||||
|
/* GCC, clang, armclang and IAR */
|
||||||
|
#define MBEDTLS_ARCH_IS_ARMV8_A
|
||||||
|
#endif
|
||||||
|
#elif defined(__ARM_ARCH_8A)
|
||||||
|
/* Alternative defined by clang */
|
||||||
|
#define MBEDTLS_ARCH_IS_ARMV8_A
|
||||||
|
#elif defined(_M_ARM64) || defined(_M_ARM64EC)
|
||||||
|
/* MSVC ARM64 is at least Armv8.0-A */
|
||||||
|
#define MBEDTLS_ARCH_IS_ARMV8_A
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(__GNUC__) && !defined(__ARMCC_VERSION) && !defined(__clang__) \
|
||||||
|
&& !defined(__llvm__) && !defined(__INTEL_COMPILER)
|
||||||
|
/* Defined if the compiler really is gcc and not clang, etc */
|
||||||
|
#define MBEDTLS_COMPILER_IS_GCC
|
||||||
|
#define MBEDTLS_GCC_VERSION \
|
||||||
|
(__GNUC__ * 10000 + __GNUC_MINOR__ * 100 + __GNUC_PATCHLEVEL__)
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
|
#if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE)
|
||||||
#define _CRT_SECURE_NO_DEPRECATE 1
|
#define _CRT_SECURE_NO_DEPRECATE 1
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
#ifndef MBEDTLS_CAMELLIA_H
|
#ifndef MBEDTLS_CAMELLIA_H
|
||||||
#define MBEDTLS_CAMELLIA_H
|
#define MBEDTLS_CAMELLIA_H
|
||||||
|
@ -93,6 +81,7 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
|
||||||
const unsigned char *key,
|
const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
|
||||||
|
#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||||
/**
|
/**
|
||||||
* \brief Perform a CAMELLIA key schedule operation for decryption.
|
* \brief Perform a CAMELLIA key schedule operation for decryption.
|
||||||
*
|
*
|
||||||
|
@ -108,6 +97,7 @@ int mbedtls_camellia_setkey_enc(mbedtls_camellia_context *ctx,
|
||||||
int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
|
int mbedtls_camellia_setkey_dec(mbedtls_camellia_context *ctx,
|
||||||
const unsigned char *key,
|
const unsigned char *key,
|
||||||
unsigned int keybits);
|
unsigned int keybits);
|
||||||
|
#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Perform a CAMELLIA-ECB block encryption/decryption operation.
|
* \brief Perform a CAMELLIA-ECB block encryption/decryption operation.
|
||||||
|
|
|
@ -29,19 +29,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CCM_H
|
#ifndef MBEDTLS_CCM_H
|
||||||
|
@ -52,6 +40,10 @@
|
||||||
|
|
||||||
#include "mbedtls/cipher.h"
|
#include "mbedtls/cipher.h"
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_C)
|
||||||
|
#include "mbedtls/block_cipher.h"
|
||||||
|
#endif
|
||||||
|
|
||||||
#define MBEDTLS_CCM_DECRYPT 0
|
#define MBEDTLS_CCM_DECRYPT 0
|
||||||
#define MBEDTLS_CCM_ENCRYPT 1
|
#define MBEDTLS_CCM_ENCRYPT 1
|
||||||
#define MBEDTLS_CCM_STAR_DECRYPT 2
|
#define MBEDTLS_CCM_STAR_DECRYPT 2
|
||||||
|
@ -92,7 +84,11 @@ typedef struct mbedtls_ccm_context {
|
||||||
#MBEDTLS_CCM_DECRYPT or
|
#MBEDTLS_CCM_DECRYPT or
|
||||||
#MBEDTLS_CCM_STAR_ENCRYPT or
|
#MBEDTLS_CCM_STAR_ENCRYPT or
|
||||||
#MBEDTLS_CCM_STAR_DECRYPT. */
|
#MBEDTLS_CCM_STAR_DECRYPT. */
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_C)
|
||||||
|
mbedtls_block_cipher_context_t MBEDTLS_PRIVATE(block_cipher_ctx); /*!< The cipher context used. */
|
||||||
|
#else
|
||||||
mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
|
mbedtls_cipher_context_t MBEDTLS_PRIVATE(cipher_ctx); /*!< The cipher context used. */
|
||||||
|
#endif
|
||||||
int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
|
int MBEDTLS_PRIVATE(state); /*!< Working value holding context's
|
||||||
state. Used for chunked data input */
|
state. Used for chunked data input */
|
||||||
}
|
}
|
||||||
|
@ -513,7 +509,7 @@ int mbedtls_ccm_update(mbedtls_ccm_context *ctx,
|
||||||
int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
|
int mbedtls_ccm_finish(mbedtls_ccm_context *ctx,
|
||||||
unsigned char *tag, size_t tag_len);
|
unsigned char *tag, size_t tag_len);
|
||||||
|
|
||||||
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_AES_C)
|
#if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_CCM_GCM_CAN_AES)
|
||||||
/**
|
/**
|
||||||
* \brief The CCM checkup routine.
|
* \brief The CCM checkup routine.
|
||||||
*
|
*
|
||||||
|
|
|
@ -14,19 +14,7 @@
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CHACHA20_H
|
#ifndef MBEDTLS_CHACHA20_H
|
||||||
|
|
|
@ -14,19 +14,7 @@
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CHACHAPOLY_H
|
#ifndef MBEDTLS_CHACHAPOLY_H
|
||||||
|
|
|
@ -5,19 +5,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CHECK_CONFIG_H
|
#ifndef MBEDTLS_CHECK_CONFIG_H
|
||||||
|
@ -165,7 +153,9 @@
|
||||||
#endif /* not all curves accelerated */
|
#endif /* not all curves accelerated */
|
||||||
#endif /* some curve accelerated */
|
#endif /* some curve accelerated */
|
||||||
|
|
||||||
#if defined(MBEDTLS_CTR_DRBG_C) && !defined(MBEDTLS_AES_C)
|
#if defined(MBEDTLS_CTR_DRBG_C) && !(defined(MBEDTLS_AES_C) || \
|
||||||
|
(defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_KEY_TYPE_AES) && \
|
||||||
|
defined(PSA_WANT_ALG_ECB_NO_PADDING)))
|
||||||
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
|
#error "MBEDTLS_CTR_DRBG_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -183,6 +173,36 @@
|
||||||
#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
|
#error "MBEDTLS_NIST_KW_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT) && defined(MBEDTLS_PSA_CRYPTO_CONFIG)
|
||||||
|
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_NO_PADDING cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(PSA_WANT_ALG_CBC_PKCS7)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_CBC_PKCS7 cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(PSA_WANT_ALG_ECB_NO_PADDING)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_ALG_ECB_NO_PADDING cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DES)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and PSA_WANT_KEY_TYPE_DES cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_CBC)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_CBC cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_CIPHER_MODE_XTS)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_CIPHER_MODE_XTS cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_DES_C)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_DES_C cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_NIST_KW_C)
|
||||||
|
#error "MBEDTLS_BLOCK_CIPHER_NO_DECRYPT and MBEDTLS_NIST_KW_C cannot be defined simultaneously"
|
||||||
|
#endif
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
|
#if defined(MBEDTLS_ECDH_C) && !defined(MBEDTLS_ECP_C)
|
||||||
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
|
#error "MBEDTLS_ECDH_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
@ -205,6 +225,15 @@
|
||||||
#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
|
#error "MBEDTLS_ECDSA_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PK_C) && defined(MBEDTLS_USE_PSA_CRYPTO)
|
||||||
|
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) && !defined(MBEDTLS_ASN1_WRITE_C)
|
||||||
|
#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_WRITE_C for ECDSA signature"
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PK_CAN_ECDSA_VERIFY) && !defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
|
#error "MBEDTLS_PK_C with MBEDTLS_USE_PSA_CRYPTO needs MBEDTLS_ASN1_PARSE_C for ECDSA verification"
|
||||||
|
#endif
|
||||||
|
#endif /* MBEDTLS_PK_C && MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECJPAKE_C) && \
|
#if defined(MBEDTLS_ECJPAKE_C) && \
|
||||||
( !defined(MBEDTLS_ECP_C) || \
|
( !defined(MBEDTLS_ECP_C) || \
|
||||||
!( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) )
|
!( defined(MBEDTLS_MD_C) || defined(MBEDTLS_PSA_CRYPTO_C) ) )
|
||||||
|
@ -231,7 +260,7 @@
|
||||||
#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
|
#error "MBEDTLS_ECDSA_DETERMINISTIC defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_C) && ( !defined(MBEDTLS_BIGNUM_C) || ( \
|
#if defined(MBEDTLS_ECP_LIGHT) && ( !defined(MBEDTLS_BIGNUM_C) || ( \
|
||||||
!defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \
|
!defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) && \
|
||||||
!defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \
|
!defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) && \
|
||||||
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \
|
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && \
|
||||||
|
@ -245,22 +274,13 @@
|
||||||
!defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && \
|
!defined(MBEDTLS_ECP_DP_SECP256K1_ENABLED) && \
|
||||||
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && \
|
!defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) && \
|
||||||
!defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
|
!defined(MBEDTLS_ECP_DP_CURVE448_ENABLED) ) )
|
||||||
#error "MBEDTLS_ECP_C defined, but not all prerequisites"
|
#error "MBEDTLS_ECP_C defined (or a subset enabled), but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
|
#if defined(MBEDTLS_PK_PARSE_C) && !defined(MBEDTLS_ASN1_PARSE_C)
|
||||||
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
|
#error "MBEDTLS_PK_PARSE_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS12_C) && !defined(MBEDTLS_CIPHER_C)
|
|
||||||
#error "MBEDTLS_PKCS12_C defined, but not all prerequisites"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_PKCS5_C) && \
|
|
||||||
!defined(MBEDTLS_CIPHER_C)
|
|
||||||
#error "MBEDTLS_PKCS5_C defined, but not all prerequisites"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Helpers for hash dependencies, will be undefined at the end of the file */
|
/* Helpers for hash dependencies, will be undefined at the end of the file */
|
||||||
/* Do SHA-256, 384, 512 to cover Entropy and TLS. */
|
/* Do SHA-256, 384, 512 to cover Entropy and TLS. */
|
||||||
#if defined(MBEDTLS_SHA256_C) || \
|
#if defined(MBEDTLS_SHA256_C) || \
|
||||||
|
@ -304,21 +324,15 @@
|
||||||
#endif
|
#endif
|
||||||
#undef MBEDTLS_HAS_MEMSAN
|
#undef MBEDTLS_HAS_MEMSAN
|
||||||
|
|
||||||
#if defined(MBEDTLS_CCM_C) && ( \
|
#if defined(MBEDTLS_CCM_C) && \
|
||||||
!defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
|
!(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
|
||||||
|
defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
|
||||||
#error "MBEDTLS_CCM_C defined, but not all prerequisites"
|
#error "MBEDTLS_CCM_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_CCM_C) && !defined(MBEDTLS_CIPHER_C)
|
#if defined(MBEDTLS_GCM_C) && \
|
||||||
#error "MBEDTLS_CCM_C defined, but not all prerequisites"
|
!(defined(MBEDTLS_CCM_GCM_CAN_AES) || defined(MBEDTLS_CCM_GCM_CAN_ARIA) || \
|
||||||
#endif
|
defined(MBEDTLS_CCM_GCM_CAN_CAMELLIA))
|
||||||
|
|
||||||
#if defined(MBEDTLS_GCM_C) && ( \
|
|
||||||
!defined(MBEDTLS_AES_C) && !defined(MBEDTLS_CAMELLIA_C) && !defined(MBEDTLS_ARIA_C) )
|
|
||||||
#error "MBEDTLS_GCM_C defined, but not all prerequisites"
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(MBEDTLS_GCM_C) && !defined(MBEDTLS_CIPHER_C)
|
|
||||||
#error "MBEDTLS_GCM_C defined, but not all prerequisites"
|
#error "MBEDTLS_GCM_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -766,7 +780,8 @@
|
||||||
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
|
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C )
|
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_HAVE_SOFT_BLOCK_MODE) && \
|
||||||
|
defined(PSA_HAVE_SOFT_BLOCK_CIPHER) && !defined(MBEDTLS_CIPHER_C)
|
||||||
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
|
#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -849,25 +864,24 @@
|
||||||
#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
|
#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
|
#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \
|
||||||
defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
|
defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
|
||||||
#error "Must only define one of MBEDTLS_SHA256_USE_A64_CRYPTO_*"
|
#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \
|
#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \
|
||||||
defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY)
|
defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
|
||||||
#if !defined(MBEDTLS_SHA256_C)
|
#if !defined(MBEDTLS_SHA256_C)
|
||||||
#error "MBEDTLS_SHA256_USE_A64_CRYPTO_* defined without MBEDTLS_SHA256_C"
|
#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C"
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT)
|
#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT)
|
||||||
#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*"
|
#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && \
|
#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A)
|
||||||
!defined(__aarch64__) && !defined(_M_ARM64)
|
#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY defined on non-Armv8-A system"
|
||||||
#error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system"
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* TLS 1.3 requires separate HKDF parts from PSA,
|
/* TLS 1.3 requires separate HKDF parts from PSA,
|
||||||
|
@ -948,7 +962,8 @@
|
||||||
#error "MBEDTLS_SSL_ASYNC_PRIVATE defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_ASYNC_PRIVATE defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_TLS_C) && !defined(MBEDTLS_CIPHER_C)
|
#if defined(MBEDTLS_SSL_TLS_C) && !(defined(MBEDTLS_CIPHER_C) || \
|
||||||
|
defined(MBEDTLS_USE_PSA_CRYPTO))
|
||||||
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_TLS_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -1040,7 +1055,8 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_TICKET_C) && \
|
#if defined(MBEDTLS_SSL_TICKET_C) && \
|
||||||
!( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
|
!( defined(MBEDTLS_SSL_HAVE_CCM) || defined(MBEDTLS_SSL_HAVE_GCM) || \
|
||||||
|
defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) )
|
||||||
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -1141,7 +1157,9 @@
|
||||||
#error "MBEDTLS_SSL_RECORD_SIZE_LIMIT defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_RECORD_SIZE_LIMIT defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) )
|
#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && \
|
||||||
|
!( defined(MBEDTLS_SSL_HAVE_CCM) || defined(MBEDTLS_SSL_HAVE_GCM) || \
|
||||||
|
defined(MBEDTLS_SSL_HAVE_CHACHAPOLY) )
|
||||||
#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites"
|
#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
|
|
@ -9,19 +9,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CIPHER_H
|
#ifndef MBEDTLS_CIPHER_H
|
||||||
|
@ -492,7 +480,7 @@ static inline size_t mbedtls_cipher_info_get_key_bitlen(
|
||||||
if (info == NULL) {
|
if (info == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
} else {
|
} else {
|
||||||
return info->MBEDTLS_PRIVATE(key_bitlen) << MBEDTLS_KEY_BITLEN_SHIFT;
|
return ((size_t) info->MBEDTLS_PRIVATE(key_bitlen)) << MBEDTLS_KEY_BITLEN_SHIFT;
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
@ -690,7 +678,6 @@ int MBEDTLS_DEPRECATED mbedtls_cipher_setup_psa(mbedtls_cipher_context_t *ctx,
|
||||||
static inline unsigned int mbedtls_cipher_get_block_size(
|
static inline unsigned int mbedtls_cipher_get_block_size(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -710,7 +697,6 @@ static inline unsigned int mbedtls_cipher_get_block_size(
|
||||||
static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
|
static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, MBEDTLS_MODE_NONE);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return MBEDTLS_MODE_NONE;
|
return MBEDTLS_MODE_NONE;
|
||||||
}
|
}
|
||||||
|
@ -731,7 +717,6 @@ static inline mbedtls_cipher_mode_t mbedtls_cipher_get_cipher_mode(
|
||||||
static inline int mbedtls_cipher_get_iv_size(
|
static inline int mbedtls_cipher_get_iv_size(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -755,8 +740,6 @@ static inline int mbedtls_cipher_get_iv_size(
|
||||||
static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
|
static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(
|
|
||||||
ctx != NULL, MBEDTLS_CIPHER_NONE);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return MBEDTLS_CIPHER_NONE;
|
return MBEDTLS_CIPHER_NONE;
|
||||||
}
|
}
|
||||||
|
@ -776,7 +759,6 @@ static inline mbedtls_cipher_type_t mbedtls_cipher_get_type(
|
||||||
static inline const char *mbedtls_cipher_get_name(
|
static inline const char *mbedtls_cipher_get_name(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(ctx != NULL, 0);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return 0;
|
return 0;
|
||||||
}
|
}
|
||||||
|
@ -796,8 +778,6 @@ static inline const char *mbedtls_cipher_get_name(
|
||||||
static inline int mbedtls_cipher_get_key_bitlen(
|
static inline int mbedtls_cipher_get_key_bitlen(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(
|
|
||||||
ctx != NULL, MBEDTLS_KEY_LENGTH_NONE);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return MBEDTLS_KEY_LENGTH_NONE;
|
return MBEDTLS_KEY_LENGTH_NONE;
|
||||||
}
|
}
|
||||||
|
@ -817,8 +797,6 @@ static inline int mbedtls_cipher_get_key_bitlen(
|
||||||
static inline mbedtls_operation_t mbedtls_cipher_get_operation(
|
static inline mbedtls_operation_t mbedtls_cipher_get_operation(
|
||||||
const mbedtls_cipher_context_t *ctx)
|
const mbedtls_cipher_context_t *ctx)
|
||||||
{
|
{
|
||||||
MBEDTLS_INTERNAL_VALIDATE_RET(
|
|
||||||
ctx != NULL, MBEDTLS_OPERATION_NONE);
|
|
||||||
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
if (ctx->MBEDTLS_PRIVATE(cipher_info) == NULL) {
|
||||||
return MBEDTLS_OPERATION_NONE;
|
return MBEDTLS_OPERATION_NONE;
|
||||||
}
|
}
|
||||||
|
|
|
@ -9,19 +9,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CMAC_H
|
#ifndef MBEDTLS_CMAC_H
|
||||||
|
|
|
@ -7,19 +7,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#if defined(MBEDTLS_DEPRECATED_WARNING)
|
#if defined(MBEDTLS_DEPRECATED_WARNING)
|
||||||
|
|
|
@ -16,24 +16,26 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
||||||
#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
#define MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H
|
||||||
|
|
||||||
|
/* Auto-enable CIPHER_C when any of the unauthenticated ciphers is builtin
|
||||||
|
* in PSA. */
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_C) && \
|
||||||
|
(defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG))
|
||||||
|
#define MBEDTLS_CIPHER_C
|
||||||
|
#endif
|
||||||
|
|
||||||
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
|
/* Auto-enable MBEDTLS_MD_LIGHT based on MBEDTLS_MD_C.
|
||||||
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
|
* This allows checking for MD_LIGHT rather than MD_LIGHT || MD_C.
|
||||||
*/
|
*/
|
||||||
|
@ -56,6 +58,202 @@
|
||||||
#define MBEDTLS_MD_LIGHT
|
#define MBEDTLS_MD_LIGHT
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_MD_LIGHT)
|
||||||
|
/*
|
||||||
|
* - MBEDTLS_MD_CAN_xxx is defined if the md module can perform xxx.
|
||||||
|
* - MBEDTLS_MD_xxx_VIA_PSA is defined if the md module may perform xxx via PSA
|
||||||
|
* (see below).
|
||||||
|
* - MBEDTLS_MD_SOME_PSA is defined if at least one algorithm may be performed
|
||||||
|
* via PSA (see below).
|
||||||
|
* - MBEDTLS_MD_SOME_LEGACY is defined if at least one algorithm may be performed
|
||||||
|
* via a direct legacy call (see below).
|
||||||
|
*
|
||||||
|
* The md module performs an algorithm via PSA if there is a PSA hash
|
||||||
|
* accelerator and the PSA driver subsytem is initialized at the time the
|
||||||
|
* operation is started, and makes a direct legacy call otherwise.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* PSA accelerated implementations */
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_MD5)
|
||||||
|
#define MBEDTLS_MD_CAN_MD5
|
||||||
|
#define MBEDTLS_MD_MD5_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_1)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA1
|
||||||
|
#define MBEDTLS_MD_SHA1_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_224)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA224
|
||||||
|
#define MBEDTLS_MD_SHA224_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_256)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA256
|
||||||
|
#define MBEDTLS_MD_SHA256_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_384)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA384
|
||||||
|
#define MBEDTLS_MD_SHA384_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA_512)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA512
|
||||||
|
#define MBEDTLS_MD_SHA512_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_RIPEMD160)
|
||||||
|
#define MBEDTLS_MD_CAN_RIPEMD160
|
||||||
|
#define MBEDTLS_MD_RIPEMD160_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_224)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_224
|
||||||
|
#define MBEDTLS_MD_SHA3_224_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_256)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_256
|
||||||
|
#define MBEDTLS_MD_SHA3_256_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_384)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_384
|
||||||
|
#define MBEDTLS_MD_SHA3_384_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_ALG_SHA3_512)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_512
|
||||||
|
#define MBEDTLS_MD_SHA3_512_VIA_PSA
|
||||||
|
#define MBEDTLS_MD_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||||
|
|
||||||
|
/* Built-in implementations */
|
||||||
|
#if defined(MBEDTLS_MD5_C)
|
||||||
|
#define MBEDTLS_MD_CAN_MD5
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA1_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA1
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA224_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA224
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA256_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA256
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA384_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA384
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA512_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA512
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA3_C)
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_224
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_256
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_384
|
||||||
|
#define MBEDTLS_MD_CAN_SHA3_512
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_RIPEMD160_C)
|
||||||
|
#define MBEDTLS_MD_CAN_RIPEMD160
|
||||||
|
#define MBEDTLS_MD_SOME_LEGACY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#endif /* MBEDTLS_MD_LIGHT */
|
||||||
|
|
||||||
|
/* BLOCK_CIPHER module can dispatch to PSA when:
|
||||||
|
* - PSA is enabled and drivers have been initialized
|
||||||
|
* - desired key type is supported on the PSA side
|
||||||
|
* If the above conditions are not met, but the legacy support is enabled, then
|
||||||
|
* BLOCK_CIPHER will dynamically fallback to it.
|
||||||
|
*
|
||||||
|
* In case BLOCK_CIPHER is defined (see below) the following symbols/helpers
|
||||||
|
* can be used to define its capabilities:
|
||||||
|
* - MBEDTLS_BLOCK_CIPHER_SOME_PSA: there is at least 1 key type between AES,
|
||||||
|
* ARIA and Camellia which is supported through a driver;
|
||||||
|
* - MBEDTLS_BLOCK_CIPHER_xxx_VIA_PSA: xxx key type is supported through a
|
||||||
|
* driver;
|
||||||
|
* - MBEDTLS_BLOCK_CIPHER_xxx_VIA_LEGACY: xxx key type is supported through
|
||||||
|
* a legacy module (i.e. MBEDTLS_xxx_C)
|
||||||
|
*/
|
||||||
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_AES)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_SOME_PSA
|
||||||
|
#endif
|
||||||
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_AES_C)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_ARIA_C)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_CAMELLIA_C)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Helpers to state that BLOCK_CIPHER module supports AES, ARIA and/or Camellia
|
||||||
|
* block ciphers via either PSA or legacy. */
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_PSA) || \
|
||||||
|
defined(MBEDTLS_BLOCK_CIPHER_AES_VIA_LEGACY)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_CAN_AES
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_PSA) || \
|
||||||
|
defined(MBEDTLS_BLOCK_CIPHER_ARIA_VIA_LEGACY)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_CAN_ARIA
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_PSA) || \
|
||||||
|
defined(MBEDTLS_BLOCK_CIPHER_CAMELLIA_VIA_LEGACY)
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* GCM_C and CCM_C can either depend on (in order of preference) BLOCK_CIPHER_C
|
||||||
|
* or CIPHER_C. The former is auto-enabled when:
|
||||||
|
* - CIPHER_C is not defined, which is also the legacy solution;
|
||||||
|
* - BLOCK_CIPHER_SOME_PSA because in this case BLOCK_CIPHER can take advantage
|
||||||
|
* of the driver's acceleration.
|
||||||
|
*/
|
||||||
|
#if (defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C)) && \
|
||||||
|
(!defined(MBEDTLS_CIPHER_C) || defined(MBEDTLS_BLOCK_CIPHER_SOME_PSA))
|
||||||
|
#define MBEDTLS_BLOCK_CIPHER_C
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Helpers for GCM/CCM capabilities */
|
||||||
|
#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_AES_C)) || \
|
||||||
|
(defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_AES))
|
||||||
|
#define MBEDTLS_CCM_GCM_CAN_AES
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_ARIA_C)) || \
|
||||||
|
(defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_ARIA))
|
||||||
|
#define MBEDTLS_CCM_GCM_CAN_ARIA
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (defined(MBEDTLS_CIPHER_C) && defined(MBEDTLS_CAMELLIA_C)) || \
|
||||||
|
(defined(MBEDTLS_BLOCK_CIPHER_C) && defined(MBEDTLS_BLOCK_CIPHER_CAN_CAMELLIA))
|
||||||
|
#define MBEDTLS_CCM_GCM_CAN_CAMELLIA
|
||||||
|
#endif
|
||||||
|
|
||||||
/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
|
/* MBEDTLS_ECP_LIGHT is auto-enabled by the following symbols:
|
||||||
* - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
|
* - MBEDTLS_ECP_C because now it consists of MBEDTLS_ECP_LIGHT plus functions
|
||||||
* for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
|
* for curve arithmetic. As a consequence if MBEDTLS_ECP_C is required for
|
||||||
|
@ -126,15 +324,6 @@
|
||||||
#define MBEDTLS_PSA_CRYPTO_CLIENT
|
#define MBEDTLS_PSA_CRYPTO_CLIENT
|
||||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
||||||
|
|
||||||
/* The PK wrappers need pk_write functions to format RSA key objects
|
|
||||||
* when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
|
|
||||||
* and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
|
|
||||||
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
|
|
||||||
#define MBEDTLS_PK_C
|
|
||||||
#define MBEDTLS_PK_WRITE_C
|
|
||||||
#define MBEDTLS_PK_PARSE_C
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Helpers to state that each key is supported either on the builtin or PSA side. */
|
/* Helpers to state that each key is supported either on the builtin or PSA side. */
|
||||||
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
|
#if defined(MBEDTLS_ECP_DP_SECP521R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_521)
|
||||||
#define MBEDTLS_ECP_HAVE_SECP521R1
|
#define MBEDTLS_ECP_HAVE_SECP521R1
|
||||||
|
@ -192,4 +381,61 @@
|
||||||
#define MBEDTLS_CIPHER_PADDING_PKCS7
|
#define MBEDTLS_CIPHER_PADDING_PKCS7
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Backwards compatibility for some macros which were renamed to reflect that
|
||||||
|
* they are related to Armv8, not aarch64. */
|
||||||
|
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \
|
||||||
|
!defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT)
|
||||||
|
#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
|
||||||
|
#endif
|
||||||
|
#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY)
|
||||||
|
#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* psa_util file features some ECDSA conversion functions, to convert between
|
||||||
|
* legacy's ASN.1 DER format and PSA's raw one. */
|
||||||
|
#if defined(MBEDTLS_ECDSA_C) || (defined(MBEDTLS_PSA_CRYPTO_C) && \
|
||||||
|
(defined(PSA_WANT_ALG_ECDSA) || defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)))
|
||||||
|
#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Some internal helpers to determine which keys are availble. */
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
|
||||||
|
#define MBEDTLS_SSL_HAVE_AES
|
||||||
|
#endif
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
|
||||||
|
#define MBEDTLS_SSL_HAVE_ARIA
|
||||||
|
#endif
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
|
||||||
|
#define MBEDTLS_SSL_HAVE_CAMELLIA
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* Some internal helpers to determine which operation modes are availble. */
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
|
||||||
|
#define MBEDTLS_SSL_HAVE_CBC
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_GCM_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_GCM))
|
||||||
|
#define MBEDTLS_SSL_HAVE_GCM
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CCM_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM))
|
||||||
|
#define MBEDTLS_SSL_HAVE_CCM
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CHACHAPOLY_C)) || \
|
||||||
|
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305))
|
||||||
|
#define MBEDTLS_SSL_HAVE_CHACHAPOLY
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_SSL_HAVE_GCM) || defined(MBEDTLS_SSL_HAVE_CCM) || \
|
||||||
|
defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
|
||||||
|
#define MBEDTLS_SSL_HAVE_AEAD
|
||||||
|
#endif
|
||||||
|
|
||||||
#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */
|
#endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */
|
||||||
|
|
|
@ -10,19 +10,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
|
#ifndef MBEDTLS_CONFIG_ADJUST_LEGACY_FROM_PSA_H
|
||||||
|
@ -59,139 +47,65 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/* ECC: curves: is acceleration complete? */
|
/* ECC: curves: is acceleration complete? */
|
||||||
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \
|
#if (defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) && \
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)
|
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_256)) || \
|
||||||
|
(defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)) || \
|
||||||
|
(defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_R1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_R1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_R1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_R1_384) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_R1_521) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_K1_192) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_K1_224) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)) || \
|
||||||
|
(defined(PSA_WANT_ECC_SECP_K1_256) && !defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256))
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384) && \
|
#if (defined(PSA_WANT_ECC_MONTGOMERY_255) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)) || \
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_384)
|
(defined(PSA_WANT_ECC_MONTGOMERY_448) && !defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448))
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_BRAINPOOL_P_R1_512)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_MONTGOMERY_255) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_255)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_MONTGOMERY_448) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_MONTGOMERY_448)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_R1_192) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_R1_224) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_R1_256) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_R1_384) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_R1_521) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_K1_192) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_K1_224) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_224)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ECC_SECP_K1_256) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_WEIERSTRASS_CURVES
|
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* ECC: algs: is acceleration complete? */
|
/* ECC: algs: is acceleration complete? */
|
||||||
#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
|
#if (defined(PSA_WANT_ALG_ECDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)) || \
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
|
(defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)) || \
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
|
(defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && \
|
||||||
#endif
|
!defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)) || \
|
||||||
|
(defined(PSA_WANT_ALG_JPAKE) && !defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE))
|
||||||
#if defined(PSA_WANT_ALG_ECDH) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_ECDSA) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_JPAKE) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_JPAKE)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* ECC: key types: is acceleration complete? */
|
/* ECC: key types: is acceleration complete? */
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
|
#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC))
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES_BASIC
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
|
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
|
||||||
#endif
|
|
||||||
|
|
||||||
/* Special case: we don't support cooked key derivation in drivers yet */
|
/* Special case: we don't support cooked key derivation in drivers yet */
|
||||||
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
|
#if defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
|
||||||
#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
|
#undef MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
/* Note: the condition is always true as DERIVE can't be accelerated yet */
|
/* Note: the condition about key derivation is always true as DERIVE can't be
|
||||||
#if defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
|
* accelerated yet */
|
||||||
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
|
#if (defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_PUBLIC_KEY)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_BASIC)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE))
|
||||||
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
#define MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_KEY_TYPES
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
@ -398,8 +312,6 @@
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY 1
|
||||||
#define MBEDTLS_ECP_LIGHT
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
|
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
|
||||||
|
|
||||||
|
@ -408,8 +320,6 @@
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_ALGS)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC 1
|
||||||
#define MBEDTLS_ECP_LIGHT
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
|
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC */
|
||||||
|
|
||||||
|
@ -417,8 +327,6 @@
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1
|
||||||
#define MBEDTLS_ECP_LIGHT
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
|
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
|
||||||
|
|
||||||
|
@ -426,8 +334,6 @@
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT 1
|
||||||
#define MBEDTLS_ECP_C
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */
|
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_EXPORT */
|
||||||
|
|
||||||
|
@ -435,8 +341,6 @@
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_GENERATE) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1
|
||||||
#define MBEDTLS_ECP_C
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
|
#endif /* PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE */
|
||||||
|
|
||||||
|
@ -445,20 +349,149 @@
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE) || \
|
||||||
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
defined(MBEDTLS_PSA_ECC_ACCEL_INCOMPLETE_CURVES)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1
|
||||||
#define MBEDTLS_ECP_LIGHT
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* missing accel */
|
#endif /* missing accel */
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ECC_KEY_PAIR_DERIVE */
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_PUBLIC_KEY) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_BASIC) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_IMPORT) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_DERIVE)
|
||||||
|
#define MBEDTLS_ECP_LIGHT
|
||||||
|
#define MBEDTLS_BIGNUM_C
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_EXPORT) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_ECC_KEY_PAIR_GENERATE)
|
||||||
|
#define MBEDTLS_ECP_C
|
||||||
|
#define MBEDTLS_BIGNUM_C
|
||||||
|
#endif
|
||||||
|
|
||||||
/* End of ECC section */
|
/* End of ECC section */
|
||||||
|
|
||||||
|
/*
|
||||||
|
* DH key types follow the same pattern used above for EC keys. They are defined
|
||||||
|
* by a triplet (group, key_type, alg). A triplet is accelerated if all its
|
||||||
|
* component are accelerated, otherwise each component needs to be builtin.
|
||||||
|
*/
|
||||||
|
|
||||||
|
/* DH: groups: is acceleration complete? */
|
||||||
|
#if (defined(PSA_WANT_DH_RFC7919_2048) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048)) || \
|
||||||
|
(defined(PSA_WANT_DH_RFC7919_3072) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072)) || \
|
||||||
|
(defined(PSA_WANT_DH_RFC7919_4096) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096)) || \
|
||||||
|
(defined(PSA_WANT_DH_RFC7919_6144) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144)) || \
|
||||||
|
(defined(PSA_WANT_DH_RFC7919_8192) && !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192))
|
||||||
|
#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* DH: algs: is acceleration complete? */
|
||||||
|
#if defined(PSA_WANT_ALG_FFDH) && !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
|
||||||
|
#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS
|
||||||
|
#endif
|
||||||
|
|
||||||
|
/* DH: key types: is acceleration complete? */
|
||||||
|
#if (defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)) || \
|
||||||
|
(defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE) && \
|
||||||
|
!defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE))
|
||||||
|
#define MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES
|
||||||
|
#endif
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_DH_RFC7919_2048)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_2048) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
|
||||||
|
#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 */
|
||||||
|
#endif /* PSA_WANT_DH_RFC7919_2048 */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_DH_RFC7919_3072)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_3072) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
|
||||||
|
#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 */
|
||||||
|
#endif /* PSA_WANT_DH_RFC7919_3072 */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_DH_RFC7919_4096)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_4096) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
|
||||||
|
#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 */
|
||||||
|
#endif /* PSA_WANT_DH_RFC7919_4096 */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_DH_RFC7919_6144)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_6144) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
|
||||||
|
#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 */
|
||||||
|
#endif /* PSA_WANT_DH_RFC7919_6144 */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_DH_RFC7919_8192)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_DH_RFC7919_8192) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
|
||||||
|
#endif /* !MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 */
|
||||||
|
#endif /* PSA_WANT_DH_RFC7919_8192 */
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_FFDH)
|
#if defined(PSA_WANT_ALG_FFDH)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH)
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_FFDH) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_KEY_TYPES)
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
|
||||||
#define MBEDTLS_BIGNUM_C
|
#define MBEDTLS_BIGNUM_C
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
|
#endif /* !MBEDTLS_PSA_ACCEL_ALG_FFDH */
|
||||||
#endif /* PSA_WANT_ALG_FFDH */
|
#endif /* PSA_WANT_ALG_FFDH */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
||||||
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */
|
||||||
|
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
||||||
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */
|
||||||
|
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
||||||
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */
|
||||||
|
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
||||||
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */
|
||||||
|
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_GROUPS) || \
|
||||||
|
defined(MBEDTLS_PSA_DH_ACCEL_INCOMPLETE_ALGS)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
|
||||||
|
#define MBEDTLS_BIGNUM_C
|
||||||
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
|
||||||
|
#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
|
||||||
|
|
||||||
|
/* End of DH section */
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_HKDF)
|
#if defined(PSA_WANT_ALG_HKDF)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
|
||||||
/*
|
/*
|
||||||
|
@ -646,46 +679,12 @@
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR_BASIC */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
|
#endif /* PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT)
|
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_IMPORT */
|
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT)
|
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_EXPORT */
|
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE)
|
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_GENERATE */
|
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC)
|
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_KEY_PAIR_BASIC */
|
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY)
|
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
|
|
||||||
#define MBEDTLS_BIGNUM_C
|
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_DH_PUBLIC_KEY */
|
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
|
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY 1
|
||||||
#define MBEDTLS_RSA_C
|
#define MBEDTLS_RSA_C
|
||||||
#define MBEDTLS_BIGNUM_C
|
#define MBEDTLS_BIGNUM_C
|
||||||
#define MBEDTLS_OID_C
|
#define MBEDTLS_OID_C
|
||||||
#define MBEDTLS_PK_PARSE_C
|
|
||||||
#define MBEDTLS_PK_WRITE_C
|
|
||||||
#define MBEDTLS_PK_C
|
|
||||||
#define MBEDTLS_ASN1_PARSE_C
|
#define MBEDTLS_ASN1_PARSE_C
|
||||||
#define MBEDTLS_ASN1_WRITE_C
|
#define MBEDTLS_ASN1_WRITE_C
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY */
|
||||||
|
@ -697,20 +696,13 @@
|
||||||
#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
|
#if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \
|
||||||
(defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
|
(defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \
|
||||||
(defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
|
(defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \
|
||||||
defined(PSA_WANT_ALG_ECB_NO_PADDING) || \
|
(defined(PSA_WANT_ALG_ECB_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)) || \
|
||||||
(defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
|
(defined(PSA_WANT_ALG_CBC_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \
|
(defined(PSA_WANT_ALG_CBC_PKCS7) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \
|
||||||
(defined(PSA_WANT_ALG_CBC_PKCS7) && \
|
|
||||||
!defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \
|
|
||||||
(defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC))
|
(defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC))
|
||||||
#define PSA_HAVE_SOFT_BLOCK_MODE 1
|
#define PSA_HAVE_SOFT_BLOCK_MODE 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if (defined(PSA_WANT_ALG_GCM) && !defined(MBEDTLS_PSA_ACCEL_ALG_GCM)) || \
|
|
||||||
(defined(PSA_WANT_ALG_CCM) && !defined(MBEDTLS_PSA_ACCEL_ALG_CCM))
|
|
||||||
#define PSA_HAVE_SOFT_BLOCK_AEAD 1
|
|
||||||
#endif
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
|
#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_AES_CMAC_PRF_128 1
|
||||||
|
@ -723,9 +715,7 @@
|
||||||
#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
|
#define PSA_HAVE_SOFT_KEY_TYPE_AES 1
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */
|
||||||
#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
|
#if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
|
defined(PSA_HAVE_SOFT_BLOCK_MODE)
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_AEAD) || \
|
|
||||||
defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1
|
||||||
#define MBEDTLS_AES_C
|
#define MBEDTLS_AES_C
|
||||||
#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
|
#endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */
|
||||||
|
@ -736,8 +726,7 @@
|
||||||
#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
|
#define PSA_HAVE_SOFT_KEY_TYPE_ARIA 1
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA */
|
||||||
#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
|
#if defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
|
defined(PSA_HAVE_SOFT_BLOCK_MODE)
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_AEAD)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_ARIA 1
|
||||||
#define MBEDTLS_ARIA_C
|
#define MBEDTLS_ARIA_C
|
||||||
#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
|
#endif /* PSA_HAVE_SOFT_KEY_TYPE_ARIA || PSA_HAVE_SOFT_BLOCK_MODE */
|
||||||
|
@ -748,8 +737,7 @@
|
||||||
#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
|
#define PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA 1
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
|
#endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_CAMELLIA */
|
||||||
#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
|
#if defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA) || \
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_MODE) || \
|
defined(PSA_HAVE_SOFT_BLOCK_MODE)
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_AEAD)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CAMELLIA 1
|
||||||
#define MBEDTLS_CAMELLIA_C
|
#define MBEDTLS_CAMELLIA_C
|
||||||
#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
|
#endif /* PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA || PSA_HAVE_SOFT_BLOCK_MODE */
|
||||||
|
@ -766,8 +754,15 @@
|
||||||
#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
|
#endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */
|
||||||
#endif /* PSA_WANT_KEY_TYPE_DES */
|
#endif /* PSA_WANT_KEY_TYPE_DES */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_ALG_STREAM_CIPHER)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
|
||||||
|
#endif /* MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER */
|
||||||
|
#endif /* PSA_WANT_ALG_STREAM_CIPHER */
|
||||||
|
|
||||||
#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
|
#if defined(PSA_WANT_KEY_TYPE_CHACHA20)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20)
|
#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) || \
|
||||||
|
defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER)
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
|
||||||
#define MBEDTLS_CHACHA20_C
|
#define MBEDTLS_CHACHA20_C
|
||||||
#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
|
#endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */
|
||||||
|
@ -783,10 +778,6 @@
|
||||||
#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
|
#define PSA_HAVE_SOFT_BLOCK_CIPHER 1
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_STREAM_CIPHER)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
|
|
||||||
#endif /* PSA_WANT_ALG_STREAM_CIPHER */
|
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_CBC_MAC)
|
#if defined(PSA_WANT_ALG_CBC_MAC)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
|
||||||
#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
|
#error "CBC-MAC is not yet supported via the PSA API in Mbed TLS."
|
||||||
|
@ -796,8 +787,7 @@
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_CMAC)
|
#if defined(PSA_WANT_ALG_CMAC)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \
|
||||||
defined(PSA_HAVE_SOFT_BLOCK_CIPHER) || \
|
defined(PSA_HAVE_SOFT_BLOCK_CIPHER)
|
||||||
defined(PSA_HAVE_SOFT_PBKDF2_CMAC)
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1
|
||||||
#define MBEDTLS_CMAC_C
|
#define MBEDTLS_CMAC_C
|
||||||
#endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */
|
#endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */
|
||||||
|
@ -860,11 +850,20 @@
|
||||||
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
|
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
|
||||||
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
|
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
|
|
||||||
#define MBEDTLS_CCM_C
|
#define MBEDTLS_CCM_C
|
||||||
#endif
|
#endif
|
||||||
#endif /* PSA_WANT_ALG_CCM */
|
#endif /* PSA_WANT_ALG_CCM */
|
||||||
|
|
||||||
|
#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
|
||||||
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG) || \
|
||||||
|
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
|
||||||
|
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
|
||||||
|
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
|
||||||
|
#define MBEDTLS_CCM_C
|
||||||
|
#endif
|
||||||
|
#endif /* PSA_WANT_ALG_CCM_STAR_NO_TAG */
|
||||||
|
|
||||||
#if defined(PSA_WANT_ALG_GCM)
|
#if defined(PSA_WANT_ALG_GCM)
|
||||||
#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
|
#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
|
||||||
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
|
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
|
||||||
|
|
|
@ -12,19 +12,7 @@
|
||||||
*/
|
*/
|
||||||
/*
|
/*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
||||||
*
|
|
||||||
* Licensed under the Apache License, Version 2.0 (the "License"); you may
|
|
||||||
* not use this file except in compliance with the License.
|
|
||||||
* You may obtain a copy of the License at
|
|
||||||
*
|
|
||||||
* http://www.apache.org/licenses/LICENSE-2.0
|
|
||||||
*
|
|
||||||
* Unless required by applicable law or agreed to in writing, software
|
|
||||||
* distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
|
|
||||||
* WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
|
|
||||||
* See the License for the specific language governing permissions and
|
|
||||||
* limitations under the License.
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
#ifndef MBEDTLS_CONFIG_ADJUST_PSA_FROM_LEGACY_H
|
||||||
|
@ -37,9 +25,11 @@
|
||||||
|
|
||||||
#if defined(MBEDTLS_CCM_C)
|
#if defined(MBEDTLS_CCM_C)
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
|
|
||||||
#define PSA_WANT_ALG_CCM 1
|
#define PSA_WANT_ALG_CCM 1
|
||||||
|
#if defined(MBEDTLS_CIPHER_C)
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
|
||||||
#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
|
#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1
|
||||||
|
#endif /* MBEDTLS_CIPHER_C */
|
||||||
#endif /* MBEDTLS_CCM_C */
|
#endif /* MBEDTLS_CCM_C */
|
||||||
|
|
||||||
#if defined(MBEDTLS_CMAC_C)
|
#if defined(MBEDTLS_CMAC_C)
|
||||||
|
@ -91,13 +81,22 @@
|
||||||
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
#define PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
||||||
#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
|
#define PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY 1
|
||||||
#define PSA_WANT_ALG_FFDH 1
|
#define PSA_WANT_ALG_FFDH 1
|
||||||
#define PSA_WANT_DH_FAMILY_RFC7919 1
|
#define PSA_WANT_DH_RFC7919_2048 1
|
||||||
|
#define PSA_WANT_DH_RFC7919_3072 1
|
||||||
|
#define PSA_WANT_DH_RFC7919_4096 1
|
||||||
|
#define PSA_WANT_DH_RFC7919_6144 1
|
||||||
|
#define PSA_WANT_DH_RFC7919_8192 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_FFDH 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_BASIC 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_IMPORT 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_EXPORT 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_KEY_PAIR_GENERATE 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_DH_PUBLIC_KEY 1
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_2048 1
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_3072 1
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_4096 1
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_6144 1
|
||||||
|
#define MBEDTLS_PSA_BUILTIN_DH_RFC7919_8192 1
|
||||||
#endif /* MBEDTLS_DHM_C */
|
#endif /* MBEDTLS_DHM_C */
|
||||||
|
|
||||||
#if defined(MBEDTLS_GCM_C)
|
#if defined(MBEDTLS_GCM_C)
|
||||||
|
@ -238,9 +237,12 @@
|
||||||
|
|
||||||
#if defined(MBEDTLS_CHACHA20_C)
|
#if defined(MBEDTLS_CHACHA20_C)
|
||||||
#define PSA_WANT_KEY_TYPE_CHACHA20 1
|
#define PSA_WANT_KEY_TYPE_CHACHA20 1
|
||||||
#define PSA_WANT_ALG_STREAM_CIPHER 1
|
|
||||||
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
|
#define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1
|
||||||
|
/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */
|
||||||
|
#if defined(MBEDTLS_CIPHER_C)
|
||||||
|
#define PSA_WANT_ALG_STREAM_CIPHER 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1
|
||||||
|
#endif
|
||||||
#if defined(MBEDTLS_CHACHAPOLY_C)
|
#if defined(MBEDTLS_CHACHAPOLY_C)
|
||||||
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
|
#define PSA_WANT_ALG_CHACHA20_POLY1305 1
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1
|
||||||
|
@ -256,8 +258,9 @@
|
||||||
#endif
|
#endif
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
|
#if (defined(MBEDTLS_AES_C) || defined(MBEDTLS_DES_C) || \
|
||||||
defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)
|
defined(MBEDTLS_ARIA_C) || defined(MBEDTLS_CAMELLIA_C)) && \
|
||||||
|
defined(MBEDTLS_CIPHER_C)
|
||||||
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
|
#define MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING 1
|
||||||
#define PSA_WANT_ALG_ECB_NO_PADDING 1
|
#define PSA_WANT_ALG_ECB_NO_PADDING 1
|
||||||
#endif
|
#endif
|
||||||
|
|
Some files were not shown because too many files have changed in this diff Show more
Loading…
Reference in a new issue