From 6e33dbe9fd05087f243c2dedd24261ee2ca6baa3 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 17 Sep 2020 21:15:13 -0700 Subject: [PATCH 01/24] Created infrastructure for MBEDTLS_PSA_CRYPTO_CONFIG In order to prepare for PSA cryptographic mechanism for conditional inclusion of various modules, there needs to be some updates to the mbedtls configuration to enable that feature to work. This initial set of changes just lays the ground work and future changes will implement the functional features. Signed-off-by: John Durkop --- include/mbedtls/config.h | 18 +++++++++++++++++ include/mbedtls/config_psa.h | 39 ++++++++++++++++++++++++++++++++++++ include/psa/crypto_config.h | 37 ++++++++++++++++++++++++++++++++++ 3 files changed, 94 insertions(+) create mode 100644 include/mbedtls/config_psa.h create mode 100644 include/psa/crypto_config.h diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index b77b34b6b..cb84c865d 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2019,6 +2019,15 @@ */ //#define MBEDTLS_USE_PSA_CRYPTO +/** + * \def MBEDTLS_PSA_CRYPTO_CONFIG + * + * This setting should be used to allow for conditional inclusion of PSA features. + * + * Uncomment this to enable use of PSA Crypto configuration settings. + */ +//#define MBEDTLS_PSA_CRYPTO_CONFIG + /** * \def MBEDTLS_VERSION_FEATURES * @@ -3811,6 +3820,15 @@ #include MBEDTLS_USER_CONFIG_FILE #endif +/** + * \name SECTION: PSA Crypto settings + * + */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +#include "mbedtls/config_psa.h" +#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ + + #include "mbedtls/check_config.h" #endif /* MBEDTLS_CONFIG_H */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h new file mode 100644 index 000000000..dde12b82c --- /dev/null +++ b/include/mbedtls/config_psa.h @@ -0,0 +1,39 @@ +/** + * \file mbedtls/config_psa.h + * \brief PSA crypto configuration options (set of defines) + * + * This set of compile-time options may be used to enable + * or disable PSA crypto features selectively. This will aid + * in reducing the size of the library by removing unused code. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef MBEDTLS_CONFIG_PSA_H +#define MBEDTLS_CONFIG_PSA_H + +#include "psa/crypto_config.h" + +#ifdef __cplusplus +extern "C" { +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* MBEDTLS_CONFIG_PSA_H */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h new file mode 100644 index 000000000..fa83f9a11 --- /dev/null +++ b/include/psa/crypto_config.h @@ -0,0 +1,37 @@ +/** + * \file psa/crypto_config.h + * \brief PSA crypto configuration options (set of defines) + * + * This set of compile-time options may be used to enable + * or disable PSA crypto features selectively. This will aid + * in reducing the size of the library by removing unused code. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#ifdef __cplusplus +extern "C" { +#endif + +#ifdef __cplusplus +} +#endif + +#endif /* PSA_CRYPTO_CONFIG_H */ From 7758c858ae4f497a5d83f2dc8af5e7a4429d7e57 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 17 Sep 2020 23:13:42 -0700 Subject: [PATCH 02/24] Update requires for MBEDTLS_PSA_CRYPTO_DRIVERS In order to test various PSA crypto settings the Requires section needed updating to require MBEDTLS_PSA_CRYPTO_C or MBEDTLS_PSA_CRYPTO_CONFIG. Signed-off-by: John Durkop --- include/mbedtls/config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index cb84c865d..4e2185d00 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1330,7 +1330,7 @@ * * Enable support for the experimental PSA crypto driver interface. * - * Requires: MBEDTLS_PSA_CRYPTO_C. + * Requires: MBEDTLS_PSA_CRYPTO_C or MBEDTLS_PSA_CRYPTO_CONFIG * * \warning This interface is experimental and may change or be removed * without notice. From d8959390c522ff06843fb9f0401fa42b06309486 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Sun, 20 Sep 2020 23:09:17 -0700 Subject: [PATCH 03/24] Add ECDSA support to PSA crypto configuration Initial changes to PSA crypto core to support configuration of ECDSA algorithm using PSA crypto configuration mechanism. Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have been changed to be based off PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to confirm new settings are working properly. Current code does not pass the tests since built in signature verification is not in place. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 17 +++++++++++++++++ library/psa_crypto.c | 20 ++++++++++---------- tests/scripts/all.sh | 34 ++++++++++++++++++++++++++++++++++ 3 files changed, 61 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index dde12b82c..376834a22 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -32,6 +32,23 @@ extern "C" { #endif +//#define PSA_WANT_ALG_ECDSA +//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA +//#define PSA_WANT_ALG_ECDSA_DETERMINISTIC +//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC + +#if defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA +#else /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/ +#define MBEDTLS_ECDSA_C +#endif /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/ + +#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) +#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA +#else /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ +#define MBEDTLS_ECDSA_DETERMINISTIC +#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ + #ifdef __cplusplus } #endif diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 931e2e915..fa3cea382 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2256,7 +2256,7 @@ exit: /* Message digests */ /****************************************************************/ -#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC) +#if defined(MBEDTLS_RSA_C) || defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) { switch( alg ) @@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, } #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_ECDSA_C) +#if defined(PSA_WANT_ALG_ECDSA) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ @@ -3554,7 +3554,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp, goto cleanup; } -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) +#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) ) { psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); @@ -3567,7 +3567,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp, &global_data.ctr_drbg ) ); } else -#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ +#endif /* PSA_WANT_ALG_ECDSA_DETERMINISTIC */ { (void) alg; MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d, @@ -3629,7 +3629,7 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* MBEDTLS_ECDSA_C */ +#endif /* PSA_WANT_ALG_ECDSA */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3698,9 +3698,9 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_ECDSA_C) +#if defined(PSA_WANT_ALG_ECDSA) if( -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) +#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) PSA_ALG_IS_ECDSA( alg ) #else PSA_ALG_IS_RANDOMIZED_ECDSA( alg ) @@ -3723,7 +3723,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( ecp ); } else -#endif /* defined(MBEDTLS_ECDSA_C) */ +#endif /* defined(PSA_WANT_ALG_ECDSA) */ { status = PSA_ERROR_INVALID_ARGUMENT; } @@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_ECDSA_C) +#if defined(PSA_WANT_ALG_ECDSA) if( PSA_ALG_IS_ECDSA( alg ) ) { mbedtls_ecp_keypair *ecp = NULL; @@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_ECDSA_C) */ +#endif /* defined(PSA_WANT_ALG_ECDSA) */ { return( PSA_ERROR_INVALID_ARGUMENT ); } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 578d03e3e..f07933403 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1290,6 +1290,40 @@ component_test_no_use_psa_crypto_full_cmake_asan() { if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' } +component_test_psa_crypto_config_basic() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS, + # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO + msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG MBEDTLS_PSA_CRYPTO_DRIVERS" + msg "build: minus MBEDTLS_USE_PSA_CRYPTO" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + + msg "test: psa crypto config basic" + make test +} + +component_test_psa_crypto_config_want_ecdsa() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS, + # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO + msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS," + msg "build: PSA_CRYPTO_DRIVER_TEST, MBEDTLS_PSA_ACCEL_ALG_ECDSA," + msg "build: PSA_WANT_ALG_ECDSA minus MBEDTLS_USE_PSA_CRYPTO" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_ECDSA_C + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_WANT_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + + msg "test: psa crypto config want ECDSA" + make test +} + component_test_check_params_functionality () { msg "build+test: MBEDTLS_CHECK_PARAMS functionality" scripts/config.py full # includes CHECK_PARAMS From 2dfaf9ca23f6c36a3d6824e5572f04a2c75c4288 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 24 Sep 2020 04:30:10 -0700 Subject: [PATCH 04/24] Update how MBEDTLS_PSA_CRYPTO_CONFIG is handled Originally, MBEDTLS_PSA_CRYPTO_CONFIG was being used to allow inclusion of mbedlts/config_psa.h, but that needed to be updated so that mbedtls/config_psa.h is always included and the definitions specific to PSA configuration are now guarded by MBEDTLS_PSA_CRYPTO_CONFIG. This will allow for the standard setup to continue working while new PSA configuration items to also work. Signed-off-by: John Durkop --- include/mbedtls/config.h | 3 --- include/mbedtls/config_psa.h | 23 +++++++++++++---------- include/psa/crypto_config.h | 7 +++++++ 3 files changed, 20 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 4e2185d00..902d0cbe8 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -3824,10 +3824,7 @@ * \name SECTION: PSA Crypto settings * */ -#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #include "mbedtls/config_psa.h" -#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ - #include "mbedtls/check_config.h" diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 376834a22..528e21503 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -32,22 +32,25 @@ extern "C" { #endif -//#define PSA_WANT_ALG_ECDSA -//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA -//#define PSA_WANT_ALG_ECDSA_DETERMINISTIC -//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) -#if defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) +#if defined(PSA_WANT_ALG_ECDSA) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA -#else /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/ +#else /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) */ #define MBEDTLS_ECDSA_C -#endif /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/ +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) */ +#endif /* defined(PSA_WANT_ALG_ECDSA) */ -#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) +#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA -#else /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ +#else /* && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ #define MBEDTLS_ECDSA_DETERMINISTIC -#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ +#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ +#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) */ + +#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus } diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index fa83f9a11..8e2f40ed8 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -30,6 +30,13 @@ extern "C" { #endif +#define PSA_WANT_ALG_ECDSA + +#define PSA_WANT_ALG_ECDSA_DETERMINISTIC + +//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA +//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC + #ifdef __cplusplus } #endif From 2542c21ba8984ce69c86c413a5c365e3a9d0dae1 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 24 Sep 2020 21:06:35 -0700 Subject: [PATCH 05/24] Add MBEDTLS_PSA_CRYPTO_CONFIG to test program Since the recent changes required the addition of a new definition in mbedtls/config.h, we also need to update query_config.c to account for the new MBEDTLS_PSA_CRYPTO_CONFIG setting. Signed-off-by: John Durkop --- programs/test/query_config.c | 8 ++++++++ 1 file changed, 8 insertions(+) diff --git a/programs/test/query_config.c b/programs/test/query_config.c index 887373434..c35502fa4 100644 --- a/programs/test/query_config.c +++ b/programs/test/query_config.c @@ -1592,6 +1592,14 @@ int query_config( const char *config ) } #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) + if( strcmp( "MBEDTLS_PSA_CRYPTO_CONFIG", config ) == 0 ) + { + MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_CONFIG ); + return( 0 ); + } +#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ + #if defined(MBEDTLS_VERSION_FEATURES) if( strcmp( "MBEDTLS_VERSION_FEATURES", config ) == 0 ) { From 39e09672a3c33ea0339e9fcfb83e735a774fdcaf Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 24 Sep 2020 21:09:25 -0700 Subject: [PATCH 06/24] Update version_features for new PSA crypto config The version features library needed updating to support the new MBEDTLS_PSA_CRYPTO_CONFIG definition. Signed-off-by: John Durkop --- library/version_features.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/version_features.c b/library/version_features.c index 478d8fa25..62b05537c 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -576,6 +576,9 @@ static const char * const features[] = { #if defined(MBEDTLS_USE_PSA_CRYPTO) "MBEDTLS_USE_PSA_CRYPTO", #endif /* MBEDTLS_USE_PSA_CRYPTO */ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) + "MBEDTLS_PSA_CRYPTO_CONFIG", +#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #if defined(MBEDTLS_VERSION_FEATURES) "MBEDTLS_VERSION_FEATURES", #endif /* MBEDTLS_VERSION_FEATURES */ From 736eb1de47c112547275ef1ea093461d755645e2 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Thu, 24 Sep 2020 21:11:10 -0700 Subject: [PATCH 07/24] Update to VS project file for PSA crypto config The new header files to support PSA crypto config needed to be added to the VS project file. Signed-off-by: John Durkop --- visualc/VS2010/mbedTLS.vcxproj | 2 ++ 1 file changed, 2 insertions(+) diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj index b243b73ae..0eaa80824 100644 --- a/visualc/VS2010/mbedTLS.vcxproj +++ b/visualc/VS2010/mbedTLS.vcxproj @@ -162,6 +162,7 @@ + @@ -223,6 +224,7 @@ + From 714e3a131815f0d4c15f7408c838ca93fb063c53 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Tue, 29 Sep 2020 22:07:04 -0700 Subject: [PATCH 08/24] Minor cleanup to fix errors with some unit tests With the new feature MBEDTLS_PSA_CRYPTO_CONFIG, needed to add support that when the feature is disabled, if there are defines like MBEDTLS_ECDSA_C defined, then the PSA_WANT_ equivalent define is also enabled. This ensures the guards in the library psa_crypto will work properly. Also fixed an error return code in the driver wrapper for cipher encrypt setup so it will properly pass unit tests. Ensured config.py full works properly with the new MBEDTLS_PSA_CRYPTO_CONFIG, it should not be set when the full option is used. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 18 +++++++++++++++++- library/psa_crypto_driver_wrappers.c | 2 +- scripts/config.py | 1 + 3 files changed, 19 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 528e21503..8b32378ef 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -26,7 +26,9 @@ #ifndef MBEDTLS_CONFIG_PSA_H #define MBEDTLS_CONFIG_PSA_H +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #include "psa/crypto_config.h" +#endif /* defined(MBEDTLS_PSAY_CRYPTO_CONFIG) */ #ifdef __cplusplus extern "C" { @@ -42,7 +44,7 @@ extern "C" { #endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) */ #endif /* defined(PSA_WANT_ALG_ECDSA) */ -#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) +#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA #else /* && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ @@ -50,6 +52,20 @@ extern "C" { #endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ #endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) */ +#else /* MBEDTLS_PSA_CRYPTO_CONFIG */ + +/* + * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG + * is not defined + */ +#ifdef MBEDTLS_ECDSA_C +#define PSA_WANT_ALG_ECDSA +#endif /* MBEDTLS_ECDSA_C */ + +#ifdef MBEDTLS_ECDSA_DETERMINISTIC +#define PSA_WANT_ALG_ECDSA_DETERMINISTIC +#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index d41209bbf..140bab626 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -583,7 +583,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( #endif /* PSA_CRYPTO_DRIVER_TEST */ default: /* Key is declared with a lifetime not known to us */ - return( PSA_ERROR_BAD_STATE ); + return( PSA_ERROR_NOT_SUPPORTED ); } #else /* PSA_CRYPTO_DRIVER_PRESENT */ (void)slot; diff --git a/scripts/config.py b/scripts/config.py index 017bba0aa..bb3fa1b4a 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -184,6 +184,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper) 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature + 'MBEDTLS_PSA_CRYPTO_CONFIG', # used to switch between old/new style config 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM) 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions) 'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature From 76228acfb9f38cae4faec76768b95d3d041c57f4 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Tue, 29 Sep 2020 22:33:49 -0700 Subject: [PATCH 09/24] Fix typo in define in comment This fixes error in check-names.sh test. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 8b32378ef..8e76372eb 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -28,7 +28,7 @@ #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) #include "psa/crypto_config.h" -#endif /* defined(MBEDTLS_PSAY_CRYPTO_CONFIG) */ +#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */ #ifdef __cplusplus extern "C" { From 814dca7069138a38b4cf1066820d9ca69d5ef18d Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 5 Oct 2020 06:31:12 -0700 Subject: [PATCH 10/24] Fix unit tests when MBEDTLS_PSA_CRYPTO_CONFIG is enabled This change fixes the decrypt cipher setup function to return the appropriate error code of PSA_ERROR_NOT_SUPPORTED instead of PSA_ERROR_BAD_STATE for invalid locations when the setup call is made. Signed-off-by: John Durkop --- library/psa_crypto_driver_wrappers.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 140bab626..dedbf54bf 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -664,7 +664,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( #endif /* PSA_CRYPTO_DRIVER_TEST */ default: /* Key is declared with a lifetime not known to us */ - return( PSA_ERROR_BAD_STATE ); + return( PSA_ERROR_NOT_SUPPORTED ); } #else /* PSA_CRYPTO_DRIVER_PRESENT */ (void)slot; From 816e0438058d30ab960e12cd344382a60ed4565e Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 5 Oct 2020 21:18:06 -0700 Subject: [PATCH 11/24] Update how test sets PSA_WANT_ALG_* With the introduction of new tests for PSA crypto config features the test needs to now be able to set and unset values from the psa/crypto_config.h file. This change updates from passing the defines as a build arguement to modifying the header files using config.py. Signed-off-by: John Durkop --- tests/scripts/all.sh | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f07933403..814c87f58 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1317,8 +1317,10 @@ component_test_psa_crypto_config_want_ecdsa() { scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA_DETERMINISTIC # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_WANT_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" msg "test: psa crypto config want ECDSA" make test From 185764f5f4d352bf9b0f9dccc10b47be88aadfd4 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 12 Oct 2020 21:32:12 -0700 Subject: [PATCH 12/24] Enhance description for MBEDTLS_PSA_CRYPTO_CONFIG Provided detailed description for MBEDTLS_PSA_CRYPTO_CONFIG so that it is more clear to the user when the feature should be enabled or disabled. It also mentions where to look for PSA crypto config settings; include/psa/crypto_config.h. Removed some other related comments that were not necessary. Signed-off-by: John Durkop --- include/mbedtls/config.h | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 902d0cbe8..6fbaeed0c 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -1330,7 +1330,7 @@ * * Enable support for the experimental PSA crypto driver interface. * - * Requires: MBEDTLS_PSA_CRYPTO_C or MBEDTLS_PSA_CRYPTO_CONFIG + * Requires: MBEDTLS_PSA_CRYPTO_C * * \warning This interface is experimental and may change or be removed * without notice. @@ -2022,9 +2022,14 @@ /** * \def MBEDTLS_PSA_CRYPTO_CONFIG * - * This setting should be used to allow for conditional inclusion of PSA features. + * This setting allows support for cryptographic mechanisms through the PSA + * API to be configured separately from support through the mbedtls API. * - * Uncomment this to enable use of PSA Crypto configuration settings. + * Uncomment this to enable use of PSA Crypto configuration settings which + * can be found in include/psa/crypto_config.h + * + * This feature is still experimental and is not ready for production since + * it is not completed. */ //#define MBEDTLS_PSA_CRYPTO_CONFIG @@ -3820,10 +3825,6 @@ #include MBEDTLS_USER_CONFIG_FILE #endif -/** - * \name SECTION: PSA Crypto settings - * - */ #include "mbedtls/config_psa.h" #include "mbedtls/check_config.h" From 348188229acdbb7297e021d8f6371200b77ed0df Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 12 Oct 2020 21:36:22 -0700 Subject: [PATCH 13/24] Correct inclusion of MBEDTLS_XXX based on PSA_WANT_XXX Provied a more detailed description for the config_psa.h header file. This new description makes it clear that the file should not be edited by users or integrators. Relevant changes should be made to psa/crypto_config.h instead. Fixed the logic for the inclusion of MBEDTLS_PSA_BUILTIN_XXX to be set when PSA_WANT_ALG_XXX and MBEDTLS_PSA_ACCEL_ALG_XXX is not defined, otherwise the MBEDTLS_XXX should be set. Ensure that MBEDTLS_PSA_BUILTIN_XXX is set to 1 and not simply defined per specification. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 28 +++++++++++++++------------- 1 file changed, 15 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 8e76372eb..02bdfb1b0 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -2,9 +2,13 @@ * \file mbedtls/config_psa.h * \brief PSA crypto configuration options (set of defines) * - * This set of compile-time options may be used to enable - * or disable PSA crypto features selectively. This will aid - * in reducing the size of the library by removing unused code. + * This set of compile-time options takes settings defined in + * include/mbedtls/config.h and include/psa/crypto_config.h and uses + * those definitions to define symbols used in the library code. + * + * Users and integrators should not edit this file, please edit + * include/mbedtls/config.h for MBETLS_XXX settings or + * include/psa/crypto_config.h for PSA_WANT_XXX settings. */ /* * Copyright The Mbed TLS Contributors @@ -38,19 +42,17 @@ extern "C" { #if defined(PSA_WANT_ALG_ECDSA) #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA -#else /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) */ +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1 #define MBEDTLS_ECDSA_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) */ -#endif /* defined(PSA_WANT_ALG_ECDSA) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */ +#endif /* PSA_WANT_ALG_ECDSA */ #if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) -#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA -#else /* && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ +#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 #define MBEDTLS_ECDSA_DETERMINISTIC -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */ -#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) */ +#endif /* MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC */ +#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ @@ -58,11 +60,11 @@ extern "C" { * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG * is not defined */ -#ifdef MBEDTLS_ECDSA_C +#if defined(MBEDTLS_ECDSA_C) #define PSA_WANT_ALG_ECDSA #endif /* MBEDTLS_ECDSA_C */ -#ifdef MBEDTLS_ECDSA_DETERMINISTIC +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) #define PSA_WANT_ALG_ECDSA_DETERMINISTIC #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ From c7c03b7d173b416e1d20157776e65b935eaa52a2 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 12 Oct 2020 21:42:03 -0700 Subject: [PATCH 14/24] Enhanced documentation for crypto_config.h Provided more detailed documentation for crypto_config.h file so it is clear to users can enable cryptographic mechanisms using PSA_WANT_XXX. If MBEDTLS_PSA_CRYPTO_CONFIG is not set the settings in this file are not used. Ensure that defines used in this file are set to 1 and not simply defined per the specification. Also removed the __cplusplus guards since they are not needed for this file. Signed-off-by: John Durkop --- include/psa/crypto_config.h | 46 +++++++++++++++++++++++-------------- 1 file changed, 29 insertions(+), 17 deletions(-) diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 8e2f40ed8..808c68a57 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -2,10 +2,34 @@ * \file psa/crypto_config.h * \brief PSA crypto configuration options (set of defines) * - * This set of compile-time options may be used to enable - * or disable PSA crypto features selectively. This will aid - * in reducing the size of the library by removing unused code. +*/ +#if defined(MBEDTLS_PSA_CRYPTO_CONFIG) +/** + * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in config.h, + * this file determines which cryptographic mechanisms are enabled + * through the PSA Cryptography API (\c psa_xxx() functions). + * + * To enable a cryptographic mechanism, uncomment the definition of + * the corresponding \c PSA_WANT_xxx preprocessor symbol. + * To disable a cryptographic mechanism, comment out the definition of + * the corresponding \c PSA_WANT_xxx preprocessor symbol. + * The names of cryptographic mechanisms correspond to values + * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead + * of \c PSA_. + * + * Note that many cryptographic mechanisms involve two symbols: one for + * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm + * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve + * additional symbols. */ +#else +/** + * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in config.h, + * this file is not used, and cryptographic mechanisms are supported + * through the PSA API if and only if they are supported through the + * mbedtls_xxx API. + */ +#endif /* * Copyright The Mbed TLS Contributors * SPDX-License-Identifier: Apache-2.0 @@ -26,19 +50,7 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -#ifdef __cplusplus -extern "C" { -#endif - -#define PSA_WANT_ALG_ECDSA - -#define PSA_WANT_ALG_ECDSA_DETERMINISTIC - -//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA -//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC - -#ifdef __cplusplus -} -#endif +#define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_ECDSA_DETERMINISTIC 1 #endif /* PSA_CRYPTO_CONFIG_H */ From dd544e1463fd1f5daab3e02629eb739d88ccd469 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 12 Oct 2020 21:47:19 -0700 Subject: [PATCH 15/24] Fixed comments and test message output for new PSA tests Provided a clearer comment for the description for ignoring MBEDTLS_PSA_CRYPTO_CONFIG for full build setting. Updated message output for test_psa_crypto_config_basic and test_psa_want_ecdsa_disabled_software so it is more clear and concise in what the test is doing. Removed inclusion of the MBEDTLS_PSA_ACCEL_ALG_ECDSA since it should not have been used for that particular tests. Signed-off-by: John Durkop --- scripts/config.py | 2 +- tests/scripts/all.sh | 18 +++++++----------- 2 files changed, 8 insertions(+), 12 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index bb3fa1b4a..6c299818f 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -184,7 +184,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper) 'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature - 'MBEDTLS_PSA_CRYPTO_CONFIG', # used to switch between old/new style config + 'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config 'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM) 'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions) 'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 814c87f58..fe50134cc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1291,10 +1291,8 @@ component_test_no_use_psa_crypto_full_cmake_asan() { } component_test_psa_crypto_config_basic() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS, - # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO - msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG MBEDTLS_PSA_CRYPTO_DRIVERS" - msg "build: minus MBEDTLS_USE_PSA_CRYPTO" + # full plus MBEDTLS_PSA_CRYPTO_CONFIG + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -1306,12 +1304,10 @@ component_test_psa_crypto_config_basic() { make test } -component_test_psa_crypto_config_want_ecdsa() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS, - # and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO - msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS," - msg "build: PSA_CRYPTO_DRIVER_TEST, MBEDTLS_PSA_ACCEL_ALG_ECDSA," - msg "build: PSA_WANT_ALG_ECDSA minus MBEDTLS_USE_PSA_CRYPTO" +component_test_psa_want_ecdsa_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA + # without MBEDTLS_ECDSA_C + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS @@ -1320,7 +1316,7 @@ component_test_psa_crypto_config_want_ecdsa() { scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA_DETERMINISTIC # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" msg "test: psa crypto config want ECDSA" make test From 7b453130e26d1579b93c254a986216c90c216c52 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 12 Oct 2020 21:56:26 -0700 Subject: [PATCH 16/24] Updates to fix check-names and all.sh tests after review Need to make sure the new MBEDTLS_PSA_ACCEL_XXX defines are not checked since they should be defined by the PSA driver. Updated the list-macros.sh script to modify the instances of those found to match the corresponding MBEDTLS_PSA_BUILTIN_XXX that are defined in config_psa.h Fixed definition of MBEDTLS_PSA_BUILTIN_ALG_ECDSA_DETERMINISTIC, name was incorrect. Also fixed a missing space in the comments of crypto_config.h Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 2 +- include/psa/crypto_config.h | 2 +- tests/scripts/list-macros.sh | 6 ++++++ 3 files changed, 8 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 02bdfb1b0..87c092a17 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -49,7 +49,7 @@ extern "C" { #if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) -#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA_DETERMINISTIC 1 #define MBEDTLS_ECDSA_DETERMINISTIC #endif /* MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC */ #endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 808c68a57..28702ebfa 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -2,7 +2,7 @@ * \file psa/crypto_config.h * \brief PSA crypto configuration options (set of defines) * -*/ + */ #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) /** * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in config.h, diff --git a/tests/scripts/list-macros.sh b/tests/scripts/list-macros.sh index 15d2590c1..a8617a083 100755 --- a/tests/scripts/list-macros.sh +++ b/tests/scripts/list-macros.sh @@ -30,4 +30,10 @@ sed -n -e 's/.*#define \([a-zA-Z0-9_]*\).*/\1/p' $HEADERS \ | egrep -v '^(asm|inline|EMIT|_CRT_SECURE_NO_DEPRECATE)$|^MULADDC_' \ | sort -u > macros +# For include/mbedtls/config_psa.h need to ignore the MBEDTLS_xxx define +# in that file since they may not be defined in include/psa/crypto_config.h +# This line renames the potentially missing defines to ones that should +# be present. +sed -ne 's/^MBEDTLS_PSA_BUILTIN_/MBEDTLS_PSA_ACCEL_/p' >macros + wc -l macros From 0ea39e0ee49267df3f6dfcf412e2a4c97c85e98b Mon Sep 17 00:00:00 2001 From: John Durkop Date: Tue, 13 Oct 2020 19:58:20 -0700 Subject: [PATCH 17/24] Correct use of MBEDTLS_PSA_BUILTIN_ALG_xxx in crypto library The psa crypto library was generically using PSA_WANT_ALG_xxx, but should have been using the correct MBEDTLS_PSA_BUILTIN_ALG_xxx definition since that code is the builtin version. There were also a couple of spots that needed to ensure the code block was enabled for either ECDSA or DETERMINISTIC_ECDSA, not just one of them. Fixed all the new ALG_ECDSA_DETERMINISTIC names to be ALG_DETERMINISTIC_ECDSA instead. Fixed test to use correct definitions. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 12 ++++++------ include/psa/crypto_config.h | 4 ++-- library/psa_crypto.c | 22 +++++++++++----------- tests/scripts/all.sh | 2 +- 4 files changed, 20 insertions(+), 20 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 87c092a17..9a1a1efba 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -47,11 +47,11 @@ extern "C" { #endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */ #endif /* PSA_WANT_ALG_ECDSA */ -#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) -#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) -#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA_DETERMINISTIC 1 +#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) +#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 #define MBEDTLS_ECDSA_DETERMINISTIC -#endif /* MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC */ +#endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */ #endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ @@ -61,11 +61,11 @@ extern "C" { * is not defined */ #if defined(MBEDTLS_ECDSA_C) -#define PSA_WANT_ALG_ECDSA +#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA #endif /* MBEDTLS_ECDSA_C */ #if defined(MBEDTLS_ECDSA_DETERMINISTIC) -#define PSA_WANT_ALG_ECDSA_DETERMINISTIC +#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 28702ebfa..8dbb18d50 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -50,7 +50,7 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -#define PSA_WANT_ALG_ECDSA 1 -#define PSA_WANT_ALG_ECDSA_DETERMINISTIC 1 +#define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/library/psa_crypto.c b/library/psa_crypto.c index fa3cea382..a73c6c7bc 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -2256,7 +2256,7 @@ exit: /* Message digests */ /****************************************************************/ -#if defined(MBEDTLS_RSA_C) || defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) +#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) { switch( alg ) @@ -2299,7 +2299,7 @@ static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) return( NULL ); } } -#endif +#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ psa_status_t psa_hash_abort( psa_hash_operation_t *operation ) { @@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, } #endif /* MBEDTLS_RSA_C */ -#if defined(PSA_WANT_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ @@ -3554,7 +3554,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp, goto cleanup; } -#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) ) { psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); @@ -3567,7 +3567,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp, &global_data.ctr_drbg ) ); } else -#endif /* PSA_WANT_ALG_ECDSA_DETERMINISTIC */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ { (void) alg; MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d, @@ -3629,7 +3629,7 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* PSA_WANT_ALG_ECDSA */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3698,9 +3698,9 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(PSA_WANT_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) if( -#if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) PSA_ALG_IS_ECDSA( alg ) #else PSA_ALG_IS_RANDOMIZED_ECDSA( alg ) @@ -3723,7 +3723,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, mbedtls_free( ecp ); } else -#endif /* defined(PSA_WANT_ALG_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ { status = PSA_ERROR_INVALID_ARGUMENT; } @@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(PSA_WANT_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) if( PSA_ALG_IS_ECDSA( alg ) ) { mbedtls_ecp_keypair *ecp = NULL; @@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(PSA_WANT_ALG_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ { return( PSA_ERROR_INVALID_ARGUMENT ); } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index fe50134cc..d42c6816b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1314,7 +1314,7 @@ component_test_psa_want_ecdsa_disabled_software() { scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA_DETERMINISTIC + scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_DETERMINISTIC_ECDSA # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" From 28baa1f141c21d9a700e4e79d7df7571c5ccb5bf Mon Sep 17 00:00:00 2001 From: John Durkop Date: Fri, 23 Oct 2020 00:51:52 -0700 Subject: [PATCH 18/24] Fixed test_psa_want_ecdsa_disabled_software to use proper macros Updated the test_psa_want_ecdsa_disabled_software to enable and disable the correct macros to accomplish the desired test. The previous version left out the disabling of additional macros to ensure items related to MBEDTLS_ECDSA_C were also unset. The test was also missing the setting of the accelerators MBEDTLS_PSA_ACCEL_ALG_ECDSA and DETERMINISTIC_ECDSA. With the accelerators enabled the test portion had to be temporarily disabled until the accelerator code is completed so the test will work properly. Updated the signature driver source to fix a compiler warning when MBEDTLS_ECDSA_C is unset. Signed-off-by: John Durkop --- tests/scripts/all.sh | 13 ++++++++----- tests/src/drivers/signature.c | 2 ++ 2 files changed, 10 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d42c6816b..1ac97b641 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1307,19 +1307,22 @@ component_test_psa_crypto_config_basic() { component_test_psa_want_ecdsa_disabled_software() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA # without MBEDTLS_ECDSA_C + # PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA are already + # set in include/psa/crypto_config.h msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_ECDSA - scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" - msg "test: psa crypto config want ECDSA" - make test + # This should be added back in once the accelerator ECDSA code is in place and ready to test. + #msg "test: psa crypto config want ECDSA" + #make test } component_test_check_params_functionality () { diff --git a/tests/src/drivers/signature.c b/tests/src/drivers/signature.c index 028d24a09..cea035190 100644 --- a/tests/src/drivers/signature.c +++ b/tests/src/drivers/signature.c @@ -262,6 +262,8 @@ cleanup: (void) alg; (void) hash; (void) hash_length; + (void) signature; + (void) signature_length; #endif /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \ defined(MBEDTLS_SHA256_C) */ From 6dff93ff9b7d7b6f0817f63d4aace0fb4531c94c Mon Sep 17 00:00:00 2001 From: John Durkop Date: Fri, 23 Oct 2020 01:22:58 -0700 Subject: [PATCH 19/24] Ensure dependent features also included by config_psa.h When the PSA crypto features need to be setup based on the PSA_WANT_xxx macros, the dependent features also need to be enabled. This change corrects that for the MBEDTLS_ECDSA_DETERMINISTIC. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 2 ++ 1 file changed, 2 insertions(+) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 9a1a1efba..d9cc4018b 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -51,6 +51,8 @@ extern "C" { #if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 #define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_HMAC_DRBG_C +#define MBEDTLS_MD_C #endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */ #endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */ From 4377bf747937e2963bc1d0f1aae893045b0f71d1 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Fri, 23 Oct 2020 01:26:57 -0700 Subject: [PATCH 20/24] Added new PSA crypto config test with no test driver Added a new test to all.sh to confirm that using MBEDTLS_PSA_CRYPTO_CONFIG with no test driver and the library is configured with normal configurations that the test works. Minor updates to other PSA crypto tests to cleanup msg output for consistency. Signed-off-by: John Durkop --- tests/scripts/all.sh | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1ac97b641..74c3998dd 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1300,7 +1300,21 @@ component_test_psa_crypto_config_basic() { # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" - msg "test: psa crypto config basic" + msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG" + make test +} + +component_test_psa_crypto_config_no_driver() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py unset MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + + msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" make test } @@ -1321,7 +1335,7 @@ component_test_psa_want_ecdsa_disabled_software() { make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" # This should be added back in once the accelerator ECDSA code is in place and ready to test. - #msg "test: psa crypto config want ECDSA" + #msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C" #make test } From 8ac0b80e9bec41f1123f141aca902bb090a108b2 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Fri, 23 Oct 2020 01:32:15 -0700 Subject: [PATCH 21/24] Rename test_psa_want_ecdsa_disabled_softare Changed the test name from test_ to build_ to better reflect what the test is currently performing. Signed-off-by: John Durkop --- tests/scripts/all.sh | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 74c3998dd..d967d572e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1318,7 +1318,8 @@ component_test_psa_crypto_config_no_driver() { make test } -component_test_psa_want_ecdsa_disabled_software() { +# This should be renamed to test and updated once the accelerator ECDSA code is in place and ready to test. +component_build_psa_want_ecdsa_disabled_software() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA # without MBEDTLS_ECDSA_C # PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA are already @@ -1333,10 +1334,6 @@ component_test_psa_want_ecdsa_disabled_software() { scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED # Need to define the correct symbol and include the test driver header path in order to build with the test driver make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" - - # This should be added back in once the accelerator ECDSA code is in place and ready to test. - #msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C" - #make test } component_test_check_params_functionality () { From 36a82e5a6b7265d152523a09b0f7e2c8a2c5d40a Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 26 Oct 2020 09:39:05 -0700 Subject: [PATCH 22/24] Ensure MBEDTLS_ECDSA_C is set when DETERMINISTIC_ECDSA is used Ensure that MBEDTLS_ECDSA_C is set when PSA_WANT_ALG_DETERMINISTIC_ECDSA is requested. Also added MBEDTLS_ECDSA_C to the requirements comment in config.h for MBEDTLS_ECDSA_DETERMINISTIC. Signed-off-by: John Durkop --- include/mbedtls/config.h | 2 +- include/mbedtls/config_psa.h | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 6fbaeed0c..48e8855e8 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -864,7 +864,7 @@ * may result in a compromise of the long-term signing key. This is avoided by * the deterministic variant. * - * Requires: MBEDTLS_HMAC_DRBG_C + * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C * * Comment this macro to disable deterministic ECDSA. */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index d9cc4018b..31c5e1d99 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -51,6 +51,7 @@ extern "C" { #if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1 #define MBEDTLS_ECDSA_DETERMINISTIC +#define MBEDTLS_ECDSA_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */ From e7012c7725e614ea3ced8f8af546b1b91e2447a0 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 26 Oct 2020 09:55:01 -0700 Subject: [PATCH 23/24] Cleaned up test_psa_crypto_config_no_driver based on review comments Removed comment referencing test driver header path and the inclusion of the test driver directory from the build since it is not required for that test. Signed-off-by: John Durkop --- tests/scripts/all.sh | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d967d572e..71f0f8e54 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1311,8 +1311,7 @@ component_test_psa_crypto_config_no_driver() { scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - # Need to define the correct symbol and include the test driver header path in order to build with the test driver - make CC=gcc CFLAGS="$ASAN_CFLAGS -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" make test From f87e3aea167df8061067ca87992f485297c0c876 Mon Sep 17 00:00:00 2001 From: John Durkop Date: Mon, 26 Oct 2020 15:25:23 -0700 Subject: [PATCH 24/24] Update guards in PSA crypto library for ECDSA and DETERMINISTIC support In the PSA crypto library, the code for verification of ECDSA is the same for both MBEDTLS_PSA_BUILTIN_ALG_ECDSA and MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA. So, the guards should allow for either one to enable the code blocks. The original implementation only had the check for ECDSA. In order to make this work, config_psa.h was updated to ensure when MBEDTLS_CRYPTO_CONFIG is disabled, the setting for DETERMINISTIC is only updated if MBEDTLS_ECDSA_C is also enabled. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 4 +++- library/psa_crypto.c | 8 ++++---- 2 files changed, 7 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 31c5e1d99..6af4d1999 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -65,12 +65,14 @@ extern "C" { */ #if defined(MBEDTLS_ECDSA_C) #define MBEDTLS_PSA_BUILTIN_ALG_ECDSA -#endif /* MBEDTLS_ECDSA_C */ +// Only add in DETERMINISTIC support if ECDSA is also enabled #if defined(MBEDTLS_ECDSA_DETERMINISTIC) #define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA #endif /* MBEDTLS_ECDSA_DETERMINISTIC */ +#endif /* MBEDTLS_ECDSA_C */ + #endif /* MBEDTLS_PSA_CRYPTO_CONFIG */ #ifdef __cplusplus diff --git a/library/psa_crypto.c b/library/psa_crypto.c index a73c6c7bc..45b689007 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa, } #endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) /* `ecp` cannot be const because `ecp->grp` needs to be non-const * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * (even though these functions don't modify it). */ @@ -3629,7 +3629,7 @@ cleanup: mbedtls_mpi_free( &s ); return( mbedtls_to_psa_error( ret ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */ psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_algorithm_t alg, @@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, #if defined(MBEDTLS_ECP_C) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) if( PSA_ALG_IS_ECDSA( alg ) ) { mbedtls_ecp_keypair *ecp = NULL; @@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, return( status ); } else -#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */ { return( PSA_ERROR_INVALID_ARGUMENT ); }