Merge pull request #6283 from mpg/driver-only-hashes-wrap-up
Driver only hashes wrap-up
This commit is contained in:
commit
d433cd7d07
36 changed files with 139 additions and 120 deletions
20
ChangeLog.d/driver-only-hashes.txt
Normal file
20
ChangeLog.d/driver-only-hashes.txt
Normal file
|
@ -0,0 +1,20 @@
|
||||||
|
Features
|
||||||
|
* Some crypto modules that previously depended on MD or a low-level hash
|
||||||
|
module, either unconditionally (RSA, PK, PKCS5, PKCS12, EC J-PAKE), or
|
||||||
|
for some features (PEM for encrypted files), are now able to use PSA
|
||||||
|
Crypto instead when the legacy API is not available. This means it is
|
||||||
|
now possible to use all features from those modules in configurations
|
||||||
|
where the built-in implementations of hashes are excluded and the hashes
|
||||||
|
are only provided by PSA drivers. In these configurations, you need to
|
||||||
|
call `psa_crypto_init()` before you call any function from those
|
||||||
|
modules; this is not required in configurations where the built-in
|
||||||
|
implementation is still available. Note that some crypto modules and
|
||||||
|
features still depend on the built-in implementation of hashes:
|
||||||
|
MBEDTLS_HKDF_C (but the PSA HKDF function do not depend on it),
|
||||||
|
MBEDTLS_ENTROPY_C, MBEDTLS_HMAC_DRBG_C and MBEDTLS_ECDSA_DETERMINISTIC.
|
||||||
|
In particular, for now, compiling without built-in hashes requires use
|
||||||
|
of MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG.
|
||||||
|
* When MBEDTLS_USE_PSA_CRYPTO is enabled, X.509, TLS 1.2 and TLS 1.3 no
|
||||||
|
longer depend on MD. This means it is now possible to use them in
|
||||||
|
configurations where the built-in implementations of hashes are excluded
|
||||||
|
and the hashes are only provided by PSA drivers.
|
|
@ -29,11 +29,6 @@ github.
|
||||||
|
|
||||||
[ffdh]: https://github.com/Mbed-TLS/mbedtls/issues/3261
|
[ffdh]: https://github.com/Mbed-TLS/mbedtls/issues/3261
|
||||||
|
|
||||||
PSA Crypto has an experimental API for EC J-PAKE, but it's not implemented in
|
|
||||||
Mbed TLS yet. See the [EC J-PAKE follow-up EPIC][ecjp] on github.
|
|
||||||
|
|
||||||
[ecjp]: https://github.com/orgs/Mbed-TLS/projects/1#column-17950140
|
|
||||||
|
|
||||||
Arbitrary parameters for FFDH
|
Arbitrary parameters for FFDH
|
||||||
-----------------------------
|
-----------------------------
|
||||||
|
|
||||||
|
|
|
@ -345,19 +345,29 @@ available. Data related to a certain hash (OID, sizes, translations) should
|
||||||
only be included in the build if it is possible to use that hash in some way.
|
only be included in the build if it is possible to use that hash in some way.
|
||||||
|
|
||||||
In order to cater to these new needs, new families of macros are introduced in
|
In order to cater to these new needs, new families of macros are introduced in
|
||||||
`library/legacy_or_psa.h`, see its documentation for details.
|
`legacy_or_psa.h`, see its documentation for details.
|
||||||
|
|
||||||
It should be noted that there are currently:
|
It should be noted that there are currently:
|
||||||
- too many different ways of computing a hash (low-level, MD, PSA);
|
- too many different ways of computing a hash (low-level, MD, PSA);
|
||||||
- too many different ways to configure the library that influence which of
|
- too many different ways to configure the library that influence which of
|
||||||
these ways is available and will be used (`MBEDTLS_USE_PSA_CRYPTO`,
|
these ways is available and will be used (`MBEDTLS_USE_PSA_CRYPTO`,
|
||||||
`MBEDTLS_PSA_CRYPTO_CONFIG`, `mbedtls_config.h` + `psa/crypto_config.h`).
|
`MBEDTLS_PSA_CRYPTO_CONFIG`, `mbedtls_config.h` + `psa/crypto_config.h`).
|
||||||
|
|
||||||
As a result, we need more families of dependency macros than we'd like to.
|
As a result, we need more families of dependency macros than we'd like to.
|
||||||
This is a temporary situation until we move to a place where everything is
|
This is a temporary situation until we move to a place where everything is
|
||||||
based on PSA Crypto. In the meantime, long and explicit names where chosen for
|
based on PSA Crypto. In the meantime, long and explicit names where chosen for
|
||||||
the new macros in the hope of avoiding confusion.
|
the new macros in the hope of avoiding confusion.
|
||||||
|
|
||||||
|
Note: the new macros supplement but do not replace the existing macros:
|
||||||
|
- code that always uses PSA Crypto (for example, code specific to TLS 1.3)
|
||||||
|
should use `PSA_WANT_xxx`;
|
||||||
|
- code that always uses the legacy API (for example, crypto modules that have
|
||||||
|
not undergone step 1 yet) should use `MBEDTLS_xxx_C`;
|
||||||
|
- code that may use one of the two APIs, either based on
|
||||||
|
`MBEDTLS_USE_PSA_CRYPTO` (X.509, TLS 1.2, shared between TLS 1.2 and 1.3),
|
||||||
|
or based on availability (crypto modules after step 1), should use one of
|
||||||
|
the new macros from `legacy_or_psa.h`.
|
||||||
|
|
||||||
Executing step 3 will mostly consist of using the right dependency macros in
|
Executing step 3 will mostly consist of using the right dependency macros in
|
||||||
the right places (once the previous steps are done).
|
the right places (once the previous steps are done).
|
||||||
|
|
||||||
|
|
|
@ -320,11 +320,20 @@
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
|
||||||
( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) || \
|
( !defined(MBEDTLS_ECJPAKE_C) || \
|
||||||
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
|
!defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
|
||||||
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
|
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
|
/* Use of EC J-PAKE in TLS requires SHA-256.
|
||||||
|
* This will be taken from MD if it is present, or from PSA if MD is absent.
|
||||||
|
* Note: ECJPAKE_C depends on MD_C || PSA_CRYPTO_C. */
|
||||||
|
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
|
||||||
|
!( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) && \
|
||||||
|
!( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) )
|
||||||
|
#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
|
||||||
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
|
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
|
||||||
!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
|
!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) && \
|
||||||
( !defined(MBEDTLS_SHA256_C) && \
|
( !defined(MBEDTLS_SHA256_C) && \
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/**
|
/**
|
||||||
* Internal macros to express dependencies for code and tests
|
* Macros to express dependencies for code and tests that may use either the
|
||||||
* that may use either the legacy API or PSA in various builds.
|
* legacy API or PSA in various builds; mostly for internal use.
|
||||||
*
|
*
|
||||||
* Copyright The Mbed TLS Contributors
|
* Copyright The Mbed TLS Contributors
|
||||||
* SPDX-License-Identifier: Apache-2.0
|
* SPDX-License-Identifier: Apache-2.0
|
||||||
|
@ -19,6 +19,18 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
/*
|
/*
|
||||||
|
* Note: applications that are targeting a specific configuration do not need
|
||||||
|
* to use these macros; instead they should directly use the functions they
|
||||||
|
* know are available in their configuration.
|
||||||
|
*
|
||||||
|
* Note: code that is purely based on PSA Crypto (psa_xxx() functions)
|
||||||
|
* does not need to use these macros; instead it should use the relevant
|
||||||
|
* PSA_WANT_xxx macros.
|
||||||
|
*
|
||||||
|
* Note: code that is purely based on the legacy crypto APIs (mbedtls_xxx())
|
||||||
|
* does not need to use these macros; instead it should use the relevant
|
||||||
|
* MBEDTLS_xxx macros.
|
||||||
|
*
|
||||||
* These macros are for code that wants to use <crypto feature> and will do so
|
* These macros are for code that wants to use <crypto feature> and will do so
|
||||||
* using <legacy API> or PSA depending on <condition>, where:
|
* using <legacy API> or PSA depending on <condition>, where:
|
||||||
* - <crypto feature> will generally be an algorithm (SHA-256, ECDH) but may
|
* - <crypto feature> will generally be an algorithm (SHA-256, ECDH) but may
|
||||||
|
@ -36,15 +48,10 @@
|
||||||
* - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and
|
* - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and
|
||||||
* mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether
|
* mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether
|
||||||
* MBEDTLS_USE_PSA_CRYPTO is defined;
|
* MBEDTLS_USE_PSA_CRYPTO is defined;
|
||||||
* - RSA PKCS#1 v2.1 will, in the near future*, compute hashes (for padding)
|
* - RSA PKCS#1 v2.1 will compute hashes (for padding) using either
|
||||||
* using either `mbedtls_md()` if it's available, or `psa_hash_compute()`
|
* `mbedtls_md()` if it's available, or `psa_hash_compute()` otherwise;
|
||||||
* otherwise;
|
* - PEM decoding of PEM-encrypted keys will compute MD5 hashes using either
|
||||||
* - PEM decoding of PEM-encrypted keys will, in the near future*, compute MD5
|
* `mbedtls_md5_xxx()` if it's available, or `psa_hash_xxx()` otherwise.
|
||||||
* hashes using either `mbedtls_md5_xxx()` if it's available, or
|
|
||||||
* `psa_hash_xxx()` otherwise.
|
|
||||||
* *See docs/architecture/psa-migration/strategy.md, section "Supporting
|
|
||||||
* builds with drivers without the software implementation", strategy for step
|
|
||||||
* 1 (libmbedcrypto except the RNG subsystem).
|
|
||||||
*
|
*
|
||||||
* Note: the macros are essential to express test dependencies. Inside code,
|
* Note: the macros are essential to express test dependencies. Inside code,
|
||||||
* we could instead just use the equivalent pre-processor condition, but
|
* we could instead just use the equivalent pre-processor condition, but
|
||||||
|
@ -70,9 +77,9 @@
|
||||||
* MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA
|
* MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA
|
||||||
*
|
*
|
||||||
* Note: every time it's possible to use, say SHA-256, via the MD API, then
|
* Note: every time it's possible to use, say SHA-256, via the MD API, then
|
||||||
* it's also possible to used it via the low-level API. So, code that wants to
|
* it's also possible to use it via the low-level API. So, code that wants to
|
||||||
* use SHA-256 via both APIs only needs to depend on the MD macro. Also, it
|
* use SHA-256 via both APIs only needs to depend on the MD macro. Also, it
|
||||||
* just so happens that all the choosing which API to use based on
|
* just so happens that all the code choosing which API to use based on
|
||||||
* MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction
|
* MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction
|
||||||
* layer (sometimes in addition to the low-level API), so we don't need the
|
* layer (sometimes in addition to the low-level API), so we don't need the
|
||||||
* MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros.
|
* MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros.
|
||||||
|
@ -89,7 +96,7 @@
|
||||||
#ifndef MBEDTLS_OR_PSA_HELPERS_H
|
#ifndef MBEDTLS_OR_PSA_HELPERS_H
|
||||||
#define MBEDTLS_OR_PSA_HELPERS_H
|
#define MBEDTLS_OR_PSA_HELPERS_H
|
||||||
|
|
||||||
#include "common.h"
|
#include "mbedtls/build_info.h"
|
||||||
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
#if defined(MBEDTLS_PSA_CRYPTO_C)
|
||||||
#include "psa/crypto.h"
|
#include "psa/crypto.h"
|
||||||
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
#endif /* MBEDTLS_PSA_CRYPTO_C */
|
|
@ -958,7 +958,7 @@
|
||||||
* might still happen. For this reason, this is disabled by default.
|
* might still happen. For this reason, this is disabled by default.
|
||||||
*
|
*
|
||||||
* Requires: MBEDTLS_ECJPAKE_C
|
* Requires: MBEDTLS_ECJPAKE_C
|
||||||
* MBEDTLS_SHA256_C
|
* SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C)
|
||||||
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
|
||||||
*
|
*
|
||||||
* This enables the following ciphersuites (if other requisites are
|
* This enables the following ciphersuites (if other requisites are
|
||||||
|
@ -1492,13 +1492,14 @@
|
||||||
*
|
*
|
||||||
* Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
|
* Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
|
||||||
*
|
*
|
||||||
* Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
|
* Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and
|
||||||
* (Depends on ciphersuites) when MBEDTLS_USE_PSA_CRYPTO
|
* (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C)
|
||||||
* is not defined, PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or
|
* With MBEDTLS_USE_PSA_CRYPTO:
|
||||||
* PSA_WANT_ALG_SHA_512 when MBEDTLS_USE_PSA_CRYPTO is defined.
|
* PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or
|
||||||
|
* PSA_WANT_ALG_SHA_512
|
||||||
*
|
*
|
||||||
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
* \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
|
||||||
* before doing any TLS operation.
|
* psa_crypto_init() before doing any TLS operations.
|
||||||
*
|
*
|
||||||
* Comment this macro to disable support for TLS 1.2 / DTLS 1.2
|
* Comment this macro to disable support for TLS 1.2 / DTLS 1.2
|
||||||
*/
|
*/
|
||||||
|
@ -1517,11 +1518,11 @@
|
||||||
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
* Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
|
||||||
* Requires: MBEDTLS_PSA_CRYPTO_C
|
* Requires: MBEDTLS_PSA_CRYPTO_C
|
||||||
*
|
*
|
||||||
* Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use
|
* Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditonally
|
||||||
* PSA for all crypto operations, you need to also enable
|
* for most operations, if you want it to only use PSA for all crypto
|
||||||
* MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are
|
* operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509
|
||||||
* common with TLS 1.2 (record protection, running handshake hash) will still
|
* operations, and functions that are common with TLS 1.2 (record protection,
|
||||||
* use non-PSA crypto.
|
* running handshake hash) will still use non-PSA crypto.
|
||||||
*
|
*
|
||||||
* Uncomment this macro to enable the support for TLS 1.3.
|
* Uncomment this macro to enable the support for TLS 1.3.
|
||||||
*/
|
*/
|
||||||
|
@ -2357,7 +2358,7 @@
|
||||||
* This module is used by the following key exchanges:
|
* This module is used by the following key exchanges:
|
||||||
* ECJPAKE
|
* ECJPAKE
|
||||||
*
|
*
|
||||||
* Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
|
* Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
|
||||||
*
|
*
|
||||||
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
||||||
* before doing any EC J-PAKE operations.
|
* before doing any EC J-PAKE operations.
|
||||||
|
@ -2674,7 +2675,10 @@
|
||||||
*
|
*
|
||||||
* Module: library/pkcs5.c
|
* Module: library/pkcs5.c
|
||||||
*
|
*
|
||||||
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
|
* Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
|
||||||
|
*
|
||||||
|
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
||||||
|
* before doing any PKCS5 operation.
|
||||||
*
|
*
|
||||||
* This module adds support for the PKCS#5 functions.
|
* This module adds support for the PKCS#5 functions.
|
||||||
*/
|
*/
|
||||||
|
@ -3156,8 +3160,8 @@
|
||||||
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
* Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
||||||
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
|
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
|
||||||
*
|
*
|
||||||
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
* \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
|
||||||
* before doing any X.509 operation.
|
* psa_crypto_init() before doing any X.509 operation.
|
||||||
*
|
*
|
||||||
* This module is required for the X.509 parsing modules.
|
* This module is required for the X.509 parsing modules.
|
||||||
*/
|
*/
|
||||||
|
@ -3217,8 +3221,8 @@
|
||||||
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
* Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
|
||||||
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
|
* (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
|
||||||
*
|
*
|
||||||
* \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
|
* \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
|
||||||
* before doing any X.509 create operation.
|
* psa_crypto_init() before doing any X.509 create operation.
|
||||||
*
|
*
|
||||||
* This module is the basis for creating X.509 certificates and CSRs.
|
* This module is the basis for creating X.509 certificates and CSRs.
|
||||||
*/
|
*/
|
||||||
|
|
|
@ -52,9 +52,7 @@
|
||||||
#include "mbedtls/platform_time.h"
|
#include "mbedtls/platform_time.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
|
||||||
#include "psa/crypto.h"
|
#include "psa/crypto.h"
|
||||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* SSL Error codes
|
* SSL Error codes
|
||||||
|
@ -629,11 +627,7 @@ union mbedtls_ssl_premaster_secret
|
||||||
|
|
||||||
#define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
|
#define MBEDTLS_PREMASTER_SIZE sizeof( union mbedtls_ssl_premaster_secret )
|
||||||
|
|
||||||
#if defined(MBEDTLS_USE_PSA_CRYPTO)
|
|
||||||
#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE
|
#define MBEDTLS_TLS1_3_MD_MAX_SIZE PSA_HASH_MAX_SIZE
|
||||||
#else
|
|
||||||
#define MBEDTLS_TLS1_3_MD_MAX_SIZE MBEDTLS_MD_MAX_SIZE
|
|
||||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
|
||||||
|
|
||||||
|
|
||||||
/* Length in number of bytes of the TLS sequence number */
|
/* Length in number of bytes of the TLS sequence number */
|
||||||
|
|
|
@ -24,6 +24,7 @@
|
||||||
#include "mbedtls/private_access.h"
|
#include "mbedtls/private_access.h"
|
||||||
|
|
||||||
#include "mbedtls/build_info.h"
|
#include "mbedtls/build_info.h"
|
||||||
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#include "mbedtls/x509.h"
|
#include "mbedtls/x509.h"
|
||||||
#include "mbedtls/x509_crl.h"
|
#include "mbedtls/x509_crl.h"
|
||||||
|
@ -1108,7 +1109,7 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
|
||||||
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
|
int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
|
||||||
int is_ca, int max_pathlen );
|
int is_ca, int max_pathlen );
|
||||||
|
|
||||||
#if defined(MBEDTLS_SHA1_C) || ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) )
|
#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA)
|
||||||
/**
|
/**
|
||||||
* \brief Set the subjectKeyIdentifier extension for a CRT
|
* \brief Set the subjectKeyIdentifier extension for a CRT
|
||||||
* Requires that mbedtls_x509write_crt_set_subject_key() has been
|
* Requires that mbedtls_x509write_crt_set_subject_key() has been
|
||||||
|
@ -1130,7 +1131,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct
|
||||||
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
* \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
|
||||||
*/
|
*/
|
||||||
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
|
int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
|
||||||
#endif /* MBEDTLS_SHA1_C || (MBEDTLS_PSA_CRYPTO_C && PSA_WANT_ALG_SHA_1)*/
|
#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */
|
||||||
|
|
||||||
/**
|
/**
|
||||||
* \brief Set the Key Usage Extension flags
|
* \brief Set the Key Usage Extension flags
|
||||||
|
|
|
@ -21,7 +21,7 @@
|
||||||
*/
|
*/
|
||||||
|
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
typedef struct
|
typedef struct
|
||||||
|
|
|
@ -27,7 +27,7 @@
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#include <stdio.h>
|
#include <stdio.h>
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
|
@ -45,12 +45,14 @@
|
||||||
#include "psa/crypto.h"
|
#include "psa/crypto.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && defined(MBEDTLS_CIPHER_MODE_CBC) && \
|
#if defined(MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA) && \
|
||||||
|
defined(MBEDTLS_CIPHER_MODE_CBC) && \
|
||||||
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
|
( defined(MBEDTLS_DES_C) || defined(MBEDTLS_AES_C) )
|
||||||
#define PEM_RFC1421
|
#define PEM_RFC1421
|
||||||
#endif /* MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA && MBEDTLS_CIPHER_MODE_CBC &&
|
#endif /* MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA &&
|
||||||
|
MBEDTLS_CIPHER_MODE_CBC &&
|
||||||
( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
|
( MBEDTLS_AES_C || MBEDTLS_DES_C ) */
|
||||||
|
|
||||||
#if defined(MBEDTLS_PEM_PARSE_C)
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
||||||
|
|
|
@ -33,7 +33,7 @@
|
||||||
#include "mbedtls/ssl.h"
|
#include "mbedtls/ssl.h"
|
||||||
#include "ssl_misc.h"
|
#include "ssl_misc.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
|
|
@ -38,7 +38,7 @@
|
||||||
#include "mbedtls/platform_util.h"
|
#include "mbedtls/platform_util.h"
|
||||||
#include "mbedtls/constant_time.h"
|
#include "mbedtls/constant_time.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#include <string.h>
|
#include <string.h>
|
||||||
|
|
||||||
|
|
|
@ -32,7 +32,7 @@
|
||||||
#include "mbedtls/psa_util.h"
|
#include "mbedtls/psa_util.h"
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#endif
|
#endif
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_MD5_C)
|
#if defined(MBEDTLS_MD5_C)
|
||||||
#include "mbedtls/md5.h"
|
#include "mbedtls/md5.h"
|
||||||
|
|
|
@ -54,7 +54,7 @@
|
||||||
#include "mbedtls/psa_util.h"
|
#include "mbedtls/psa_util.h"
|
||||||
#include "psa/crypto.h"
|
#include "psa/crypto.h"
|
||||||
#endif
|
#endif
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
#if defined(MBEDTLS_X509_CRT_PARSE_C)
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
|
|
|
@ -62,7 +62,7 @@
|
||||||
#include <time.h>
|
#include <time.h>
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
|
#define CHECK(code) if( ( ret = ( code ) ) != 0 ){ return( ret ); }
|
||||||
#define CHECK_RANGE(min, max, val) \
|
#define CHECK_RANGE(min, max, val) \
|
||||||
|
|
|
@ -46,7 +46,7 @@
|
||||||
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
#endif /* MBEDTLS_USE_PSA_CRYPTO */
|
||||||
|
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
void mbedtls_x509write_crt_init( mbedtls_x509write_cert *ctx )
|
||||||
{
|
{
|
||||||
|
|
|
@ -1478,11 +1478,11 @@ int main( int argc, char *argv[] )
|
||||||
if( opt.psk_opaque != 0 )
|
if( opt.psk_opaque != 0 )
|
||||||
{
|
{
|
||||||
/* Determine KDF algorithm the opaque PSK will be used in. */
|
/* Determine KDF algorithm the opaque PSK will be used in. */
|
||||||
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
|
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
|
||||||
else
|
else
|
||||||
#endif /* HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||||
|
|
|
@ -2261,11 +2261,11 @@ int main( int argc, char *argv[] )
|
||||||
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
|
if( opt.psk_opaque != 0 || opt.psk_list_opaque != 0 )
|
||||||
{
|
{
|
||||||
/* Determine KDF algorithm the opaque PSK will be used in. */
|
/* Determine KDF algorithm the opaque PSK will be used in. */
|
||||||
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
if( ciphersuite_info->mac == MBEDTLS_MD_SHA384 )
|
||||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
|
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
|
||||||
else
|
else
|
||||||
#endif /* HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
#endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
|
||||||
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
|
||||||
}
|
}
|
||||||
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
#endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */
|
||||||
|
|
|
@ -297,49 +297,23 @@ int send_cb( void *ctx, unsigned char const *buf, size_t len )
|
||||||
#define MBEDTLS_SSL_SIG_ALG( hash )
|
#define MBEDTLS_SSL_SIG_ALG( hash )
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
|
||||||
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \
|
|
||||||
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_1) )
|
|
||||||
#define HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
|
||||||
#endif
|
|
||||||
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
|
||||||
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \
|
|
||||||
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_224) )
|
|
||||||
#define HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
|
||||||
#endif
|
|
||||||
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
|
||||||
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
|
|
||||||
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) )
|
|
||||||
#define HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
|
||||||
#endif
|
|
||||||
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
|
||||||
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
|
|
||||||
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) )
|
|
||||||
#define HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
|
||||||
#endif
|
|
||||||
#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
|
|
||||||
defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \
|
|
||||||
( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_512) )
|
|
||||||
#define HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA
|
|
||||||
#endif
|
|
||||||
|
|
||||||
uint16_t ssl_sig_algs_for_test[] = {
|
uint16_t ssl_sig_algs_for_test[] = {
|
||||||
#if defined(HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
|
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA512 )
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
|
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA384 )
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
|
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA256 )
|
||||||
#endif
|
#endif
|
||||||
#if defined(HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 )
|
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA224 )
|
||||||
#endif
|
#endif
|
||||||
#if defined(MBEDTLS_RSA_C) && defined(HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
|
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
|
||||||
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
|
#endif /* MBEDTLS_RSA_C && MBEDTLS_SHA256_C */
|
||||||
#if defined(HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
|
||||||
/* Allow SHA-1 as we use it extensively in tests. */
|
/* Allow SHA-1 as we use it extensively in tests. */
|
||||||
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 )
|
MBEDTLS_SSL_SIG_ALG( MBEDTLS_SSL_HASH_SHA1 )
|
||||||
#endif
|
#endif
|
||||||
|
|
|
@ -1715,7 +1715,7 @@ component_test_psa_crypto_config_accel_ecdsa () {
|
||||||
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
|
||||||
|
|
||||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||||
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
make CFLAGS="$ASAN_CFLAGS -O -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
||||||
|
|
||||||
not grep mbedtls_ecdsa_ library/ecdsa.o
|
not grep mbedtls_ecdsa_ library/ecdsa.o
|
||||||
|
|
||||||
|
@ -1797,7 +1797,7 @@ component_test_psa_crypto_config_accel_rsa_signature () {
|
||||||
scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
|
scripts/config.py unset MBEDTLS_SSL_CBC_RECORD_SPLITTING
|
||||||
|
|
||||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
||||||
|
|
||||||
not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
|
not grep mbedtls_rsa_rsassa_pkcs1_v15_sign library/rsa.o
|
||||||
not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
|
not grep mbedtls_rsa_rsassa_pss_sign_ext library/rsa.o
|
||||||
|
@ -1827,7 +1827,7 @@ component_test_psa_crypto_config_accel_hash () {
|
||||||
scripts/config.py unset MBEDTLS_SHA384_C
|
scripts/config.py unset MBEDTLS_SHA384_C
|
||||||
scripts/config.py unset MBEDTLS_SHA512_C
|
scripts/config.py unset MBEDTLS_SHA512_C
|
||||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
||||||
|
|
||||||
not grep mbedtls_sha512_init library/sha512.o
|
not grep mbedtls_sha512_init library/sha512.o
|
||||||
not grep mbedtls_sha1_init library/sha1.o
|
not grep mbedtls_sha1_init library/sha1.o
|
||||||
|
@ -1848,21 +1848,28 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
|
||||||
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
|
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
|
||||||
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
|
make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
|
||||||
|
|
||||||
|
# start with config full for maximum coverage (also enables USE_PSA)
|
||||||
|
scripts/config.py full
|
||||||
|
# enable support for drivers and configuring PSA-only algorithms
|
||||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
|
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
|
||||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
|
||||||
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
|
# disable the built-in implementation of hashes
|
||||||
scripts/config.py unset MBEDTLS_MD5_C
|
scripts/config.py unset MBEDTLS_MD5_C
|
||||||
scripts/config.py unset MBEDTLS_RIPEMD160_C
|
scripts/config.py unset MBEDTLS_RIPEMD160_C
|
||||||
scripts/config.py unset MBEDTLS_SHA1_C
|
scripts/config.py unset MBEDTLS_SHA1_C
|
||||||
scripts/config.py unset MBEDTLS_SHA224_C
|
scripts/config.py unset MBEDTLS_SHA224_C
|
||||||
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
|
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
|
||||||
|
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
|
||||||
scripts/config.py unset MBEDTLS_SHA384_C
|
scripts/config.py unset MBEDTLS_SHA384_C
|
||||||
scripts/config.py unset MBEDTLS_SHA512_C
|
scripts/config.py unset MBEDTLS_SHA512_C
|
||||||
|
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
|
||||||
# Use an external RNG as currently internal RNGs depend on entropy.c
|
# Use an external RNG as currently internal RNGs depend on entropy.c
|
||||||
# which in turn hard-depends on SHA256_C (or SHA512_C).
|
# which in turn hard-depends on SHA256_C (or SHA512_C).
|
||||||
# See component_test_psa_external_rng_no_drbg_use_psa.
|
# See component_test_psa_external_rng_no_drbg_use_psa.
|
||||||
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
|
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
|
||||||
scripts/config.py unset MBEDTLS_ENTROPY_C
|
scripts/config.py unset MBEDTLS_ENTROPY_C
|
||||||
|
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED # depends on ENTROPY_C
|
||||||
|
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT # depends on former
|
||||||
# Also unset MD_C and things that depend on it;
|
# Also unset MD_C and things that depend on it;
|
||||||
# see component_test_crypto_full_no_md.
|
# see component_test_crypto_full_no_md.
|
||||||
scripts/config.py unset MBEDTLS_MD_C
|
scripts/config.py unset MBEDTLS_MD_C
|
||||||
|
@ -1870,10 +1877,6 @@ component_test_psa_crypto_config_accel_hash_use_psa () {
|
||||||
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
|
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
|
||||||
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
|
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
|
||||||
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
|
||||||
# Enable TLS 1.3: use PSA implementation for hashes
|
|
||||||
scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3
|
|
||||||
scripts/config.py set MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE
|
|
||||||
scripts/config.py set MBEDTLS_SSL_CID_TLS1_3_PADDING_GRANULARITY 1
|
|
||||||
|
|
||||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
|
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" all
|
||||||
|
@ -1925,7 +1928,7 @@ component_test_psa_crypto_config_accel_cipher () {
|
||||||
scripts/config.py unset MBEDTLS_DES_C
|
scripts/config.py unset MBEDTLS_DES_C
|
||||||
|
|
||||||
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
|
||||||
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS"
|
||||||
|
|
||||||
not grep mbedtls_des* library/des.o
|
not grep mbedtls_des* library/des.o
|
||||||
|
|
||||||
|
|
|
@ -23,7 +23,7 @@
|
||||||
|
|
||||||
#include "mbedtls/build_info.h"
|
#include "mbedtls/build_info.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
/*
|
/*
|
||||||
* Test CA Certificates
|
* Test CA Certificates
|
||||||
|
|
|
@ -1,7 +1,7 @@
|
||||||
/* BEGIN_HEADER */
|
/* BEGIN_HEADER */
|
||||||
#include "mbedtls/ecdsa.h"
|
#include "mbedtls/ecdsa.h"
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
#if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \
|
#if ( defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_SHA256_C) ) || \
|
||||||
( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) )
|
( !defined(MBEDTLS_ECDSA_DETERMINISTIC) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA) )
|
||||||
#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC
|
#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_IF_DETERMINISTIC
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/* BEGIN_HEADER */
|
/* BEGIN_HEADER */
|
||||||
#include "mbedtls/ecjpake.h"
|
#include "mbedtls/ecjpake.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA)
|
#if defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) && defined(MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA)
|
||||||
static const unsigned char ecjpake_test_x1[] = {
|
static const unsigned char ecjpake_test_x1[] = {
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
#include "mbedtls/asn1.h"
|
#include "mbedtls/asn1.h"
|
||||||
#include "mbedtls/asn1write.h"
|
#include "mbedtls/asn1write.h"
|
||||||
#include "string.h"
|
#include "string.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -3,7 +3,7 @@
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/des.h"
|
#include "mbedtls/des.h"
|
||||||
#include "mbedtls/aes.h"
|
#include "mbedtls/aes.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
|
|
|
@ -8,7 +8,7 @@
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
|
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#include <limits.h>
|
#include <limits.h>
|
||||||
#include <stdint.h>
|
#include <stdint.h>
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
#include "mbedtls/pkcs12.h"
|
#include "mbedtls/pkcs12.h"
|
||||||
#include "common.h"
|
#include "common.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
typedef enum
|
typedef enum
|
||||||
{
|
{
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
#include "mbedtls/md.h"
|
#include "mbedtls/md.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/* BEGIN_HEADER */
|
/* BEGIN_HEADER */
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
/* BEGIN_HEADER */
|
/* BEGIN_HEADER */
|
||||||
#include "mbedtls/pkcs5.h"
|
#include "mbedtls/pkcs5.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
#include "mbedtls/pk.h"
|
#include "mbedtls/pk.h"
|
||||||
#include "mbedtls/pem.h"
|
#include "mbedtls/pem.h"
|
||||||
#include "mbedtls/oid.h"
|
#include "mbedtls/oid.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -2,7 +2,7 @@
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
#include "rsa_alt_helpers.h"
|
#include "rsa_alt_helpers.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
/* END_HEADER */
|
/* END_HEADER */
|
||||||
|
|
||||||
/* BEGIN_DEPENDENCIES
|
/* BEGIN_DEPENDENCIES
|
||||||
|
|
|
@ -11,7 +11,7 @@
|
||||||
#include "mbedtls/ssl_cache.h"
|
#include "mbedtls/ssl_cache.h"
|
||||||
#endif
|
#endif
|
||||||
|
|
||||||
#include <legacy_or_psa.h>
|
#include <mbedtls/legacy_or_psa.h>
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
|
|
||||||
#include <constant_time_internal.h>
|
#include <constant_time_internal.h>
|
||||||
|
@ -5439,7 +5439,7 @@ void ssl_cf_hmac( int hash )
|
||||||
size_t min_in_len, in_len, max_in_len, i;
|
size_t min_in_len, in_len, max_in_len, i;
|
||||||
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
|
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
|
||||||
unsigned char add_data[13];
|
unsigned char add_data[13];
|
||||||
unsigned char ref_out[MBEDTLS_MD_MAX_SIZE];
|
unsigned char ref_out[MBEDTLS_HASH_MAX_SIZE];
|
||||||
unsigned char *data = NULL;
|
unsigned char *data = NULL;
|
||||||
unsigned char *out = NULL;
|
unsigned char *out = NULL;
|
||||||
unsigned char rec_num = 0;
|
unsigned char rec_num = 0;
|
||||||
|
|
|
@ -10,7 +10,7 @@
|
||||||
#include "mbedtls/error.h"
|
#include "mbedtls/error.h"
|
||||||
#include "string.h"
|
#include "string.h"
|
||||||
|
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
|
#if MBEDTLS_X509_MAX_INTERMEDIATE_CA > 19
|
||||||
#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
|
#error "The value of MBEDTLS_X509_MAX_INTERMEDIATE_C is larger \
|
||||||
|
|
|
@ -7,7 +7,7 @@
|
||||||
#include "mbedtls/rsa.h"
|
#include "mbedtls/rsa.h"
|
||||||
|
|
||||||
#include "hash_info.h"
|
#include "hash_info.h"
|
||||||
#include "legacy_or_psa.h"
|
#include "mbedtls/legacy_or_psa.h"
|
||||||
|
|
||||||
#if defined(MBEDTLS_RSA_C)
|
#if defined(MBEDTLS_RSA_C)
|
||||||
int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen,
|
int mbedtls_rsa_decrypt_func( void *ctx, size_t *olen,
|
||||||
|
|
Loading…
Reference in a new issue