Merge pull request #10297 from ronald-cron-arm/remove-legacy-crypto-options-preparation-1

Remove legacy crypto options preparation-1
diff --git a/BRANCHES.md b/BRANCHES.md
index 78f8f69..8066297 100644
--- a/BRANCHES.md
+++ b/BRANCHES.md
@@ -25,8 +25,9 @@
 
 We will make regular LTS releases on an 18-month cycle, each of which will have
 a 3 year support lifetime. On this basis, 3.6 LTS (released March 2024) will be
-supported until March 2027. The next LTS release will be a 4.x release, which is
-planned for September 2025.
+supported until March 2027. The next LTS release will be a 4.x release. Due to
+the size and scope of the 4.0 release, the release date of the first 4.x LTS is
+yet to be determined.
 
 ## Backwards Compatibility for application code
 
diff --git a/programs/test/dlopen.c b/programs/test/dlopen.c
index bb7fba8..58a6af5 100644
--- a/programs/test/dlopen.c
+++ b/programs/test/dlopen.c
@@ -98,16 +98,41 @@
      * "gcc -std=c99 -pedantic" complains about it, but it is perfectly
      * fine on platforms that have dlsym(). */
 #pragma GCC diagnostic ignored "-Wpedantic"
-    const int *(*md_list)(void) =
-        dlsym(crypto_so, "mbedtls_md_list");
+    psa_status_t (*dyn_psa_crypto_init)(void) =
+        dlsym(crypto_so, "psa_crypto_init");
+    psa_status_t (*dyn_psa_hash_compute)(psa_algorithm_t, const uint8_t *, size_t, uint8_t *,
+                                         size_t, size_t *) =
+        dlsym(crypto_so, "psa_hash_compute");
+
 #pragma GCC diagnostic pop
-    CHECK_DLERROR("dlsym", "mbedtls_md_list");
-    const int *mds = md_list();
-    for (n = 0; mds[n] != 0; n++) {/* nothing to do, we're just counting */
-        ;
+    /* Demonstrate hashing a message with PSA Crypto */
+
+    CHECK_DLERROR("dlsym", "psa_crypto_init");
+    CHECK_DLERROR("dlsym", "psa_hash_compute");
+
+    psa_status_t status = dyn_psa_crypto_init();
+    if (status != PSA_SUCCESS) {
+        mbedtls_fprintf(stderr, "psa_crypto_init failed: %d\n", (int) status);
+        mbedtls_exit(MBEDTLS_EXIT_FAILURE);
     }
-    mbedtls_printf("dlopen(%s): %u hashes\n",
-                   crypto_so_filename, n);
+
+    const uint8_t input[] = "hello world";
+    uint8_t hash[32]; // Buffer to hold the output hash
+    size_t hash_len = 0;
+
+    status = dyn_psa_hash_compute(PSA_ALG_SHA_256,
+                                  input, sizeof(input) - 1,
+                                  hash, sizeof(hash),
+                                  &hash_len);
+    if (status != PSA_SUCCESS) {
+        mbedtls_fprintf(stderr, "psa_hash_compute failed: %d\n", (int) status);
+        mbedtls_exit(MBEDTLS_EXIT_FAILURE);
+    }
+
+    mbedtls_printf("dlopen(%s): psa_hash_compute succeeded. SHA-256 output length: %zu\n",
+                   crypto_so_filename, hash_len);
+
+
     dlclose(crypto_so);
     CHECK_DLERROR("dlclose", crypto_so_filename);
 #endif  /* MBEDTLS_MD_C */
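Review bot: Both `CHECK_DLERROR("dlsym", …)` calls run only after the second `dlsym()`, so a failed lookup of `psa_crypto_init` is not checked before `psa_hash_compute` is looked up. If `CHECK_DLERROR` is built on `dlerror()` (its definition is outside this hunk), the later successful lookup can clear the earlier error on some implementations, and `dyn_psa_crypto_init` would then be called as a null pointer. Moving `CHECK_DLERROR("dlsym", "psa_crypto_init");` to directly after the first `dlsym()` keeps each check paired with its call. The block also still closes with `#endif /* MBEDTLS_MD_C */` although it no longer uses the MD API, so the guard, which opens outside the hunk, probably wants to follow the PSA hash configuration instead. The demo prints only `hash_len`; comparing it with `sizeof(hash)` would make the check slightly stronger.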
diff --git a/programs/test/selftest.c b/programs/test/selftest.c
index 8516f3a..372a84d 100644
--- a/programs/test/selftest.c
+++ b/programs/test/selftest.c
@@ -21,7 +21,6 @@
 #include "mbedtls/sha256.h"
 #include "mbedtls/sha512.h"
 #include "mbedtls/sha3.h"
-#include "mbedtls/des.h"
 #include "mbedtls/aes.h"
 #include "mbedtls/camellia.h"
 #include "mbedtls/aria.h"
@@ -296,9 +295,6 @@
     defined(PSA_WANT_ALG_SHA3_512)
     { "sha3", mbedtls_sha3_self_test },
 #endif
-#if defined(MBEDTLS_DES_C)
-    { "des", mbedtls_des_self_test },
-#endif
 #if defined(MBEDTLS_AES_C)
     { "aes", mbedtls_aes_self_test },
 #endif
@@ -448,7 +444,8 @@
             }                                                           \
         } else {                                                        \
             mbedtls_printf("Padding checks only implemented for types of size 2, 4 or 8" \
-                           " - cannot check type '" #TYPE "' of size %" MBEDTLS_PRINTF_SIZET "\n",       \
+                           " - cannot check type '" #TYPE "' of size %" MBEDTLS_PRINTF_SIZET \
+                           "\n",       \
                            sizeof(TYPE));                                       \
             mbedtls_exit(MBEDTLS_EXIT_FAILURE);                       \
         }                                                               \
diff --git a/scripts/config.py b/scripts/config.py
index e5182a6..a61e9f6 100755
--- a/scripts/config.py
+++ b/scripts/config.py
@@ -75,7 +75,7 @@
     #pylint: disable=line-too-long
     'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY
     'MBEDTLS_AES_USE_HARDWARE_ONLY', # hardware dependency
-    'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES
+    'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW
     'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256
     'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
     'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
diff --git a/scripts/generate_errors.pl b/scripts/generate_errors.pl
index 6912679..dab3a0c 100755
--- a/scripts/generate_errors.pl
+++ b/scripts/generate_errors.pl
@@ -52,6 +52,10 @@
 
 my @files = glob qq("$crypto_include_dir/*.h");
 push(@files, glob qq("$tls_include_dir/*.h"));
+
+push(@files, glob qq("$crypto_include_dir/private/*.h"));
+push(@files, glob qq("$tls_include_dir/private/*.h"));
+
 my @necessary_include_files;
 my @matches;
 foreach my $file (@files) {
@@ -85,7 +89,7 @@
         $description =~ s/^\s+//;
         $description =~ s/\n( *\*)? */ /g;
         $description =~ s/\.?\s+$//;
-        push @matches, [$name, $value, $description];
+        push @matches, [$name, $value, $description, scalar($file =~ /^.*private\/[^\/]+$/)];
         ++$found;
     }
     if ($found) {
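Review bot: The pattern `/^.*private\/[^\/]+$/` is not anchored on a path separator before `private`, so any header whose parent directory name merely ends in `private` is flagged as private. `scalar($file =~ m{(?:\A|/)private/[^/]+\z})` ties the match to a directory named exactly `private` and avoids the escaped slashes. A short comment on the fourth array element, for example `# true when the header lives in a private/ subdirectory`, would help, since the consumer unpacks it positionally further down. The enclosing loop starts and ends outside this hunk.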
@@ -109,7 +113,7 @@
 
 foreach my $match (@matches)
 {
-    my ($error_name, $error_code, $description) = @$match;
+    my ($error_name, $error_code, $description, $is_private_header) = @$match;
 
     die "Duplicated error code: $error_code ($error_name)\n"
         if( $error_codes_seen{$error_code}++ );
@@ -203,6 +207,11 @@
                               if ($include_name ne "");
         }
         ${$code_check} .= "\n";
+
+        if ($is_private_header) {
+            $include_name = "private/" . $include_name;
+        }
+
         $headers .= "\n#include \"mbedtls/${include_name}.h\"\n".
                     "#endif\n\n" if ($include_name ne "");
         ${$old_define_name}   = $define_name;
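Review bot: `$include_name` is prefixed with `private/` before the `if ($include_name ne "")` guard on the `$headers` statement, so for a private header with an empty `$include_name` the guard would now pass and emit `#include "mbedtls/private/.h"`. Whether an empty name can reach this point together with `$is_private_header` is not visible in the hunk, but the same guard on the context line above suggests it can be empty; `if ($is_private_header && $include_name ne "")` keeps the original behaviour. The flag also appears to come from whichever match first opens the module's block, which assumes a module's error codes never span both a public and a private header. The enclosing block starts outside the hunk.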
diff --git a/tests/compat.sh b/tests/compat.sh
index 975d8dc..a11fffd 100755
--- a/tests/compat.sh
+++ b/tests/compat.sh
@@ -599,11 +599,6 @@
         *) O_SUPPORT_STATIC_ECDH="NO";;
     esac
 
-    case $($OPENSSL ciphers ALL) in
-        *DES-CBC-*) O_SUPPORT_SINGLE_DES="YES";;
-        *) O_SUPPORT_SINGLE_DES="NO";;
-    esac
-
     # OpenSSL <1.0.2 doesn't support DTLS 1.2. Check if OpenSSL
     # supports -dtls1_2 from the s_server help. (The s_client
     # help isn't accurate as of 1.0.2g: it supports DTLS 1.2
diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh
index b2ea2b3..bb0375a 100644
--- a/tests/scripts/components-configuration-crypto.sh
+++ b/tests/scripts/components-configuration-crypto.sh
@@ -1735,53 +1735,6 @@
     make test
 }
 
-component_test_psa_crypto_config_accel_des () {
-    msg "test: accelerated DES"
-
-    # Albeit this components aims at accelerating DES which should only support
-    # CBC and ECB modes, we need to accelerate more than that otherwise DES_C
-    # would automatically be re-enabled by "config_adjust_legacy_from_psa.c"
-    loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \
-                    ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \
-                    KEY_TYPE_DES"
-
-    # Note: we cannot accelerate all ciphers' key types otherwise we would also
-    # have to either disable CCM/GCM or accelerate them, but that's out of scope
-    # of this component. This limitation will be addressed by #8598.
-
-    # Configure
-    # ---------
-
-    # Start from the full config
-    helper_libtestdriver1_adjust_config "full"
-
-    # Disable the things that are being accelerated
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
-    scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
-    scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
-    scripts/config.py unset MBEDTLS_DES_C
-    scripts/config.py unset MBEDTLS_CMAC_C
-
-    # Build
-    # -----
-
-    helper_libtestdriver1_make_drivers "$loc_accel_list"
-
-    helper_libtestdriver1_make_main "$loc_accel_list"
-
-    # Make sure this was not re-enabled by accident (additive config)
-    not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
-
-    # Run the tests
-    # -------------
-
-    msg "test: accelerated DES"
-    make test
-}
-
 component_test_psa_crypto_config_accel_aead () {
     msg "test: accelerated AEAD"
 
@@ -1842,7 +1795,7 @@
     loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
                     ALG_OFB ALG_XTS ALG_STREAM_CIPHER ALG_CCM_STAR_NO_TAG \
                     ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \
-                    KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
+                    KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA"
 
     # Configure
     # ---------
@@ -1867,6 +1820,10 @@
     scripts/config.py unset MBEDTLS_CAMELLIA_C
     scripts/config.py unset MBEDTLS_POLY1305_C
 
+    # Disable DES, if it still exists.
+    # This can be removed once we remove DES from the library.
+    scripts/config.py unset PSA_WANT_KEY_TYPE_DES
+
     # Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
     # does not depend on it.
     scripts/config.py unset MBEDTLS_CIPHER_C
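Review bot: This `unset PSA_WANT_KEY_TYPE_DES` is called without `-c`, whereas the `PSA_WANT_*` changes visible in components-configuration-tls.sh use `scripts/config.py -c $CRYPTO_CONFIG_H unset …`; if config.py does not locate the crypto config on its own here, the command may silently change nothing. The following hunk also drops `not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o`, so nothing visible in this diff still confirms that DES is out of the build. The same three lines are repeated in the hunk at `@@ -1908,6 +1864,10 @@`, after the call to `common_psa_crypto_config_accel_cipher_aead_cmac`; placing the unset once in that shared helper would avoid the duplicate, assuming both components call it. The enclosing function starts and ends outside the hunk.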
@@ -1880,7 +1837,6 @@
 
     # Make sure this was not re-enabled by accident (additive config)
     not grep mbedtls_cipher ${BUILTIN_SRC_PATH}/cipher.o
-    not grep mbedtls_des ${BUILTIN_SRC_PATH}/des.o
     not grep mbedtls_aes ${BUILTIN_SRC_PATH}/aes.o
     not grep mbedtls_aria ${BUILTIN_SRC_PATH}/aria.o
     not grep mbedtls_camellia ${BUILTIN_SRC_PATH}/camellia.o
@@ -1908,6 +1864,10 @@
     msg "build: full config with non-accelerated cipher inc. AEAD and CMAC"
     common_psa_crypto_config_accel_cipher_aead_cmac
 
+    # Disable DES, if it still exists.
+    # This can be removed once we remove DES from the library.
+    scripts/config.py unset PSA_WANT_KEY_TYPE_DES
+
     make
 
     msg "test: full config with non-accelerated cipher inc. AEAD and CMAC"
@@ -2173,7 +2133,7 @@
     cd "$MBEDTLS_ROOT_DIR"
     msg "build: aes.o for all combinations of relevant config options + BLOCK_CIPHER_NO_DECRYPT"
 
-    # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW/DES,
+    # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is incompatible with ECB in PSA, CBC/XTS/NIST_KW,
     # manually set or unset those configurations to check
     # MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
     scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh
index 6b3f9c2..ff83157 100644
--- a/tests/scripts/components-configuration-tls.sh
+++ b/tests/scripts/components-configuration-tls.sh
@@ -63,7 +63,7 @@
     # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
     scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
-    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
     # Note: The unset below is to be removed for 4.0
     scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
@@ -96,7 +96,7 @@
     scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
     scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@@ -129,7 +129,7 @@
     scripts/config.py unset MBEDTLS_CHACHAPOLY_C
     #Disable TLS 1.3 (as no AEAD)
     scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
-    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
+    # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
     scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
     # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
     scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 110b9a4..b1c98eb 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 110b9a44d79975c0eab61f46c65837abc5c9309a
+Subproject commit b1c98ebee82c1056cec0f64e24f1b780a5889a0d