Although the library documentation does not guarantee that calling
mbedtls_entropy_free() twice works, it's a plausible assumption and it's
natural to write code that frees an object twice. While this is uncommon for
an entropy context, which is usually a global variable, it came up in our
own unit tests (random_twice tests in test_suite_random).
Announce this in the same changelog entry as for RSA because it's the same
bug in the two modules.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Document the usage inside the library, and relate it with how it's
additionally used in the test code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
PSA_KEY_TYPE_RAW_DATA and PSA_KEY_TYPE_DERIVE are always supported.
Make this explicit by declaring PSA_WANT_KEY_TYPE_RAW_DATA and
PSA_WANT_KEY_TYPE_DERIVE unconditionally. This makes it easier to
infer dependencies in a systematic way.
Don't generate not-supported test cases for those key types. They
would always be skipped, which is noise and would make it impossible
to eventually validate that all test cases pass in at least one
configuration over the whole CI.
Don't remove the exception in set_psa_test_dependencies.py for now, to
get less noise in dependencies. This may be revised later if it is
deemed more important to be systematic.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Update with CHACHA20_POLY1305, CHACHA20. Add in CTR, which was missing,
and move ALG_XTS to its proper location alphabetically.
Signed-off-by: David Brown <david.brown@linaro.org>
With the else branch commented out, both lines are unnecessary. We
could check for the invalid configuration in the future, once tests were
made to exclude this combination.
Signed-off-by: David Brown <david.brown@linaro.org>
There is no PSA ALG_ECB, only ALG_ECB_NO_PADDING. Fix one incorrect
declaration, and remove another that is just redundant.
Signed-off-by: David Brown <david.brown@linaro.org>
Only define MBEDTLS_CIPHER_MODE_CBC if one of the CBC modes is requested
and everything isn't covered by an accelerated version. This keeps this
from being defined in cases where everything needed would be
accelerated.
Signed-off-by: David Brown <david.brown@linaro.org>
Try to make these definitions clearer given the complexity of the
mapping between the PSA config options and the MBEDTLS ones.
Signed-off-by: David Brown <david.brown@linaro.org>
If any of the software block ciphers are selected, define an internal
macro to indicate this. This eliminates some redundancy that needs to
check for this.
Signed-off-by: David Brown <david.brown@linaro.org>
Add checks for PSA_WANT_KEY_TYPE_CHACHA20, both with and without
MBEDTLS_PSA_CRYPTO_CONFIG. This only adds support for the ciphers
itself, presumably as a stream cipher (and not yet AEAD).
Signed-off-by: David Brown <david.brown@linaro.org>
Even if there is an accelerated version of a (block) key type, enable
the SW implementation if there are block modes that don't have
acceleration.
Signed-off-by: David Brown <david.brown@linaro.org>
Add additional ifdef checks in the PSA config to detect when an
algorithm is entirely implemented in hardware. If there is any
combination of cipher and padding type that is not supported by the HW
acceleration, enable the SW acceleration.
Signed-off-by: David Brown <david.brown@linaro.org>
Ensure that the builtin definitions are defined when selected by the
traditional configuration options.
Signed-off-by: David Brown <david.brown@linaro.org>
PSA defines CBC with no padding, and CBC with PKCS7 padding. The bare
"ALG_CBC" is not defined, so remove this definition.
Signed-off-by: David Brown <david.brown@linaro.org>
For the new features conditionalized on MBEDTLS_PSA_ACCEL_..., define a
correlated MBEDTLS_PSA_BUILTIN_... if it is not defined. This prevents
check_names from considering these new defines as typos.
Signed-off-by: David Brown <david.brown@linaro.org>
Add support for supported block modes using the PSA crypto config.
These are mapped to Mbed TLS config options as best as possible.
Signed-off-by: David Brown <david.brown@linaro.org>
Update the psa/crypto_config.h with the newly defined PSA_WANT_
definitions for symmetric ciphers and block modes.
Signed-off-by: David Brown <david.brown@linaro.org>
There was some intentional duplication between
library/psa_crypto_random_impl.h and include/mbedtls/psa_util.h, with
the intent that the compiler would complain if one file was edited in
a way that's incompatible with the other file. However, the two files
were never included together, and in fact could not be included
together because some definitions can't be duplicated (type, static
variable).
Now library/psa_crypto_random_impl.h includes
include/mbedtls/psa_util.h, so the compiler will check what it can.
There is less redundancy since it isn't always possible to declare
something twice (specifically, types can't be declared).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This brings them in line with PSA Crypto API 1.0.0
PSA_ALG_AEAD_WITH_DEFAULT_TAG_LENGTH -> PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG
PSA_ALG_AEAD_WITH_TAG_LENGTH -> PSA_ALG_AEAD_WITH_SHORTENED_TAG
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Make sure MBEDTLS_PSA_CRYPTO_CLIENT is defined
when MBEDTLS_PSA_CRYPTO_C is defined and guard
PSA client code only with MBEDTLS_PSA_CRYPTO_CLIENT.
The definition of MBEDTLS_PSA_CRYPTO_CLIENT is done
in crypto_types.h before the definition of
psa_key_attributes_t. That way as PSA crypto client
code is related to key attributes we can be quite
confident that MBEDTLS_PSA_CRYPTO_CLIENT will be
defined when needed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Attempting to create an ECC key with a curve specification that is not
valid can plausibly fail with PSA_ERROR_INVALID_ARGUMENT ("this is not
a curve specification at all") or PSA_ERROR_NOT_SUPPORTED ("this may
be a curve specification, but not one I support"). The choice of error
is somewhat subjective.
Before this commit, due to happenstance in the implementation, an
attempt to use a curve that is declared in the PSA API but not
implemented in Mbed TLS returned PSA_ERROR_INVALID_ARGUMENT, whereas
an attempt to use a curve that Mbed TLS supports but for which support
was disabled at compile-time returned PSA_ERROR_NOT_SUPPORTED. This
inconsistency made it difficult to write negative tests that could
work whether the curve is implemented via Mbed TLS code or via a
driver.
After this commit, any attempt to use parameters that are not
recognized fails with NOT_SUPPORTED, whether a curve with the
specified size might plausibly exist or not, because "might plausibly
exist" is not something Mbed TLS can determine.
To keep returning INVALID_ARGUMENT when importing an ECC key with an
explicit "bits" attribute that is inconsistent with the size of the
key material, this commit changes the way mbedtls_ecc_group_of_psa()
works: it now works on a size in bits rather than bytes, with an extra
flag indicating whether the bit-size must be exact or not.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Rename the enum constants TLS12_PRF_xxx, which are declared in a
public header but not intended for use in application code, to start
with MBEDTLS_PSA_.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some of the material was originally the PSA specification, and
discusses how different implementations might behave. Replace such
statements by a description of how Mbed TLS behaves.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's about who has access to the key material in plaintext, not directly
where the operation is performed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Executed ./scripts/bump_version.sh --version 2.25.0 --so-crypto 6
Increasing the SO version of the crypto library, because the openless
API improvement came with API/ABI incompatibilities. For example
- the size of psa_key_handle_t changed
- the type of a parameter in 18 public functions has changed from
psa_key_handle_t to mbedtls_svc_key_id_t
Signed-off-by: Janos Follath <janos.follath@arm.com>
This algorithm replaces the pre-existing stream cipher algorithms.
The underlying stream cipher is determined by the key type.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
This temporarily breaks all.sh '*deprecated*' (deprecated functions still used
in the library), which will be fix in the next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Work in progress: next steps are to implement and test it.
Compared to the existing non-ext version:
- to separate tag parameter
- explicit output_len parameter
Also, this version will retain support for NIST_KW (hence documents it), while
the non-ext version will lose it in a few commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- Document constraints on buffers/pointers NULLability explicitly.
- Simplify terminology around IV/nonce: all AEADs implemented so far call that
a nonce. Keep the parameter names (iv, iv_len) to avoid having to change the
code (or having different names in the header and C files).
- Align documentation to the code regarding parameter constraints: the
documentation said the for ciphers with fixed nonce/tag length, the
iv_len/tag_len arguments were ignored, while the code enforced them to be the
expected value. This is more consistent with what's done with GCM/CCM, which
for tag_len for example accept more than one value, but from a relatively
small set, and will return errors for values outside that set. Accepting a
single value is a particular case of that (the set of acceptable value only
has one element).
Don't document behaviour with NIST KW as we're about to change that.
Note: this function is currently only defined if at least one of GCM, CCM or
ChachaPoly is enabled, even though it's supposed to handle NIST KW as well. No
need to fix this as the function will soon no longer support NIST KW.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Removed unecessary checks on the ALG_SHA_224 and ALG_SHA_384 since
those are handled in config_psa.h by ensuring the correct _C is
included. Reformatted config_psa.h to be alphabetical and made the
assignments line up correctly for consistency. Fixed the guards
for ALG_SHA_224 and ALG_SHA_384 to be correct in the crypto library
source.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
The driver interfaces described in crypto_accel_driver.h and
crypto_entropy_driver.h are no longer being worked on. We do not
intend to finish the design of these interfaces or to implement them
in Mbed TLS. They have been superseded by the unified driver
interface (docs/proposed/psa-driver-interface.md), which is being
actively worked on both to finalize the specification and to implement
it in Mbed TLS.
The partially implemented dynamic secure element interface is staying
for now.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Due to a misplaced #endif, the (non-functional) macro definitions were
not properly removed from crypto_compat.h if MBEDTLS_DEPRECATED_REMOVED
was declared.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>