From 5d9b00dddbd4acd1c9eb0a472bfd4a01bc136be4 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 10 Mar 2021 14:43:20 +0100 Subject: [PATCH] psa: cipher: Include Mbed TLS cipher driver only if necessary Signed-off-by: Ronald Cron --- include/psa/crypto_builtin_cipher.h | 11 +++++ library/psa_crypto_cipher.c | 39 ++++++++++++++--- library/psa_crypto_driver_wrappers.c | 42 ++++++++++++++++++- ...test_suite_psa_crypto_driver_wrappers.data | 6 +-- 4 files changed, 89 insertions(+), 9 deletions(-) diff --git a/include/psa/crypto_builtin_cipher.h b/include/psa/crypto_builtin_cipher.h index 1c6e4c5264..72d3e8d7a5 100644 --- a/include/psa/crypto_builtin_cipher.h +++ b/include/psa/crypto_builtin_cipher.h @@ -25,6 +25,17 @@ #include #include "mbedtls/cipher.h" +#if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_XTS) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) +#define MBEDTLS_PSA_BUILTIN_CIPHER 1 +#endif + typedef struct { /** Context structure for the Mbed TLS cipher implementation. */ psa_algorithm_t alg; diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index f47df9e294..ca91eaa365 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,6 +31,32 @@ #include +#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) || \ + ( defined(PSA_CRYPTO_DRIVER_TEST) && \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_DES) ) ) +#define BUILTIN_KEY_TYPE_DES 1 +#endif + +#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ + ( defined(PSA_CRYPTO_DRIVER_TEST) && \ + defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING) ) ) +#define BUILTIN_ALG_CBC_NO_PADDING 1 +#endif + +#if ( defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) || \ + ( defined(PSA_CRYPTO_DRIVER_TEST) && \ + defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7) ) ) +#define BUILTIN_ALG_CBC_PKCS7 1 +#endif + +#if ( defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) || \ + ( defined(PSA_CRYPTO_DRIVER_TEST) && \ + defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) ) ) +#define BUILTIN_KEY_TYPE_CHACHA20 1 +#endif + +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) || defined(PSA_CRYPTO_DRIVER_TEST) + static psa_status_t cipher_setup( mbedtls_psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, @@ -60,7 +86,7 @@ static psa_status_t cipher_setup( if( ret != 0 ) goto exit; -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) +#if defined(BUILTIN_KEY_TYPE_DES) if( key_type == PSA_KEY_TYPE_DES && key_bits == 128 ) { /* Two-key Triple-DES is 3-key Triple-DES with K1=K3 */ @@ -80,8 +106,8 @@ static psa_status_t cipher_setup( if( ret != 0 ) goto exit; -#if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) || \ - defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) +#if defined(BUILTIN_ALG_CBC_NO_PADDING) || \ + defined(BUILTIN_ALG_CBC_PKCS7) switch( alg ) { case PSA_ALG_CBC_NO_PADDING: @@ -99,7 +125,7 @@ static psa_status_t cipher_setup( } if( ret != 0 ) goto exit; -#endif /* MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING || MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7 */ +#endif /* BUILTIN_ALG_CBC_NO_PADDING || BUILTIN_ALG_CBC_PKCS7 */ operation->block_size = ( PSA_ALG_IS_STREAM_CIPHER( alg ) ? 1 : PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ) ); @@ -108,7 +134,7 @@ static psa_status_t cipher_setup( { operation->iv_size = PSA_BLOCK_CIPHER_BLOCK_LENGTH( key_type ); } -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20) +#if defined(BUILTIN_KEY_TYPE_CHACHA20) else if( ( alg == PSA_ALG_STREAM_CIPHER ) && ( key_type == PSA_KEY_TYPE_CHACHA20 ) ) @@ -359,7 +385,9 @@ static psa_status_t cipher_abort( mbedtls_psa_cipher_operation_t *operation ) return( PSA_SUCCESS ); } +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER || PSA_CRYPTO_DRIVER_TEST */ +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) psa_status_t mbedtls_psa_cipher_encrypt_setup( mbedtls_psa_cipher_operation_t *operation, const psa_key_attributes_t *attributes, @@ -417,6 +445,7 @@ psa_status_t mbedtls_psa_cipher_abort( mbedtls_psa_cipher_operation_t *operation { return( cipher_abort( operation ) ); } +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ /* * BEYOND THIS POINT, TEST DRIVER ENTRY POINTS ONLY. diff --git a/library/psa_crypto_driver_wrappers.c b/library/psa_crypto_driver_wrappers.c index 75ea6f58be..765920fc8b 100644 --- a/library/psa_crypto_driver_wrappers.c +++ b/library/psa_crypto_driver_wrappers.c @@ -741,6 +741,7 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) /* Fell through, meaning no accelerator supports this operation */ status = mbedtls_psa_cipher_encrypt_setup( &operation->ctx.mbedtls_ctx, attributes, @@ -751,6 +752,8 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; return( status ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ + return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -771,6 +774,9 @@ psa_status_t psa_driver_wrapper_cipher_encrypt_setup( default: /* Key is declared with a lifetime not known to us */ (void)status; + (void)key_buffer; + (void)key_buffer_size; + (void)alg; return( PSA_ERROR_INVALID_ARGUMENT ); } } @@ -806,6 +812,7 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( return( status ); #endif /* PSA_CRYPTO_DRIVER_TEST */ #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) /* Fell through, meaning no accelerator supports this operation */ status = mbedtls_psa_cipher_decrypt_setup( &operation->ctx.mbedtls_ctx, attributes, @@ -816,6 +823,8 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( operation->id = PSA_CRYPTO_MBED_TLS_DRIVER_ID; return( status ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ + return( PSA_ERROR_NOT_SUPPORTED ); /* Add cases for opaque driver here */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) @@ -836,6 +845,9 @@ psa_status_t psa_driver_wrapper_cipher_decrypt_setup( default: /* Key is declared with a lifetime not known to us */ (void)status; + (void)key_buffer; + (void)key_buffer_size; + (void)alg; return( PSA_ERROR_INVALID_ARGUMENT ); } } @@ -848,11 +860,14 @@ psa_status_t psa_driver_wrapper_cipher_generate_iv( { switch( operation->id ) { +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_cipher_generate_iv( &operation->ctx.mbedtls_ctx, iv, iv_size, iv_length ) ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ + #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: @@ -870,6 +885,10 @@ psa_status_t psa_driver_wrapper_cipher_generate_iv( #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ } + (void)iv; + (void)iv_size; + (void)iv_length; + return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -880,10 +899,12 @@ psa_status_t psa_driver_wrapper_cipher_set_iv( { switch( operation->id ) { +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_cipher_set_iv( &operation->ctx.mbedtls_ctx, iv, iv_length ) ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) @@ -900,6 +921,9 @@ psa_status_t psa_driver_wrapper_cipher_set_iv( #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ } + (void)iv; + (void)iv_length; + return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -913,6 +937,7 @@ psa_status_t psa_driver_wrapper_cipher_update( { switch( operation->id ) { +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_cipher_update( &operation->ctx.mbedtls_ctx, input, @@ -920,6 +945,8 @@ psa_status_t psa_driver_wrapper_cipher_update( output, output_size, output_length ) ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ + #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) case PSA_CRYPTO_TRANSPARENT_TEST_DRIVER_ID: @@ -937,6 +964,12 @@ psa_status_t psa_driver_wrapper_cipher_update( #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ } + (void)input; + (void)input_length; + (void)output; + (void)output_size; + (void)output_length; + return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -948,12 +981,13 @@ psa_status_t psa_driver_wrapper_cipher_finish( { switch( operation->id ) { +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_cipher_finish( &operation->ctx.mbedtls_ctx, output, output_size, output_length ) ); - +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) @@ -970,6 +1004,10 @@ psa_status_t psa_driver_wrapper_cipher_finish( #endif /* PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT */ } + (void)output; + (void)output_size; + (void)output_length; + return( PSA_ERROR_INVALID_ARGUMENT ); } @@ -980,8 +1018,10 @@ psa_status_t psa_driver_wrapper_cipher_abort( switch( operation->id ) { +#if defined(MBEDTLS_PSA_BUILTIN_CIPHER) case PSA_CRYPTO_MBED_TLS_DRIVER_ID: return( mbedtls_psa_cipher_abort( &operation->ctx.mbedtls_ctx ) ); +#endif /* MBEDTLS_PSA_BUILTIN_CIPHER */ #if defined(PSA_CRYPTO_ACCELERATOR_DRIVER_PRESENT) #if defined(PSA_CRYPTO_DRIVER_TEST) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index b4ae8e56dd..07311e47ab 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data @@ -93,11 +93,11 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_SUCCESS:PSA_SUCCESS PSA symmetric encrypt: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES +depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric encrypt: AES-CTR, 15 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES +depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER cipher_encrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric encrypt: AES-CTR, 16 bytes, fake @@ -113,7 +113,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_decrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_SUCCESS:PSA_SUCCESS PSA symmetric decrypt: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES +depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER cipher_decrypt:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric decrypt: AES-CTR, 16 bytes, fake