AuroraMiddleware/mbedtls
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Phase 2 support for MBEDTLS_PSA_CRYPTO_CONFIG

Browse Source 
This phase adds in support for the following features being
added to the list of features that can be configured in the
include/psa/crypto_config.h header file using the PSA_WANT_ALG_xxx
macros: ECDH, HMAC, HKDF, and RSA. These changes include changes to
the PSA crypto library to use the appropriate new guards that
will allow the feature to be compiled in or out either using
new PSA_WANT_ALG_xxx or the previous MBEDTLS_xxx macros.

For HKDF and HMAC, most of the PSA library code did not have a
specific matching MBEDTLS_xxx macro for that feature, but was instead
using the generic dependent MBEDTLS_MD_C macro. The ECDH and RSA
features more closely aligned with a direct replacement with a similar
macro.

The new tests for RSA, HMAC, and HKDF would normally unset additional
dependent macros, but when attempting to implement that level of
testing it required removal of too many core features like MD_C, PK_C,
ECP_C and other low level features. This may point to additional phases of
work to complete the transition of these features to the new model.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This commit is contained in:
John Durkop 2020-10-29 21:37:36 -07:00
parent a455e71588
commit d032195278
4 changed files with 187 additions and 67 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

55
include/mbedtls/config_psa.h
View File

@ -54,9 +54,42 @@ extern "C" {
#define MBEDTLS_ECDSA_C
#define MBEDTLS_HMAC_DRBG_C
#define MBEDTLS_MD_C
#endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */
#endif /* !MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */
#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
#if defined(PSA_WANT_ALG_ECDH)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
#define MBEDTLS_ECDH_C
#define MBEDTLS_ECP_C
#define MBEDTLS_BIGNUM_C
#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */
#endif /* defined(PSA_WANT_ALG_ECDH) */
#if defined(PSA_WANT_ALG_HMAC)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#define MBEDTLS_MD_C
#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */
#endif /* defined(PSA_WANT_ALG_HMAC) */
#if defined(PSA_WANT_ALG_HKDF)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#define MBEDTLS_HKDF_C
#define MBEDTLS_MD_C
#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */
#endif /* defined(PSA_WANT_ALG_HKDF) */
#if defined(PSA_WANT_ALG_RSA)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA)
#define MBEDTLS_PSA_BUILTIN_ALG_RSA
#define MBEDTLS_RSA_C
#define MBEDTLS_BIGNUM_C
#define MBEDTLS_OID_C
#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */
#endif /* defined(PSA_WANT_ALG_RSA) */
#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
/*
@ -64,15 +97,31 @@ extern "C" {
* is not defined
*/
#if defined(MBEDTLS_ECDSA_C)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
// Only add in DETERMINISTIC support if ECDSA is also enabled
#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
#endif /* MBEDTLS_ECDSA_C */
#if defined(MBEDTLS_ECDH_C)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1
#endif /* MBEDTLS_ECDH_C */
#if defined(MBEDTLS_MD_C)
#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1
#endif /* MBEDTLS_MD_C */
#if defined(MBEDTLS_HKDF_C)
#define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1
#endif /* MBEDTLS_HKDF_C */
#ifdef MBEDTLS_RSA_C
#define MBEDTLS_PSA_BUILTIN_ALG_RSA 1
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
#ifdef __cplusplus

4
include/psa/crypto_config.h
View File

@ -52,5 +52,9 @@
#define PSA_WANT_ALG_ECDSA 1
#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
#define PSA_WANT_ALG_ECDH 1
#define PSA_WANT_ALG_HMAC 1
#define PSA_WANT_ALG_HKDF 1
#define PSA_WANT_ALG_RSA 1
#endif /* PSA_CRYPTO_CONFIG_H */

138
library/psa_crypto.c
View File

@ -491,7 +491,7 @@ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type,
return( PSA_SUCCESS );
}
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
#if defined(MBEDTLS_PK_PARSE_C)
/* Mbed TLS doesn't support non-byte-aligned key sizes (i.e. key sizes
@ -709,7 +709,7 @@ exit:
return( PSA_SUCCESS );
}
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
#if defined(MBEDTLS_ECP_C)
/** Load the contents of a key buffer into an internal ECP representation
@ -1075,12 +1075,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot,
return( psa_import_ecp_key( slot, data, data_length ) );
}
#endif /* defined(MBEDTLS_ECP_C) */
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
return( psa_import_rsa_key( slot, data, data_length ) );
}
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
/* Fell through the fallback as well, so have nothing else to try. */
return( PSA_ERROR_NOT_SUPPORTED );
@ -1426,7 +1426,7 @@ psa_status_t psa_get_key_domain_parameters(
return( PSA_SUCCESS );
}
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
static psa_status_t psa_get_rsa_public_exponent(
const mbedtls_rsa_context *rsa,
psa_key_attributes_t *attributes )
@ -1466,7 +1466,7 @@ exit:
mbedtls_free( buffer );
return( mbedtls_to_psa_error( ret ) );
}
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */
/** Retrieve all the publicly-accessible attributes of a key.
*/
@ -1493,7 +1493,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
switch( slot->attr.type )
{
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
case PSA_KEY_TYPE_RSA_KEY_PAIR:
case PSA_KEY_TYPE_RSA_PUBLIC_KEY:
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
@ -1520,7 +1520,7 @@ psa_status_t psa_get_key_attributes( psa_key_handle_t handle,
mbedtls_free( rsa );
}
break;
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */
default:
/* Nothing else to do. */
break;
@ -1620,7 +1620,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
* so conversion is needed */
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
mbedtls_rsa_context *rsa = NULL;
psa_status_t status = psa_load_rsa_representation(
slot->attr.type,
@ -1643,7 +1643,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot,
#else
/* We don't know how to convert a private RSA key to public. */
return( PSA_ERROR_NOT_SUPPORTED );
#endif
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */
}
else
{
@ -2059,7 +2059,7 @@ static psa_status_t psa_validate_optional_attributes(
if( attributes->domain_parameters_size != 0 )
{
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_rsa_context *rsa = NULL;
@ -2096,7 +2096,7 @@ static psa_status_t psa_validate_optional_attributes(
return( mbedtls_to_psa_error( ret ) );
}
else
#endif
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
@ -2289,7 +2289,7 @@ exit:
/* Message digests */
/****************************************************************/
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
{
switch( alg )
@ -2332,7 +2332,7 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
return( NULL );
}
}
#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
{
@ -2849,7 +2849,7 @@ static const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa(
(int) key_bits, mode ) );
}
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
static size_t psa_get_hash_block_size( psa_algorithm_t alg )
{
switch( alg )
@ -2876,7 +2876,7 @@ static size_t psa_get_hash_block_size( psa_algorithm_t alg )
return( 0 );
}
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */
/* Initialize the MAC operation structure. Once this function has been
* called, psa_mac_abort can run and will do the right thing. */
@ -2901,7 +2901,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
}
else
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
if( PSA_ALG_IS_HMAC( operation->alg ) )
{
/* We'll set up the hash operation later in psa_hmac_setup_internal. */
@ -2909,7 +2909,7 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
status = PSA_SUCCESS;
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
{
if( ! PSA_ALG_IS_MAC( alg ) )
status = PSA_ERROR_INVALID_ARGUMENT;
@ -2920,13 +2920,13 @@ static psa_status_t psa_mac_init( psa_mac_operation_t *operation,
return( status );
}
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
static psa_status_t psa_hmac_abort_internal( psa_hmac_internal_data *hmac )
{
mbedtls_platform_zeroize( hmac->opad, sizeof( hmac->opad ) );
return( psa_hash_abort( &hmac->hash_ctx ) );
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */
psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
{
@ -2945,13 +2945,13 @@ psa_status_t psa_mac_abort( psa_mac_operation_t *operation )
}
else
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
if( PSA_ALG_IS_HMAC( operation->alg ) )
{
psa_hmac_abort_internal( &operation->ctx.hmac );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
{
/* Sanity check (shouldn't happen: operation->alg should
* always have been initialized to a valid value). */
@ -2997,7 +2997,7 @@ static int psa_cmac_setup( psa_mac_operation_t *operation,
}
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
static psa_status_t psa_hmac_setup_internal( psa_hmac_internal_data *hmac,
const uint8_t *key,
size_t key_length,
@ -3059,7 +3059,7 @@ cleanup:
return( status );
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */
static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
psa_key_handle_t handle,
@ -3109,7 +3109,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
}
else
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
if( PSA_ALG_IS_HMAC( full_length_alg ) )
{
psa_algorithm_t hash_alg = PSA_ALG_HMAC_GET_HASH( alg );
@ -3140,7 +3140,7 @@ static psa_status_t psa_mac_setup( psa_mac_operation_t *operation,
hash_alg );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
{
(void) key_bits;
status = PSA_ERROR_NOT_SUPPORTED;
@ -3212,14 +3212,14 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation,
}
else
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
if( PSA_ALG_IS_HMAC( operation->alg ) )
{
status = psa_hash_update( &operation->ctx.hmac.hash_ctx, input,
input_length );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
{
/* This shouldn't happen if `operation` was initialized by
* a setup function. */
@ -3231,7 +3231,7 @@ psa_status_t psa_mac_update( psa_mac_operation_t *operation,
return( status );
}
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC) || defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
static psa_status_t psa_hmac_finish_internal( psa_hmac_internal_data *hmac,
uint8_t *mac,
size_t mac_size )
@ -3269,7 +3269,7 @@ exit:
mbedtls_platform_zeroize( tmp, hash_size );
return( status );
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC || MBEDTLS_PSA_BUILTIN_ALG_HKDF */
static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
uint8_t *mac,
@ -3295,14 +3295,14 @@ static psa_status_t psa_mac_finish_internal( psa_mac_operation_t *operation,
}
else
#endif /* MBEDTLS_CMAC_C */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HMAC)
if( PSA_ALG_IS_HMAC( operation->alg ) )
{
return( psa_hmac_finish_internal( &operation->ctx.hmac,
mac, operation->mac_size ) );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */
{
/* This shouldn't happen if `operation` was initialized by
* a setup function. */
@ -3398,7 +3398,7 @@ cleanup:
/* Asymmetric cryptography */
/****************************************************************/
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
/* Decode the hash algorithm from alg and store the mbedtls encoding in
* md_alg. Verify that the hash length is acceptable. */
static psa_status_t psa_rsa_decode_md_type( psa_algorithm_t alg,
@ -3561,7 +3561,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
return( PSA_ERROR_INVALID_SIGNATURE );
return( mbedtls_to_psa_error( ret ) );
}
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA */
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
/* `ecp` cannot be const because `ecp->grp` needs to be non-const
@ -3705,7 +3705,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
goto exit;
/* If the operation was not supported by any accelerator, try fallback. */
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
mbedtls_rsa_context *rsa = NULL;
@ -3727,7 +3727,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
mbedtls_free( rsa );
}
else
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
@ -3807,7 +3807,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
psa_key_lifetime_is_external( slot->attr.lifetime ) )
return status;
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_rsa_context *rsa = NULL;
@ -3828,7 +3828,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
return( status );
}
else
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
@ -3862,7 +3862,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
}
}
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21)
static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
mbedtls_rsa_context *rsa )
{
@ -3871,7 +3871,7 @@ static void psa_rsa_oaep_set_padding_mode( psa_algorithm_t alg,
mbedtls_md_type_t md_alg = mbedtls_md_get_type( md_info );
mbedtls_rsa_set_padding( rsa, MBEDTLS_RSA_PKCS_V21, md_alg );
}
#endif /* defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_PKCS1_V21) */
psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle,
psa_algorithm_t alg,
@ -3904,7 +3904,7 @@ psa_status_t psa_asymmetric_encrypt( psa_key_handle_t handle,
PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) ) )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) )
{
mbedtls_rsa_context *rsa = NULL;
@ -3963,7 +3963,7 @@ rsa_exit:
return( status );
}
else
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
{
return( PSA_ERROR_NOT_SUPPORTED );
}
@ -3999,7 +3999,7 @@ psa_status_t psa_asymmetric_decrypt( psa_key_handle_t handle,
if( ! PSA_KEY_TYPE_IS_KEY_PAIR( slot->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
#if defined(MBEDTLS_RSA_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA)
if( slot->attr.type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
mbedtls_rsa_context *rsa = NULL;
@ -4058,7 +4058,7 @@ rsa_exit:
return( status );
}
else
#endif /* defined(MBEDTLS_RSA_C) */
#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */
{
return( PSA_ERROR_NOT_SUPPORTED );
}
@ -4949,7 +4949,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation
* nothing to do. */
}
else
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
if( PSA_ALG_IS_HKDF( kdf_alg ) )
{
mbedtls_free( operation->ctx.hkdf.info );
@ -4979,7 +4979,7 @@ psa_status_t psa_key_derivation_abort( psa_key_derivation_operation_t *operation
* mbedtls_platform_zeroize() in the end of this function. */
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
{
status = PSA_ERROR_BAD_STATE;
}
@ -5011,7 +5011,7 @@ psa_status_t psa_key_derivation_set_capacity( psa_key_derivation_operation_t *op
return( PSA_SUCCESS );
}
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
/* Read some bytes from an HKDF-based operation. This performs a chunk
* of the expand phase of the HKDF algorithm. */
static psa_status_t psa_key_derivation_hkdf_read( psa_hkdf_key_derivation_t *hkdf,
@ -5227,7 +5227,7 @@ static psa_status_t psa_key_derivation_tls12_prf_read(
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
psa_status_t psa_key_derivation_output_bytes(
psa_key_derivation_operation_t *operation,
@ -5235,7 +5235,9 @@ psa_status_t psa_key_derivation_output_bytes(
size_t output_length )
{
psa_status_t status;
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
#endif
if( operation->alg == 0 )
{
@ -5263,7 +5265,7 @@ psa_status_t psa_key_derivation_output_bytes(
}
operation->capacity -= output_length;
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
if( PSA_ALG_IS_HKDF( kdf_alg ) )
{
psa_algorithm_t hash_alg = PSA_ALG_HKDF_GET_HASH( kdf_alg );
@ -5279,7 +5281,7 @@ psa_status_t psa_key_derivation_output_bytes(
output_length );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
{
return( PSA_ERROR_BAD_STATE );
}
@ -5393,12 +5395,15 @@ static psa_status_t psa_key_derivation_setup_kdf(
psa_key_derivation_operation_t *operation,
psa_algorithm_t kdf_alg )
{
#if !defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
(void)kdf_alg;
#endif
/* Make sure that operation->ctx is properly zero-initialised. (Macro
* initialisers for this union leave some bytes unspecified.) */
memset( &operation->ctx, 0, sizeof( operation->ctx ) );
/* Make sure that kdf_alg is a supported key derivation algorithm. */
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
if( PSA_ALG_IS_HKDF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PRF( kdf_alg ) ||
PSA_ALG_IS_TLS12_PSK_TO_MS( kdf_alg ) )
@ -5416,8 +5421,8 @@ static psa_status_t psa_key_derivation_setup_kdf(
operation->capacity = 255 * hash_size;
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_MD_C */
else
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
return( PSA_ERROR_NOT_SUPPORTED );
}
@ -5448,7 +5453,7 @@ psa_status_t psa_key_derivation_setup( psa_key_derivation_operation_t *operation
return( status );
}
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
static psa_status_t psa_hkdf_input( psa_hkdf_key_derivation_t *hkdf,
psa_algorithm_t hash_alg,
psa_key_derivation_step_t step,
@ -5645,7 +5650,7 @@ static psa_status_t psa_tls12_prf_psk_to_ms_input(
return( psa_tls12_prf_input( prf, hash_alg, step, data, data_length ) );
}
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
/** Check whether the given key type is acceptable for the given
* input step of a key derivation.
@ -5689,13 +5694,18 @@ static psa_status_t psa_key_derivation_input_internal(
size_t data_length )
{
psa_status_t status;
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
psa_algorithm_t kdf_alg = psa_key_derivation_get_kdf_alg( operation );
#else
(void)data;
(void)data_length;
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
status = psa_key_derivation_check_input_type( step, key_type );
if( status != PSA_SUCCESS )
goto exit;
#if defined(MBEDTLS_MD_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF)
if( PSA_ALG_IS_HKDF( kdf_alg ) )
{
status = psa_hkdf_input( &operation->ctx.hkdf,
@ -5715,7 +5725,7 @@ static psa_status_t psa_key_derivation_input_internal(
step, data, data_length );
}
else
#endif /* MBEDTLS_MD_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF */
{
/* This can't happen unless the operation object was not initialized */
return( PSA_ERROR_BAD_STATE );
@ -5772,7 +5782,7 @@ psa_status_t psa_key_derivation_input_key(
/* Key agreement */
/****************************************************************/
#if defined(MBEDTLS_ECDH_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key,
size_t peer_key_length,
const mbedtls_ecp_keypair *our_key,
@ -5823,7 +5833,7 @@ exit:
return( status );
}
#endif /* MBEDTLS_ECDH_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
#define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES
@ -5837,7 +5847,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
{
switch( alg )
{
#if defined(MBEDTLS_ECDH_C)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH)
case PSA_ALG_ECDH:
if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) )
return( PSA_ERROR_INVALID_ARGUMENT );
@ -5856,7 +5866,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg,
mbedtls_ecp_keypair_free( ecp );
mbedtls_free( ecp );
return( status );
#endif /* MBEDTLS_ECDH_C */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */
default:
(void) private_key;
(void) peer_key;
@ -6020,7 +6030,7 @@ psa_status_t mbedtls_psa_inject_entropy( const uint8_t *seed,
}
#endif /* MBEDTLS_PSA_INJECT_ENTROPY */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME)
static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
size_t domain_parameters_size,
int *exponent )
@ -6046,7 +6056,7 @@ static psa_status_t psa_read_rsa_exponent( const uint8_t *domain_parameters,
*exponent = acc;
return( PSA_SUCCESS );
}
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */
static psa_status_t psa_generate_key_internal(
psa_key_slot_t *slot, size_t bits,
@ -6084,7 +6094,7 @@ static psa_status_t psa_generate_key_internal(
}
else
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
#if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) && defined(MBEDTLS_GENPRIME)
if ( type == PSA_KEY_TYPE_RSA_KEY_PAIR )
{
mbedtls_rsa_context rsa;
@ -6132,7 +6142,7 @@ static psa_status_t psa_generate_key_internal(
return( status );
}
else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_ECP_C)
if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) )

57
tests/scripts/all.sh
View File

@ -1335,6 +1335,63 @@ component_build_psa_want_ecdsa_disabled_software() {
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
# This should be renamed to test and updated once the accelerator ECDH code is in place and ready to test.
component_build_psa_want_ecdh_disabled_software() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDH
# without MBEDTLS_ECDH_C
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
component_build_psa_want_hmac_disabled_software() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
component_build_psa_want_hkdf_disabled_software() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HKDF
# without MBEDTLS_HKDF_C
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_HKDF_C
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
component_build_psa_want_rsa_disabled_software() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_RSA
msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
}
component_test_check_params_functionality () {
msg "build+test: MBEDTLS_CHECK_PARAMS functionality"
scripts/config.py full # includes CHECK_PARAMS