From fe8e1358166c676c7394176ffde5c8f2ea88c099 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 5 Jan 2023 19:15:45 +0100 Subject: [PATCH 1/9] psa: Remove unnecessary headers Signed-off-by: Ronald Cron --- include/psa/crypto_extra.h | 2 -- include/psa/crypto_platform.h | 4 ---- library/alignment.h | 2 -- 3 files changed, 8 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 4920508d7b..7ff90ebe3a 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -29,8 +29,6 @@ #define PSA_CRYPTO_EXTRA_H #include "mbedtls/private_access.h" -#include "mbedtls/platform_util.h" - #include "crypto_types.h" #include "crypto_compat.h" diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index e8d241bc7a..28534966fb 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -38,10 +38,6 @@ * in each of its header files. */ #include "mbedtls/build_info.h" -/* Translate between classic MBEDTLS_xxx feature symbols and PSA_xxx - * feature symbols. */ -#include "mbedtls/config_psa.h" - /* PSA requires several types which C99 provides in stdint.h. */ #include diff --git a/library/alignment.h b/library/alignment.h index a518a8a3ae..41823485ad 100644 --- a/library/alignment.h +++ b/library/alignment.h @@ -27,8 +27,6 @@ #include #include -#include "mbedtls/build_info.h" - /* * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS for architectures where unaligned memory * accesses are known to be efficient. From e7cde181ea393d20f08da845efb0b3f54b25d6ae Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 5 Jan 2023 19:06:58 +0100 Subject: [PATCH 2/9] psa: include: Move some Mbed TLS headers The structures related to CMAC, GCM, CCM and CHACHAPOLY operations are defined in crypto_builtin_composites.h not in crypto_struct.h. Thus move the cmac.h, gcm.h, ccm.h and chachapoly.h header inclusions from crypto_struct.h to crypto_builtin_composites.h. Signed-off-by: Ronald Cron --- include/psa/crypto_builtin_composites.h | 7 +++++-- include/psa/crypto_struct.h | 5 ----- 2 files changed, 5 insertions(+), 7 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 932c503667..3ba18b3977 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -36,6 +36,11 @@ #include +#include "mbedtls/cmac.h" +#include "mbedtls/gcm.h" +#include "mbedtls/ccm.h" +#include "mbedtls/chachapoly.h" + /* * MAC multi-part operation definitions. */ @@ -57,8 +62,6 @@ typedef struct { #define MBEDTLS_PSA_HMAC_OPERATION_INIT { 0, PSA_HASH_OPERATION_INIT, { 0 } } #endif /* MBEDTLS_PSA_BUILTIN_ALG_HMAC */ -#include "mbedtls/cmac.h" - typedef struct { psa_algorithm_t MBEDTLS_PRIVATE(alg); union { diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index 934bc176ef..ba9875fa92 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -70,11 +70,6 @@ extern "C" { * in each of its header files. */ #include "mbedtls/build_info.h" -#include "mbedtls/cmac.h" -#include "mbedtls/gcm.h" -#include "mbedtls/ccm.h" -#include "mbedtls/chachapoly.h" - /* Include the context definition for the compiled-in drivers for the primitive * algorithms. */ #include "psa/crypto_driver_contexts_primitives.h" From 2f10fceccd60b69179980e657d2e20af1868db08 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 11 Jan 2023 09:21:47 +0100 Subject: [PATCH 3/9] psa: include: Move key derivation builtin and driver contexts Move key derivation builtin and driver contexts to specific header files as key derivation contexts depend both on primitive and composite crypto algorithms contexts. Signed-off-by: Ronald Cron --- include/psa/crypto_builtin_key_derivation.h | 109 ++++++++++++++++++ .../crypto_driver_contexts_key_derivation.h | 61 ++++++++++ include/psa/crypto_struct.h | 89 +------------- 3 files changed, 174 insertions(+), 85 deletions(-) create mode 100644 include/psa/crypto_builtin_key_derivation.h create mode 100644 include/psa/crypto_driver_contexts_key_derivation.h diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h new file mode 100644 index 0000000000..a9b81eba3f --- /dev/null +++ b/include/psa/crypto_builtin_key_derivation.h @@ -0,0 +1,109 @@ +/* + * Context structure declaration of the Mbed TLS software-based PSA drivers + * called through the PSA Crypto driver dispatch layer. + * This file contains the context structures of key derivation algorithms + * which need to rely on other algorithms. + * + * \note This file may not be included directly. Applications must + * include psa/crypto.h. + * + * \note This header and its content is not part of the Mbed TLS API and + * applications must not depend on it. Its main purpose is to define the + * multi-part state objects of the Mbed TLS software-based PSA drivers. The + * definition of these objects are then used by crypto_struct.h to define the + * implementation-defined types of PSA multi-part state objects. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H +#define PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H +#include "mbedtls/private_access.h" + +#include + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) +typedef struct { + uint8_t *MBEDTLS_PRIVATE(info); + size_t MBEDTLS_PRIVATE(info_length); +#if PSA_HASH_MAX_SIZE > 0xff +#error "PSA_HASH_MAX_SIZE does not fit in uint8_t" +#endif + uint8_t MBEDTLS_PRIVATE(offset_in_block); + uint8_t MBEDTLS_PRIVATE(block_number); + unsigned int MBEDTLS_PRIVATE(state) : 2; + unsigned int MBEDTLS_PRIVATE(info_set) : 1; + uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; + uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE]; + struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac); +} psa_hkdf_key_derivation_t; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF || + MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || + MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) +typedef struct { + uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE]; +} psa_tls12_ecjpake_to_pms_t; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ + +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) +typedef enum { + PSA_TLS12_PRF_STATE_INIT, /* no input provided */ + PSA_TLS12_PRF_STATE_SEED_SET, /* seed has been set */ + PSA_TLS12_PRF_STATE_OTHER_KEY_SET, /* other key has been set - optional */ + PSA_TLS12_PRF_STATE_KEY_SET, /* key has been set */ + PSA_TLS12_PRF_STATE_LABEL_SET, /* label has been set */ + PSA_TLS12_PRF_STATE_OUTPUT /* output has been started */ +} psa_tls12_prf_key_derivation_state_t; + +typedef struct psa_tls12_prf_key_derivation_s { +#if PSA_HASH_MAX_SIZE > 0xff +#error "PSA_HASH_MAX_SIZE does not fit in uint8_t" +#endif + + /* Indicates how many bytes in the current HMAC block have + * not yet been read by the user. */ + uint8_t MBEDTLS_PRIVATE(left_in_block); + + /* The 1-based number of the block. */ + uint8_t MBEDTLS_PRIVATE(block_number); + + psa_tls12_prf_key_derivation_state_t MBEDTLS_PRIVATE(state); + + uint8_t *MBEDTLS_PRIVATE(secret); + size_t MBEDTLS_PRIVATE(secret_length); + uint8_t *MBEDTLS_PRIVATE(seed); + size_t MBEDTLS_PRIVATE(seed_length); + uint8_t *MBEDTLS_PRIVATE(label); + size_t MBEDTLS_PRIVATE(label_length); +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + uint8_t *MBEDTLS_PRIVATE(other_secret); + size_t MBEDTLS_PRIVATE(other_secret_length); +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ + + uint8_t MBEDTLS_PRIVATE(Ai)[PSA_HASH_MAX_SIZE]; + + /* `HMAC_hash( prk, A( i ) + seed )` in the notation of RFC 5246, Sect. 5. */ + uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; +} psa_tls12_prf_key_derivation_t; +#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || + * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ + +#endif /* PSA_CRYPTO_BUILTIN_KEY_DERIVATION_H */ diff --git a/include/psa/crypto_driver_contexts_key_derivation.h b/include/psa/crypto_driver_contexts_key_derivation.h new file mode 100644 index 0000000000..dc09136b59 --- /dev/null +++ b/include/psa/crypto_driver_contexts_key_derivation.h @@ -0,0 +1,61 @@ +/* + * Declaration of context structures for use with the PSA driver wrapper + * interface. This file contains the context structures for key derivation + * operations. + * + * Warning: This file will be auto-generated in the future. + * + * \note This file may not be included directly. Applications must + * include psa/crypto.h. + * + * \note This header and its content is not part of the Mbed TLS API and + * applications must not depend on it. Its main purpose is to define the + * multi-part state objects of the PSA drivers included in the cryptographic + * library. The definition of these objects are then used by crypto_struct.h + * to define the implementation-defined types of PSA multi-part state objects. + */ +/* Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H +#define PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H + +#include "psa/crypto_driver_common.h" + +/* Include the context structure definitions for the Mbed TLS software drivers */ +#include "psa/crypto_builtin_key_derivation.h" + +/* Include the context structure definitions for those drivers that were + * declared during the autogeneration process. */ + +typedef union { + unsigned dummy; /* Make sure this union is always non-empty */ +#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) + psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) + psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf); +#endif +#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) + psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms); +#endif +} psa_driver_key_derivation_context_t; + +#endif /* PSA_CRYPTO_DRIVER_CONTEXTS_KEY_DERIVATION_H */ +/* End of automatically generated file. */ diff --git a/include/psa/crypto_struct.h b/include/psa/crypto_struct.h index ba9875fa92..125a73dd0e 100644 --- a/include/psa/crypto_struct.h +++ b/include/psa/crypto_struct.h @@ -172,96 +172,15 @@ static inline struct psa_aead_operation_s psa_aead_operation_init(void) return v; } -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) -typedef struct { - uint8_t *MBEDTLS_PRIVATE(info); - size_t MBEDTLS_PRIVATE(info_length); -#if PSA_HASH_MAX_SIZE > 0xff -#error "PSA_HASH_MAX_SIZE does not fit in uint8_t" -#endif - uint8_t MBEDTLS_PRIVATE(offset_in_block); - uint8_t MBEDTLS_PRIVATE(block_number); - unsigned int MBEDTLS_PRIVATE(state) : 2; - unsigned int MBEDTLS_PRIVATE(info_set) : 1; - uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; - uint8_t MBEDTLS_PRIVATE(prk)[PSA_HASH_MAX_SIZE]; - struct psa_mac_operation_s MBEDTLS_PRIVATE(hmac); -} psa_hkdf_key_derivation_t; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_HKDF || - MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT || - MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND */ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) -typedef struct { - uint8_t MBEDTLS_PRIVATE(data)[PSA_TLS12_ECJPAKE_TO_PMS_DATA_SIZE]; -} psa_tls12_ecjpake_to_pms_t; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS */ - -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) -typedef enum { - PSA_TLS12_PRF_STATE_INIT, /* no input provided */ - PSA_TLS12_PRF_STATE_SEED_SET, /* seed has been set */ - PSA_TLS12_PRF_STATE_OTHER_KEY_SET, /* other key has been set - optional */ - PSA_TLS12_PRF_STATE_KEY_SET, /* key has been set */ - PSA_TLS12_PRF_STATE_LABEL_SET, /* label has been set */ - PSA_TLS12_PRF_STATE_OUTPUT /* output has been started */ -} psa_tls12_prf_key_derivation_state_t; - -typedef struct psa_tls12_prf_key_derivation_s { -#if PSA_HASH_MAX_SIZE > 0xff -#error "PSA_HASH_MAX_SIZE does not fit in uint8_t" -#endif - - /* Indicates how many bytes in the current HMAC block have - * not yet been read by the user. */ - uint8_t MBEDTLS_PRIVATE(left_in_block); - - /* The 1-based number of the block. */ - uint8_t MBEDTLS_PRIVATE(block_number); - - psa_tls12_prf_key_derivation_state_t MBEDTLS_PRIVATE(state); - - uint8_t *MBEDTLS_PRIVATE(secret); - size_t MBEDTLS_PRIVATE(secret_length); - uint8_t *MBEDTLS_PRIVATE(seed); - size_t MBEDTLS_PRIVATE(seed_length); - uint8_t *MBEDTLS_PRIVATE(label); - size_t MBEDTLS_PRIVATE(label_length); -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) - uint8_t *MBEDTLS_PRIVATE(other_secret); - size_t MBEDTLS_PRIVATE(other_secret_length); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ - - uint8_t MBEDTLS_PRIVATE(Ai)[PSA_HASH_MAX_SIZE]; - - /* `HMAC_hash( prk, A( i ) + seed )` in the notation of RFC 5246, Sect. 5. */ - uint8_t MBEDTLS_PRIVATE(output_block)[PSA_HASH_MAX_SIZE]; -} psa_tls12_prf_key_derivation_t; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || - * MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS */ +/* Include the context definition for the compiled-in drivers for the key + * derivation algorithms. */ +#include "psa/crypto_driver_contexts_key_derivation.h" struct psa_key_derivation_s { psa_algorithm_t MBEDTLS_PRIVATE(alg); unsigned int MBEDTLS_PRIVATE(can_output_key) : 1; size_t MBEDTLS_PRIVATE(capacity); - union { - /* Make the union non-empty even with no supported algorithms. */ - uint8_t MBEDTLS_PRIVATE(dummy); -#if defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND) - psa_hkdf_key_derivation_t MBEDTLS_PRIVATE(hkdf); -#endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PRF) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_PSK_TO_MS) - psa_tls12_prf_key_derivation_t MBEDTLS_PRIVATE(tls12_prf); -#endif -#if defined(MBEDTLS_PSA_BUILTIN_ALG_TLS12_ECJPAKE_TO_PMS) - psa_tls12_ecjpake_to_pms_t MBEDTLS_PRIVATE(tls12_ecjpake_to_pms); -#endif - } MBEDTLS_PRIVATE(ctx); + psa_driver_key_derivation_context_t MBEDTLS_PRIVATE(ctx); }; /* This only zeroes out the first byte in the union, the rest is unspecified. */ From e6e6b75ad3925d098fc51a3c1d12bd8a8159246c Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 16 Jan 2023 16:56:51 +0100 Subject: [PATCH 4/9] psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option The support for the PSA crypto driver interface is not optional anymore as the implementation of the PSA cryptography interface has been restructured around the PSA crypto driver interface (see psa-crypto-implementation-structure.md). There is thus no purpose for the configuration options MBEDTLS_PSA_CRYPTO_DRIVERS anymore. Signed-off-by: Ronald Cron --- .../mbed-crypto-storage-specification.md | 2 +- docs/proposed/psa-driver-developer-guide.md | 2 +- docs/proposed/psa-driver-integration-guide.md | 13 +--- include/mbedtls/mbedtls_config.h | 16 +--- library/psa_crypto_slot_management.c | 6 -- .../psa_crypto_driver_wrappers.c.jinja | 2 - tests/scripts/all.sh | 77 ++++++++----------- tests/src/drivers/hash.c | 4 +- tests/src/drivers/test_driver_aead.c | 4 +- .../test_driver_asymmetric_encryption.c | 4 +- tests/src/drivers/test_driver_cipher.c | 4 +- tests/src/drivers/test_driver_key_agreement.c | 4 +- .../src/drivers/test_driver_key_management.c | 4 +- tests/src/drivers/test_driver_mac.c | 4 +- tests/src/drivers/test_driver_pake.c | 4 +- tests/src/drivers/test_driver_signature.c | 4 +- tests/suites/test_suite_psa_crypto.data | 4 - ..._suite_psa_crypto_driver_wrappers.function | 6 +- 18 files changed, 62 insertions(+), 102 deletions(-) diff --git a/docs/architecture/mbed-crypto-storage-specification.md b/docs/architecture/mbed-crypto-storage-specification.md index 60203a0aa0..d46139449d 100644 --- a/docs/architecture/mbed-crypto-storage-specification.md +++ b/docs/architecture/mbed-crypto-storage-specification.md @@ -354,7 +354,7 @@ Supported features: * [Persistent keys](#key-file-format-for-mbed-tls-2.25.0) designated by a [key identifier and owner](#key-names-for-mbed-tls-2.25.0). Keys can be: * Transparent, stored in the export format. - * Opaque, using the unified driver interface with statically registered drivers (`MBEDTLS_PSA_CRYPTO_DRIVERS`). The driver determines the content of the opaque key blob. + * Opaque, using the PSA driver interface with statically registered drivers. The driver determines the content of the opaque key blob. * Opaque, using the deprecated secure element interface with dynamically registered drivers (`MBEDTLS_PSA_CRYPTO_SE_C`). The driver picks a slot number which is stored in the place of the key material. * [Nonvolatile random seed](#nonvolatile-random-seed-file-format-for-mbed-tls-2.25.0) on ITS only. diff --git a/docs/proposed/psa-driver-developer-guide.md b/docs/proposed/psa-driver-developer-guide.md index b39f5599e3..d004483f91 100644 --- a/docs/proposed/psa-driver-developer-guide.md +++ b/docs/proposed/psa-driver-developer-guide.md @@ -7,7 +7,7 @@ This document describes how to write drivers of cryptoprocessors such as acceler This document focuses on behavior that is specific to Mbed TLS. For a reference of the interface between Mbed TLS and drivers, refer to the [PSA Cryptoprocessor Driver Interface specification](psa-driver-interface.html). -The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting `MBEDTLS_PSA_CRYPTO_DRIVERS` in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when `MBEDTLS_PSA_CRYPTO_DRIVERS` is enabled. +The interface is not fully implemented in Mbed TLS yet. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code. ## Introduction diff --git a/docs/proposed/psa-driver-integration-guide.md b/docs/proposed/psa-driver-integration-guide.md index bfd765ea54..3d12ec66c8 100644 --- a/docs/proposed/psa-driver-integration-guide.md +++ b/docs/proposed/psa-driver-integration-guide.md @@ -5,7 +5,7 @@ Building Mbed TLS with PSA cryptoprocessor drivers This document describes how to build Mbed TLS with additional cryptoprocessor drivers that follow the PSA cryptoprocessor driver interface. -The interface is not fully implemented in Mbed TLS yet and is disabled by default. You can enable the experimental work in progress by setting `MBEDTLS_PSA_CRYPTO_DRIVERS` in the compile-time configuration. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code when `MBEDTLS_PSA_CRYPTO_DRIVERS` is enabled. +The interface is not fully implemented in Mbed TLS yet. Please note that the interface may still change: until further notice, we do not guarantee backward compatibility with existing driver code. ## Introduction @@ -19,21 +19,14 @@ Concretely speaking, a driver consists of one or more **driver description files To build Mbed TLS with drivers: -1. Activate `MBEDTLS_PSA_CRYPTO_DRIVERS` in the library configuration. - - ``` - cd /path/to/mbedtls - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS - ``` - -2. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library. +1. Pass the driver description files through the Make variable `PSA_DRIVERS` when building the library. ``` cd /path/to/mbedtls make PSA_DRIVERS="/path/to/acme/driver.json /path/to/nadir/driver.json" lib ``` -3. Link your application with the implementation of the driver functions. +2. Link your application with the implementation of the driver functions. ``` cd /path/to/application diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 0ad6dccb99..5e4c73753a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1229,18 +1229,6 @@ */ //#define MBEDTLS_PSA_CRYPTO_CLIENT -/** \def MBEDTLS_PSA_CRYPTO_DRIVERS - * - * Enable support for the experimental PSA crypto driver interface. - * - * Requires: MBEDTLS_PSA_CRYPTO_C - * - * \warning This interface is experimental. We intend to maintain backward - * compatibility with application code that relies on drivers, - * but the driver interfaces may change without notice. - */ -//#define MBEDTLS_PSA_CRYPTO_DRIVERS - /** \def MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG * * Make the PSA Crypto module use an external random generator provided @@ -2981,8 +2969,8 @@ * Enable dynamic secure element support in the Platform Security Architecture * cryptography API. * - * \deprecated This feature is deprecated. Please switch to the driver - * interface enabled by #MBEDTLS_PSA_CRYPTO_DRIVERS. + * \deprecated This feature is deprecated. Please switch to the PSA driver + * interface. * * Module: library/psa_crypto_se.c * diff --git a/library/psa_crypto_slot_management.c b/library/psa_crypto_slot_management.c index cb7fa59c0b..a7cb9b513a 100644 --- a/library/psa_crypto_slot_management.c +++ b/library/psa_crypto_slot_management.c @@ -438,14 +438,8 @@ psa_status_t psa_validate_key_location(psa_key_lifetime_t lifetime, (void) p_drv; #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) /* Key location for external keys gets checked by the wrapper */ return PSA_SUCCESS; -#else /* MBEDTLS_PSA_CRYPTO_DRIVERS */ - /* No support for external lifetimes at all, or dynamic interface - * did not find driver for requested lifetime. */ - return PSA_ERROR_INVALID_ARGUMENT; -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ } else { /* Local/internal keys are always valid */ return PSA_SUCCESS; diff --git a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja index 08da774d36..32e6bfe8ed 100644 --- a/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja +++ b/scripts/data_files/driver_templates/psa_crypto_driver_wrappers.c.jinja @@ -37,7 +37,6 @@ #if defined(MBEDTLS_PSA_CRYPTO_C) /* BEGIN-driver headers */ -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) {% for driver in drivers -%} /* Headers for {{driver.prefix}} {{driver.type}} driver */ {% if driver['mbedtls/h_condition'] is defined -%} @@ -50,7 +49,6 @@ #endif {% endif -%} {% endfor %} -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS */ /* END-driver headers */ /* Auto-generated values depending on which drivers are registered. diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 23ad16e12d..faa9b730b4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2078,7 +2078,6 @@ component_test_psa_crypto_config_accel_ecdsa () { # -------------------------------------- # Start from default config (no USE_PSA) + driver support + TLS 1.3 - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py set MBEDTLS_SSL_PROTO_TLS1_3 @@ -2123,8 +2122,7 @@ component_test_psa_crypto_config_accel_ecdh () { # Configure and build the main libraries # -------------------------------------- - # Start from default config (no USE_PSA or TLS 1.3) + driver support - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + # Start from default config (no USE_PSA or TLS 1.3) scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Disable the module that's accelerated @@ -2166,7 +2164,6 @@ component_test_psa_crypto_config_accel_pake() { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Make build-in fallback not available @@ -2200,7 +2197,6 @@ config_psa_crypto_config_all_ec_algs_use_psa () { scripts/config.py full # enable support for drivers and configuring PSA-only algorithms scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS if [ "$DRIVER_ONLY" -eq 1 ]; then # Disable modules that are accelerated scripts/config.py unset MBEDTLS_ECDSA_C @@ -2333,7 +2329,6 @@ component_test_psa_crypto_config_accel_rsa_signature () { make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" # Mbed TLS library build - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # Remove RSA support and its dependencies @@ -2375,7 +2370,6 @@ component_test_psa_crypto_config_accel_hash () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_MD5_C scripts/config.py unset MBEDTLS_RIPEMD160_C @@ -2413,7 +2407,6 @@ component_test_psa_crypto_config_accel_hash_keep_builtins () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" @@ -2429,7 +2422,6 @@ config_psa_crypto_hash_use_psa () { scripts/config.py full # enable support for drivers and configuring PSA-only algorithms scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS if [ "$DRIVER_ONLY" -eq 1 ]; then # disable the built-in implementation of hashes scripts/config.py unset MBEDTLS_MD5_C @@ -2519,7 +2511,6 @@ component_test_psa_crypto_config_accel_cipher () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG # There is no intended accelerator support for ALG STREAM_CIPHER and @@ -2560,7 +2551,6 @@ component_test_psa_crypto_config_accel_aead () { loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG scripts/config.py unset MBEDTLS_GCM_C @@ -2583,17 +2573,37 @@ component_test_psa_crypto_config_accel_aead () { make test } -component_test_psa_crypto_config_no_driver() { - # full plus MBEDTLS_PSA_CRYPTO_CONFIG - msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" - scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py unset MBEDTLS_PSA_CRYPTO_DRIVERS - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - make CC=gcc CFLAGS="$ASAN_CFLAGS -O2" LDFLAGS="$ASAN_CFLAGS" +component_test_psa_crypto_config_accel_pake() { + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" - msg "test: full + MBEDTLS_PSA_CRYPTO_CONFIG minus MBEDTLS_PSA_CRYPTO_DRIVERS" + # Start with full + scripts/config.py full + + # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having + # partial support for cipher operations in the driver test library. + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_ECB_NO_PADDING + + loc_accel_list="ALG_JPAKE" + loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' ) + make -C tests libtestdriver1.a CFLAGS="$ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" + + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + + # Make build-in fallback not available + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED + + # Dynamic secure element support is a deprecated feature and needs to be disabled here. + # This is done to have the same form of psa_key_attributes_s for libdriver and library. + scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C + + loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )" + make CFLAGS="$ASAN_CFLAGS -Werror -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" + + not grep mbedtls_ecjpake_init library/ecjpake.o + + msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated PAKE" make test } @@ -2617,7 +2627,6 @@ component_build_psa_accel_alg_ecdh() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_ECDH without MBEDTLS_ECDH_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_ECDH_C @@ -2636,7 +2645,6 @@ component_build_psa_accel_key_type_ecc_key_pair() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_KEY_PAIR" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_KEY_PAIR 1 @@ -2651,7 +2659,6 @@ component_build_psa_accel_key_type_ecc_public_key() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 1 @@ -2666,7 +2673,6 @@ component_build_psa_accel_alg_hmac() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HMAC" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Need to define the correct symbol and include the test driver header path in order to build with the test driver @@ -2680,7 +2686,6 @@ component_build_psa_accel_alg_hkdf() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_HKDF without MBEDTLS_HKDF_C" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py unset MBEDTLS_HKDF_C @@ -2696,7 +2701,6 @@ component_build_psa_accel_alg_md5() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_MD5 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_RIPEMD160 @@ -2718,7 +2722,6 @@ component_build_psa_accel_alg_ripemd160() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RIPEMD160 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2740,7 +2743,6 @@ component_build_psa_accel_alg_sha1() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_1 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2762,7 +2764,6 @@ component_build_psa_accel_alg_sha224() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_224 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2781,7 +2782,6 @@ component_build_psa_accel_alg_sha256() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_256 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2800,7 +2800,6 @@ component_build_psa_accel_alg_sha384() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_384 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2821,7 +2820,6 @@ component_build_psa_accel_alg_sha512() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_SHA_512 - other hashes" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h unset PSA_WANT_ALG_MD5 @@ -2843,7 +2841,6 @@ component_build_psa_accel_alg_rsa_pkcs1v15_crypt() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_CRYPT + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_CRYPT 1 @@ -2860,7 +2857,6 @@ component_build_psa_accel_alg_rsa_pkcs1v15_sign() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PKCS1V15_SIGN + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PKCS1V15_SIGN 1 @@ -2877,7 +2873,6 @@ component_build_psa_accel_alg_rsa_oaep() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_OAEP + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_OAEP 1 @@ -2894,7 +2889,6 @@ component_build_psa_accel_alg_rsa_pss() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ALG_RSA_PSS + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 @@ -2911,7 +2905,6 @@ component_build_psa_accel_key_type_rsa_key_pair() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 @@ -2926,7 +2919,6 @@ component_build_psa_accel_key_type_rsa_public_key() { msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY + PSA_WANT_ALG_RSA_PSS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 scripts/config.py -f include/psa/crypto_config.h set PSA_WANT_ALG_RSA_PSS 1 @@ -3253,10 +3245,9 @@ component_test_se_default () { make test } -component_test_psa_crypto_drivers () { - msg "build: MBEDTLS_PSA_CRYPTO_DRIVERS w/ driver hooks" +component_test_psa_crypto_builtin_keys () { + msg "build: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS" scripts/config.py full - scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS scripts/config.py set MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" @@ -3264,7 +3255,7 @@ component_test_psa_crypto_drivers () { make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + MBEDTLS_PSA_CRYPTO_DRIVERS" + msg "test: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS" make test } diff --git a/tests/src/drivers/hash.c b/tests/src/drivers/hash.c index 7487e84500..8fb1982779 100644 --- a/tests/src/drivers/hash.c +++ b/tests/src/drivers/hash.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_hash.h" #include "test/drivers/hash.h" @@ -208,4 +208,4 @@ psa_status_t mbedtls_test_transparent_hash_abort( return mbedtls_test_driver_hash_hooks.driver_status; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_aead.c b/tests/src/drivers/test_driver_aead.c index 4bf2a86e25..8eb5547f47 100644 --- a/tests/src/drivers/test_driver_aead.c +++ b/tests/src/drivers/test_driver_aead.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_aead.h" #include "psa_crypto_core.h" @@ -469,4 +469,4 @@ psa_status_t mbedtls_test_transparent_aead_abort( return mbedtls_test_driver_aead_hooks.driver_status; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_asymmetric_encryption.c b/tests/src/drivers/test_driver_asymmetric_encryption.c index 8c5e207adf..cf0e90caef 100644 --- a/tests/src/drivers/test_driver_asymmetric_encryption.c +++ b/tests/src/drivers/test_driver_asymmetric_encryption.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "mbedtls/rsa.h" #include "psa_crypto_rsa.h" @@ -160,4 +160,4 @@ psa_status_t mbedtls_test_opaque_asymmetric_decrypt( return PSA_ERROR_NOT_SUPPORTED; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_cipher.c b/tests/src/drivers/test_driver_cipher.c index f0cb6b262f..42e79c4903 100644 --- a/tests/src/drivers/test_driver_cipher.c +++ b/tests/src/drivers/test_driver_cipher.c @@ -20,7 +20,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_cipher.h" #include "psa_crypto_core.h" @@ -433,4 +433,4 @@ psa_status_t mbedtls_test_opaque_cipher_finish( (void) output_length; return PSA_ERROR_NOT_SUPPORTED; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_key_agreement.c b/tests/src/drivers/test_driver_key_agreement.c index d1fd891e79..b60c412031 100644 --- a/tests/src/drivers/test_driver_key_agreement.c +++ b/tests/src/drivers/test_driver_key_agreement.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_core.h" @@ -123,4 +123,4 @@ psa_status_t mbedtls_test_opaque_key_agreement( return PSA_ERROR_NOT_SUPPORTED; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_key_management.c b/tests/src/drivers/test_driver_key_management.c index 4e340aae6e..a3ff2ddea6 100644 --- a/tests/src/drivers/test_driver_key_management.c +++ b/tests/src/drivers/test_driver_key_management.c @@ -20,7 +20,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_core.h" #include "psa_crypto_ecp.h" @@ -748,4 +748,4 @@ psa_status_t mbedtls_test_opaque_copy_key( return PSA_SUCCESS; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_mac.c b/tests/src/drivers/test_driver_mac.c index ea09cf43f7..96c1685f59 100644 --- a/tests/src/drivers/test_driver_mac.c +++ b/tests/src/drivers/test_driver_mac.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_mac.h" #include "test/drivers/mac.h" @@ -431,4 +431,4 @@ psa_status_t mbedtls_test_opaque_mac_abort( return mbedtls_test_driver_mac_hooks.driver_status; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_pake.c b/tests/src/drivers/test_driver_pake.c index 9c72483084..a8cf0d8608 100644 --- a/tests/src/drivers/test_driver_pake.c +++ b/tests/src/drivers/test_driver_pake.c @@ -19,7 +19,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa_crypto_pake.h" #include "test/drivers/pake.h" @@ -209,4 +209,4 @@ psa_status_t mbedtls_test_transparent_pake_abort( return mbedtls_test_driver_pake_hooks.driver_status; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/src/drivers/test_driver_signature.c b/tests/src/drivers/test_driver_signature.c index 11815b03f3..c312477c8a 100644 --- a/tests/src/drivers/test_driver_signature.c +++ b/tests/src/drivers/test_driver_signature.c @@ -21,7 +21,7 @@ #include -#if defined(MBEDTLS_PSA_CRYPTO_DRIVERS) && defined(PSA_CRYPTO_DRIVER_TEST) +#if defined(PSA_CRYPTO_DRIVER_TEST) #include "psa/crypto.h" #include "psa_crypto_core.h" #include "psa_crypto_ecp.h" @@ -414,4 +414,4 @@ psa_status_t mbedtls_test_opaque_signature_verify_hash( return PSA_ERROR_NOT_SUPPORTED; } -#endif /* MBEDTLS_PSA_CRYPTO_DRIVERS && PSA_CRYPTO_DRIVER_TEST */ +#endif /* PSA_CRYPTO_DRIVER_TEST */ diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index c1d266782a..b3ba8a8b18 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -1436,10 +1436,6 @@ Copy fail: AES, invalid persistent key identifier in attributes depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_CRYPTO_STORAGE_C copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:0:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_TYPE_AES:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:0:PSA_KEY_LIFETIME_PERSISTENT:PSA_ERROR_INVALID_ARGUMENT -Copy fail: AES, invalid lifetime (unknown location) in attributes -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_CRYPTO_STORAGE_C:!MBEDTLS_PSA_CRYPTO_DRIVERS -copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:0:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_TYPE_AES:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:1:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION(PSA_KEY_PERSISTENCE_DEFAULT, 11):PSA_ERROR_INVALID_ARGUMENT - Copy fail: AES, copy to a readonly lifetime in attributes depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_CRYPTO_STORAGE_C copy_fail:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:0:PSA_KEY_TYPE_AES:"404142434445464748494a4b4c4d4e4f":PSA_KEY_TYPE_AES:0:PSA_KEY_USAGE_COPY | PSA_KEY_USAGE_ENCRYPT | PSA_KEY_USAGE_EXPORT:PSA_ALG_CTR:0:1:PSA_KEY_LIFETIME_FROM_PERSISTENCE_AND_LOCATION( PSA_KEY_PERSISTENCE_READ_ONLY, 0 ):PSA_ERROR_INVALID_ARGUMENT diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.function b/tests/suites/test_suite_psa_crypto_driver_wrappers.function index 5105ef5673..00ea6a561f 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.function +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.function @@ -484,7 +484,7 @@ exit: /* END_HEADER */ /* BEGIN_DEPENDENCIES - * depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_PSA_CRYPTO_DRIVERS:PSA_CRYPTO_DRIVER_TEST + * depends_on:MBEDTLS_PSA_CRYPTO_C:PSA_CRYPTO_DRIVER_TEST * END_DEPENDENCIES */ @@ -2130,7 +2130,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_CRYPTO_DRIVER_TEST:MBEDTLS_PSA_CRYPTO_DRIVERS:MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ +/* BEGIN_CASE depends_on:PSA_CRYPTO_DRIVER_TEST:MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ void builtin_key_export(int builtin_key_id_arg, int builtin_key_type_arg, int builtin_key_bits_arg, @@ -2181,7 +2181,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:PSA_CRYPTO_DRIVER_TEST:MBEDTLS_PSA_CRYPTO_DRIVERS:MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ +/* BEGIN_CASE depends_on:PSA_CRYPTO_DRIVER_TEST:MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS */ void builtin_pubkey_export(int builtin_key_id_arg, int builtin_key_type_arg, int builtin_key_bits_arg, From f6236f032a9cb8890dcc5d63427e6c7251be80b7 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 26 Jan 2023 16:22:25 +0100 Subject: [PATCH 5/9] psa: Introduce psa/build_info.h The PSA cryptography repository is based to start with on the PSA cryptography implementation in Mbed TLS but with a different directority structure, build system and build configuration. The build-time configuration information in the PSA cryptography repository is psa/build_info.h. This commit introduces this file in Mbed TLS to be used in place of mbedtls/build_info.h (but basically just an alias to it) in PSA headers. This is to ease the update of the PSA cryptography repository. Signed-off-by: Ronald Cron --- include/psa/build_info.h | 32 ++++++++++++++++++++++++++++++++ include/psa/crypto_platform.h | 11 ++++++++--- include/psa/crypto_sizes.h | 11 ++++++++--- 3 files changed, 48 insertions(+), 6 deletions(-) create mode 100644 include/psa/build_info.h diff --git a/include/psa/build_info.h b/include/psa/build_info.h new file mode 100644 index 0000000000..ce278552bd --- /dev/null +++ b/include/psa/build_info.h @@ -0,0 +1,32 @@ +/** + * \file build_info.h + * + * \brief Build-time PSA configuration info + * + * Include this file if you need to depend on the + * configuration options defined in mbedtls_config.h or MBEDTLS_CONFIG_FILE + * in PSA cryptography core specific files. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_BUILD_INFO_H +#define PSA_CRYPTO_BUILD_INFO_H + +#include "mbedtls/build_info.h" + +#endif /* PSA_CRYPTO_BUILD_INFO_H */ diff --git a/include/psa/crypto_platform.h b/include/psa/crypto_platform.h index 28534966fb..ee41c897f6 100644 --- a/include/psa/crypto_platform.h +++ b/include/psa/crypto_platform.h @@ -34,9 +34,14 @@ #define PSA_CRYPTO_PLATFORM_H #include "mbedtls/private_access.h" -/* Include the Mbed TLS configuration file, the way Mbed TLS does it - * in each of its header files. */ -#include "mbedtls/build_info.h" +/* + * Include the build-time configuration information file. Here, we do not + * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which + * is basically just an alias to it. This is to ease the maintenance of the + * PSA cryptography repository which has a different build system and + * configuration. + */ +#include "psa/build_info.h" /* PSA requires several types which C99 provides in stdint.h. */ #include diff --git a/include/psa/crypto_sizes.h b/include/psa/crypto_sizes.h index 3d6bb2c1e8..54b57f51fc 100644 --- a/include/psa/crypto_sizes.h +++ b/include/psa/crypto_sizes.h @@ -40,9 +40,14 @@ #ifndef PSA_CRYPTO_SIZES_H #define PSA_CRYPTO_SIZES_H -/* Include the Mbed TLS configuration file, the way Mbed TLS does it - * in each of its header files. */ -#include "mbedtls/build_info.h" +/* + * Include the build-time configuration information file. Here, we do not + * include `"mbedtls/build_info.h"` directly but `"psa/build_info.h"`, which + * is basically just an alias to it. This is to ease the maintenance of the + * PSA cryptography repository which has a different build system and + * configuration. + */ +#include "psa/build_info.h" #define PSA_BITS_TO_BYTES(bits) (((bits) + 7) / 8) #define PSA_BYTES_TO_BITS(bytes) ((bytes) * 8) From 135f2ae312df0e7a707176647fc78b4387c4b180 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 8 Feb 2023 12:25:38 +0100 Subject: [PATCH 6/9] Pacify doxygen.sh Signed-off-by: Ronald Cron --- include/mbedtls/build_info.h | 2 +- include/psa/build_info.h | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 8ffa51a312..12a8544f27 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -1,5 +1,5 @@ /** - * \file build_info.h + * \file mbedtls/build_info.h * * \brief Build-time configuration info * diff --git a/include/psa/build_info.h b/include/psa/build_info.h index ce278552bd..34a138d72c 100644 --- a/include/psa/build_info.h +++ b/include/psa/build_info.h @@ -1,5 +1,5 @@ /** - * \file build_info.h + * \file psa/build_info.h * * \brief Build-time PSA configuration info * From afbc7eda650369c99bb3f15d64316641ebf8aa6a Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 24 Jan 2023 16:02:04 +0100 Subject: [PATCH 7/9] psa: Introduce PSA crypto core common symbols When compiling some PSA core files of the PSA cryptography repository, both the Mbed TLS library and the PSA cryptography core common.h are included and if they define the same inline functions (same name), the compilation fails. Thus, inline functions prefixed by psa_crypto_ instead of mbedtls_ are defined in the PSA cryptography core common.h header. To ease the maintenance of the PSA cryptography repository, introduce those symbols in Mbed TLS as well and use them in PSA crypto core code files instead of their Mbed TLS equivalent. Signed-off-by: Ronald Cron --- library/psa_crypto.c | 3 +- library/psa_crypto_core_common.h | 64 ++++++++++++++++++++++++++++++++ 2 files changed, 66 insertions(+), 1 deletion(-) create mode 100644 library/psa_crypto_core_common.h diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 1609c74dfb..9cccf53c3a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -19,6 +19,7 @@ */ #include "common.h" +#include "psa_crypto_core_common.h" #if defined(MBEDTLS_PSA_CRYPTO_C) @@ -4226,7 +4227,7 @@ psa_status_t psa_cipher_encrypt(mbedtls_svc_key_id_t key, status = psa_driver_wrapper_cipher_encrypt( &attributes, slot->key.data, slot->key.bytes, alg, local_iv, default_iv_length, input, input_length, - mbedtls_buffer_offset(output, default_iv_length), + psa_crypto_buffer_offset(output, default_iv_length), output_size - default_iv_length, output_length); exit: diff --git a/library/psa_crypto_core_common.h b/library/psa_crypto_core_common.h new file mode 100644 index 0000000000..dd72ab1629 --- /dev/null +++ b/library/psa_crypto_core_common.h @@ -0,0 +1,64 @@ +/** + * \file psa_crypto_core_common.h + * + * \brief Utility macros for internal use in the PSA cryptography core. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 + * + * Licensed under the Apache License, Version 2.0 (the "License"); you may + * not use this file except in compliance with the License. + * You may obtain a copy of the License at + * + * http://www.apache.org/licenses/LICENSE-2.0 + * + * Unless required by applicable law or agreed to in writing, software + * distributed under the License is distributed on an "AS IS" BASIS, WITHOUT + * WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + * See the License for the specific language governing permissions and + * limitations under the License. + */ + +#ifndef PSA_CRYPTO_CORE_COMMON_H +#define PSA_CRYPTO_CORE_COMMON_H + +/** Return an offset into a buffer. + * + * This is just the addition of an offset to a pointer, except that this + * function also accepts an offset of 0 into a buffer whose pointer is null. + * (`p + n` has undefined behavior when `p` is null, even when `n == 0`. + * A null pointer is a valid buffer pointer when the size is 0, for example + * as the result of `malloc(0)` on some platforms.) + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline unsigned char *psa_crypto_buffer_offset( + unsigned char *p, size_t n) +{ + return p == NULL ? NULL : p + n; +} + +/** Return an offset into a read-only buffer. + * + * Similar to mbedtls_buffer_offset(), but for const pointers. + * + * \param p Pointer to a buffer of at least n bytes. + * This may be \p NULL if \p n is zero. + * \param n An offset in bytes. + * \return Pointer to offset \p n in the buffer \p p. + * Note that this is only a valid pointer if the size of the + * buffer is at least \p n + 1. + */ +static inline const unsigned char *psa_crypto_buffer_offset_const( + const unsigned char *p, size_t n) +{ + return p == NULL ? NULL : p + n; +} + +#endif /* PSA_CRYPTO_CORE_COMMON_H */ From 789cef87f88db12d6fe81be548aa55bc96ddd5df Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Mon, 27 Mar 2023 16:31:19 +0200 Subject: [PATCH 8/9] Fix documentation Signed-off-by: Ronald Cron --- include/psa/crypto_builtin_composites.h | 4 ++-- include/psa/crypto_builtin_key_derivation.h | 4 ++-- include/psa/crypto_builtin_primitives.h | 4 ++-- include/psa/crypto_driver_contexts_composites.h | 4 ++-- include/psa/crypto_driver_contexts_key_derivation.h | 4 ++-- include/psa/crypto_driver_contexts_primitives.h | 4 ++-- 6 files changed, 12 insertions(+), 12 deletions(-) diff --git a/include/psa/crypto_builtin_composites.h b/include/psa/crypto_builtin_composites.h index 3ba18b3977..c28036090b 100644 --- a/include/psa/crypto_builtin_composites.h +++ b/include/psa/crypto_builtin_composites.h @@ -7,10 +7,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the Mbed TLS software-based PSA drivers. The - * definition of these objects are then used by crypto_struct.h to define the + * definitions of these objects are then used by crypto_struct.h to define the * implementation-defined types of PSA multi-part state objects. */ /* diff --git a/include/psa/crypto_builtin_key_derivation.h b/include/psa/crypto_builtin_key_derivation.h index a9b81eba3f..1913a9b548 100644 --- a/include/psa/crypto_builtin_key_derivation.h +++ b/include/psa/crypto_builtin_key_derivation.h @@ -7,10 +7,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the Mbed TLS software-based PSA drivers. The - * definition of these objects are then used by crypto_struct.h to define the + * definitions of these objects are then used by crypto_struct.h to define the * implementation-defined types of PSA multi-part state objects. */ /* diff --git a/include/psa/crypto_builtin_primitives.h b/include/psa/crypto_builtin_primitives.h index c76bc78143..f3e438dd77 100644 --- a/include/psa/crypto_builtin_primitives.h +++ b/include/psa/crypto_builtin_primitives.h @@ -7,10 +7,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the Mbed TLS software-based PSA drivers. The - * definition of these objects are then used by crypto_struct.h to define the + * definitions of these objects are then used by crypto_struct.h to define the * implementation-defined types of PSA multi-part state objects. */ /* diff --git a/include/psa/crypto_driver_contexts_composites.h b/include/psa/crypto_driver_contexts_composites.h index 6c56a51dbc..068a193bcc 100644 --- a/include/psa/crypto_driver_contexts_composites.h +++ b/include/psa/crypto_driver_contexts_composites.h @@ -9,10 +9,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the PSA drivers included in the cryptographic - * library. The definition of these objects are then used by crypto_struct.h + * library. The definitions of these objects are then used by crypto_struct.h * to define the implementation-defined types of PSA multi-part state objects. */ /* Copyright The Mbed TLS Contributors diff --git a/include/psa/crypto_driver_contexts_key_derivation.h b/include/psa/crypto_driver_contexts_key_derivation.h index dc09136b59..39754cc010 100644 --- a/include/psa/crypto_driver_contexts_key_derivation.h +++ b/include/psa/crypto_driver_contexts_key_derivation.h @@ -8,10 +8,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the PSA drivers included in the cryptographic - * library. The definition of these objects are then used by crypto_struct.h + * library. The definitions of these objects are then used by crypto_struct.h * to define the implementation-defined types of PSA multi-part state objects. */ /* Copyright The Mbed TLS Contributors diff --git a/include/psa/crypto_driver_contexts_primitives.h b/include/psa/crypto_driver_contexts_primitives.h index 620a4b3a77..7f81f62406 100644 --- a/include/psa/crypto_driver_contexts_primitives.h +++ b/include/psa/crypto_driver_contexts_primitives.h @@ -8,10 +8,10 @@ * \note This file may not be included directly. Applications must * include psa/crypto.h. * - * \note This header and its content is not part of the Mbed TLS API and + * \note This header and its content are not part of the Mbed TLS API and * applications must not depend on it. Its main purpose is to define the * multi-part state objects of the PSA drivers included in the cryptographic - * library. The definition of these objects are then used by crypto_struct.h + * library. The definitions of these objects are then used by crypto_struct.h * to define the implementation-defined types of PSA multi-part state objects. */ /* Copyright The Mbed TLS Contributors From 32a432af95a48fc1544fada199edc8fa39457172 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Mar 2023 09:19:04 +0200 Subject: [PATCH 9/9] all.sh: Fix test component name The component_test_psa_crypto_drivers was renamed component_test_psa_crypto_builtin_keys in a previous commit. This was misleading as the goal of the component is not to test the builtin keys but to run the PSA unit tests with the test drivers doing the cryptographic operations. Signed-off-by: Ronald Cron --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index faa9b730b4..64140ee7ca 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3245,8 +3245,8 @@ component_test_se_default () { make test } -component_test_psa_crypto_builtin_keys () { - msg "build: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS" +component_test_psa_crypto_drivers () { + msg "build: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS + test drivers" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS loc_cflags="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST_ALL" @@ -3255,7 +3255,7 @@ component_test_psa_crypto_builtin_keys () { make CC=gcc CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS" + msg "test: full + MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS + test drivers" make test }