From c1d50b631452cddb8b5cf0dda7d074535ca67cfc Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:20:00 +0200 Subject: [PATCH 01/14] check_config: fix dependency of PSA_CRYPTO_C on CIPHER_C Signed-off-by: Valerio Setti --- include/mbedtls/check_config.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 619f8428e..1251cdfa7 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -766,7 +766,9 @@ #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)" #endif -#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C ) +#if defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_HAVE_SOFT_BLOCK_CIPHER) || defined(PSA_HAVE_SOFT_BLOCK_AEAD)) && \ + !defined(MBEDTLS_CIPHER_C) #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites" #endif From c5d9dd262b96d2b99a0ff2c08e81bc6e29bb405b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:21:31 +0200 Subject: [PATCH 02/14] adjust_psa_from_legacy: enable ALG_STREAM_CIPHER on when CIPHER_C is defined Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_psa_from_legacy.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config_adjust_psa_from_legacy.h b/include/mbedtls/config_adjust_psa_from_legacy.h index 088711d37..296d62461 100644 --- a/include/mbedtls/config_adjust_psa_from_legacy.h +++ b/include/mbedtls/config_adjust_psa_from_legacy.h @@ -238,9 +238,12 @@ #if defined(MBEDTLS_CHACHA20_C) #define PSA_WANT_KEY_TYPE_CHACHA20 1 -#define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 +/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */ +#if defined(MBEDTLS_CIPHER_C) +#define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 +#endif #if defined(MBEDTLS_CHACHAPOLY_C) #define PSA_WANT_ALG_CHACHA20_POLY1305 1 #define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 From 2c2adedd829f318047d58063992b95f7f9c5b8f3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:22:19 +0200 Subject: [PATCH 03/14] psa_crypto_aead: add guard for CIPHER_C dependency Signed-off-by: Valerio Setti --- library/psa_crypto_aead.c | 9 +++++---- library/psa_crypto_cipher.c | 2 ++ library/psa_crypto_cipher.h | 2 ++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 85d1f39be..73d8b01e9 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -43,13 +43,13 @@ static psa_status_t psa_aead_setup( psa_algorithm_t alg) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t key_bits; - const mbedtls_cipher_info_t *cipher_info; - mbedtls_cipher_id_t cipher_id; (void) key_buffer_size; - key_bits = attributes->core.bits; +#if defined(MBEDTLS_CIPHER_C) + const mbedtls_cipher_info_t *cipher_info; + mbedtls_cipher_id_t cipher_id; + size_t key_bits = attributes->core.bits; cipher_info = mbedtls_cipher_info_from_psa(alg, attributes->core.type, key_bits, @@ -57,6 +57,7 @@ static psa_status_t psa_aead_setup( if (cipher_info == NULL) { return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MBEDTLS_CIPHER_C */ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index b997a07cf..c881d65b6 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,6 +31,7 @@ #include +#if defined(MBEDTLS_CIPHER_C) const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, @@ -158,6 +159,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode); } +#endif /* MBEDTLS_CIPHER_C */ #if defined(MBEDTLS_PSA_BUILTIN_CIPHER) diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index bf43ff08a..933092ddd 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -24,6 +24,7 @@ #include #include +#if defined(MBEDTLS_CIPHER_C) /** Get Mbed TLS cipher information given the cipher algorithm PSA identifier * as well as the PSA type and size of the key to be used with the cipher * algorithm. @@ -39,6 +40,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits, mbedtls_cipher_id_t *cipher_id); +#endif /* MBEDTLS_CIPHER_C */ /** * \brief Set the key for a multipart symmetric encryption operation. From 4a249828a8ab2773661be9225c3bd26acc3648f2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 18 Oct 2023 12:34:54 +0200 Subject: [PATCH 04/14] psa_crypto_cipher: add mbedtls_cipher_values_from_psa() This commit splits mbedtls_cipher_info_from_psa() in 2 parts: - mbedtls_cipher_values_from_psa() that performs parameters' validation and return cipher's values - mbedtls_cipher_info_from_psa() which then use those values to return the proper cipher_info pointer. Of course this depends on CIPHER_C. Signed-off-by: Valerio Setti --- library/psa_crypto_aead.c | 19 ++++------ library/psa_crypto_cipher.c | 69 ++++++++++++++++++++++++------------- library/psa_crypto_cipher.h | 21 +++++++++++ 3 files changed, 73 insertions(+), 36 deletions(-) diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 73d8b01e9..6f026a0d7 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -43,21 +43,16 @@ static psa_status_t psa_aead_setup( psa_algorithm_t alg) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - + mbedtls_cipher_id_t cipher_id; + mbedtls_cipher_mode_t mode; + size_t key_bits = attributes->core.bits; (void) key_buffer_size; -#if defined(MBEDTLS_CIPHER_C) - const mbedtls_cipher_info_t *cipher_info; - mbedtls_cipher_id_t cipher_id; - size_t key_bits = attributes->core.bits; - - cipher_info = mbedtls_cipher_info_from_psa(alg, - attributes->core.type, key_bits, - &cipher_id); - if (cipher_info == NULL) { - return PSA_ERROR_NOT_SUPPORTED; + status = mbedtls_cipher_values_from_psa(alg, attributes->core.type, + &key_bits, &mode, &cipher_id); + if (status != PSA_SUCCESS) { + return status; } -#endif /* MBEDTLS_CIPHER_C */ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index c881d65b6..7e81dfee7 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,15 +31,15 @@ #include -#if defined(MBEDTLS_CIPHER_C) -const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( +psa_status_t mbedtls_cipher_values_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, - size_t key_bits, + size_t *key_bits, + mbedtls_cipher_mode_t *mode, mbedtls_cipher_id_t *cipher_id) { - mbedtls_cipher_mode_t mode; mbedtls_cipher_id_t cipher_id_tmp; + (void) key_bits; if (PSA_ALG_IS_AEAD(alg)) { alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0); @@ -49,66 +49,66 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( switch (alg) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) case PSA_ALG_STREAM_CIPHER: - mode = MBEDTLS_MODE_STREAM; + *mode = MBEDTLS_MODE_STREAM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) case PSA_ALG_CTR: - mode = MBEDTLS_MODE_CTR; + *mode = MBEDTLS_MODE_CTR; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) case PSA_ALG_CFB: - mode = MBEDTLS_MODE_CFB; + *mode = MBEDTLS_MODE_CFB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) case PSA_ALG_OFB: - mode = MBEDTLS_MODE_OFB; + *mode = MBEDTLS_MODE_OFB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) case PSA_ALG_ECB_NO_PADDING: - mode = MBEDTLS_MODE_ECB; + *mode = MBEDTLS_MODE_ECB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) case PSA_ALG_CBC_NO_PADDING: - mode = MBEDTLS_MODE_CBC; + *mode = MBEDTLS_MODE_CBC; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) case PSA_ALG_CBC_PKCS7: - mode = MBEDTLS_MODE_CBC; + *mode = MBEDTLS_MODE_CBC; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) case PSA_ALG_CCM_STAR_NO_TAG: - mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; + *mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): - mode = MBEDTLS_MODE_CCM; + *mode = MBEDTLS_MODE_CCM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): - mode = MBEDTLS_MODE_GCM; + *mode = MBEDTLS_MODE_GCM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): - mode = MBEDTLS_MODE_CHACHAPOLY; + *mode = MBEDTLS_MODE_CHACHAPOLY; break; #endif default: - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } } else if (alg == PSA_ALG_CMAC) { - mode = MBEDTLS_MODE_ECB; + *mode = MBEDTLS_MODE_ECB; } else { - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } switch (key_type) { @@ -126,7 +126,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( case PSA_KEY_TYPE_DES: /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES, * and 192 for three-key Triple-DES. */ - if (key_bits == 64) { + if (*key_bits == 64) { cipher_id_tmp = MBEDTLS_CIPHER_ID_DES; } else { cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES; @@ -134,8 +134,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( /* mbedtls doesn't recognize two-key Triple-DES as an algorithm, * but two-key Triple-DES is functionally three-key Triple-DES * with K1=K3, so that's how we present it to mbedtls. */ - if (key_bits == 128) { - key_bits = 192; + if (*key_bits == 128) { + *key_bits = 192; } break; #endif @@ -150,14 +150,35 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( break; #endif default: - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } if (cipher_id != NULL) { *cipher_id = cipher_id_tmp; } - return mbedtls_cipher_info_from_values(cipher_id_tmp, - (int) key_bits, mode); + return PSA_SUCCESS; +} + +#if defined(MBEDTLS_CIPHER_C) +const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( + psa_algorithm_t alg, + psa_key_type_t key_type, + size_t key_bits, + mbedtls_cipher_id_t *cipher_id) +{ + mbedtls_cipher_mode_t mode; + psa_status_t status; + mbedtls_cipher_id_t cipher_id_tmp; + + status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp); + if (status != PSA_SUCCESS) { + return NULL; + } + if (cipher_id != NULL) { + *cipher_id = cipher_id_tmp; + } + + return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode); } #endif /* MBEDTLS_CIPHER_C */ diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index 933092ddd..5ed8a7779 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -24,6 +24,27 @@ #include #include +/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier + * as well as the PSA type and size of the key to be used with the cipher + * algorithm. + * + * \param[in] alg PSA cipher algorithm identifier + * \param[in] key_type PSA key type + * \param[in,out] key_bits Size of the key in bits. The value provided in input + * might be updated if necessary. + * \param[out] mode Mbed TLS cipher mode + * \param[out] cipher_id Mbed TLS cipher algorithm identifier + * + * \return On success \c PSA_SUCCESS is returned and key_bits, mode and cipher_id + * are properly updated. + * \c PSA_ERROR_NOT_SUPPORTED is returned if the cipher algorithm is not + * supported. + */ + +psa_status_t mbedtls_cipher_values_from_psa(psa_algorithm_t alg, psa_key_type_t key_type, + size_t *key_bits, mbedtls_cipher_mode_t *mode, + mbedtls_cipher_id_t *cipher_id); + #if defined(MBEDTLS_CIPHER_C) /** Get Mbed TLS cipher information given the cipher algorithm PSA identifier * as well as the PSA type and size of the key to be used with the cipher From 7e710e8272d9803c4a8e3eded629c64723113e45 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:14:15 +0200 Subject: [PATCH 05/14] all.sh: add components as full_no_cipher with CRYPTO_C and CRYPTO_CONFIG Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 87 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b0b32fed5..db6bed835 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1488,7 +1488,7 @@ component_test_crypto_full_md_light_only () { } component_test_full_no_cipher () { - msg "build: full minus CIPHER" + msg "build: full - CIPHER - PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C # Don't pull in cipher via PSA mechanisms @@ -1518,10 +1518,93 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_LMS_PRIVATE make - msg "test: full minus CIPHER" + msg "test: full - CIPHER - PSA_CRYPTO_C" make test } +# This is a common configurator and test function that is used in: +# - component_test_full_no_cipher_with_crypto +# - component_test_full_no_cipher_with_crypto_config +# It accepts 2 input parameters: +# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG +# - $2: a text string which describes the test component +common_test_full_no_cipher_with_crypto () { + USE_CRYPTO_CONFIG="$1" + COMPONENT_DESCRIPTION="$2" + + msg "build: $COMPONENT_DESCRIPTION" + + scripts/config.py full + scripts/config.py unset MBEDTLS_CIPHER_C + + if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then + # Direct dependencies from PSA config + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_AES + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_CAMELLIA + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ARIA + else + # Don't pull in cipher via PSA mechanisms + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + fi + # Direct dependencies + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_SSL_TLS_C + scripts/config.py unset MBEDTLS_SSL_TICKET_C + # Disable cipher modes/keys that make PSA depend on CIPHER_C. + # Keep CHACHA20 enabled since it does not depend on CIPHER_C. + scripts/config.py unset-all MBEDTLS_CIPHER_MODE + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + # Dependencies on AES_C + scripts/config.py unset MBEDTLS_CTR_DRBG_C + # Disable dependencies on the AEAD algs + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + # Indirect dependencies + scripts/config.py unset MBEDTLS_SSL_CLI_C + scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_SRV_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + make + + # Ensure that CIPHER_C was not re-enabled + not grep mbedtls_cipher_init library/cipher.o + + msg "test: $COMPONENT_DESCRIPTION" + make test +} + +component_test_full_no_cipher_with_crypto() { + common_test_full_no_cipher_with_crypto 0 "full - CIPHER - CRYPTO_CONFIG" +} + +component_test_full_no_cipher_with_crypto_config() { + common_test_full_no_cipher_with_crypto 1 "full - CIPHER" +} + component_test_full_no_bignum () { msg "build: full minus bignum" scripts/config.py full From 1e21f26d886bb9e86476c185bd761e20b5905329 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 20 Oct 2023 16:24:07 +0200 Subject: [PATCH 06/14] psa_crypto_cipher: add helper to validate PSA cipher values Signed-off-by: Valerio Setti --- library/psa_crypto_cipher.c | 54 ++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 7e81dfee7..b195bb9fd 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,6 +31,58 @@ #include +/* mbedtls_cipher_values_from_psa() below only checks if the proper build symbols + * are enabled, but it does not provide any compatibility check between them + * (i.e. if the specified key works with the specified algorithm). This helper + * function is meant to provide this support. + * mbedtls_cipher_info_from_psa() might be used for the same purpose, but it + * requires CIPHER_C to be enabled. + */ +static psa_status_t mbedtls_cipher_validate_values( + psa_algorithm_t alg, + psa_key_type_t key_type) +{ + switch (alg) { + case PSA_ALG_STREAM_CIPHER: + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): + if (key_type != PSA_KEY_TYPE_CHACHA20) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): + case PSA_ALG_CCM_STAR_NO_TAG: + if ((key_type != PSA_KEY_TYPE_AES) && + (key_type != PSA_KEY_TYPE_ARIA) && + (key_type != PSA_KEY_TYPE_CAMELLIA)) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + case PSA_ALG_CTR: + case PSA_ALG_CFB: + case PSA_ALG_OFB: + case PSA_ALG_XTS: + case PSA_ALG_ECB_NO_PADDING: + case PSA_ALG_CBC_NO_PADDING: + case PSA_ALG_CBC_PKCS7: + case PSA_ALG_CMAC: + if ((key_type != PSA_KEY_TYPE_AES) && + (key_type != PSA_KEY_TYPE_ARIA) && + (key_type != PSA_KEY_TYPE_DES) && + (key_type != PSA_KEY_TYPE_CAMELLIA)) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return PSA_SUCCESS; +} + psa_status_t mbedtls_cipher_values_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, @@ -156,7 +208,7 @@ psa_status_t mbedtls_cipher_values_from_psa( *cipher_id = cipher_id_tmp; } - return PSA_SUCCESS; + return mbedtls_cipher_validate_values(alg, key_type); } #if defined(MBEDTLS_CIPHER_C) From 36fe8b9f4b4b65432d84bbd26ebcad97e6d6e593 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:12:23 +0200 Subject: [PATCH 07/14] psa_crypto_cipher: add guard for unused variable Signed-off-by: Valerio Setti --- library/psa_crypto_cipher.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index b195bb9fd..38be84b0b 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -91,7 +91,10 @@ psa_status_t mbedtls_cipher_values_from_psa( mbedtls_cipher_id_t *cipher_id) { mbedtls_cipher_id_t cipher_id_tmp; + /* Only DES modifies key_bits */ +#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) (void) key_bits; +#endif if (PSA_ALG_IS_AEAD(alg)) { alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0); From df17a102e50e7a0db66c8ee9649d54485870d26a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:14:19 +0200 Subject: [PATCH 08/14] all.sh: replace minus sign in text messages with "no" Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index db6bed835..8f5263759 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1488,7 +1488,7 @@ component_test_crypto_full_md_light_only () { } component_test_full_no_cipher () { - msg "build: full - CIPHER - PSA_CRYPTO_C" + msg "build: full no CIPHER no PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C # Don't pull in cipher via PSA mechanisms @@ -1518,7 +1518,7 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_LMS_PRIVATE make - msg "test: full - CIPHER - PSA_CRYPTO_C" + msg "test: full no CIPHER no PSA_CRYPTO_C" make test } @@ -1598,11 +1598,11 @@ common_test_full_no_cipher_with_crypto () { } component_test_full_no_cipher_with_crypto() { - common_test_full_no_cipher_with_crypto 0 "full - CIPHER - CRYPTO_CONFIG" + common_test_full_no_cipher_with_crypto 0 "full no CIPHER no CRYPTO_CONFIG" } component_test_full_no_cipher_with_crypto_config() { - common_test_full_no_cipher_with_crypto 1 "full - CIPHER" + common_test_full_no_cipher_with_crypto 1 "full no CIPHER" } component_test_full_no_bignum () { From c84d940704a4608e7085f2cf639100746900d89d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:58:25 +0200 Subject: [PATCH 09/14] all.sh: fix comments in common_test_full_no_cipher_with_crypto() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8f5263759..d0e0c6098 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1538,7 +1538,7 @@ common_test_full_no_cipher_with_crypto () { scripts/config.py unset MBEDTLS_CIPHER_C if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then - # Direct dependencies from PSA config + # The built-in implementation of these modes currently depends on CIPHER_C scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM @@ -1558,7 +1558,7 @@ common_test_full_no_cipher_with_crypto () { # Don't pull in cipher via PSA mechanisms scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG fi - # Direct dependencies + # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_GCM_C From fb0b0ffaa4b3d3745cb7d43d0932c6f2f37a3ad2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:58:55 +0200 Subject: [PATCH 10/14] all.sh: keep symbols that don't depend on CIPHER_C (directly or indirectly) Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d0e0c6098..c27923ce8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1576,18 +1576,7 @@ common_test_full_no_cipher_with_crypto () { scripts/config.py unset MBEDTLS_CAMELLIA_C # Dependencies on AES_C scripts/config.py unset MBEDTLS_CTR_DRBG_C - # Disable dependencies on the AEAD algs - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Indirect dependencies - scripts/config.py unset MBEDTLS_SSL_CLI_C - scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_SSL_SRV_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE + make # Ensure that CIPHER_C was not re-enabled From 4529d65e30179d25e38dd09301c1f1350c109079 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 11:51:58 +0200 Subject: [PATCH 11/14] all.sh: improve test_full_no_cipher() - remove unnecessary disabled items (most of them were already disabled automatically once MBEDTLS_SSL_TLS_C was disabled) - improve dependencies' comments, especially the last one which list items depending on PSA_CRYPTO_C Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c27923ce8..0e4d0e22a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1494,7 +1494,7 @@ component_test_full_no_cipher () { # Don't pull in cipher via PSA mechanisms # (currently ignored anyway because we completely disable PSA) scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - # Direct dependencies + # Disable features that depend on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_GCM_C @@ -1504,15 +1504,9 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_C scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Indirect dependencies - scripts/config.py unset MBEDTLS_SSL_CLI_C + # Disable features that depend on PSA_CRYPTO_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_LMS_C scripts/config.py unset MBEDTLS_LMS_PRIVATE From 5b4039f36dc27c65a442d941cb187bfa6081a730 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 13:41:44 +0200 Subject: [PATCH 12/14] all.sh: rename common config/test function Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 0e4d0e22a..b33795176 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1522,7 +1522,7 @@ component_test_full_no_cipher () { # It accepts 2 input parameters: # - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG # - $2: a text string which describes the test component -common_test_full_no_cipher_with_crypto () { +common_test_full_no_cipher_with_psa_crypto () { USE_CRYPTO_CONFIG="$1" COMPONENT_DESCRIPTION="$2" @@ -1581,11 +1581,11 @@ common_test_full_no_cipher_with_crypto () { } component_test_full_no_cipher_with_crypto() { - common_test_full_no_cipher_with_crypto 0 "full no CIPHER no CRYPTO_CONFIG" + common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" } component_test_full_no_cipher_with_crypto_config() { - common_test_full_no_cipher_with_crypto 1 "full no CIPHER" + common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" } component_test_full_no_bignum () { From 862021a1189f50f6690f97b78af7897c7bce5574 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 13:52:06 +0200 Subject: [PATCH 13/14] all.sh: improve comments in common_test_full_no_cipher_with_psa_crypto Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b33795176..eb12a89d7 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1532,7 +1532,10 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_CIPHER_C if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then - # The built-in implementation of these modes currently depends on CIPHER_C + # The built-in implementation of the following algs/key-types depends + # on CIPHER_C so we disable them. + # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 + # so we keep them enabled. scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM @@ -1562,7 +1565,7 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C # Disable cipher modes/keys that make PSA depend on CIPHER_C. - # Keep CHACHA20 enabled since it does not depend on CIPHER_C. + # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. scripts/config.py unset-all MBEDTLS_CIPHER_MODE scripts/config.py unset MBEDTLS_AES_C scripts/config.py unset MBEDTLS_DES_C From 287f6d1f5c1c967195054edd46ca66f0ff484fda Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 14:12:59 +0200 Subject: [PATCH 14/14] all.sh: unset MBEDTLS symbols for modes/keys only when !PSA_CRYPTO_CONFIG Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index eb12a89d7..1eea025cb 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1554,6 +1554,15 @@ common_test_full_no_cipher_with_psa_crypto () { else # Don't pull in cipher via PSA mechanisms scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + # Disable cipher modes/keys that make PSA depend on CIPHER_C. + # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. + scripts/config.py unset-all MBEDTLS_CIPHER_MODE + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + # Dependencies on AES_C + scripts/config.py unset MBEDTLS_CTR_DRBG_C fi # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C @@ -1564,15 +1573,6 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_PKCS5_C scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Disable cipher modes/keys that make PSA depend on CIPHER_C. - # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. - scripts/config.py unset-all MBEDTLS_CIPHER_MODE - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - # Dependencies on AES_C - scripts/config.py unset MBEDTLS_CTR_DRBG_C make