Crypto: Upgrade Mbed TLS to v3.1.0
Update TF-M to migrate to Mbed TLS v3.1.0, and cherry-pick the
following patches from the feature-cc-psa-crypto-drivers branch:
* [2a233b8] CC312: Access curve info members w/o private suffixes
* [330b0ba] CC312: Stub multipart CCM APIs
Change-Id: I850cc171fd8c8857150cfef0f2366a4564b27959
Signed-off-by: Summer Qin <summer.qin@arm.com>
Signed-off-by: Abbas Bracken Ziad <abbas.brackenziad@arm.com>
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
diff --git a/config/config_default.cmake b/config/config_default.cmake
index 54a9354..a8a710f 100755
--- a/config/config_default.cmake
+++ b/config/config_default.cmake
@@ -1,5 +1,5 @@
#-------------------------------------------------------------------------------
-# Copyright (c) 2020-2021, Arm Limited. All rights reserved.
+# Copyright (c) 2020-2022, Arm Limited. All rights reserved.
#
# SPDX-License-Identifier: BSD-3-Clause
#
@@ -143,7 +143,7 @@
################################## Dependencies ################################
set(MBEDCRYPTO_PATH "DOWNLOAD" CACHE PATH "Path to Mbed Crypto (or DOWNLOAD to fetch automatically")
-set(MBEDCRYPTO_VERSION "mbedtls-3.0.0" CACHE STRING "The version of Mbed Crypto to use")
+set(MBEDCRYPTO_VERSION "mbedtls-3.1.0" CACHE STRING "The version of Mbed Crypto to use")
set(MBEDCRYPTO_GIT_REMOTE "https://github.com/ARMmbed/mbedtls.git" CACHE STRING "The URL (or path) to retrieve MbedTLS from.")
set(MBEDCRYPTO_BUILD_TYPE "${CMAKE_BUILD_TYPE}" CACHE STRING "Build type of Mbed Crypto library")
set(TFM_MBEDCRYPTO_CONFIG_PATH
diff --git a/interface/include/psa/crypto.h b/interface/include/psa/crypto.h
index 5ccc5e7..c4a103d 100644
--- a/interface/include/psa/crypto.h
+++ b/interface/include/psa/crypto.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -2928,7 +2928,9 @@
* \param key Identifier of the key to use for the operation.
* It must be an asymmetric key pair. The key must
* allow the usage #PSA_KEY_USAGE_SIGN_HASH.
- * \param alg A signature algorithm that is compatible with
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
* the type of \p key.
* \param[in] hash The hash or message to sign.
* \param hash_length Size of the \p hash buffer in bytes.
@@ -2981,7 +2983,9 @@
* must be a public key or an asymmetric key pair. The
* key must allow the usage
* #PSA_KEY_USAGE_VERIFY_HASH.
- * \param alg A signature algorithm that is compatible with
+ * \param alg A signature algorithm (PSA_ALG_XXX
+ * value such that #PSA_ALG_IS_SIGN_HASH(\p alg)
+ * is true), that is compatible with
* the type of \p key.
* \param[in] hash The hash or message whose signature is to be
* verified.
diff --git a/interface/include/psa/crypto_extra.h b/interface/include/psa/crypto_extra.h
index b8a4d7e..ad0e8cc 100644
--- a/interface/include/psa/crypto_extra.h
+++ b/interface/include/psa/crypto_extra.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2020, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -18,6 +18,7 @@
#ifndef PSA_CRYPTO_EXTRA_H
#define PSA_CRYPTO_EXTRA_H
+#include "psa/crypto_types.h"
#include "psa/crypto_compat.h"
#ifdef __cplusplus
diff --git a/interface/include/psa/crypto_sizes.h b/interface/include/psa/crypto_sizes.h
index 1e282e2..2f60e61 100644
--- a/interface/include/psa/crypto_sizes.h
+++ b/interface/include/psa/crypto_sizes.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -65,6 +65,38 @@
PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 64 : \
0)
+/** The input block size of a hash algorithm, in bytes.
+ *
+ * Hash algorithms process their input data in blocks. Hash operations will
+ * retain any partial blocks until they have enough input to fill the block or
+ * until the operation is finished.
+ * This affects the output from psa_hash_suspend().
+ *
+ * \param alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * PSA_ALG_IS_HASH(\p alg) is true).
+ *
+ * \return The block size in bytes for the specified hash algorithm.
+ * If the hash algorithm is not recognized, return 0.
+ * An implementation can return either 0 or the correct size for a
+ * hash algorithm that it recognizes, but does not support.
+ */
+#define PSA_HASH_BLOCK_LENGTH(alg) \
+ ( \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_MD5 ? 64 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_RIPEMD160 ? 64 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_1 ? 64 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_224 ? 64 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_256 ? 64 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_384 ? 128 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512 ? 128 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_224 ? 128 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA_512_256 ? 128 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_224 ? 144 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_256 ? 136 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_384 ? 104 : \
+ PSA_ALG_HMAC_GET_HASH(alg) == PSA_ALG_SHA3_512 ? 72 : \
+ 0)
+
/** \def PSA_HASH_MAX_SIZE
*
* Maximum size of a hash.
@@ -75,7 +107,7 @@
/* Note: for HMAC-SHA-3, the block size is 144 bytes for HMAC-SHA3-226,
* 136 bytes for HMAC-SHA3-256, 104 bytes for SHA3-384, 72 bytes for
* HMAC-SHA3-512. */
-#if defined(MBEDTLS_SHA512_C)
+#if defined(PSA_WANT_ALG_SHA_512) || defined(PSA_WANT_ALG_SHA_384)
#define PSA_HASH_MAX_SIZE 64
#define PSA_HMAC_MAX_HASH_BLOCK_SIZE 128
#else
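Review bot: `PSA_HASH_MAX_SIZE` and `PSA_HMAC_MAX_HASH_BLOCK_SIZE` now take the `#else` values whenever neither `PSA_WANT_ALG_SHA_512` nor `PSA_WANT_ALG_SHA_384` is defined when this header is preprocessed. The file sits under interface/include, so it is presumably also compiled by client code that may not pull in the configuration defining the `PSA_WANT_` symbols; such a build would size hash and HMAC buffers for the fallback case while the service can still produce SHA-384/512 output. I would add a comment above the `#if`, for example `/* Needs the PSA_WANT_ALG_xxx configuration included first; client and service builds must agree on it. */`, and confirm that every build including this header sees the same configuration. The `#if` block continues past the end of the hunk.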
@@ -917,7 +949,8 @@
(alg) == PSA_ALG_CBC_PKCS7) ? PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) : \
(key_type) == PSA_KEY_TYPE_CHACHA20 && \
(alg) == PSA_ALG_STREAM_CIPHER ? 12 : \
- 0)
+ (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \
+ 0)
/** The maximum IV size for all supported cipher algorithms, in bytes.
*
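Review bot: The new `PSA_ALG_CCM_STAR_NO_TAG` branch returns 13 for any `key_type`, whereas the ChaCha20 branch just above it checks the key type before returning a length. CCM is defined over a 128-bit block cipher, so a caller that uses this macro to validate an (key type, algorithm) pair would get a non-zero IV length for combinations that cannot work. If matching the upstream header exactly is not required, consider `PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 && (alg) == PSA_ALG_CCM_STAR_NO_TAG ? 13 : \`; otherwise a comment stating that the key type is deliberately not checked here would help. The macro starts above the hunk.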
@@ -950,9 +983,10 @@
*/
#define PSA_CIPHER_ENCRYPT_OUTPUT_SIZE(key_type, alg, input_length) \
(alg == PSA_ALG_CBC_PKCS7 ? \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
(input_length) + 1) + \
- PSA_CIPHER_IV_LENGTH((key_type), (alg)) : \
+ PSA_CIPHER_IV_LENGTH((key_type), (alg)) : 0) : \
(PSA_ALG_IS_CIPHER(alg) ? \
(input_length) + PSA_CIPHER_IV_LENGTH((key_type), (alg)) : \
0))
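Review bot: `alg == PSA_ALG_CBC_PKCS7` on the first line of `PSA_CIPHER_ENCRYPT_OUTPUT_SIZE` expands `alg` without parentheses, while every other use in the macro is parenthesised; since the macro is being edited anyway, `((alg) == PSA_ALG_CBC_PKCS7 ? \` would make it safe for expression arguments. The added guard also makes the macro return 0 for a key type with no block length, and the same applies to `PSA_CIPHER_UPDATE_OUTPUT_SIZE` in the next hunk. The doc comments are outside both hunks, so it is worth checking that they tell callers to treat 0 as "unsupported combination" rather than as a valid buffer size.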
@@ -1031,12 +1065,13 @@
*/
#define PSA_CIPHER_UPDATE_OUTPUT_SIZE(key_type, alg, input_length) \
(PSA_ALG_IS_CIPHER(alg) ? \
+ (PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) != 0 ? \
(((alg) == PSA_ALG_CBC_PKCS7 || \
(alg) == PSA_ALG_CBC_NO_PADDING || \
(alg) == PSA_ALG_ECB_NO_PADDING) ? \
PSA_ROUND_UP_TO_MULTIPLE(PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type), \
input_length) : \
- (input_length)) : \
+ (input_length)) : 0) : \
0)
/** A sufficient output buffer size for psa_cipher_update(), for any of the
diff --git a/interface/include/psa/crypto_struct.h b/interface/include/psa/crypto_struct.h
index e0ceb2f..7f90a77 100644
--- a/interface/include/psa/crypto_struct.h
+++ b/interface/include/psa/crypto_struct.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -163,9 +163,19 @@
return( attributes->lifetime );
}
+static inline void psa_extend_key_usage_flags(psa_key_usage_t *usage_flags)
+{
+ if (*usage_flags & PSA_KEY_USAGE_SIGN_HASH)
+ *usage_flags |= PSA_KEY_USAGE_SIGN_MESSAGE;
+
+ if (*usage_flags & PSA_KEY_USAGE_VERIFY_HASH)
+ *usage_flags |= PSA_KEY_USAGE_VERIFY_MESSAGE;
+}
+
static inline void psa_set_key_usage_flags(psa_key_attributes_t *attributes,
psa_key_usage_t usage_flags)
{
+ psa_extend_key_usage_flags(&usage_flags);
attributes->usage = usage_flags;
}
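Review bot: `psa_extend_key_usage_flags()` has no comment, yet it changes what `psa_set_key_usage_flags()` stores: a caller asking only for `PSA_KEY_USAGE_SIGN_HASH` or `PSA_KEY_USAGE_VERIFY_HASH` now also gets the corresponding `_MESSAGE` permission. That is a silent widening of key policy, so code that reads the attributes back and compares them with what it set, or that audits key permissions, will see extra bits. I would document it on the helper, e.g. `/* Policy extension: SIGN_HASH implies SIGN_MESSAGE and VERIFY_HASH implies VERIFY_MESSAGE; the stored usage may be a superset of the requested flags. */`, and add braces around the two single-statement `if` bodies.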
diff --git a/interface/include/psa/crypto_values.h b/interface/include/psa/crypto_values.h
index dc8d81a..769bc7d 100644
--- a/interface/include/psa/crypto_values.h
+++ b/interface/include/psa/crypto_values.h
@@ -1,5 +1,5 @@
/*
- * Copyright (c) 2018-2021, Arm Limited. All rights reserved.
+ * Copyright (c) 2018-2022, Arm Limited. All rights reserved.
*
* SPDX-License-Identifier: BSD-3-Clause
*
@@ -457,6 +457,11 @@
*/
#define PSA_KEY_TYPE_AES ((psa_key_type_t)0x2400)
+/** Key for a cipher, AEAD or MAC algorithm based on the
+ * ARIA block cipher.
+ */
+#define PSA_KEY_TYPE_ARIA ((psa_key_type_t)0x2406)
+
/** Key for a cipher or MAC algorithm based on DES or 3DES (Triple-DES).
*
* The size of the key can be 64 bits (single DES), 128 bits (2-key 3DES) or
@@ -469,7 +474,8 @@
#define PSA_KEY_TYPE_DES ((psa_key_type_t)0x2301)
/** Key for a cipher, AEAD or MAC algorithm based on the
- * Camellia block cipher. */
+ * Camellia block cipher.
+ */
#define PSA_KEY_TYPE_CAMELLIA ((psa_key_type_t)0x2403)
/** Key for the ChaCha20 stream cipher or the Chacha20-Poly1305 AEAD algorithm.
@@ -834,6 +840,9 @@
(PSA_ALG_IS_KEY_DERIVATION(alg) && \
(alg) & PSA_ALG_KEY_DERIVATION_STRETCHING_FLAG)
+/** An invalid algorithm identifier value. */
+#define PSA_ALG_NONE ((psa_algorithm_t)0)
+
#define PSA_ALG_HASH_MASK ((psa_algorithm_t)0x000000ff)
/** MD5 */
#define PSA_ALG_MD5 ((psa_algorithm_t)0x02000003)
@@ -877,7 +886,7 @@
* algorithm parametrized with any supported hash.
*
* That is, suppose that `PSA_xxx_SIGNATURE` is one of the following macros:
- * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS,
+ * - #PSA_ALG_RSA_PKCS1V15_SIGN, #PSA_ALG_RSA_PSS, #PSA_ALG_RSA_PSS_ANY_SALT,
* - #PSA_ALG_ECDSA, #PSA_ALG_DETERMINISTIC_ECDSA.
* Then you may create and use a key as follows:
* - Set the key usage field using #PSA_ALG_ANY_HASH, for example:
@@ -1186,6 +1195,17 @@
*/
#define PSA_ALG_CCM ((psa_algorithm_t)0x05500100)
+/** The CCM* cipher mode without authentication.
+ *
+ * This is CCM* as specified in IEEE 802.15.4 §7, with a tag length of 0.
+ * For CCM* with a nonzero tag length, use the AEAD algorithm #PSA_ALG_CCM.
+ *
+ * The underlying block cipher is determined by the key type.
+ *
+ * Currently only 13-byte long IV's are supported.
+ */
+#define PSA_ALG_CCM_STAR_NO_TAG ((psa_algorithm_t)0x04c01300)
+
/** The GCM authenticated encryption algorithm.
*
* The underlying block cipher is determined by the key type.
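Review bot: The doc comment for `PSA_ALG_CCM_STAR_NO_TAG` says "without authentication" but does not spell out the consequence that ciphertext produced in this mode carries no integrity protection and can be modified undetected. Since it sits next to the AEAD `PSA_ALG_CCM`, I would add a line such as ` * \note This mode provides confidentiality only; use #PSA_ALG_CCM when the data must be authenticated.` and state that the 13-byte IV must not repeat under the same key. "IV's" should read "IVs".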
@@ -1332,6 +1352,7 @@
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PKCS1V15_SIGN_BASE)
#define PSA_ALG_RSA_PSS_BASE ((psa_algorithm_t)0x06000300)
+#define PSA_ALG_RSA_PSS_ANY_SALT_BASE ((psa_algorithm_t)0x06001300)
/** RSA PSS signature with hashing.
*
* This is the signature scheme defined by RFC 8017
@@ -1352,9 +1373,72 @@
*/
#define PSA_ALG_RSA_PSS(hash_alg) \
(PSA_ALG_RSA_PSS_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
-#define PSA_ALG_IS_RSA_PSS(alg) \
+
+/** RSA PSS signature with hashing with relaxed verification.
+ *
+ * This algorithm has the same behavior as #PSA_ALG_RSA_PSS when signing,
+ * but allows an arbitrary salt length (including \c 0) when verifying a
+ * signature.
+ *
+ * \param hash_alg A hash algorithm (\c PSA_ALG_XXX value such that
+ * #PSA_ALG_IS_HASH(\p hash_alg) is true).
+ * This includes #PSA_ALG_ANY_HASH
+ * when specifying the algorithm in a usage policy.
+ *
+ * \return The corresponding RSA PSS signature algorithm.
+ * \return Unspecified if \p hash_alg is not a supported
+ * hash algorithm.
+ */
+#define PSA_ALG_RSA_PSS_ANY_SALT(hash_alg) \
+ (PSA_ALG_RSA_PSS_ANY_SALT_BASE | ((hash_alg) & PSA_ALG_HASH_MASK))
+
+/** Whether the specified algorithm is RSA PSS with standard salt.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) \
(((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_BASE)
+/** Whether the specified algorithm is RSA PSS with any salt.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS_ANY_SALT(alg) \
+ (((alg) & ~PSA_ALG_HASH_MASK) == PSA_ALG_RSA_PSS_ANY_SALT_BASE)
+
+/** Whether the specified algorithm is RSA PSS.
+ *
+ * This includes any of the RSA PSS algorithm variants, regardless of the
+ * constraints on salt length.
+ *
+ * \param alg An algorithm value or an algorithm policy wildcard.
+ *
+ * \return 1 if \p alg is of the form
+ * #PSA_ALG_RSA_PSS(\c hash_alg) or
+ * #PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg),
+ * where \c hash_alg is a hash algorithm or
+ * #PSA_ALG_ANY_HASH. 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not
+ * a supported algorithm identifier or policy.
+ */
+#define PSA_ALG_IS_RSA_PSS(alg) \
+ (PSA_ALG_IS_RSA_PSS_STANDARD_SALT(alg) || \
+ PSA_ALG_IS_RSA_PSS_ANY_SALT(alg))
+
#define PSA_ALG_ECDSA_BASE ((psa_algorithm_t)0x06000600)
/** ECDSA signature with hashing.
*
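Review bot: The `\return` text of `PSA_ALG_IS_RSA_PSS_ANY_SALT` and of `PSA_ALG_IS_RSA_PSS` refers to `#PSA_ALG_RSA_PSS_ANY_SALT_BASE(\c hash_alg)`, but `PSA_ALG_RSA_PSS_ANY_SALT_BASE` is the bare constant; the function-like macro is `PSA_ALG_RSA_PSS_ANY_SALT`, so both should read `#PSA_ALG_RSA_PSS_ANY_SALT(\c hash_alg)`. Separately, `PSA_ALG_IS_RSA_PSS` now also matches the relaxed-verification variant, which accepts any salt length including 0. Existing checks that used `PSA_ALG_IS_RSA_PSS` to mean "standard salt length" should be reviewed and moved to `PSA_ALG_IS_RSA_PSS_STANDARD_SALT`; a sentence in the `PSA_ALG_IS_RSA_PSS` comment pointing to the stricter macro would make that visible.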
@@ -1512,20 +1596,24 @@
* file. */
#define PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg) 0
-/** Whether the specified algorithm is a hash-and-sign algorithm.
+/** Whether the specified algorithm is a signature algorithm that can be used
+ * with psa_sign_hash() and psa_verify_hash().
*
- * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
- * structured in two parts: first the calculation of a hash in a way that
- * does not depend on the key, then the calculation of a signature from the
- * hash value and the key.
+ * This encompasses all strict hash-and-sign algorithms categorized by
+ * PSA_ALG_IS_HASH_AND_SIGN(), as well as algorithms that follow the
+ * paradigm more loosely:
+ * - #PSA_ALG_RSA_PKCS1V15_SIGN_RAW (expects its input to be an encoded hash)
+ * - #PSA_ALG_ECDSA_ANY (doesn't specify what kind of hash the input is)
*
- * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ * \param alg An algorithm identifier (value of type psa_algorithm_t).
*
- * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
- * This macro may return either 0 or 1 if \p alg is not a supported
- * algorithm identifier.
+ * \return 1 if alg is a signature algorithm that can be used to sign a
+ * hash. 0 if alg is a signature algorithm that can only be used
+ * to sign a message. 0 if alg is not a signature algorithm.
+ * This macro can return either 0 or 1 if alg is not a
+ * supported algorithm identifier.
*/
-#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
+#define PSA_ALG_IS_SIGN_HASH(alg) \
(PSA_ALG_IS_RSA_PSS(alg) || PSA_ALG_IS_RSA_PKCS1V15_SIGN(alg) || \
PSA_ALG_IS_ECDSA(alg) || PSA_ALG_IS_HASH_EDDSA(alg) || \
PSA_ALG_IS_VENDOR_HASH_AND_SIGN(alg))
@@ -1542,7 +1630,37 @@
* supported algorithm identifier.
*/
#define PSA_ALG_IS_SIGN_MESSAGE(alg) \
- (PSA_ALG_IS_HASH_AND_SIGN(alg) || (alg) == PSA_ALG_PURE_EDDSA )
+ (PSA_ALG_IS_SIGN_HASH(alg) || (alg) == PSA_ALG_PURE_EDDSA)
+
+/** Whether the specified algorithm is a hash-and-sign algorithm.
+ *
+ * Hash-and-sign algorithms are asymmetric (public-key) signature algorithms
+ * structured in two parts: first the calculation of a hash in a way that
+ * does not depend on the key, then the calculation of a signature from the
+ * hash value and the key. Hash-and-sign algorithms encode the hash
+ * used for the hashing step, and you can call #PSA_ALG_SIGN_GET_HASH
+ * to extract this algorithm.
+ *
+ * Thus, for a hash-and-sign algorithm,
+ * `psa_sign_message(key, alg, input, ...)` is equivalent to
+ * ```
+ * psa_hash_compute(PSA_ALG_SIGN_GET_HASH(alg), input, ..., hash, ...);
+ * psa_sign_hash(key, alg, hash, ..., signature, ...);
+ * ```
+ * Most usefully, separating the hash from the signature allows the hash
+ * to be calculated in multiple steps with psa_hash_setup(), psa_hash_update()
+ * and psa_hash_finish(). Likewise psa_verify_message() is equivalent to
+ * calculating the hash and then calling psa_verify_hash().
+ *
+ * \param alg An algorithm identifier (value of type #psa_algorithm_t).
+ *
+ * \return 1 if \p alg is a hash-and-sign algorithm, 0 otherwise.
+ * This macro may return either 0 or 1 if \p alg is not a supported
+ * algorithm identifier.
+ */
+#define PSA_ALG_IS_HASH_AND_SIGN(alg) \
+ (PSA_ALG_IS_SIGN_HASH(alg) && \
+ ((alg) & PSA_ALG_HASH_MASK) != 0)
/** Get the hash used by a hash-and-sign signature algorithm.
*
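Review bot: `PSA_ALG_IS_HASH_AND_SIGN` keeps its name but now rejects algorithms whose hash field is zero, so the raw variants listed in the previous hunk's comment (`PSA_ALG_RSA_PKCS1V15_SIGN_RAW`, `PSA_ALG_ECDSA_ANY`) no longer satisfy it. Any caller outside this diff that used the old macro as the gate for `psa_sign_hash()`/`psa_verify_hash()` will start refusing those algorithms unless it is switched to `PSA_ALG_IS_SIGN_HASH`. I would note this in the comment, e.g. ` * \note Raw signature algorithms are excluded; use #PSA_ALG_IS_SIGN_HASH to test usability with psa_sign_hash().`. The new `PSA_ALG_IS_SIGN_HASH` comment in the previous hunk also drops the `\p` and `#` markup that the rest of the file uses.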
@@ -1564,7 +1682,6 @@
*/
#define PSA_ALG_SIGN_GET_HASH(alg) \
(PSA_ALG_IS_HASH_AND_SIGN(alg) ? \
- ((alg) & PSA_ALG_HASH_MASK) == 0 ? /*"raw" algorithm*/ 0 : \
((alg) & PSA_ALG_HASH_MASK) | PSA_ALG_CATEGORY_HASH : \
0)
@@ -2055,6 +2172,9 @@
#define PSA_KEY_LOCATION_VENDOR_FLAG ((psa_key_location_t)0x800000)
+/** The null key identifier.
+ */
+#define PSA_KEY_ID_NULL ((psa_key_id_t)0)
/** The minimum value for a key identifier chosen by the application.
*/
#define PSA_KEY_ID_USER_MIN ((psa_key_id_t)0x00000001)
diff --git a/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ccm_alt.c b/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ccm_alt.c
index 93074e9..78a3907 100644
--- a/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ccm_alt.c
+++ b/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ccm_alt.c
@@ -22,6 +22,7 @@
#include "mbedtls_ccm_internal.h"
#include "mbedtls_ccm_common.h"
+#define MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED -0x0020 /**< API is NOT supported. */
/************************ Public Functions **********************/
/*
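Review bot: `MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED` is defined as the bare expression `-0x0020`; it should be parenthesised, `#define MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED (-0x0020)`, so it is safe in any expression context. As far as I recall, -0x0020 is already used by Mbed TLS for `MBEDTLS_ERR_AES_INVALID_KEY_LENGTH`, which would make a "not supported" return indistinguishable from a key-length error in logs and error translation; please verify against the pinned Mbed TLS headers and consider reusing `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` instead. The same private define is repeated in platform/ext/target/stm/common/hal/accelerator/ccm_alt.c later in this commit; one shared definition would keep the two from drifting apart.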
@@ -113,6 +114,66 @@
}
+int mbedtls_ccm_starts( mbedtls_ccm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len )
+{
+ CC_UNUSED_PARAM(ctx);
+ CC_UNUSED_PARAM(mode);
+ CC_UNUSED_PARAM(iv);
+ CC_UNUSED_PARAM(iv_len);
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx,
+ size_t total_ad_len,
+ size_t plaintext_len,
+ size_t tag_len )
+{
+ CC_UNUSED_PARAM(ctx);
+ CC_UNUSED_PARAM(total_ad_len);
+ CC_UNUSED_PARAM(plaintext_len);
+ CC_UNUSED_PARAM(tag_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx,
+ const unsigned char *ad,
+ size_t ad_len )
+{
+ CC_UNUSED_PARAM(ctx);
+ CC_UNUSED_PARAM(ad);
+ CC_UNUSED_PARAM(ad_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_update( mbedtls_ccm_context *ctx,
+ const unsigned char *input, size_t input_len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len )
+{
+ CC_UNUSED_PARAM(ctx);
+ CC_UNUSED_PARAM(input);
+ CC_UNUSED_PARAM(input_len);
+ CC_UNUSED_PARAM(output);
+ CC_UNUSED_PARAM(output_size);
+ CC_UNUSED_PARAM(output_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_finish( mbedtls_ccm_context *ctx,
+ unsigned char *tag, size_t tag_len )
+{
+ CC_UNUSED_PARAM(ctx);
+ CC_UNUSED_PARAM(tag);
+ CC_UNUSED_PARAM(tag_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
#endif /* defined(MBEDTLS_CCM_C) && defined (MBEDTLS_CCM_ALT) */
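Review bot: The multipart stubs return an error without touching their out-parameters, so in `mbedtls_ccm_update()` the value of `*output_len` is whatever the caller had there. A caller that reads the length before checking the return code would act on an indeterminate value, so I would set it first, `if (output_len != NULL) { *output_len = 0; }`. It is also worth confirming how the PSA layer translates this private error code: if it is not mapped to a "not supported" status, multipart CCM on this accelerator will surface as a generic failure. The identical stubs added to platform/ext/target/stm/common/hal/accelerator/ccm_alt.c have the same issue. A one-line comment above the group stating that multipart CCM is intentionally unsupported with `MBEDTLS_CCM_ALT` would help integrators.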
diff --git a/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ecdh_alt.c b/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ecdh_alt.c
index 087f704..d97f4b2 100644
--- a/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ecdh_alt.c
+++ b/lib/ext/cryptocell-312-runtime/codesafe/src/mbedtls_api/ecdh_alt.c
@@ -108,8 +108,8 @@
/*
* Next two bytes are the namedcurve value
*/
- buf[0] = curve_info->MBEDTLS_PRIVATE(tls_id) >> 8;
- buf[1] = curve_info->MBEDTLS_PRIVATE(tls_id) & 0xFF;
+ buf[0] = curve_info->tls_id >> 8;
+ buf[1] = curve_info->tls_id & 0xFF;
return( 0 );
}
@@ -181,10 +181,10 @@
tls_id <<= 8;
tls_id |= *(*buf)++;
- if (curve_info->MBEDTLS_PRIVATE(tls_id) != tls_id){
+ if (curve_info->tls_id != tls_id){
return( MBEDTLS_ERR_ECP_BAD_INPUT_DATA );
}
- return mbedtls_ecp_group_load( grp, curve_info->MBEDTLS_PRIVATE(grp_id) );
+ return mbedtls_ecp_group_load( grp, curve_info->grp_id );
}
/*
diff --git a/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch b/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
index 47c6448..e5bd70f 100644
--- a/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
+++ b/lib/ext/mbedcrypto/0001-BUILD-Update-IAR-support-in-CMakeLists.txt.patch
@@ -1,7 +1,7 @@
-From 2d0f9e77a1165aa78f78436a2f5c185cc65ad6c1 Mon Sep 17 00:00:00 2001
+From 4497e653fb8ed68efd0c4a9cdac82e93490f4e4e Mon Sep 17 00:00:00 2001
From: TTornblom <thomas.tornblom@iar.com>
Date: Thu, 16 Apr 2020 13:53:38 +0200
-Subject: [PATCH 4/4] BUILD: Update IAR support in CMakeLists.txt
+Subject: [PATCH 1/3] BUILD: Update IAR support in CMakeLists.txt
Applied the same change as in mbed-crypto for using this as a sub
project with the IAR toolchain.
@@ -12,10 +12,10 @@
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
-index a671575b7..3e59a47ba 100644
+index 6debe35d..fd1c07ca 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
-@@ -193,7 +193,10 @@ if(CMAKE_COMPILER_IS_CLANG)
+@@ -209,7 +209,10 @@ if(CMAKE_COMPILER_IS_CLANG)
endif(CMAKE_COMPILER_IS_CLANG)
if(CMAKE_COMPILER_IS_IAR)
@@ -28,5 +28,5 @@
if(CMAKE_COMPILER_IS_MSVC)
--
-2.20.1
+2.17.1
diff --git a/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
index 3c220b4..d789d59 100644
--- a/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
+++ b/lib/ext/mbedcrypto/0002-Enable-crypto-code-sharing-between-independent-binar.patch
@@ -1,7 +1,7 @@
-From 8355985e8f739daaa2e243d28dc49a2d6971a383 Mon Sep 17 00:00:00 2001
+From 5de1387b7c433dc0a81960ba1243b63fb8310ad4 Mon Sep 17 00:00:00 2001
From: Tamas Ban <tamas.ban@arm.com>
Date: Tue, 27 Oct 2020 08:55:37 +0000
-Subject: [PATCH] Enable crypto code sharing between independent binaries
+Subject: [PATCH 2/3] Enable crypto code sharing between independent binaries
Signed-off-by: Tamas Ban <tamas.ban@arm.com>
---
@@ -13,7 +13,7 @@
diff --git a/library/code_share.c b/library/code_share.c
new file mode 100644
-index 0000000..2bf67fb
+index 00000000..2bf67fb4
--- /dev/null
+++ b/library/code_share.c
@@ -0,0 +1,3 @@
@@ -21,10 +21,10 @@
+ * extensive crypto code sharing was already applied on the mbedtls library.
+ */
diff --git a/library/platform.c b/library/platform.c
-index 420d09e..b3a135c 100644
+index e742fde7..c309dc0c 100644
--- a/library/platform.c
+++ b/library/platform.c
-@@ -59,8 +59,8 @@ static void platform_free_uninit( void *ptr )
+@@ -53,8 +53,8 @@ static void platform_free_uninit( void *ptr )
#define MBEDTLS_PLATFORM_STD_FREE platform_free_uninit
#endif /* !MBEDTLS_PLATFORM_STD_FREE */
@@ -36,10 +36,10 @@
void * mbedtls_calloc( size_t nmemb, size_t size )
{
diff --git a/library/platform_util.c b/library/platform_util.c
-index b1f7450..29b4403 100644
+index 3d5cb5ba..277ec70b 100644
--- a/library/platform_util.c
+++ b/library/platform_util.c
-@@ -68,7 +68,7 @@
+@@ -62,7 +62,7 @@
* mbedtls_platform_zeroize() to use a suitable implementation for their
* platform and needs.
*/
@@ -49,5 +49,5 @@
void mbedtls_platform_zeroize( void *buf, size_t len )
{
--
-2.7.4
+2.17.1
diff --git a/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
index 565a92e..e7e70d7 100644
--- a/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
+++ b/lib/ext/mbedcrypto/0003-Disable-export-MbedTLSTargets.patch
@@ -1,7 +1,7 @@
-From e109c8ed57457a2bd62afcf21b5b99dd2a30edea Mon Sep 17 00:00:00 2001
+From 0eac701c20e719599e5f30e260b7b0420d92af49 Mon Sep 17 00:00:00 2001
From: Summer Qin <summer.qin@arm.com>
-Date: Tue, 13 Jul 2021 17:46:47 +0800
-Subject: [PATCH] Disable export MbedTLSTargets
+Date: Wed, 5 Jan 2022 15:00:49 +0800
+Subject: [PATCH 3/3] Disable export MbedTLSTargets
Disable install MbedTLSConfig.cmake, MbedTLSConfigVersion.cmake and
MbedTLSTargets.cmake. And Disable export MbedTLSTargets since this
@@ -13,10 +13,10 @@
1 file changed, 26 deletions(-)
diff --git a/CMakeLists.txt b/CMakeLists.txt
-index 3eef42ec..5ad56c81 100644
+index fd1c07ca..3f32a8f3 100644
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
-@@ -307,32 +307,6 @@ if(ENABLE_TESTING)
+@@ -328,32 +328,6 @@ if(ENABLE_TESTING)
endif()
endif()
@@ -28,7 +28,7 @@
-write_basic_package_version_file(
- "cmake/MbedTLSConfigVersion.cmake"
- COMPATIBILITY SameMajorVersion
-- VERSION 3.0.0)
+- VERSION 3.1.0)
-
-install(
- FILES "${CMAKE_CURRENT_BINARY_DIR}/cmake/MbedTLSConfig.cmake"
@@ -46,7 +46,7 @@
- DESTINATION "cmake"
- FILE "MbedTLSTargets.cmake")
-
- if(CMAKE_VERSION VERSION_GREATER 3.14)
+ if(CMAKE_VERSION VERSION_GREATER 3.15 OR CMAKE_VERSION VERSION_EQUAL 3.15)
# Do not export the package by default
cmake_policy(SET CMP0090 NEW)
--
diff --git a/platform/ext/target/stm/common/hal/accelerator/ccm_alt.c b/platform/ext/target/stm/common/hal/accelerator/ccm_alt.c
index 8325d8a..d8e5180 100644
--- a/platform/ext/target/stm/common/hal/accelerator/ccm_alt.c
+++ b/platform/ext/target/stm/common/hal/accelerator/ccm_alt.c
@@ -45,6 +45,8 @@
#define CCM_VALIDATE( cond ) \
MBEDTLS_INTERNAL_VALIDATE( cond )
+/* API is NOT supported. */
+#define MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED -0x0020
/* Private typedef -----------------------------------------------------------*/
/* Private define ------------------------------------------------------------*/
@@ -467,5 +469,67 @@
add_len, input, output, tag, tag_len ) );
}
+int mbedtls_ccm_starts( mbedtls_ccm_context *ctx,
+ int mode,
+ const unsigned char *iv,
+ size_t iv_len )
+{
+ UNUSED(ctx);
+ UNUSED(mode);
+ UNUSED(iv);
+ UNUSED(iv_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_set_lengths( mbedtls_ccm_context *ctx,
+ size_t total_ad_len,
+ size_t plaintext_len,
+ size_t tag_len )
+{
+ UNUSED(ctx);
+ UNUSED(total_ad_len);
+ UNUSED(plaintext_len);
+ UNUSED(tag_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_update_ad( mbedtls_ccm_context *ctx,
+ const unsigned char *ad,
+ size_t ad_len )
+{
+ UNUSED(ctx);
+ UNUSED(ad);
+ UNUSED(ad_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_update( mbedtls_ccm_context *ctx,
+ const unsigned char *input, size_t input_len,
+ unsigned char *output, size_t output_size,
+ size_t *output_len )
+{
+ UNUSED(ctx);
+ UNUSED(input);
+ UNUSED(input_len);
+ UNUSED(output);
+ UNUSED(output_size);
+ UNUSED(output_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
+int mbedtls_ccm_finish( mbedtls_ccm_context *ctx,
+ unsigned char *tag, size_t tag_len )
+{
+ UNUSED(ctx);
+ UNUSED(tag);
+ UNUSED(tag_len);
+
+ return (MBEDTLS_ERR_CCM_API_IS_NOT_SUPPORTED);
+}
+
#endif /*MBEDTLS_CCM_ALT*/
#endif /*MBEDTLS_CCM_C*/
diff --git a/platform/ext/target/stm/common/hal/accelerator/ecp_alt.c b/platform/ext/target/stm/common/hal/accelerator/ecp_alt.c
index 0542ab1..e039972 100644
--- a/platform/ext/target/stm/common/hal/accelerator/ecp_alt.c
+++ b/platform/ext/target/stm/common/hal/accelerator/ecp_alt.c
@@ -432,10 +432,10 @@
const mbedtls_ecp_curve_info *curve_info;
for( curve_info = mbedtls_ecp_curve_list();
- curve_info->MBEDTLS_PRIVATE(grp_id) != MBEDTLS_ECP_DP_NONE;
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
curve_info++ )
{
- ecp_supported_grp_id[i++] = curve_info->MBEDTLS_PRIVATE(grp_id);
+ ecp_supported_grp_id[i++] = curve_info->grp_id;
}
ecp_supported_grp_id[i] = MBEDTLS_ECP_DP_NONE;
@@ -453,10 +453,10 @@
const mbedtls_ecp_curve_info *curve_info;
for( curve_info = mbedtls_ecp_curve_list();
- curve_info->MBEDTLS_PRIVATE(grp_id) != MBEDTLS_ECP_DP_NONE;
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
curve_info++ )
{
- if( curve_info->MBEDTLS_PRIVATE(grp_id) == grp_id )
+ if( curve_info->grp_id == grp_id )
return( curve_info );
}
@@ -471,10 +471,10 @@
const mbedtls_ecp_curve_info *curve_info;
for( curve_info = mbedtls_ecp_curve_list();
- curve_info->MBEDTLS_PRIVATE(grp_id) != MBEDTLS_ECP_DP_NONE;
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
curve_info++ )
{
- if( curve_info->MBEDTLS_PRIVATE(tls_id) == tls_id )
+ if( curve_info->tls_id == tls_id )
return( curve_info );
}
@@ -492,10 +492,10 @@
return( NULL );
for( curve_info = mbedtls_ecp_curve_list();
- curve_info->MBEDTLS_PRIVATE(grp_id) != MBEDTLS_ECP_DP_NONE;
+ curve_info->grp_id != MBEDTLS_ECP_DP_NONE;
curve_info++ )
{
- if( strcmp( curve_info->MBEDTLS_PRIVATE(name), name ) == 0 )
+ if( strcmp( curve_info->name, name ) == 0 )
return( curve_info );
}
@@ -1021,7 +1021,7 @@
if( ( curve_info = mbedtls_ecp_curve_info_from_tls_id( tls_id ) ) == NULL )
return( MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE );
- *grp = curve_info->MBEDTLS_PRIVATE(grp_id);
+ *grp = curve_info->grp_id;
return( 0 );
}
@@ -1055,8 +1055,8 @@
/*
* Next two bytes are the namedcurve value
*/
- buf[0] = curve_info->MBEDTLS_PRIVATE(tls_id) >> 8;
- buf[1] = curve_info->MBEDTLS_PRIVATE(tls_id) & 0xFF;
+ buf[0] = curve_info->tls_id >> 8;
+ buf[1] = curve_info->tls_id & 0xFF;
return( 0 );
}
@@ -2478,7 +2478,7 @@
#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED)
MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, MBEDTLS_ECP_DP_SECP192R1 ) );
#else
- MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->MBEDTLS_PRIVATE(grp_id) ) );
+ MBEDTLS_MPI_CHK( mbedtls_ecp_group_load( &grp, mbedtls_ecp_curve_list()->grp_id ) );
#endif
if( verbose != 0 )
diff --git a/platform/ext/target/stm/common/hal/accelerator/gcm_alt.c b/platform/ext/target/stm/common/hal/accelerator/gcm_alt.c
index 8a48115..c113ba3 100644
--- a/platform/ext/target/stm/common/hal/accelerator/gcm_alt.c
+++ b/platform/ext/target/stm/common/hal/accelerator/gcm_alt.c
@@ -32,8 +32,8 @@
extern psa_status_t tfm_crypto_get_caller_id(int32_t *id);
#endif
-#define MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED -0x0016 /**< API is NOT supported. */
-#define CC_UNUSED_PARAM(prm) ((void)prm)
+/* API is NOT supported. */
+#define MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED -0x0016
#include <string.h>
#include "mbedtls/platform.h"
@@ -648,10 +648,10 @@
const unsigned char *iv,
size_t iv_len)
{
- CC_UNUSED_PARAM(ctx);
- CC_UNUSED_PARAM(mode);
- CC_UNUSED_PARAM(iv);
- CC_UNUSED_PARAM(iv_len);
+ UNUSED(ctx);
+ UNUSED(mode);
+ UNUSED(iv);
+ UNUSED(iv_len);
return (MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED);
}
@@ -663,12 +663,12 @@
size_t output_size,
size_t *output_length)
{
- CC_UNUSED_PARAM(ctx);
- CC_UNUSED_PARAM(input);
- CC_UNUSED_PARAM(input_length);
- CC_UNUSED_PARAM(output);
- CC_UNUSED_PARAM(output_size);
- CC_UNUSED_PARAM(output_length);
+ UNUSED(ctx);
+ UNUSED(input);
+ UNUSED(input_length);
+ UNUSED(output);
+ UNUSED(output_size);
+ UNUSED(output_length);
return (MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED);
}
@@ -680,12 +680,12 @@
unsigned char *tag,
size_t tag_len)
{
- CC_UNUSED_PARAM(ctx);
- CC_UNUSED_PARAM(output);
- CC_UNUSED_PARAM(output_size);
- CC_UNUSED_PARAM(output_length);
- CC_UNUSED_PARAM(tag);
- CC_UNUSED_PARAM(tag_len);
+ UNUSED(ctx);
+ UNUSED(output);
+ UNUSED(output_size);
+ UNUSED(output_length);
+ UNUSED(tag);
+ UNUSED(tag_len);
return (MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED);
}
@@ -694,9 +694,9 @@
const unsigned char *add,
size_t add_len)
{
- CC_UNUSED_PARAM(ctx);
- CC_UNUSED_PARAM(add);
- CC_UNUSED_PARAM(add_len);
+ UNUSED(ctx);
+ UNUSED(add);
+ UNUSED(add_len);
return (MBEDTLS_ERR_GCM_API_IS_NOT_SUPPORTED);
}