Merge pull request #6283 from mpg/driver-only-hashes-wrap-up

Driver only hashes wrap-up

include/mbedtls/check_config.h

@@ -320,11 +320,20 @@
 #endif
 
 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
-    ( !defined(MBEDTLS_ECJPAKE_C) || !defined(MBEDTLS_SHA256_C) ||      \
+    ( !defined(MBEDTLS_ECJPAKE_C) ||                                    \
       !defined(MBEDTLS_ECP_DP_SECP256R1_ENABLED) )
 #error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
 #endif
 
+/* Use of EC J-PAKE in TLS requires SHA-256.
+ * This will be taken from MD if it is present, or from PSA if MD is absent.
+ * Note: ECJPAKE_C depends on MD_C || PSA_CRYPTO_C. */
+#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) &&                    \
+    !( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) &&          \
+    !( !defined(MBEDTLS_MD_C) && defined(PSA_WANT_ALG_SHA_256) )
+#error "MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED defined, but not all prerequisites"
+#endif
+
 #if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) &&        \
     !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) &&              \
     ( !defined(MBEDTLS_SHA256_C) &&                             \

include/mbedtls/legacy_or_psa.h

@@ -0,0 +1,212 @@
+/**
+ *  Macros to express dependencies for code and tests that may use either the
+ *  legacy API or PSA in various builds; mostly for internal use.
+ *
+ *  Copyright The Mbed TLS Contributors
+ *  SPDX-License-Identifier: Apache-2.0
+ *
+ *  Licensed under the Apache License, Version 2.0 (the "License"); you may
+ *  not use this file except in compliance with the License.
+ *  You may obtain a copy of the License at
+ *
+ *  http://www.apache.org/licenses/LICENSE-2.0
+ *
+ *  Unless required by applicable law or agreed to in writing, software
+ *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
+ *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ *  See the License for the specific language governing permissions and
+ *  limitations under the License.
+ */
+
+/*
+ * Note: applications that are targeting a specific configuration do not need
+ * to use these macros; instead they should directly use the functions they
+ * know are available in their configuration.
+ *
+ * Note: code that is purely based on PSA Crypto (psa_xxx() functions)
+ * does not need to use these macros; instead it should use the relevant
+ * PSA_WANT_xxx macros.
+ *
+ * Note: code that is purely based on the legacy crypto APIs (mbedtls_xxx())
+ * does not need to use these macros; instead it should use the relevant
+ * MBEDTLS_xxx macros.
+ *
+ * These macros are for code that wants to use <crypto feature> and will do so
+ * using <legacy API> or PSA depending on <condition>, where:
+ * - <crypto feature> will generally be an algorithm (SHA-256, ECDH) but may
+ *   also be a key type (AES, RSA, EC) or domain parameters (elliptic curve);
+ * - <legacy API> will be either:
+ *      - low-level module API (aes.h, sha256.h), or
+ *      - an abstraction layer (md.h, cipher.h);
+ * - <condition> will be either:
+ *      - depending on what's available in the build:
+ *          legacy API used if available, PSA otherwise
+ *          (this is done to ensure backwards compatibility); or
+ *      - depending on whether MBEDTLS_USE_PSA_CRYPTO is defined.
+ *
+ * Examples:
+ * - TLS 1.2 will compute hashes using either mbedtls_md_xxx() (and
+ *   mbedtls_sha256_xxx()) or psa_aead_xxx() depending on whether
+ *   MBEDTLS_USE_PSA_CRYPTO is defined;
+ * - RSA PKCS#1 v2.1 will compute hashes (for padding) using either
+ *   `mbedtls_md()` if it's available, or `psa_hash_compute()` otherwise;
+ * - PEM decoding of PEM-encrypted keys will compute MD5 hashes using either
+ *   `mbedtls_md5_xxx()` if it's available, or `psa_hash_xxx()` otherwise.
+ *
+ * Note: the macros are essential to express test dependencies. Inside code,
+ * we could instead just use the equivalent pre-processor condition, but
+ * that's not possible in test dependencies where we need a single macro.
+ * Hopefully, using these macros in code will also help with consistency.
+ *
+ * The naming scheme for these macros is:
+ *      MBEDTLS_HAS_feature_VIA_legacy_OR_PSA(_condition)
+ * where:
+ * - feature is expressed the same way as in PSA_WANT macros, for example:
+ *   KEY_TYPE_AES, ALG_SHA_256, ECC_SECP_R1_256;
+ * - legacy is either LOWLEVEL or the name of the layer: MD, CIPHER;
+ * - condition is omitted if it's based on availability, else it's
+ *   BASED_ON_USE_PSA.
+ *
+ * Coming back to the examples above:
+ * - TLS 1.2 will determine if it can use SHA-256 using
+ *      MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+ *   for the purposes of negotiation, and in test dependencies;
+ * - RSA PKCS#1 v2.1 tests that used SHA-256 will depend on
+ *      MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
+ * - PEM decoding code and its associated tests will depend on
+ *      MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA
+ *
+ * Note: every time it's possible to use, say SHA-256, via the MD API, then
+ * it's also possible to use it via the low-level API. So, code that wants to
+ * use SHA-256 via both APIs only needs to depend on the MD macro. Also, it
+ * just so happens that all the code choosing which API to use based on
+ * MBEDTLS_USE_PSA_CRYPTO (X.509, TLS 1.2/shared), always uses the abstraction
+ * layer (sometimes in addition to the low-level API), so we don't need the
+ * MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA_BASED_ON_USE_PSA macros.
+ * (PK, while obeying MBEDTLS_USE_PSA_CRYPTO, doesn't compute hashes itself,
+ * even less makes use of ciphers.)
+ *
+ * Note: the macros MBEDTLS_HAS_feature_VIA_LOWLEVEL_OR_PSA are the minimal
+ * condition for being able to use <feature> at all. As such, they should be
+ * used for guarding data about <feature>, such as OIDs or size. For example,
+ * OID values related to SHA-256 are only useful when SHA-256 can be used at
+ * least in some way.
+ */
+
+#ifndef MBEDTLS_OR_PSA_HELPERS_H
+#define MBEDTLS_OR_PSA_HELPERS_H
+
+#include "mbedtls/build_info.h"
+#if defined(MBEDTLS_PSA_CRYPTO_C)
+#include "psa/crypto.h"
+#endif /* MBEDTLS_PSA_CRYPTO_C */
+
+/*
+ * Hashes
+ */
+
+/* Hashes using low-level or PSA based on availability */
+#if defined(MBEDTLS_MD5_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_MD5) )
+#define MBEDTLS_HAS_ALG_MD5_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_RIPEMD160_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_RIPEMD160) )
+#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_SHA1_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) )
+#define MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_SHA224_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_224) )
+#define MBEDTLS_HAS_ALG_SHA_224_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_SHA256_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) )
+#define MBEDTLS_HAS_ALG_SHA_256_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_SHA384_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384) )
+#define MBEDTLS_HAS_ALG_SHA_384_VIA_LOWLEVEL_OR_PSA
+#endif
+#if defined(MBEDTLS_SHA512_C) || \
+    ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512) )
+#define MBEDTLS_HAS_ALG_SHA_512_VIA_LOWLEVEL_OR_PSA
+#endif
+
+/* Hashes using MD or PSA based on availability */
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_MD5_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_MD5) )
+#define MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_RIPEMD160_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_RIPEMD160) )
+#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) )
+#define MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_224) )
+#define MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_256) )
+#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_384) )
+#define MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA
+#endif
+#if ( defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \
+    ( !defined(MBEDTLS_MD_C) && \
+        defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_512) )
+#define MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA
+#endif
+
+/* Hashes using MD or PSA based on MBEDTLS_USE_PSA_CRYPTO */
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_MD5_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_MD5) )
+#define MBEDTLS_HAS_ALG_MD5_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_RIPEMD160_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_RIPEMD160) )
+#define MBEDTLS_HAS_ALG_RIPEMD160_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA1_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_1) )
+#define MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA224_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_224) )
+#define MBEDTLS_HAS_ALG_SHA_224_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA256_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_256) )
+#define MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA384_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_384) )
+#define MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+#if ( !defined(MBEDTLS_USE_PSA_CRYPTO) && \
+        defined(MBEDTLS_MD_C) && defined(MBEDTLS_SHA512_C) ) || \
+    ( defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_SHA_512) )
+#define MBEDTLS_HAS_ALG_SHA_512_VIA_MD_OR_PSA_BASED_ON_USE_PSA
+#endif
+
+#endif /* MBEDTLS_OR_PSA_HELPERS_H */

include/mbedtls/mbedtls_config.h

@@ -958,7 +958,7 @@
  * might still happen. For this reason, this is disabled by default.
  *
  * Requires: MBEDTLS_ECJPAKE_C
- *           MBEDTLS_SHA256_C
+ *           SHA-256 (via MD if present, or via PSA, see MBEDTLS_ECJPAKE_C)
  *           MBEDTLS_ECP_DP_SECP256R1_ENABLED
  *
  * This enables the following ciphersuites (if other requisites are
@@ -1492,13 +1492,14 @@
  *
  * Enable support for TLS 1.2 (and DTLS 1.2 if DTLS is enabled).
  *
- * Requires: MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C
- *           (Depends on ciphersuites) when MBEDTLS_USE_PSA_CRYPTO
- *           is not defined, PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or
- *           PSA_WANT_ALG_SHA_512 when MBEDTLS_USE_PSA_CRYPTO is defined.
+ * Requires: Without MBEDTLS_USE_PSA_CRYPTO: MBEDTLS_MD_C and
+ *              (MBEDTLS_SHA1_C or MBEDTLS_SHA256_C or MBEDTLS_SHA512_C)
+ *           With MBEDTLS_USE_PSA_CRYPTO:
+ *              PSA_WANT_ALG_SHA_1 or PSA_WANT_ALG_SHA_256 or
+ *              PSA_WANT_ALG_SHA_512
  *
- * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
- * before doing any TLS operation.
+ * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
+ * psa_crypto_init() before doing any TLS operations.
  *
  * Comment this macro to disable support for TLS 1.2 / DTLS 1.2
  */
@@ -1517,11 +1518,11 @@
  * Requires: MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
  * Requires: MBEDTLS_PSA_CRYPTO_C
  *
- * Note: even though TLS 1.3 depends on PSA Crypto, if you want it to only use
- * PSA for all crypto operations, you need to also enable
- * MBEDTLS_USE_PSA_CRYPTO; otherwise X.509 operations, and functions that are
- * common with TLS 1.2 (record protection, running handshake hash) will still
- * use non-PSA crypto.
+ * Note: even though TLS 1.3 depends on PSA Crypto, and uses it unconditonally
+ * for most operations, if you want it to only use PSA for all crypto
+ * operations, you need to also enable MBEDTLS_USE_PSA_CRYPTO; otherwise X.509
+ * operations, and functions that are common with TLS 1.2 (record protection,
+ * running handshake hash) will still use non-PSA crypto.
  *
  * Uncomment this macro to enable the support for TLS 1.3.
  */
@@ -2357,7 +2358,7 @@
  * This module is used by the following key exchanges:
  *      ECJPAKE
  *
- * Requires: MBEDTLS_ECP_C, MBEDTLS_MD_C
+ * Requires: MBEDTLS_ECP_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C
  *
  * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
  * before doing any EC J-PAKE operations.
@@ -2674,7 +2675,10 @@
  *
  * Module:  library/pkcs5.c
  *
- * Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
+ * Requires: MBEDTLS_CIPHER_C and either MBEDTLS_MD_C or MBEDTLS_PSA_CRYPTO_C.
+ *
+ * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
+ * before doing any PKCS5 operation.
  *
  * This module adds support for the PKCS#5 functions.
  */
@@ -3156,8 +3160,8 @@
  * Requires: MBEDTLS_ASN1_PARSE_C, MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
  *           (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
  *
- * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
- * before doing any X.509 operation.
+ * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
+ * psa_crypto_init() before doing any X.509 operation.
  *
  * This module is required for the X.509 parsing modules.
  */
@@ -3217,8 +3221,8 @@
  * Requires: MBEDTLS_BIGNUM_C, MBEDTLS_OID_C, MBEDTLS_PK_PARSE_C,
  *           (MBEDTLS_MD_C or MBEDTLS_USE_PSA_CRYPTO)
  *
- * \warning If building without MBEDTLS_MD_C, you must call psa_crypto_init()
- * before doing any X.509 create operation.
+ * \warning If building with MBEDTLS_USE_PSA_CRYPTO, you must call
+ * psa_crypto_init() before doing any X.509 create operation.
  *
  * This module is the basis for creating X.509 certificates and CSRs.
  */

include/mbedtls/ssl.h

@@ -52,9 +52,7 @@
 #include "mbedtls/platform_time.h"
 #endif
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #include "psa/crypto.h"
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 /*
  * SSL Error codes
@@ -629,11 +627,7 @@ union mbedtls_ssl_premaster_secret
 
 #define MBEDTLS_PREMASTER_SIZE     sizeof( union mbedtls_ssl_premaster_secret )
 
-#if defined(MBEDTLS_USE_PSA_CRYPTO)
 #define MBEDTLS_TLS1_3_MD_MAX_SIZE         PSA_HASH_MAX_SIZE
-#else
-#define MBEDTLS_TLS1_3_MD_MAX_SIZE         MBEDTLS_MD_MAX_SIZE
-#endif /* MBEDTLS_USE_PSA_CRYPTO */
 
 
 /* Length in number of bytes of the TLS sequence number */

include/mbedtls/x509_crt.h

@@ -24,6 +24,7 @@
 #include "mbedtls/private_access.h"
 
 #include "mbedtls/build_info.h"
+#include "mbedtls/legacy_or_psa.h"
 
 #include "mbedtls/x509.h"
 #include "mbedtls/x509_crl.h"
@@ -1108,7 +1109,7 @@ int mbedtls_x509write_crt_set_extension( mbedtls_x509write_cert *ctx,
 int mbedtls_x509write_crt_set_basic_constraints( mbedtls_x509write_cert *ctx,
                                          int is_ca, int max_pathlen );
 
-#if defined(MBEDTLS_SHA1_C) || ( defined(MBEDTLS_PSA_CRYPTO_C) && defined(PSA_WANT_ALG_SHA_1) )
+#if defined(MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA)
 /**
  * \brief           Set the subjectKeyIdentifier extension for a CRT
  *                  Requires that mbedtls_x509write_crt_set_subject_key() has been
@@ -1130,7 +1131,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier( mbedtls_x509write_cert *ct
  * \return          0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED
  */
 int mbedtls_x509write_crt_set_authority_key_identifier( mbedtls_x509write_cert *ctx );
-#endif /* MBEDTLS_SHA1_C || (MBEDTLS_PSA_CRYPTO_C && PSA_WANT_ALG_SHA_1)*/
+#endif /* MBEDTLS_HAS_ALG_SHA_1_VIA_LOWLEVEL_OR_PSA */
 
 /**
  * \brief           Set the Key Usage Extension flags