Crypto: Upgrade mbedtls to v3.0.0
- Remove deprecated macros and functions
- Enable SHA-224 cryptographic hash algorithm by 'define
MBEDTLS_SHA224_C'
- Enable SHA-384 cryptographic hash algorithm by 'define
MBEDTLS_SHA384_C'
- 'psa_cipher_encrypt' and 'psa_cipher_decrypt' are supported by
mbedtls-3.0.0
- 'psa_mac_compute' and 'psa_mac_verify' are supported by mbedtls-3.0.0
- mbedtls-3.0.0 renames some internal mbedtls APIs; mcuboot needs to
align with them.
Change-Id: Ia868c93deceee6c8042607acf35ce2f4c9c15e35
Signed-off-by: Summer Qin <summer.qin@arm.com>
diff --git a/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
new file mode 100644
index 0000000..565a92e
--- /dev/null
+++ b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
@@ -0,0 +1,54 @@
+From e109c8ed57457a2bd62afcf21b5b99dd2a30edea Mon Sep 17 00:00:00 2001
+From: Summer Qin <summer.qin@arm.com>
+Date: Tue, 13 Jul 2021 17:46:47 +0800
+Subject: [PATCH] Disable export MbedTLSTargets
+
+Disable install MbedTLSConfig.cmake, MbedTLSConfigVersion.cmake and
+MbedTLSTargets.cmake. And Disable export MbedTLSTargets since this
+needs to configure some tfm target which for mbedtls to be exported.
+
+Signed-off-by: Summer Qin <summer.qin@arm.com>
+---
+ CMakeLists.txt | 26 --------------------------
+ 1 file changed, 26 deletions(-)
+
+diff --git a/CMakeLists.txt b/CMakeLists.txt
+index 3eef42ec..5ad56c81 100644
+--- a/CMakeLists.txt
++++ b/CMakeLists.txt
+@@ -307,32 +307,6 @@ if(ENABLE_TESTING)
+ endif()
+ endif()
+
+-configure_package_config_file(
+- "cmake/MbedTLSConfig.cmake.in"
+- "cmake/MbedTLSConfig.cmake"
+- INSTALL_DESTINATION "cmake")
+-
+-write_basic_package_version_file(
+- "cmake/MbedTLSConfigVersion.cmake"
+- COMPATIBILITY SameMajorVersion
+- VERSION 3.0.0)
+-
+-install(
+- FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
+- "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfigVersion.cmake"
+- DESTINATION "cmake")
+-
+-export(
+- EXPORT MbedTLSTargets
+- NAMESPACE MbedTLS::
+- FILE "cmake/MbedTLSTargets.cmake")
+-
+-install(
+- EXPORT MbedTLSTargets
+- NAMESPACE MbedTLS::
+- DESTINATION "cmake"
+- FILE "MbedTLSTargets.cmake")
+-
+ if(CMAKE_VERSION VERSION_GREATER 3.14)
+ # Do not export the package by default
+ cmake_policy(SET CMP0090 NEW)
+--
+2.17.1
+
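Review bot: The patch description never states which mbed TLS tag it was generated against, so the only hint is the removed `VERSION 3.0.0` line; a vendored patch series is much easier to rebase when the base is recorded, and I would add `Based on mbedtls v3.0.0` to the description. Dropping `install(EXPORT MbedTLSTargets ...)` and `export(EXPORT ...)` while presumably leaving the `install(TARGETS ... EXPORT MbedTLSTargets)` calls elsewhere in the file should configure fine, but a sentence saying the library is now consumed in-tree only would document the intent. Separately, this commit deletes the 0003-Fix-4162 patch without saying whether that error-code fix is included in 3.0.0 upstream; a line in the commit message confirming that would close the loop.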
diff --git a/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch b/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
deleted file mode 100644
index 6e127b9..0000000
--- a/lib/ext/mbedcrypto/0003-Fix-4162-Return-correct-error-type-for-invalid-key.patch
+++ /dev/null
@@ -1,64 +0,0 @@
-From 374c93c43f8c299adcee91cfbc90a15037317d18 Mon Sep 17 00:00:00 2001
-From: Maulik Patel <Maulik.Patel@arm.com>
-Date: Mon, 15 Mar 2021 14:48:14 +0000
-Subject: [PATCH 3/3] Fix:4162 Return correct error type for invalid key
-
-Return PSA_ERROR_INVALID_HANDLE instead of
-PSA_ERROR_DOES_NOT_EXIST if invalid key is passed for some key
-operations.
-
-Signed-off-by: Maulik Patel <Maulik.Patel@arm.com>
----
- library/psa_crypto_slot_management.c | 17 +++++++++++++----
- 1 file changed, 13 insertions(+), 4 deletions(-)
-
-diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c
-index dcbee31aa..b7e3442fb 100644
---- a/library/psa_crypto_slot_management.c
-+++ b/library/psa_crypto_slot_management.c
-@@ -305,13 +305,15 @@ psa_status_t psa_get_and_lock_key_slot( mbedtls_svc_key_id_t key,
-
- status = psa_load_persistent_key_into_slot( *p_slot );
- if( status != PSA_SUCCESS )
-+ {
- psa_wipe_key_slot( *p_slot );
--
-+ if( status == PSA_ERROR_DOES_NOT_EXIST )
-+ status = PSA_ERROR_INVALID_HANDLE;
-+ }
- return( status );
- #else
-- return( PSA_ERROR_DOES_NOT_EXIST );
-+ return( PSA_ERROR_INVALID_HANDLE );
- #endif /* defined(MBEDTLS_PSA_CRYPTO_STORAGE_C) */
--
- }
-
- psa_status_t psa_unlock_key_slot( psa_key_slot_t *slot )
-@@ -399,6 +401,9 @@ psa_status_t psa_open_key( mbedtls_svc_key_id_t key, psa_key_handle_t *handle )
- if( status != PSA_SUCCESS )
- {
- *handle = PSA_KEY_HANDLE_INIT;
-+ if( status == PSA_ERROR_INVALID_HANDLE )
-+ status = PSA_ERROR_DOES_NOT_EXIST;
-+
- return( status );
- }
-
-@@ -423,8 +428,12 @@ psa_status_t psa_close_key( psa_key_handle_t handle )
-
- status = psa_get_and_lock_key_slot_in_memory( handle, &slot );
- if( status != PSA_SUCCESS )
-- return( status );
-+ {
-+ if( status == PSA_ERROR_DOES_NOT_EXIST )
-+ status = PSA_ERROR_INVALID_HANDLE;
-
-+ return( status );
-+ }
- if( slot->lock_count <= 1 )
- return( psa_wipe_key_slot( slot ) );
- else
---
-2.25.1
-
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
index 60c42c2..b96670d 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_default.h
@@ -1784,6 +1784,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
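Review bot: The new `MBEDTLS_SHA224_C` block says SHA-224 requires `MBEDTLS_SHA256_C`, yet the context line right after it still describes `MBEDTLS_SHA256_C` as enabling `the SHA-224 and SHA-256 cryptographic hash algorithms`, so a reader of this header gets two contradictory statements about which option gates SHA-224. The same stale wording remains on the `MBEDTLS_SHA512_C` description (`the SHA-384 and SHA-512 ...`) in the following hunk, and in both hunks of the large, medium and small profile headers. I would change the two context lines to `Enable the SHA-256 cryptographic hash algorithm.` and `Enable the SHA-512 cryptographic hash algorithm.` in all four files so the documentation matches the split these defines introduce.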
@@ -1798,6 +1814,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
index b9738e6..d4e1875 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_large.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
index c1663d0..dd2d390 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_medium.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+//#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.
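Review bot: Leaving `MBEDTLS_SHA384_C` commented out in the medium profile makes SHA-384 unavailable even though the `MBEDTLS_SHA512_C` description a few lines below still advertises `the SHA-384 and SHA-512` algorithms, which is how SHA-384 was provided before this split. If anything built for the medium or small profile used SHA-384 (for example through PSA_ALG_SHA_384) it will now get a not-supported error at runtime rather than a build-time failure, so this deserves either a comment such as `/* SHA-384 intentionally disabled in this profile; SHA-512 remains if MBEDTLS_SHA512_C is set */` or a line in the commit message stating that SHA-384 is only enabled in the default and large configurations. The same applies to the small profile hunk. Whether `MBEDTLS_SHA512_C` is actually defined in these profiles is outside the hunk, so the SHA-512 part is an assumption to confirm.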
diff --git a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
index bbdc060..5b2feaf 100644
--- a/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
+++ b/lib/ext/mbedcrypto/mbedcrypto_config/tfm_mbedcrypto_config_profile_small.h
@@ -1779,6 +1779,22 @@
//#define MBEDTLS_SHA1_C
/**
+ * \def MBEDTLS_SHA224_C
+ *
+ * Enable the SHA-224 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA256_C. The library does not currently support enabling
+ * SHA-224 without SHA-256.
+ *
+ * Module: library/sha256.c
+ * Caller: library/md.c
+ * library/ssl_cookie.c
+ *
+ * This module adds support for SHA-224.
+ */
+#define MBEDTLS_SHA224_C
+
+/**
* \def MBEDTLS_SHA256_C
*
* Enable the SHA-224 and SHA-256 cryptographic hash algorithms.
@@ -1793,6 +1809,22 @@
#define MBEDTLS_SHA256_C
/**
+ * \def MBEDTLS_SHA384_C
+ *
+ * Enable the SHA-384 cryptographic hash algorithm.
+ *
+ * Requires: MBEDTLS_SHA512_C
+ *
+ * Module: library/sha512.c
+ * Caller: library/md.c
+ * library/ssl_cli.c
+ * library/ssl_srv.c
+ *
+ * Comment to disable SHA-384
+ */
+//#define MBEDTLS_SHA384_C
+
+/**
* \def MBEDTLS_SHA512_C
*
* Enable the SHA-384 and SHA-512 cryptographic hash algorithms.