Merge pull request #3712 from jdurkop/psa-crypto-config-ecdsa-3670
Introduce MBEDTLS_PSA_CRYPTO_CONFIG and use it for ECDSA
diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h
index b77b34b..48e8855 100644
--- a/include/mbedtls/config.h
+++ b/include/mbedtls/config.h
@@ -864,7 +864,7 @@
* may result in a compromise of the long-term signing key. This is avoided by
* the deterministic variant.
*
- * Requires: MBEDTLS_HMAC_DRBG_C
+ * Requires: MBEDTLS_HMAC_DRBG_C, MBEDTLS_ECDSA_C
*
* Comment this macro to disable deterministic ECDSA.
*/
@@ -1330,7 +1330,7 @@
*
* Enable support for the experimental PSA crypto driver interface.
*
- * Requires: MBEDTLS_PSA_CRYPTO_C.
+ * Requires: MBEDTLS_PSA_CRYPTO_C
*
* \warning This interface is experimental and may change or be removed
* without notice.
@@ -2020,6 +2020,20 @@
//#define MBEDTLS_USE_PSA_CRYPTO
/**
+ * \def MBEDTLS_PSA_CRYPTO_CONFIG
+ *
+ * This setting allows support for cryptographic mechanisms through the PSA
+ * API to be configured separately from support through the mbedtls API.
+ *
+ * Uncomment this to enable use of PSA Crypto configuration settings which
+ * can be found in include/psa/crypto_config.h
+ *
+ * This feature is still experimental and is not ready for production since
+ * it is not completed.
+ */
+//#define MBEDTLS_PSA_CRYPTO_CONFIG
+
+/**
* \def MBEDTLS_VERSION_FEATURES
*
* Allow run-time checking of compile-time enabled features. Thus allowing users
@@ -3811,6 +3825,8 @@
#include MBEDTLS_USER_CONFIG_FILE
#endif
+#include "mbedtls/config_psa.h"
+
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_CONFIG_H */
diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h
new file mode 100644
index 0000000..6af4d19
--- /dev/null
+++ b/include/mbedtls/config_psa.h
@@ -0,0 +1,82 @@
+/**
+ * \file mbedtls/config_psa.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ * This set of compile-time options takes settings defined in
+ * include/mbedtls/config.h and include/psa/crypto_config.h and uses
+ * those definitions to define symbols used in the library code.
+ *
+ * Users and integrators should not edit this file, please edit
+ * include/mbedtls/config.h for MBETLS_XXX settings or
+ * include/psa/crypto_config.h for PSA_WANT_XXX settings.
+ */
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef MBEDTLS_CONFIG_PSA_H
+#define MBEDTLS_CONFIG_PSA_H
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+#include "psa/crypto_config.h"
+#endif /* defined(MBEDTLS_PSA_CRYPTO_CONFIG) */
+
+#ifdef __cplusplus
+extern "C" {
+#endif
+
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+
+#if defined(PSA_WANT_ALG_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA 1
+#define MBEDTLS_ECDSA_C
+#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDSA */
+#endif /* PSA_WANT_ALG_ECDSA */
+
+#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA 1
+#define MBEDTLS_ECDSA_DETERMINISTIC
+#define MBEDTLS_ECDSA_C
+#define MBEDTLS_HMAC_DRBG_C
+#define MBEDTLS_MD_C
+#endif /* MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA */
+#endif /* PSA_WANT_ALG_DETERMINISTIC_ECDSA */
+
+#else /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+/*
+ * Ensure PSA_WANT_* defines are setup properly if MBEDTLS_PSA_CRYPTO_CONFIG
+ * is not defined
+ */
+#if defined(MBEDTLS_ECDSA_C)
+#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
+
+// Only add in DETERMINISTIC support if ECDSA is also enabled
+#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
+#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+
+#endif /* MBEDTLS_ECDSA_C */
+
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
+#ifdef __cplusplus
+}
+#endif
+
+#endif /* MBEDTLS_CONFIG_PSA_H */
diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h
new file mode 100644
index 0000000..8dbb18d
--- /dev/null
+++ b/include/psa/crypto_config.h
@@ -0,0 +1,56 @@
+/**
+ * \file psa/crypto_config.h
+ * \brief PSA crypto configuration options (set of defines)
+ *
+ */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+/**
+ * When #MBEDTLS_PSA_CRYPTO_CONFIG is enabled in config.h,
+ * this file determines which cryptographic mechanisms are enabled
+ * through the PSA Cryptography API (\c psa_xxx() functions).
+ *
+ * To enable a cryptographic mechanism, uncomment the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * To disable a cryptographic mechanism, comment out the definition of
+ * the corresponding \c PSA_WANT_xxx preprocessor symbol.
+ * The names of cryptographic mechanisms correspond to values
+ * defined in psa/crypto_values.h, with the prefix \c PSA_WANT_ instead
+ * of \c PSA_.
+ *
+ * Note that many cryptographic mechanisms involve two symbols: one for
+ * the key type (\c PSA_WANT_KEY_TYPE_xxx) and one for the algorithm
+ * (\c PSA_WANT_ALG_xxx). Mechanisms with additional parameters may involve
+ * additional symbols.
+ */
+#else
+/**
+ * When \c MBEDTLS_PSA_CRYPTO_CONFIG is disabled in config.h,
+ * this file is not used, and cryptographic mechanisms are supported
+ * through the PSA API if and only if they are supported through the
+ * mbedtls_xxx API.
+ */
+#endif
+/*
+ * Copyright The Mbed TLS Contributors
+ * SPDX-License-Identifier: Apache-2.0
+ *
+ * Licensed under the Apache License, Version 2.0 (the "License"); you may
+ * not use this file except in compliance with the License.
+ * You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing, software
+ * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ * See the License for the specific language governing permissions and
+ * limitations under the License.
+ */
+
+#ifndef PSA_CRYPTO_CONFIG_H
+#define PSA_CRYPTO_CONFIG_H
+
+#define PSA_WANT_ALG_ECDSA 1
+#define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1
+
+#endif /* PSA_CRYPTO_CONFIG_H */
diff --git a/library/psa_crypto.c b/library/psa_crypto.c
index ddb03fc..b69658c 100644
--- a/library/psa_crypto.c
+++ b/library/psa_crypto.c
@@ -2261,7 +2261,7 @@
/* Message digests */
/****************************************************************/
-#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
{
switch( alg )
@@ -2304,7 +2304,7 @@
return( NULL );
}
}
-#endif
+#endif /* defined(MBEDTLS_RSA_C) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
psa_status_t psa_hash_abort( psa_hash_operation_t *operation )
{
@@ -3535,7 +3535,7 @@
}
#endif /* MBEDTLS_RSA_C */
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
/* `ecp` cannot be const because `ecp->grp` needs to be non-const
* for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
* (even though these functions don't modify it). */
@@ -3559,7 +3559,7 @@
goto cleanup;
}
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
{
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
@@ -3572,7 +3572,7 @@
&global_data.ctr_drbg ) );
}
else
-#endif /* MBEDTLS_ECDSA_DETERMINISTIC */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
{
(void) alg;
MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
@@ -3634,7 +3634,7 @@
mbedtls_mpi_free( &s );
return( mbedtls_to_psa_error( ret ) );
}
-#endif /* MBEDTLS_ECDSA_C */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA */
psa_status_t psa_sign_hash( psa_key_handle_t handle,
psa_algorithm_t alg,
@@ -3703,9 +3703,9 @@
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA)
if(
-#if defined(MBEDTLS_ECDSA_DETERMINISTIC)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
PSA_ALG_IS_ECDSA( alg )
#else
PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
@@ -3728,7 +3728,7 @@
mbedtls_free( ecp );
}
else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) */
{
status = PSA_ERROR_INVALID_ARGUMENT;
}
@@ -3804,7 +3804,7 @@
#if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{
-#if defined(MBEDTLS_ECDSA_C)
+#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA)
if( PSA_ALG_IS_ECDSA( alg ) )
{
mbedtls_ecp_keypair *ecp = NULL;
@@ -3822,7 +3822,7 @@
return( status );
}
else
-#endif /* defined(MBEDTLS_ECDSA_C) */
+#endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) */
{
return( PSA_ERROR_INVALID_ARGUMENT );
}
diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c
index f19f559..d653137 100644
--- a/library/psa_crypto_driver_wrappers.c
+++ b/library/psa_crypto_driver_wrappers.c
@@ -617,7 +617,7 @@
#endif /* PSA_CRYPTO_DRIVER_TEST */
default:
/* Key is declared with a lifetime not known to us */
- return( PSA_ERROR_BAD_STATE );
+ return( PSA_ERROR_NOT_SUPPORTED );
}
#else /* PSA_CRYPTO_DRIVER_PRESENT */
(void)slot;
@@ -698,7 +698,7 @@
#endif /* PSA_CRYPTO_DRIVER_TEST */
default:
/* Key is declared with a lifetime not known to us */
- return( PSA_ERROR_BAD_STATE );
+ return( PSA_ERROR_NOT_SUPPORTED );
}
#else /* PSA_CRYPTO_DRIVER_PRESENT */
(void)slot;
diff --git a/library/version_features.c b/library/version_features.c
index 478d8fa..62b0553 100644
--- a/library/version_features.c
+++ b/library/version_features.c
@@ -576,6 +576,9 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
"MBEDTLS_USE_PSA_CRYPTO",
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+ "MBEDTLS_PSA_CRYPTO_CONFIG",
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
#if defined(MBEDTLS_VERSION_FEATURES)
"MBEDTLS_VERSION_FEATURES",
#endif /* MBEDTLS_VERSION_FEATURES */
diff --git a/programs/test/query_config.c b/programs/test/query_config.c
index 8873734..c35502f 100644
--- a/programs/test/query_config.c
+++ b/programs/test/query_config.c
@@ -1592,6 +1592,14 @@
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
+#if defined(MBEDTLS_PSA_CRYPTO_CONFIG)
+ if( strcmp( "MBEDTLS_PSA_CRYPTO_CONFIG", config ) == 0 )
+ {
+ MACRO_EXPANSION_TO_STR( MBEDTLS_PSA_CRYPTO_CONFIG );
+ return( 0 );
+ }
+#endif /* MBEDTLS_PSA_CRYPTO_CONFIG */
+
#if defined(MBEDTLS_VERSION_FEATURES)
if( strcmp( "MBEDTLS_VERSION_FEATURES", config ) == 0 )
{
diff --git a/scripts/config.py b/scripts/config.py
index 017bba0..6c29981 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -184,6 +184,7 @@
'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum
'MBEDTLS_PKCS11_C', # build dependency (libpkcs11-helper)
'MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', # removes a feature
+ 'MBEDTLS_PSA_CRYPTO_CONFIG', # toggles old/new style PSA config
'MBEDTLS_PSA_CRYPTO_SPM', # platform dependency (PSA SPM)
'MBEDTLS_PSA_INJECT_ENTROPY', # build dependency (hook functions)
'MBEDTLS_REMOVE_3DES_CIPHERSUITES', # removes a feature
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index 0072d34..757a9ec 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1290,6 +1290,51 @@
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
}
+component_test_psa_crypto_config_basic() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG
+ msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG"
+ make test
+}
+
+component_test_psa_crypto_config_no_driver() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG
+ msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py unset MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS"
+
+ msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS"
+ make test
+}
+
+# This should be renamed to test and updated once the accelerator ECDSA code is in place and ready to test.
+component_build_psa_want_ecdsa_disabled_software() {
+ # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_ECDSA
+ # without MBEDTLS_ECDSA_C
+ # PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_DETERMINISTIC_ECDSA are already
+ # set in include/psa/crypto_config.h
+ msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDSA without MBEDTLS_ECDSA_C"
+ scripts/config.py full
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
+ scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
+ scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
+ scripts/config.py unset MBEDTLS_ECDSA_C
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+ scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
+ # Need to define the correct symbol and include the test driver header path in order to build with the test driver
+ make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DMBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
+}
+
component_test_check_params_functionality () {
msg "build+test: MBEDTLS_CHECK_PARAMS functionality"
scripts/config.py full # includes CHECK_PARAMS
diff --git a/tests/scripts/list-macros.sh b/tests/scripts/list-macros.sh
index 15d2590..a8617a0 100755
--- a/tests/scripts/list-macros.sh
+++ b/tests/scripts/list-macros.sh
@@ -30,4 +30,10 @@
| egrep -v '^(asm|inline|EMIT|_CRT_SECURE_NO_DEPRECATE)$|^MULADDC_' \
| sort -u > macros
+# For include/mbedtls/config_psa.h need to ignore the MBEDTLS_xxx define
+# in that file since they may not be defined in include/psa/crypto_config.h
+# This line renames the potentially missing defines to ones that should
+# be present.
+sed -ne 's/^MBEDTLS_PSA_BUILTIN_/MBEDTLS_PSA_ACCEL_/p' <macros >>macros
+
wc -l macros
diff --git a/tests/src/drivers/signature.c b/tests/src/drivers/signature.c
index 028d24a..cea0351 100644
--- a/tests/src/drivers/signature.c
+++ b/tests/src/drivers/signature.c
@@ -262,6 +262,8 @@
(void) alg;
(void) hash;
(void) hash_length;
+ (void) signature;
+ (void) signature_length;
#endif /* defined(MBEDTLS_ECDSA_C) && defined(MBEDTLS_ECDSA_DETERMINISTIC) && \
defined(MBEDTLS_SHA256_C) */
diff --git a/visualc/VS2010/mbedTLS.vcxproj b/visualc/VS2010/mbedTLS.vcxproj
index 3e9d14a..8870cc0 100644
--- a/visualc/VS2010/mbedTLS.vcxproj
+++ b/visualc/VS2010/mbedTLS.vcxproj
@@ -162,6 +162,7 @@
<ClInclude Include="..\..\include\mbedtls\cmac.h" />
<ClInclude Include="..\..\include\mbedtls\compat-1.3.h" />
<ClInclude Include="..\..\include\mbedtls\config.h" />
+ <ClInclude Include="..\..\include\mbedtls\config_psa.h" />
<ClInclude Include="..\..\include\mbedtls\ctr_drbg.h" />
<ClInclude Include="..\..\include\mbedtls\debug.h" />
<ClInclude Include="..\..\include\mbedtls\des.h" />
@@ -223,6 +224,7 @@
<ClInclude Include="..\..\include\psa\crypto.h" />
<ClInclude Include="..\..\include\psa\crypto_accel_driver.h" />
<ClInclude Include="..\..\include\psa\crypto_compat.h" />
+ <ClInclude Include="..\..\include\psa\crypto_config.h" />
<ClInclude Include="..\..\include\psa\crypto_driver_common.h" />
<ClInclude Include="..\..\include\psa\crypto_entropy_driver.h" />
<ClInclude Include="..\..\include\psa\crypto_extra.h" />