From 885ea8db8f04cdc4237a220ed3ad3f05909e3e87 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Wed, 24 Apr 2024 16:34:14 +0100 Subject: [PATCH 01/23] Add a crypto config file for config-thread This file consists of PSA symbols which are defined if and only if the original config was set Signed-off-by: Ryan Everett --- configs/config-thread.h | 12 ++++----- configs/crypto-config-thread.h | 46 ++++++++++++++++++++++++++++++++++ 2 files changed, 51 insertions(+), 7 deletions(-) create mode 100644 configs/crypto-config-thread.h diff --git a/configs/config-thread.h b/configs/config-thread.h index 2f81f9007..e696583b3 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -17,15 +17,19 @@ * - no X.509 * - support for experimental EC J-PAKE key exchange * + * To be used in conjunction with configs/crypto-config-thread.h. * See README.txt for usage instructions. */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ #define MBEDTLS_HAVE_ASM /* Mbed TLS feature support */ #define MBEDTLS_AES_ROM_TABLES -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED #define MBEDTLS_ECP_NIST_OPTIM #define MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED #define MBEDTLS_SSL_MAX_FRAGMENT_LENGTH @@ -35,23 +39,17 @@ #define MBEDTLS_SSL_DTLS_HELLO_VERIFY /* Mbed TLS modules */ -#define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BIGNUM_C -#define MBEDTLS_CCM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_CMAC_C -#define MBEDTLS_ECJPAKE_C -#define MBEDTLS_ECP_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #define MBEDTLS_OID_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C -#define MBEDTLS_SHA256_C #define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h new file mode 100644 index 000000000..7ea66da31 --- /dev/null 
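Review bot: In config-thread.h the added `#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h"` is a relative path, so the preprocessor resolves it against the including header's directory and then the include search path. Which file supplies the crypto settings therefore depends on how the build lays out its include directories. The second hunk also drops `MBEDTLS_AES_C`, `MBEDTLS_CCM_C`, `MBEDTLS_CMAC_C`, `MBEDTLS_ECJPAKE_C`, `MBEDTLS_ECP_C` and `MBEDTLS_SHA256_C`, so the enabled primitives now come entirely from that second file. I would extend the new header comment to say so, for example `* The cryptographic algorithms are selected in configs/crypto-config-thread.h, which must be reachable as "../configs/crypto-config-thread.h" from the include path.` The same remark applies to the other config-*.h files changed later in this series.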
+++ b/configs/crypto-config-thread.h @@ -0,0 +1,46 @@ +/** + * \file crypto-config-thread.h + * + * \brief Minimal crypto configuration for using TLS as part of Thread + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/** + * Minimal crypto configuration for using TLS as part of Thread + * http://threadgroup.org/ + * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - no X.509 + * - support for experimental EC J-PAKE key exchange + * + * To be used in conjunction with configs/config-thread.h. + * See README.txt for usage instructions. + */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_CMAC 1 +#define PSA_WANT_ALG_JPAKE 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ECC_SECP_R1_256 1 + +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_DERIVE 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#define PSA_WANT_KEY_TYPE_RAW_DATA 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +#endif /* PSA_CRYPTO_CONFIG_H */ From d3b11571e2707624fb168b3ea106da70d3ba4522 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 25 Apr 2024 14:34:33 +0100 Subject: [PATCH 02/23] Add a crypto-config file for symmetric-only Replaces legacy symbols with the PSA equivalents. This doesn't change the code generated when this config is active Signed-off-by: Ryan Everett --- configs/config-symmetric-only.h | 31 +++------------ configs/crypto-config-symmetric-only.h | 55 ++++++++++++++++++++++++++ 2 files changed, 60 insertions(+), 26 deletions(-) create mode 100644 configs/crypto-config-symmetric-only.h 
diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index 512dd7616..ad6a4419c 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -8,18 +8,17 @@ * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ //#define MBEDTLS_HAVE_ASM #define MBEDTLS_HAVE_TIME #define MBEDTLS_HAVE_TIME_DATE /* Mbed TLS feature support */ -#define MBEDTLS_CIPHER_MODE_CBC -#define MBEDTLS_CIPHER_MODE_CFB -#define MBEDTLS_CIPHER_MODE_CTR -#define MBEDTLS_CIPHER_MODE_OFB #define MBEDTLS_CIPHER_MODE_XTS -#define MBEDTLS_CIPHER_PADDING_PKCS7 #define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS #define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN #define MBEDTLS_CIPHER_PADDING_ZEROS 
@@ -31,47 +30,27 @@ #define MBEDTLS_VERSION_FEATURES /* Mbed TLS modules */ -#define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BASE64_C -#define MBEDTLS_CAMELLIA_C -#define MBEDTLS_ARIA_C -#define MBEDTLS_CCM_C -#define MBEDTLS_CHACHA20_C -#define MBEDTLS_CHACHAPOLY_C #define MBEDTLS_CIPHER_C -#define MBEDTLS_CMAC_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_DES_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_ERROR_C -#define MBEDTLS_GCM_C -#define MBEDTLS_HKDF_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_NIST_KW_C #define MBEDTLS_MD_C -#define MBEDTLS_MD5_C #define MBEDTLS_OID_C #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_WRITE_C #define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS12_C #define MBEDTLS_PLATFORM_C -#define MBEDTLS_POLY1305_C #define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_SE_C #define MBEDTLS_PSA_CRYPTO_STORAGE_C #define MBEDTLS_PSA_ITS_FILE_C -#define MBEDTLS_RIPEMD160_C -#define MBEDTLS_SHA1_C -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ -#define MBEDTLS_SHA224_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SHA384_C -#define MBEDTLS_SHA512_C + //#define MBEDTLS_THREADING_C #define MBEDTLS_TIMING_C #define MBEDTLS_VERSION_C diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h new file mode 100644 index 000000000..799890d4e --- /dev/null +++ b/configs/crypto-config-symmetric-only.h 
@@ -0,0 +1,55 @@ +/** + * \file crypto-config-symmetric-only.h + * + * \brief Crypto configuration without any asymmetric cryptography. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/** + * To be used in conjunction with configs/config-symmetric-only.h. */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_CBC_NO_PADDING 1 +#define PSA_WANT_ALG_CBC_PKCS7 1 +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 +#define PSA_WANT_ALG_CFB 1 +#define PSA_WANT_ALG_CHACHA20_POLY1305 1 +#define PSA_WANT_ALG_CMAC 1 +#define PSA_WANT_ALG_CTR 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HKDF 1 +#define PSA_WANT_ALG_HKDF_EXTRACT 1 +#define PSA_WANT_ALG_HKDF_EXPAND 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_MD5 1 +#define PSA_WANT_ALG_OFB 1 +#define PSA_WANT_ALG_RIPEMD160 1 +#define PSA_WANT_ALG_SHA_1 1 +#define PSA_WANT_ALG_STREAM_CIPHER 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 + +/* The library does not currently support enabling SHA-224 without SHA-256. + * A future version of the library will have this option disabled + * by default. */ +#define PSA_WANT_ALG_SHA_224 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_SHA_384 1 +#define PSA_WANT_ALG_SHA_512 1 + +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ARIA 1 +#define PSA_WANT_KEY_TYPE_CAMELLIA 1 +#define PSA_WANT_KEY_TYPE_CHACHA20 1 +#define PSA_WANT_KEY_TYPE_DES 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 + +#endif /* PSA_CRYPTO_CONFIG_H */ From ab5ec9d3a488f33aef46f3b477260b66b9653ad3 Mon Sep 17 00:00:00 2001 
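Review bot: The header of the new crypto-config-symmetric-only.h says only "Crypto configuration without any asymmetric cryptography", yet the list enables `PSA_WANT_ALG_MD5`, `PSA_WANT_ALG_SHA_1`, `PSA_WANT_ALG_RIPEMD160` and `PSA_WANT_KEY_TYPE_DES`. That mirrors the legacy symbols removed from config-symmetric-only.h and presumably exists for test coverage, but nothing in the file says it is not a recommended algorithm baseline. I would add a line to the file comment such as `* Enables every symmetric algorithm the library offers, including legacy ones (MD5, SHA-1, DES) kept for compatibility testing; trim the list before using it as a product configuration.` `PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS` also deserves a one-line comment on why an EC J-PAKE derivation step belongs in a configuration with no asymmetric cryptography.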
From: Ryan Everett Date: Thu, 25 Apr 2024 15:05:31 +0100 Subject: [PATCH 03/23] Add a crypto config file for ccm-psk-tls1_2.h Also convert legacy symbols to their PSA equivalents. This does not change code compiled when this config is active with PSA enabled Signed-off-by: Ryan Everett --- configs/config-ccm-psk-tls1_2.h | 7 +++--- configs/crypto-config-ccm-psk-tls1_2.h | 30 ++++++++++++++++++++++++++ 2 files changed, 34 insertions(+), 3 deletions(-) create mode 100644 configs/crypto-config-ccm-psk-tls1_2.h diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index d49adfd72..cbc7dab86 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -22,19 +22,20 @@ * See README.txt for usage instructions. */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ /* Mbed TLS modules */ -#define MBEDTLS_AES_C -#define MBEDTLS_CCM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_MD_C #define MBEDTLS_NET_C -#define MBEDTLS_SHA256_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h new file mode 100644 index 000000000..2891b4e00 --- /dev/null +++ b/configs/crypto-config-ccm-psk-tls1_2.h 
@@ -0,0 +1,30 @@ +/** + * \file crypto-config-ccm-psk-tls1_2.h + * + * \brief Minimal crypto configuration for TLS 1.2 with + * PSK and AES-CCM ciphersuites + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/** + * To be used in conjunction with configs/config-ccm-psk-tls1_2.h + * or configs/config-ccm-psk-dtls1_2.h. */ + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_CCM 1 +#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 + +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#endif /* PSA_CRYPTO_CONFIG_H */ From 0a0393e8bd32fa2b9abf06dd41b5d2b73bed6d81 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 25 Apr 2024 15:43:52 +0100 Subject: [PATCH 04/23] Use crypto config for ccm-psk-dtls1_2.h Convert legacy symbols to their PSA equivalents. This does not change code compiled when this config is active with PSA enabled Signed-off-by: Ryan Everett --- configs/config-ccm-psk-dtls1_2.h | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 19e09d957..2ea9ac461 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h 
@@ -23,19 +23,20 @@ * See README.txt for usage instructions. */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ /* Mbed TLS modules */ -#define MBEDTLS_AES_C -#define MBEDTLS_CCM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_MD_C #define MBEDTLS_NET_C -#define MBEDTLS_SHA256_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_COOKIE_C #define MBEDTLS_SSL_SRV_C From 4540cd342900bb9bd64f540ea51cb0629e614da0 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Thu, 25 Apr 2024 17:30:30 +0100 Subject: [PATCH 05/23] Add a crypto config file for suite-b Also converts legacy symbols into their PSA equivalents. When PSA is defined this does not change the compiled code Signed-off-by: Ryan Everett --- configs/config-suite-b.h | 4 --- configs/crypto-config-suite-b.h | 50 +++++++++++++++++++++++++++++++++ 2 files changed, 50 insertions(+), 4 deletions(-) create mode 100644 configs/crypto-config-suite-b.h diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 9bba6e6cb..20bd7f9e1 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -32,17 +32,13 @@ #define MBEDTLS_SSL_PROTO_TLS1_2 /* Mbed TLS modules */ -#define MBEDTLS_AES_C #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ECDH_C -#define MBEDTLS_ECDSA_C #define MBEDTLS_ECP_C #define MBEDTLS_ENTROPY_C -#define MBEDTLS_GCM_C #define MBEDTLS_MD_C #define MBEDTLS_NET_C #define MBEDTLS_OID_C diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h new file mode 100644 index 000000000..8ad38754e --- /dev/null +++ b/configs/crypto-config-suite-b.h 
@@ -0,0 +1,50 @@ +/** + * \file crypto-config-symmetric-only.h + * + * \brief \brief Minimal crypto configuration for + * TLS NSA Suite B Profile (RFC 6460). + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +/** + * Minimal crypto configuration for TLS NSA Suite B Profile (RFC 6460) + * + * Distinguishing features: + * - no RSA or classic DH, fully based on ECC + * - optimized for low RAM usage + * + * Possible improvements: + * - if 128-bit security is enough, disable secp384r1 and SHA-512 + * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C + * + * To be used in conjunction with configs/config-suite-b.h. */ + +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + +#ifndef PSA_CRYPTO_CONFIG_H +#define PSA_CRYPTO_CONFIG_H + +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ALG_ECDSA 1 +#define PSA_WANT_ALG_GCM 1 +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_ALG_SHA_256 1 +#define PSA_WANT_ALG_SHA_384 1 +#define PSA_WANT_ALG_SHA_512 1 +#define PSA_WANT_ECC_SECP_R1_256 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 + +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#endif /* PSA_CRYPTO_CONFIG_H */ From 44d7ddf82fa5d0d4b1b61a36c8d370c073476f5d Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Fri, 26 Apr 2024 11:25:43 +0100 Subject: [PATCH 06/23] In suite-b move definition of MBEDTLS_PSA_CRYPTO_CONFIG_FILE Signed-off-by: Ryan Everett --- configs/config-suite-b.h | 4 ++++ configs/crypto-config-suite-b.h | 4 ---- 2 files changed, 4 insertions(+), 4 deletions(-) 
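Review bot: The Doxygen header of the new configs/crypto-config-suite-b.h names the wrong file and repeats a tag: `\file crypto-config-symmetric-only.h` should read `\file crypto-config-suite-b.h`, and `\brief \brief Minimal crypto configuration for` should carry a single `\brief`. The defines `MBEDTLS_PSA_CRYPTO_CONFIG_FILE` and `MBEDTLS_PSA_CRYPTO_CONFIG` are also placed in this file, above the include guard, although the first one points at this file itself. In the same commit config-suite-b.h loses `MBEDTLS_AES_C`, `MBEDTLS_ECDH_C`, `MBEDTLS_ECDSA_C` and `MBEDTLS_GCM_C` without gaining those two defines, so at this commit nothing visible selects the PSA file for the Suite B build. PATCH 06/23 moves the defines; the `\file` and `\brief` tags are not corrected in the hunks shown.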
diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 20bd7f9e1..b408a9e59 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -21,6 +21,10 @@ * See README.txt for usage instructions. */ +#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h" + +#define MBEDTLS_PSA_CRYPTO_CONFIG + /* System support */ #define MBEDTLS_HAVE_ASM #define MBEDTLS_HAVE_TIME diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 8ad38754e..0d8f46530 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -22,10 +22,6 @@ * * To be used in conjunction with configs/config-suite-b.h. */ -#define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h" - -#define MBEDTLS_PSA_CRYPTO_CONFIG - #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H From c3051572cac18d6222fdc37c1294e5824eafe066 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Apr 2024 17:20:42 +0100 Subject: [PATCH 07/23] Address suite-b comments Signed-off-by: Ryan Everett --- configs/config-suite-b.h | 5 ----- configs/crypto-config-suite-b.h | 5 +---- 2 files changed, 1 insertion(+), 9 deletions(-) diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index b408a9e59..77c0b1772 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -38,19 +38,14 @@ /* Mbed TLS modules */ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ECP_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_MD_C #define MBEDTLS_NET_C #define MBEDTLS_OID_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C -#define MBEDTLS_SHA256_C -#define MBEDTLS_SHA384_C -#define MBEDTLS_SHA512_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C #define MBEDTLS_SSL_TLS_C diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 0d8f46530..2351ecb09 100644 --- a/configs/crypto-config-suite-b.h 
+++ b/configs/crypto-config-suite-b.h @@ -25,7 +25,6 @@ #ifndef PSA_CRYPTO_CONFIG_H #define PSA_CRYPTO_CONFIG_H -#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_GCM 1 @@ -35,12 +34,10 @@ #define PSA_WANT_ALG_SHA_512 1 #define PSA_WANT_ECC_SECP_R1_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 -#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 -#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 #define PSA_WANT_KEY_TYPE_HMAC 1 #endif /* PSA_CRYPTO_CONFIG_H */ From 2abd658030d14360f130f1444180f12995cd4d52 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Apr 2024 17:21:15 +0100 Subject: [PATCH 08/23] Address symmetric-only comments Signed-off-by: Ryan Everett --- configs/config-symmetric-only.h | 4 ---- configs/crypto-config-symmetric-only.h | 17 ++++++++++------- 2 files changed, 10 insertions(+), 11 deletions(-) diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index ad6a4419c..faeab178f 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -18,10 +18,6 @@ #define MBEDTLS_HAVE_TIME_DATE /* Mbed TLS feature support */ -#define MBEDTLS_CIPHER_MODE_XTS -#define MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS -#define MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN -#define MBEDTLS_CIPHER_PADDING_ZEROS #define MBEDTLS_ERROR_STRERROR_DUMMY #define MBEDTLS_FS_IO #define MBEDTLS_ENTROPY_NV_SEED diff --git a/configs/crypto-config-symmetric-only.h b/configs/crypto-config-symmetric-only.h index 799890d4e..5d6bf8529 100644 --- a/configs/crypto-config-symmetric-only.h +++ b/configs/crypto-config-symmetric-only.h 
@@ -33,17 +33,20 @@ #define PSA_WANT_ALG_RIPEMD160 1 #define PSA_WANT_ALG_SHA_1 1 #define PSA_WANT_ALG_STREAM_CIPHER 1 -#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 -#define PSA_WANT_ALG_TLS12_PRF 1 -#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 - -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ #define PSA_WANT_ALG_SHA_224 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 +#define PSA_WANT_ALG_SHA3_224 1 +#define PSA_WANT_ALG_SHA3_256 1 +#define PSA_WANT_ALG_SHA3_384 1 +#define PSA_WANT_ALG_SHA3_512 1 +#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 +#define PSA_WANT_ALG_TLS12_PRF 1 +#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 + +/* XTS is not yet supported via the PSA API in Mbed TLS. */ +//#define PSA_WANT_ALG_XTS 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_ARIA 1 From 0855b26a808b3be43eeac75ee60cd0eaa244b0f9 Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Apr 2024 17:21:43 +0100 Subject: [PATCH 09/23] Address thread comments Signed-off-by: Ryan Everett --- configs/config-thread.h | 1 - configs/crypto-config-thread.h | 8 +++----- 2 files changed, 3 insertions(+), 6 deletions(-) diff --git a/configs/config-thread.h b/configs/config-thread.h index e696583b3..e9b267c4c 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -41,7 +41,6 @@ /* Mbed TLS modules */ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_BIGNUM_C #define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 7ea66da31..4ba8b5eb4 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h 
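Review bot: The comment added in crypto-config-symmetric-only.h (`@@ -33,17 +33,20 @@`) explains only the missing XTS mode, but the same commit also deletes `MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS`, `MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN` and `MBEDTLS_CIPHER_PADDING_ZEROS` from config-symmetric-only.h, and this list has no PSA_WANT counterpart for them. The hunk also turns on four `PSA_WANT_ALG_SHA3_*` symbols that were not among the legacy hash modules removed in PATCH 02/23, so the configuration no longer builds the same algorithm set as before the series. I would record both in the comment, e.g. `/* XTS and the ONE_AND_ZEROS, ZEROS_AND_LEN and ZEROS paddings have no PSA_WANT symbol here and are dropped from this configuration; SHA-3 is newly enabled. */`, and repeat the SHA-3 addition in the commit message.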
@@ -26,13 +26,11 @@ #define PSA_WANT_ALG_CCM 1 #define PSA_WANT_ALG_CMAC 1 +#define PSA_WANT_ALG_ECB_NO_PADDING 1 +#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_JPAKE 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 -#define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 -#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 -#define PSA_WANT_ALG_ECB_NO_PADDING 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 #define PSA_WANT_ECC_SECP_R1_256 1 @@ -41,6 +39,6 @@ #define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 +#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -#define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE 1 #endif /* PSA_CRYPTO_CONFIG_H */ From 21eaa77ba8363404cf1135fe05b47cfba82d3c5b Mon Sep 17 00:00:00 2001 From: Ryan Everett Date: Tue, 30 Apr 2024 17:21:57 +0100 Subject: [PATCH 10/23] Address ccm-psk-tls1_2 comments Signed-off-by: Ryan Everett --- configs/crypto-config-ccm-psk-tls1_2.h | 3 --- 1 file changed, 3 deletions(-) diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index 2891b4e00..d59729cd1 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -17,13 +17,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_CCM_STAR_NO_TAG 1 -#define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 -#define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_HMAC 1 From 640276268dc8b11829c2f36481485fad0c056476 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 14 May 2024 10:51:27 +0200 Subject: [PATCH 11/23] Fix compat.sh filters Signed-off-by: Ronald Cron --- tests/scripts/test-ref-configs.pl | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) 
diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 055023a5f..a6bc0ec74 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -17,11 +17,11 @@ use strict; my %configs = ( 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'test_again_with_use_psa' => 1 }, 'config-ccm-psk-dtls1_2.h' => { - 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', 'opt_needs_debug' => 1, 'test_again_with_use_psa' => 1 @@ -29,7 +29,7 @@ my %configs = ( 'config-no-entropy.h' => { }, 'config-suite-b.h' => { - 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", + 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'test_again_with_use_psa' => 1, 'opt' => ' ', 'opt_needs_debug' => 1, From 4dd6631aac97c8eb50cb5a2aa326b57e73453500 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 15 May 2024 11:22:04 +0200 Subject: [PATCH 12/23] test-ref-configs.pl: Detect automatically test with USE_PSA enabled Change the way we decide if for a given configuration we need to run tests with and without MBEDTLS_USE_PSA_CRYPTO enabled. That makes the script suitable for 3.6 and development branch. Signed-off-by: Ronald Cron --- tests/scripts/test-ref-configs.pl | 18 +++++++++++------- 1 file changed, 11 insertions(+), 7 deletions(-) diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index a6bc0ec74..edd778a11 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl 
@@ -18,31 +18,25 @@ use strict; my %configs = ( 'config-ccm-psk-tls1_2.h' => { 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', - 'test_again_with_use_psa' => 1 }, 'config-ccm-psk-dtls1_2.h' => { 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', 'opt_needs_debug' => 1, - 'test_again_with_use_psa' => 1 }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", - 'test_again_with_use_psa' => 1, 'opt' => ' ', 'opt_needs_debug' => 1, }, 'config-symmetric-only.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-tfm.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-thread.h' => { 'opt' => '-f ECJPAKE.*nolog', - 'test_again_with_use_psa' => 1, }, ); @@ -148,7 +142,17 @@ sub perform_test { } foreach my $conf ( @configs_to_test ) { - my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'}; + my $test_with_psa = 0; + + open(CONFIG_FILE, "<", "configs/$conf") or die "Opening config file '$conf': $!"; + while (my $line = ) { + if ($line =~ /^\/\/#define MBEDTLS_USE_PSA_CRYPTO/) { + $test_with_psa = 1; + last; + } + } + close(CONFIG_FILE); + if ( $test_with_psa ) { perform_test( $conf, $configs{$conf}, $test_with_psa ); From 4de85396cf98891b41e6277f54822a7e9de60a05 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 14 May 2024 10:20:56 +0200 Subject: [PATCH 13/23] Enable MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO Enable MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO is reference configurations as we are working towards removing (always on) them. Signed-off-by: Ronald Cron --- configs/config-ccm-psk-dtls1_2.h | 7 ++----- configs/config-ccm-psk-tls1_2.h | 7 ++----- configs/config-suite-b.h | 7 ++----- configs/config-symmetric-only.h | 4 ++-- configs/config-thread.h | 7 ++----- 5 files changed, 10 insertions(+), 22 deletions(-) 
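Review bot: The new detection loop in test-ref-configs.pl reads the config through the bareword handle `CONFIG_FILE`, a package global, and does not check `close`; a lexical handle stays scoped to the loop iteration: `open(my $config_fh, '<', "configs/$conf") or die "Opening config file 'configs/$conf': $!";`. The pattern `/^\/\/#define MBEDTLS_USE_PSA_CRYPTO/` has no terminator, so a commented-out macro that merely begins with that name would also switch on the second test run; `m{^//#define MBEDTLS_USE_PSA_CRYPTO\b}` is stricter. Whether a configuration is exercised with PSA now hinges on a comment line inside each header, so I would put a short comment above the loop stating that a commented-out define means the config is tested both without and with `MBEDTLS_USE_PSA_CRYPTO`. PATCH 13/23 then deletes that comment line from the five configs it touches, which turns each of them into a single test pass. The `foreach` body continues past the end of the hunk.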
diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index 2ea9ac461..fa012db8b 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -25,7 +25,9 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" +#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_USE_PSA_CRYPTO /* System support */ //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ @@ -82,11 +84,6 @@ */ #define MBEDTLS_ENTROPY_MAX_SOURCES 2 -/* These defines are present so that the config modifying scripts can enable - * them during tests/scripts/test-ref-configs.pl */ -//#define MBEDTLS_USE_PSA_CRYPTO -//#define MBEDTLS_PSA_CRYPTO_C - /* Error messages and TLS debugging traces * (huge code size increase, needed for tests/ssl-opt.sh) */ //#define MBEDTLS_DEBUG_C diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index cbc7dab86..eb23fca1c 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -24,7 +24,9 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-ccm-psk-tls1_2.h" +#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_USE_PSA_CRYPTO /* System support */ //#define MBEDTLS_HAVE_TIME /* Optionally used in Hello messages */ @@ -73,11 +75,6 @@ */ #define MBEDTLS_ENTROPY_MAX_SOURCES 2 -/* These defines are present so that the config modifying scripts can enable - * them during tests/scripts/test-ref-configs.pl */ -//#define MBEDTLS_USE_PSA_CRYPTO -//#define MBEDTLS_PSA_CRYPTO_C - /* Error messages and TLS debugging traces * (huge code size increase, needed for tests/ssl-opt.sh) */ //#define MBEDTLS_DEBUG_C diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 77c0b1772..bb9a312b3 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h 
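Review bot: config-ccm-psk-dtls1_2.h and config-ccm-psk-tls1_2.h now define `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_USE_PSA_CRYPTO` unconditionally, but neither file comment tells integrators that the application must then call `psa_crypto_init()` successfully before its first TLS call. The deleted block at the bottom of each file said these options were only switched on by the test scripts, so anyone who copied the reference configuration earlier gets a behaviour change with no note in the header. I would add a line next to the new defines, e.g. `/* USE_PSA_CRYPTO is on: call psa_crypto_init() before using the TLS API. */`. The same remark applies to the config-suite-b.h and config-thread.h hunks of this commit.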
@@ -23,7 +23,9 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-suite-b.h" +#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_USE_PSA_CRYPTO /* System support */ #define MBEDTLS_HAVE_ASM @@ -90,11 +92,6 @@ #define MBEDTLS_SSL_IN_CONTENT_LEN 1024 #define MBEDTLS_SSL_OUT_CONTENT_LEN 1024 -/* These defines are present so that the config modifying scripts can enable - * them during tests/scripts/test-ref-configs.pl */ -//#define MBEDTLS_USE_PSA_CRYPTO -//#define MBEDTLS_PSA_CRYPTO_C - /* Error messages and TLS debugging traces * (huge code size increase, needed for tests/ssl-opt.sh) */ //#define MBEDTLS_DEBUG_C diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index faeab178f..e307c0b96 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -10,7 +10,9 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-symmetric-only.h" +#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_USE_PSA_CRYPTO /* System support */ //#define MBEDTLS_HAVE_ASM @@ -22,7 +24,6 @@ #define MBEDTLS_FS_IO #define MBEDTLS_ENTROPY_NV_SEED #define MBEDTLS_SELF_TEST -#define MBEDTLS_USE_PSA_CRYPTO #define MBEDTLS_VERSION_FEATURES /* Mbed TLS modules */ @@ -42,7 +43,6 @@ #define MBEDTLS_PKCS5_C #define MBEDTLS_PKCS12_C #define MBEDTLS_PLATFORM_C -#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_SE_C #define MBEDTLS_PSA_CRYPTO_STORAGE_C #define MBEDTLS_PSA_ITS_FILE_C diff --git a/configs/config-thread.h b/configs/config-thread.h index e9b267c4c..48c830166 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -23,7 +23,9 @@ #define MBEDTLS_PSA_CRYPTO_CONFIG_FILE "../configs/crypto-config-thread.h" +#define MBEDTLS_PSA_CRYPTO_C #define MBEDTLS_PSA_CRYPTO_CONFIG +#define MBEDTLS_USE_PSA_CRYPTO /* System support */ #define MBEDTLS_HAVE_ASM 
@@ -66,8 +68,3 @@ /* Save ROM and a few bytes of RAM by specifying our own ciphersuite list */ #define MBEDTLS_SSL_CIPHERSUITES MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8 - -/* These defines are present so that the config modifying scripts can enable - * them during tests/scripts/test-ref-configs.pl */ -//#define MBEDTLS_USE_PSA_CRYPTO -//#define MBEDTLS_PSA_CRYPTO_C From b16e1c2c2fb7ff6201c3767fedb676a728d85c6e Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 14 May 2024 11:27:40 +0200 Subject: [PATCH 14/23] Remove direct enablement of MBEDTLS_CIPHER/MD_C Kept MD in thread config as needed for HMAC_DRBG. Signed-off-by: Ronald Cron --- configs/config-ccm-psk-dtls1_2.h | 2 -- configs/config-ccm-psk-tls1_2.h | 2 -- configs/config-suite-b.h | 2 -- configs/config-symmetric-only.h | 2 -- configs/config-thread.h | 1 - 5 files changed, 9 deletions(-) diff --git a/configs/config-ccm-psk-dtls1_2.h b/configs/config-ccm-psk-dtls1_2.h index fa012db8b..be785b7ae 100644 --- a/configs/config-ccm-psk-dtls1_2.h +++ b/configs/config-ccm-psk-dtls1_2.h @@ -34,10 +34,8 @@ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ /* Mbed TLS modules */ -#define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C -#define MBEDTLS_MD_C #define MBEDTLS_NET_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_COOKIE_C diff --git a/configs/config-ccm-psk-tls1_2.h b/configs/config-ccm-psk-tls1_2.h index eb23fca1c..d8f4f9c18 100644 --- a/configs/config-ccm-psk-tls1_2.h +++ b/configs/config-ccm-psk-tls1_2.h @@ -33,10 +33,8 @@ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ /* Mbed TLS modules */ -#define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C -#define MBEDTLS_MD_C #define MBEDTLS_NET_C #define MBEDTLS_SSL_CLI_C #define MBEDTLS_SSL_SRV_C diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index bb9a312b3..2925a87b2 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h 
@@ -40,10 +40,8 @@ /* Mbed TLS modules */ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C -#define MBEDTLS_MD_C #define MBEDTLS_NET_C #define MBEDTLS_OID_C #define MBEDTLS_PK_C diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index e307c0b96..13e4d2667 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -30,13 +30,11 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_BASE64_C -#define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_ERROR_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_NIST_KW_C -#define MBEDTLS_MD_C #define MBEDTLS_OID_C #define MBEDTLS_PEM_PARSE_C #define MBEDTLS_PEM_WRITE_C diff --git a/configs/config-thread.h b/configs/config-thread.h index 48c830166..160aded92 100644 --- a/configs/config-thread.h +++ b/configs/config-thread.h @@ -43,7 +43,6 @@ /* Mbed TLS modules */ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C -#define MBEDTLS_CIPHER_C #define MBEDTLS_CTR_DRBG_C #define MBEDTLS_ENTROPY_C #define MBEDTLS_HMAC_DRBG_C From b3a400b9bd060ee9b78eae6d44f3986e9d34632b Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 14 May 2024 14:26:12 +0200 Subject: [PATCH 15/23] config-suite-b: Enable EC with PSA_WANT Signed-off-by: Ronald Cron --- configs/config-suite-b.h | 2 -- configs/crypto-config-suite-b.h | 1 + 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/configs/config-suite-b.h b/configs/config-suite-b.h index 2925a87b2..cdea16e25 100644 --- a/configs/config-suite-b.h +++ b/configs/config-suite-b.h @@ -32,8 +32,6 @@ #define MBEDTLS_HAVE_TIME /* Mbed TLS feature support */ -#define MBEDTLS_ECP_DP_SECP256R1_ENABLED -#define MBEDTLS_ECP_DP_SECP384R1_ENABLED #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #define MBEDTLS_SSL_PROTO_TLS1_2 
diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 2351ecb09..268db60d7 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -33,6 +33,7 @@ #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 #define PSA_WANT_ECC_SECP_R1_256 1 +#define PSA_WANT_ECC_SECP_R1_384 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_KEY_TYPE_AES 1 From b0c96f47e7dfa7f463cb92f886842a48d85e1d26 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 15 May 2024 09:27:27 +0200 Subject: [PATCH 16/23] Resolve some HMAC dependencies automatically Signed-off-by: Ronald Cron --- configs/crypto-config-ccm-aes-sha256.h | 4 +-- configs/crypto-config-ccm-psk-tls1_2.h | 2 -- configs/crypto-config-suite-b.h | 3 --- include/mbedtls/config_psa.h | 2 ++ .../psa/crypto_adjust_config_dependencies.h | 27 +++++++++++++++++++ 5 files changed, 30 insertions(+), 8 deletions(-) create mode 100644 include/psa/crypto_adjust_config_dependencies.h diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index 7f8d58768..68a9c0a53 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -2,7 +2,7 @@ * \file configs/crypto-config-ccm-aes-sha256.h * * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, - * SHA-256, HMAC and key derivation + * SHA-256 and key derivation (uses HMAC). */ /* * Copyright The Mbed TLS Contributors @@ -13,12 +13,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index d59729cd1..f4928e2ee 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h 
+++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -17,11 +17,9 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_AES 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 268db60d7..ec209193e 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -18,7 +18,6 @@ * * Possible improvements: * - if 128-bit security is enough, disable secp384r1 and SHA-512 - * - use embedded certs in DER format and disable PEM_PARSE_C and BASE64_C * * To be used in conjunction with configs/config-suite-b.h. */ @@ -28,7 +27,6 @@ #define PSA_WANT_ALG_ECDH 1 #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_GCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_SHA_384 1 #define PSA_WANT_ALG_SHA_512 1 @@ -40,5 +38,4 @@ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #endif /* PSA_CRYPTO_CONFIG_H */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 17da61b3e..de961ec0f 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -22,6 +22,8 @@ #include "psa/crypto_adjust_config_synonyms.h" +#include "psa/crypto_adjust_config_dependencies.h" + #include "mbedtls/config_adjust_psa_superset_legacy.h" #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h new file mode 100644 index 000000000..776f05b42 --- /dev/null +++ b/include/psa/crypto_adjust_config_dependencies.h 
@@ -0,0 +1,27 @@ +/** + * \file psa/crypto_adjust_config_dependencies.h + * \brief Adjust PSA configuration by resolving some dependencies. + * + * See docs/proposed/psa-conditional-inclusion-c.md. + * If a cryptographic mechanism A depends on a cryptographic mechanism B and + * A is enabled then enable B. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H +#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H + +#if defined(PSA_WANT_ALG_TLS12_PRF) || \ + defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) || \ + defined(PSA_WANT_ALG_HKDF) || \ + defined(PSA_WANT_ALG_HKDF_EXTRACT) || \ + defined(PSA_WANT_ALG_HKDF_EXPAND) || \ + defined(PSA_WANT_ALG_PBKDF2_HMAC) +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#endif + +#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */ From a33a824d8a5a5b4711c16c1acc3ee721f43ac1da Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 15 May 2024 18:31:17 +0200 Subject: [PATCH 17/23] Resolve PBKDF2_AES_CMAC_PRF_128 dependencies Signed-off-by: Ronald Cron --- include/psa/crypto_adjust_config_dependencies.h | 5 +++++ tests/scripts/all.sh | 8 ++++++-- 2 files changed, 11 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h index 776f05b42..ffca8ca37 100644 --- a/include/psa/crypto_adjust_config_dependencies.h +++ b/include/psa/crypto_adjust_config_dependencies.h @@ -24,4 +24,9 @@ #define PSA_WANT_KEY_TYPE_HMAC 1 #endif +#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_ALG_CMAC 1 +#endif + #endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8158c8d97..802a77abf 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
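Review bot: The file comment of the new crypto_adjust_config_dependencies.h does not say that these adjustments override the user's selection. Once `PSA_WANT_ALG_TLS12_PRF` or any other listed KDF is set, `PSA_WANT_ALG_HMAC` and `PSA_WANT_KEY_TYPE_HMAC` are defined whatever the crypto config did with them. The `PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128` block added to the same file by the next commit does the same for `PSA_WANT_ALG_CMAC` and `PSA_WANT_KEY_TYPE_AES`, and the all.sh change there suggests that undefining CMAC alone no longer removes it. Anyone trimming algorithms for code size or attack surface needs to know this, so I would add to the header comment something like `* Note: a mechanism enabled here cannot be disabled on its own; every enabled mechanism that depends on it must be disabled too.` This assumes the header is processed after the user's configuration, which the config_psa.h hunk only partly shows.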
@@ -1731,6 +1731,7 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES else @@ -4076,6 +4077,7 @@ common_block_cipher_dispatch() { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 # Disable direct dependency on AES_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -5276,9 +5278,11 @@ component_build_psa_config_file () { make clean msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s - # In the user config, disable one feature, which will reflect on the - # mbedtls configuration so we can query it with query_compile_time_config. + # In the user config, disable one feature and its dependencies, which will + # reflect on the mbedtls configuration so we can query it with + # query_compile_time_config. echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h + echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h scripts/config.py unset MBEDTLS_CMAC_C make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" not programs/test/query_compile_time_config MBEDTLS_CMAC_C From 1f95ede98c707b53caac198a04ef75d58864bdad Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 15 May 2024 12:49:02 +0200 Subject: [PATCH 18/23] Fix "maybe-uninitialized" warning with GCC 11.3 
Signed-off-by: Ronald Cron --- tests/suites/test_suite_pk.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index ad7da3222..1188137b3 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1818,7 +1818,7 @@ void pk_psa_sign(int psa_type, int bits, int rsa_padding) int ret; #endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) - mbedtls_ecp_group_id ecp_grp_id; + mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE; #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ /* From 97f0ea761197e62230656ca7334e8d6e3173ef00 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 17 May 2024 11:19:57 +0200 Subject: [PATCH 19/23] Fix the resolution of dependencies on HMAC The Mbed TLS implementations of ALG_TLS12_PRF, ALG_TLS12_PSK_TO_MS, ALG_HKDF, ALG_HKDF_EXTRACT, ALG_HKDF_EXPAND and ALG_PBKDF2 rely on HMAC operations through the driver interface. Thus if one of these algorithms is enabled and not accelerated, we need ALG_HMAC to be enabled (PSA_WANT_ALG_HMAC and PSA_WANT_KEY_TYPE_HMAC defined). As HMAC operations occur through the driver interface, HMAC operations can be accelerated even if the caller algorithm is not. Signed-off-by: Ronald Cron --- .../mbedtls/config_adjust_legacy_from_psa.h | 6 ------ .../psa/crypto_adjust_config_dependencies.h | 18 ++++++++++++------ 2 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 0091e246b..0e4759de7 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h 
@@ -498,7 +498,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ @@ -509,7 +508,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */ #endif /* PSA_WANT_ALG_HKDF_EXTRACT */ @@ -520,7 +518,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */ #endif /* PSA_WANT_ALG_HKDF_EXPAND */ @@ -630,9 +627,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1 #define PSA_HAVE_SOFT_PBKDF2_HMAC 1 -#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ #endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h index ffca8ca37..ac6344d89 100644 --- a/include/psa/crypto_adjust_config_dependencies.h +++ b/include/psa/crypto_adjust_config_dependencies.h 
@@ -14,12 +14,18 @@ #ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H #define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H -#if defined(PSA_WANT_ALG_TLS12_PRF) || \ - defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) || \ - defined(PSA_WANT_ALG_HKDF) || \ - defined(PSA_WANT_ALG_HKDF_EXTRACT) || \ - defined(PSA_WANT_ALG_HKDF_EXPAND) || \ - defined(PSA_WANT_ALG_PBKDF2_HMAC) +#if (defined(PSA_WANT_ALG_TLS12_PRF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \ + (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \ + (defined(PSA_WANT_ALG_HKDF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \ + (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \ + (defined(PSA_WANT_ALG_HKDF_EXPAND) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \ + (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)) #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_KEY_TYPE_HMAC 1 #endif From c4c8bdf32e60a3592b17d6da013e9d779bbc3bff Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 17 May 2024 13:11:24 +0200 Subject: [PATCH 20/23] Fix PBKDF2_AES_CMAC_PRF_128 dependencies Signed-off-by: Ronald Cron --- include/psa/crypto_adjust_config_dependencies.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h index ac6344d89..aeedf681b 100644 --- a/include/psa/crypto_adjust_config_dependencies.h +++ b/include/psa/crypto_adjust_config_dependencies.h @@ -30,7 +30,8 @@ #define PSA_WANT_KEY_TYPE_HMAC 1 #endif -#if defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) +#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)) #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_ALG_CMAC 1 #endif From b48c8704e61e04ba8dc93cc1cb22f9a6e71119ad Mon Sep 17 00:00:00 2001 
From: Ronald Cron Date: Fri, 17 May 2024 13:18:52 +0200 Subject: [PATCH 21/23] Fix crypto_adjust_config_dependencies.h documentation Signed-off-by: Ronald Cron --- include/psa/crypto_adjust_config_dependencies.h | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h index aeedf681b..5a22205bf 100644 --- a/include/psa/crypto_adjust_config_dependencies.h +++ b/include/psa/crypto_adjust_config_dependencies.h @@ -2,9 +2,13 @@ * \file psa/crypto_adjust_config_dependencies.h * \brief Adjust PSA configuration by resolving some dependencies. * + * This is an internal header. Do not include it directly. + * * See docs/proposed/psa-conditional-inclusion-c.md. - * If a cryptographic mechanism A depends on a cryptographic mechanism B and - * A is enabled then enable B. + * If the Mbed TLS implementation of a cryptographic mechanism A depends on a + * cryptographic mechanism B then if the cryptographic mechanism A is enabled + * and not accelerated enable B. Note that if A is enabled and accelerated, it + * is not necessary to enable B for A support. */ /* * Copyright The Mbed TLS Contributors From ca6b1e9df3596bbc88291582c65ccf382b0498f0 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 17 May 2024 13:25:12 +0200 Subject: [PATCH 22/23] Adjust crypto-config-thread.h Signed-off-by: Ronald Cron --- configs/crypto-config-thread.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 4ba8b5eb4..3c5fe247c 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h 
@@ -16,6 +16,8 @@ * - no RSA or classic DH, fully based on ECC * - no X.509 * - support for experimental EC J-PAKE key exchange + * - support for PBKDF2-AES-CMAC-PRF-128 password-hashing or key-stretching + * algorithm. * * To be used in conjunction with configs/config-thread.h. * See README.txt for usage instructions. @@ -25,10 +27,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_CMAC 1 #define PSA_WANT_ALG_ECB_NO_PADDING 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_JPAKE 1 +#define PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS 1 @@ -41,4 +43,5 @@ #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT 1 #define PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE 1 + #endif /* PSA_CRYPTO_CONFIG_H */ From b30cd3bb8f57e0c478a6dc14d4785fa08541a61d Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Fri, 17 May 2024 14:11:31 +0200 Subject: [PATCH 23/23] Improve test-ref-configs.pl Signed-off-by: Ronald Cron --- tests/scripts/test-ref-configs.pl | 13 +++---------- 1 file changed, 3 insertions(+), 10 deletions(-) diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index edd778a11..5557de327 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -142,16 +142,9 @@ sub perform_test { } foreach my $conf ( @configs_to_test ) { - my $test_with_psa = 0; - - open(CONFIG_FILE, "<", "configs/$conf") or die "Opening config file '$conf': $!"; - while (my $line = ) { - if ($line =~ /^\/\/#define MBEDTLS_USE_PSA_CRYPTO/) { - $test_with_psa = 1; - last; - } - } - close(CONFIG_FILE); + system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null"); + die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100; + my $test_with_psa = $? == 0; if ( $test_with_psa ) {
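Review bot: Removing `#define PSA_WANT_ALG_CMAC 1` in the `@@ -25,10 +27,10 @@` hunk leaves CMAC to the automatic resolution in crypto_adjust_config_dependencies.h. After the earlier "Fix PBKDF2_AES_CMAC_PRF_128 dependencies" commit, that resolution applies only when `MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128` is not defined. In a build that accelerates PBKDF2-AES-CMAC-PRF-128, this configuration would therefore stop requesting standalone CMAC, which it previously enabled explicitly. If code built with the Thread configuration can call CMAC directly, the explicit line should stay. Otherwise a comment such as `/* AES-CMAC is pulled in by PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 when that algorithm is built in */` would record why it is absent.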
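Review bot: The new `system("grep ... configs/$conf > /dev/null")` hands one interpolated string to the shell, whereas the removed code read the file with three-argument `open` and involved no shell, so a config name with spaces or shell metacharacters would now be split or interpreted. Where `@configs_to_test` is filled lies outside the hunk, so I cannot tell whether names can come from the command line, but the list form sidesteps the question: `system('grep', '-q', '--', '//#define MBEDTLS_USE_PSA_CRYPTO', "configs/$conf");`. The `die` message prints `$!`, which is only meaningful when `$?` is -1; `die "grep ... configs/$conf: status $?" if $? != 0 && $? != 0x100;` reports what actually failed. The pattern is also no longer anchored to the start of the line as the old `^` match was. The `foreach` body continues past the end of the hunk.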