Merge pull request #8489 from valeriosetti/issue8482
Make CCM* and CCM independent
diff --git a/ChangeLog.d/8482.txt b/ChangeLog.d/8482.txt
new file mode 100644
index 0000000..a392232
--- /dev/null
+++ b/ChangeLog.d/8482.txt
@@ -0,0 +1,6 @@
+Changes
+ * PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG are no more synonyms and
+ they are now treated separately. This means that they should be
+ individually enabled in order to enable respective support; also the
+ corresponding MBEDTLS_PSA_ACCEL symbol should be defined in case
+ acceleration is required.
diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h
index 6356bdd..bf87c36 100644
--- a/include/mbedtls/config_adjust_legacy_from_psa.h
+++ b/include/mbedtls/config_adjust_legacy_from_psa.h
@@ -847,11 +847,20 @@
defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
#define MBEDTLS_PSA_BUILTIN_ALG_CCM 1
-#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
#define MBEDTLS_CCM_C
#endif
#endif /* PSA_WANT_ALG_CCM */
+#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+#if !defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_ARIA) || \
+ defined(PSA_HAVE_SOFT_KEY_TYPE_CAMELLIA)
+#define MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG 1
+#define MBEDTLS_CCM_C
+#endif
+#endif /* PSA_WANT_ALG_CCM_STAR_NO_TAG */
+
#if defined(PSA_WANT_ALG_GCM)
#if !defined(MBEDTLS_PSA_ACCEL_ALG_GCM) || \
defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \
diff --git a/include/psa/crypto_adjust_config_synonyms.h b/include/psa/crypto_adjust_config_synonyms.h
index cf33465..332b622 100644
--- a/include/psa/crypto_adjust_config_synonyms.h
+++ b/include/psa/crypto_adjust_config_synonyms.h
@@ -24,12 +24,6 @@
#define PSA_WANT_ALG_ECDSA_ANY PSA_WANT_ALG_ECDSA
#endif
-#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && !defined(PSA_WANT_ALG_CCM)
-#define PSA_WANT_ALG_CCM PSA_WANT_ALG_CCM_STAR_NO_TAG
-#elif !defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && defined(PSA_WANT_ALG_CCM)
-#define PSA_WANT_ALG_CCM_STAR_NO_TAG PSA_WANT_ALG_CCM
-#endif
-
#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
#define PSA_WANT_ALG_RSA_PKCS1V15_SIGN PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW
#elif !defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW) && defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
diff --git a/library/ssl_misc.h b/library/ssl_misc.h
index 4ddd9c4..8482ee1 100644
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@@ -255,8 +255,7 @@
#if defined(MBEDTLS_SSL_HAVE_CBC) && \
(defined(MBEDTLS_SSL_HAVE_AES) || \
defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
- defined(MBEDTLS_SSL_HAVE_ARIA) || \
- defined(MBEDTLS_DES_C))
+ defined(MBEDTLS_SSL_HAVE_ARIA))
#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
#endif
diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h
index 5ee949a..768a9a6 100644
--- a/tests/include/test/drivers/crypto_config_test_driver_extension.h
+++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h
@@ -537,6 +537,14 @@
#endif
#endif
+#if defined(PSA_WANT_ALG_CCM_STAR_NO_TAG)
+#if defined(MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG)
+#undef MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG
+#else
+#define MBEDTLS_PSA_ACCEL_ALG_CCM_STAR_NO_TAG 1
+#endif
+#endif
+
#if defined(PSA_WANT_ALG_CBC_MAC)
#if defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC)
#undef MBEDTLS_PSA_ACCEL_ALG_CBC_MAC
diff --git a/tests/include/test/psa_exercise_key.h b/tests/include/test/psa_exercise_key.h
index 0f3ee3d..a658d17 100644
--- a/tests/include/test/psa_exercise_key.h
+++ b/tests/include/test/psa_exercise_key.h
@@ -46,12 +46,13 @@
*
* For simplicity's sake, stick to block ciphers with 16-byte blocks.
*/
-#if defined(MBEDTLS_AES_C)
+#if defined(PSA_WANT_KEY_TYPE_AES)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_AES
-#elif defined(MBEDTLS_ARIA_C)
+#elif defined(PSA_WANT_KEY_TYPE_ARIA)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_ARIA
-#elif defined(MBEDTLS_CAMELLIA_C)
+#elif defined(PSA_WANT_KEY_TYPE_CAMELLIA)
#define KNOWN_SUPPORTED_BLOCK_CIPHER PSA_KEY_TYPE_CAMELLIA
+#else
#undef KNOWN_SUPPORTED_BLOCK_CIPHER
#endif
@@ -81,13 +82,13 @@
*
* This is used in some smoke tests.
*/
-#if defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CTR)
+#if defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CTR)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CTR
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CBC)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CBC_NO_PADDING
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_CFB)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_CFB)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_CFB
-#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(MBEDTLS_CIPHER_MODE_OFB)
+#elif defined(KNOWN_SUPPORTED_BLOCK_CIPHER) && defined(PSA_WANT_ALG_OFB)
#define KNOWN_SUPPORTED_BLOCK_CIPHER_ALG PSA_ALG_OFB
#else
#undef KNOWN_SUPPORTED_BLOCK_CIPHER_ALG
diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh
index b3bb3f1..929b093 100755
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@@ -1635,6 +1635,59 @@
common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER"
}
+component_test_full_no_ccm() {
+ msg "build: full no PSA_WANT_ALG_CCM"
+
+ # Full config enables:
+ # - USE_PSA_CRYPTO so that TLS code dispatches cipher/AEAD to PSA
+ # - CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
+ scripts/config.py full
+
+ # Disable PSA_WANT_ALG_CCM so that CCM is not supported in PSA. CCM_C is still
+ # enabled, but not used from TLS since USE_PSA is set.
+ # This is helpful to ensure that TLS tests below have proper dependencies.
+ #
+ # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
+ # PSA_WANT_ALG_CCM to be re-enabled.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
+
+ make
+
+ msg "test: full no PSA_WANT_ALG_CCM"
+ make test
+}
+
+component_test_full_no_ccm_star_no_tag() {
+ msg "build: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
+
+ # Full config enables CRYPTO_CONFIG so that PSA_WANT config symbols are evaluated
+ scripts/config.py full
+
+ # Disable CCM_STAR_NO_TAG, which is the target of this test, as well as all
+ # other components that enable MBEDTLS_PSA_BUILTIN_CIPHER internal symbol.
+ # This basically disables all unauthenticated ciphers on the PSA side, while
+ # keeping AEADs enabled.
+ #
+ # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
+ # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
+
+ make
+
+ # Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
+ not grep mbedtls_psa_cipher library/psa_crypto_cipher.o
+
+ msg "test: full no PSA_WANT_ALG_CCM_STAR_NO_TAG"
+ make test
+}
+
component_test_full_no_bignum () {
msg "build: full minus bignum"
scripts/config.py full
@@ -3649,6 +3702,9 @@
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
+ # Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
+ scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
+
# Build
# -----
@@ -3694,7 +3750,7 @@
msg "build: full config with accelerated cipher and AEAD"
loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
- ALG_OFB ALG_XTS ALG_STREAM_CIPHER \
+ ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"