From 2d0e00fca8b020bab80b43bd5c511c0f630b46d9 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Wed, 7 Nov 2018 18:46:41 +0000 Subject: [PATCH 01/10] all.sh: Cleanup CMakeFiles all.sh's cleanup function would not entirely remove CMakeFiles due to a missing -o in its fine command. Add a -o after prune, so that the find for CMakeFiles can succeed. --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 19baf5e8a0..c00f421f0a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -156,7 +156,7 @@ cleanup() command make clean # Remove CMake artefacts - find . -name .git -prune \ + find . -name .git -prune -o \ -iname CMakeFiles -exec rm -rf {} \+ -o \ \( -iname cmake_install.cmake -o \ -iname CTestTestfile.cmake -o \ From 4cb814e3a78054d5d22483085696e89bddbaa62e Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Mon, 29 Oct 2018 12:20:24 +0000 Subject: [PATCH 02/10] cmake: Use finer grained include directory Using finer grained control over include directories will allow differnt targets to use different include files. This will be useful when the `crypto` subcomponent wants to use its own include files instead of or in addition to the top level ones. --- CMakeLists.txt | 2 -- library/CMakeLists.txt | 6 ++++++ 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/CMakeLists.txt b/CMakeLists.txt index 99bf31f1f6..06f897e13d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -167,8 +167,6 @@ else() set(LIB_INSTALL_DIR lib) endif() -include_directories(include/) - if(ENABLE_ZLIB_SUPPORT) find_package(ZLIB) diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index ea5136339e..da1eb64264 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -143,14 +143,17 @@ if(USE_STATIC_MBEDTLS_LIBRARY) add_library(${mbedcrypto_static_target} STATIC ${src_crypto}) set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto) target_link_libraries(${mbedcrypto_static_target} ${libs}) + target_include_directories(${mbedcrypto_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) add_library(${mbedx509_static_target} STATIC ${src_x509}) set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509) target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target}) + target_include_directories(${mbedx509_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) add_library(${mbedtls_static_target} STATIC ${src_tls}) set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls) target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target}) + target_include_directories(${mbedtls_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target} DESTINATION ${LIB_INSTALL_DIR} @@ -161,14 +164,17 @@ if(USE_SHARED_MBEDTLS_LIBRARY) add_library(mbedcrypto SHARED ${src_crypto}) set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.0 SOVERSION 3) target_link_libraries(mbedcrypto ${libs}) + target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/) add_library(mbedx509 SHARED ${src_x509}) set_target_properties(mbedx509 PROPERTIES VERSION 2.14.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) + target_include_directories(mbedx509 PUBLIC ${CMAKE_SOURCE_DIR}/include/) add_library(mbedtls SHARED ${src_tls}) set_target_properties(mbedtls PROPERTIES VERSION 2.14.0 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) + target_include_directories(mbedtls PUBLIC ${CMAKE_SOURCE_DIR}/include/) install(TARGETS mbedtls mbedx509 mbedcrypto DESTINATION ${LIB_INSTALL_DIR} From 30b340a760031efe87e400f6a749dcce5125c038 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 25 Oct 2018 17:37:00 +0100 Subject: [PATCH 03/10] crypto: Add mbedtls-psa as a submodule mbedtls-psa contains an implementation of libmbedcrypto, including the PSA Crypto API. --- .gitmodules | 4 ++ CMakeLists.txt | 5 +++ Makefile | 12 ++++++ crypto | 1 + library/CMakeLists.txt | 74 +++++++++++++++++++++++--------- library/Makefile | 16 ++++++- programs/Makefile | 4 ++ tests/Makefile | 11 ++++- tests/scripts/run-test-suites.pl | 4 +- 9 files changed, 105 insertions(+), 26 deletions(-) create mode 100644 .gitmodules create mode 160000 crypto diff --git a/.gitmodules b/.gitmodules new file mode 100644 index 0000000000..d25c9a6b68 --- /dev/null +++ b/.gitmodules @@ -0,0 +1,4 @@ +[submodule "crypto"] + path = crypto + url = git@github.com:ARMmbed/mbedtls-psa.git + branch = feature-psa diff --git a/CMakeLists.txt b/CMakeLists.txt index 06f897e13d..19ab4eb5fd 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -9,6 +9,7 @@ option(USE_PKCS11_HELPER_LIBRARY "Build mbed TLS with the pkcs11-helper library. option(ENABLE_ZLIB_SUPPORT "Build mbed TLS with zlib library." OFF) option(ENABLE_PROGRAMS "Build mbed TLS programs." ON) +option(USE_CRYPTO_SUBMODULE "Build and use libmbedcrypto from the crypto submodule." OFF) option(UNSAFE_BUILD "Allow unsafe builds. These builds ARE NOT SECURE." OFF) @@ -177,6 +178,10 @@ endif(ENABLE_ZLIB_SUPPORT) add_subdirectory(library) add_subdirectory(include) +if(USE_CRYPTO_SUBMODULE) + add_subdirectory(crypto/library) + add_subdirectory(crypto/include) +endif() if(ENABLE_PROGRAMS) add_subdirectory(programs) diff --git a/Makefile b/Makefile index f4c0a00215..87b5a0c0f1 100644 --- a/Makefile +++ b/Makefile @@ -28,7 +28,13 @@ install: no_test mkdir -p $(DESTDIR)/lib cp -RP library/libmbedtls.* $(DESTDIR)/lib cp -RP library/libmbedx509.* $(DESTDIR)/lib +ifdef USE_CRYPTO_SUBMODULE + mkdir -p $(DESTDIR)/include/psa + cp -rp crypto/include/psa $(DESTDIR)/include + cp -RP crypto/library/libmbedcrypto.* $(DESTDIR)/lib +else cp -RP library/libmbedcrypto.* $(DESTDIR)/lib +endif mkdir -p $(DESTDIR)/bin for p in programs/*/* ; do \ @@ -44,6 +50,9 @@ uninstall: rm -f $(DESTDIR)/lib/libmbedtls.* rm -f $(DESTDIR)/lib/libmbedx509.* rm -f $(DESTDIR)/lib/libmbedcrypto.* +ifdef USE_CRYPTO_SUBMODULE + $(MAKE) -C crypto uninstall +endif for p in programs/*/* ; do \ if [ -x $$p ] && [ ! -d $$p ] ; \ @@ -85,6 +94,9 @@ clean: $(MAKE) -C library clean $(MAKE) -C programs clean $(MAKE) -C tests clean +ifdef USE_CRYPTO_SUBMODULE + $(MAKE) -C crypto clean +endif ifndef WINDOWS find . \( -name \*.gcno -o -name \*.gcda -o -name \*.info \) -exec rm {} + endif diff --git a/crypto b/crypto new file mode 160000 index 0000000000..dbb83ac5f7 --- /dev/null +++ b/crypto @@ -0,0 +1 @@ +Subproject commit dbb83ac5f7b96077b21fc9fe72b2687986acf963 diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index da1eb64264..cab8c27c48 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -140,48 +140,80 @@ elseif(USE_STATIC_MBEDTLS_LIBRARY) endif() if(USE_STATIC_MBEDTLS_LIBRARY) - add_library(${mbedcrypto_static_target} STATIC ${src_crypto}) - set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto) - target_link_libraries(${mbedcrypto_static_target} ${libs}) - target_include_directories(${mbedcrypto_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) + if(NOT USE_CRYPTO_SUBMODULE) + add_library(${mbedcrypto_static_target} STATIC ${src_crypto}) + set_target_properties(${mbedcrypto_static_target} PROPERTIES OUTPUT_NAME mbedcrypto) + target_link_libraries(${mbedcrypto_static_target} ${libs}) + target_include_directories(${mbedcrypto_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) + endif() add_library(${mbedx509_static_target} STATIC ${src_x509}) set_target_properties(${mbedx509_static_target} PROPERTIES OUTPUT_NAME mbedx509) target_link_libraries(${mbedx509_static_target} ${libs} ${mbedcrypto_static_target}) - target_include_directories(${mbedx509_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) + target_include_directories(${mbedx509_static_target} + PUBLIC ${CMAKE_SOURCE_DIR}/include/ + PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) add_library(${mbedtls_static_target} STATIC ${src_tls}) set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls) target_link_libraries(${mbedtls_static_target} ${libs} ${mbedx509_static_target}) - target_include_directories(${mbedtls_static_target} PUBLIC ${CMAKE_SOURCE_DIR}/include/) + target_include_directories(${mbedtls_static_target} + PUBLIC ${CMAKE_SOURCE_DIR}/include/ + PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/ + ) - install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target} - DESTINATION ${LIB_INSTALL_DIR} - PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + if(USE_CRYPTO_SUBMODULE) + install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} + DESTINATION ${LIB_INSTALL_DIR} + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + else() + install(TARGETS ${mbedtls_static_target} ${mbedx509_static_target} ${mbedcrypto_static_target} + DESTINATION ${LIB_INSTALL_DIR} + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + endif() endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) - add_library(mbedcrypto SHARED ${src_crypto}) - set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.0 SOVERSION 3) - target_link_libraries(mbedcrypto ${libs}) - target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/) + if(NOT USE_CRYPTO_SUBMODULE) + add_library(mbedcrypto SHARED ${src_crypto}) + set_target_properties(mbedcrypto PROPERTIES VERSION 2.14.0 SOVERSION 3) + target_link_libraries(mbedcrypto ${libs}) + target_include_directories(mbedcrypto PUBLIC ${CMAKE_SOURCE_DIR}/include/) + endif() add_library(mbedx509 SHARED ${src_x509}) set_target_properties(mbedx509 PROPERTIES VERSION 2.14.0 SOVERSION 0) target_link_libraries(mbedx509 ${libs} mbedcrypto) - target_include_directories(mbedx509 PUBLIC ${CMAKE_SOURCE_DIR}/include/) + target_include_directories(mbedx509 + PUBLIC ${CMAKE_SOURCE_DIR}/include/ + PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) add_library(mbedtls SHARED ${src_tls}) set_target_properties(mbedtls PROPERTIES VERSION 2.14.0 SOVERSION 12) target_link_libraries(mbedtls ${libs} mbedx509) - target_include_directories(mbedtls PUBLIC ${CMAKE_SOURCE_DIR}/include/) + target_include_directories(mbedtls + PUBLIC ${CMAKE_SOURCE_DIR}/include/ + PUBLIC ${CMAKE_SOURCE_DIR}/crypto/include/) - install(TARGETS mbedtls mbedx509 mbedcrypto - DESTINATION ${LIB_INSTALL_DIR} - PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + if(USE_CRYPTO_SUBMODULE) + install(TARGETS mbedtls mbedx509 + DESTINATION ${LIB_INSTALL_DIR} + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + else() + install(TARGETS mbedtls mbedx509 mbedcrypto + DESTINATION ${LIB_INSTALL_DIR} + PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) + endif() endif(USE_SHARED_MBEDTLS_LIBRARY) -add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls) -if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) - add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static) +if(USE_CRYPTO_SUBMODULE) + add_custom_target(lib DEPENDS mbedx509 mbedtls) + if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) + add_dependencies(lib mbedx509_static mbedtls_static) + endif() +else() + add_custom_target(lib DEPENDS mbedcrypto mbedx509 mbedtls) + if(USE_STATIC_MBEDTLS_LIBRARY AND USE_SHARED_MBEDTLS_LIBRARY) + add_dependencies(lib mbedcrypto_static mbedx509_static mbedtls_static) + endif() endif() diff --git a/library/Makefile b/library/Makefile index 430c598812..f01b1a1502 100644 --- a/library/Makefile +++ b/library/Makefile @@ -63,6 +63,13 @@ DLEXT = dylib endif endif + +ifdef USE_CRYPTO_SUBMODULE +# Look in crypto for libmbedcrypto. +LOCAL_LDFLAGS += -L../crypto/library +LOCAL_CFLAGS += -I../crypto/include +CRYPTO := ../crypto/library/ +else OBJS_CRYPTO= aes.o aesni.o arc4.o \ aria.o asn1parse.o asn1write.o \ base64.o bignum.o blowfish.o \ @@ -85,6 +92,8 @@ OBJS_CRYPTO= aes.o aesni.o arc4.o \ sha1.o sha256.o sha512.o \ threading.o timing.o version.o \ version_features.o xtea.o +CRYPTO := +endif OBJS_X509= certs.o pkcs11.o x509.o \ x509_create.o x509_crl.o x509_crt.o \ @@ -148,7 +157,7 @@ ifneq ($(APPLE_BUILD),0) endif endif -libmbedx509.$(SOEXT_X509): $(OBJS_X509) libmbedcrypto.so +libmbedx509.$(SOEXT_X509): $(OBJS_X509) $(CRYPTO)libmbedcrypto.so echo " LD $@" $(CC) -shared -Wl,-soname,$@ -L. -lmbedcrypto $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ $(OBJS_X509) @@ -165,6 +174,10 @@ libmbedx509.dll: $(OBJS_X509) libmbedcrypto.dll $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_X509) -lws2_32 -lwinmm -lgdi32 -L. -lmbedcrypto -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS) # crypto +ifdef USE_CRYPTO_SUBMODULE +libmbedcrypto.%: + $(MAKE) CRYPTO_INCLUDES:="-I../../include -I../include" -C ../crypto/library $@ +else libmbedcrypto.a: $(OBJS_CRYPTO) echo " AR $@" $(AR) $(ARFLAGS) $@ $(OBJS_CRYPTO) @@ -190,6 +203,7 @@ libmbedcrypto.dylib: $(OBJS_CRYPTO) libmbedcrypto.dll: $(OBJS_CRYPTO) echo " LD $@" $(CC) -shared -Wl,-soname,$@ -Wl,--out-implib,$@.a -o $@ $(OBJS_CRYPTO) -lws2_32 -lwinmm -lgdi32 -static-libgcc $(LOCAL_LDFLAGS) $(LDFLAGS) +endif .c.o: echo " CC $<" diff --git a/programs/Makefile b/programs/Makefile index b6d1fa25b5..d379ddf20a 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -14,6 +14,10 @@ LOCAL_LDFLAGS = -L../library \ -lmbedx509$(SHARED_SUFFIX) \ -lmbedcrypto$(SHARED_SUFFIX) +ifdef USE_CRYPTO_SUBMODULE +LOCAL_LDFLAGS += -L../crypto/library +endif + ifndef SHARED DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a else diff --git a/tests/Makefile b/tests/Makefile index b6e49bf8a6..4118c14399 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -12,15 +12,22 @@ LOCAL_LDFLAGS = -L../library \ -lmbedx509$(SHARED_SUFFIX) \ -lmbedcrypto$(SHARED_SUFFIX) +ifdef USE_CRYPTO_SUBMODULE +LOCAL_LDFLAGS += -L../crypto/library +CRYPTO := ../crypto/library/ +else +CRYPTO := ../library/ +endif + # Enable definition of various functions used throughout the testsuite # (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless # on non-POSIX platforms. LOCAL_CFLAGS += -D_POSIX_C_SOURCE=200809L ifndef SHARED -DEP=../library/libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a +DEP=$(CRYPTO)libmbedcrypto.a ../library/libmbedx509.a ../library/libmbedtls.a else -DEP=../library/libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT) +DEP=$(CRYPTO)libmbedcrypto.$(DLEXT) ../library/libmbedx509.$(DLEXT) ../library/libmbedtls.$(DLEXT) endif ifdef DEBUG diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index 6fe6abfa5d..4e576582f6 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl @@ -41,8 +41,8 @@ my @suites = grep { -x $_ || /\.exe$/ } glob 'test_suite_*'; die "$0: no test suite found\n" unless @suites; # in case test suites are linked dynamically -$ENV{'LD_LIBRARY_PATH'} = '../library'; -$ENV{'DYLD_LIBRARY_PATH'} = '../library'; +$ENV{'LD_LIBRARY_PATH'} = '../library:../crypto/library'; +$ENV{'DYLD_LIBRARY_PATH'} = '../library:../crypto/library'; my $prefix = $^O eq "MSWin32" ? '' : './'; From 484ee33c359b6a8fe8b53009355842b0efd3c023 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 25 Oct 2018 17:38:05 +0100 Subject: [PATCH 04/10] psa: Add PSA Crypto configuration Add an option that can enable the exposure of PSA Crypto APIs from libmbedcrypto. --- include/mbedtls/check_config.h | 6 ++++++ include/mbedtls/config.h | 19 +++++++++++++++++++ library/version_features.c | 3 +++ scripts/config.pl | 2 ++ 4 files changed, 30 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 425e3ea589..a41277f8d7 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -496,6 +496,12 @@ #error "MBEDTLS_PLATFORM_NV_SEED_WRITE_MACRO and MBEDTLS_PLATFORM_STD_NV_SEED_WRITE cannot be defined simultaneously" #endif +#if defined(MBEDTLS_PSA_CRYPTO_C) && \ + !( defined(MBEDTLS_CTR_DRBG_C) && \ + defined(MBEDTLS_ENTROPY_C) ) +#error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_RSA_C) && ( !defined(MBEDTLS_BIGNUM_C) || \ !defined(MBEDTLS_OID_C) ) #error "MBEDTLS_RSA_C defined, but not all prerequisites" diff --git a/include/mbedtls/config.h b/include/mbedtls/config.h index 16ed503ca9..0242bd8ca5 100644 --- a/include/mbedtls/config.h +++ b/include/mbedtls/config.h @@ -2590,6 +2590,25 @@ */ #define MBEDTLS_POLY1305_C +/** + * \def MBEDTLS_PSA_CRYPTO_C + * + * Enable the Platform Security Architecture cryptography API. + * + * \note This option only has an effect when the build option + * USE_CRYPTO_SUBMODULE is also in use. + * + * \warning This feature is experimental and available on an opt-in basis only. + * PSA APIs are subject to change at any time. The implementation comes with + * less assurance and support than the rest of Mbed TLS. + * + * Module: crypto/library/psa_crypto.c + * + * Requires: MBEDTLS_CTR_DRBG_C, MBEDTLS_ENTROPY_C + * + */ +//#define MBEDTLS_PSA_CRYPTO_C + /** * \def MBEDTLS_RIPEMD160_C * diff --git a/library/version_features.c b/library/version_features.c index f1798a7ff8..53cf0a52c0 100644 --- a/library/version_features.c +++ b/library/version_features.c @@ -681,6 +681,9 @@ static const char *features[] = { #if defined(MBEDTLS_POLY1305_C) "MBEDTLS_POLY1305_C", #endif /* MBEDTLS_POLY1305_C */ +#if defined(MBEDTLS_PSA_CRYPTO_C) + "MBEDTLS_PSA_CRYPTO_C", +#endif /* MBEDTLS_PSA_CRYPTO_C */ #if defined(MBEDTLS_RIPEMD160_C) "MBEDTLS_RIPEMD160_C", #endif /* MBEDTLS_RIPEMD160_C */ diff --git a/scripts/config.pl b/scripts/config.pl index 3d2884cc9d..085fc2c46b 100755 --- a/scripts/config.pl +++ b/scripts/config.pl @@ -28,6 +28,7 @@ # MBEDTLS_ECP_DP_M511_ENABLED # MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES # MBEDTLS_NO_PLATFORM_ENTROPY +# MBEDTLS_PSA_CRYPTO_C # MBEDTLS_REMOVE_ARC4_CIPHERSUITES # MBEDTLS_SSL_HW_RECORD_ACCEL # MBEDTLS_RSA_NO_CRT @@ -87,6 +88,7 @@ MBEDTLS_ECP_DP_M383_ENABLED MBEDTLS_ECP_DP_M511_ENABLED MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES MBEDTLS_NO_PLATFORM_ENTROPY +MBEDTLS_PSA_CRYPTO_C MBEDTLS_RSA_NO_CRT MBEDTLS_REMOVE_ARC4_CIPHERSUITES MBEDTLS_SSL_HW_RECORD_ACCEL From 7acb0cf01e02b736117a2cbdaecfb728f7ef50d6 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 16:22:37 +0000 Subject: [PATCH 05/10] abi_check: Allow checking current checkout Without a "--detach" option, git worktree will refuse to checkout a branch that's already checked out. This makes the abi_check.py script not very useful for checking the currently checked out branch, as git will error that the branch is already checked out. Add the "--detach" option to check out the new temporary worktree in detached head mode. This is acceptable because we aren't planning on working on the branch and just want a checkout to do ABI checking from. --- scripts/abi_check.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 8f9cd0f43f..056c1169a8 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -64,7 +64,7 @@ class AbiChecker(object): ) git_worktree_path = tempfile.mkdtemp() worktree_process = subprocess.Popen( - [self.git_command, "worktree", "add", git_worktree_path, git_rev], + [self.git_command, "worktree", "add", "--detach", git_worktree_path, git_rev], cwd=self.repo_path, stdout=subprocess.PIPE, stderr=subprocess.STDOUT From ffeb1b8ab68fe0b440e8c8de8fc15d62033824f0 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 16:35:09 +0000 Subject: [PATCH 06/10] abi_check: Update submodules When grabbing a fresh copy of a branch, it's required to also fetch the submodule. Add fetching the submodule to abi_check.py. --- scripts/abi_check.py | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/scripts/abi_check.py b/scripts/abi_check.py index 056c1169a8..fe5dd3f21c 100755 --- a/scripts/abi_check.py +++ b/scripts/abi_check.py @@ -75,6 +75,18 @@ class AbiChecker(object): raise Exception("Checking out worktree failed, aborting") return git_worktree_path + def update_git_submodules(self, git_worktree_path): + process = subprocess.Popen( + [self.git_command, "submodule", "update", "--init", '--recursive'], + cwd=git_worktree_path, + stdout=subprocess.PIPE, + stderr=subprocess.STDOUT + ) + output, _ = process.communicate() + self.log.info(output.decode("utf-8")) + if process.returncode != 0: + raise Exception("git submodule update failed, aborting") + def build_shared_libraries(self, git_worktree_path): my_environment = os.environ.copy() my_environment["CFLAGS"] = "-g -Og" @@ -131,6 +143,7 @@ class AbiChecker(object): def get_abi_dump_for_ref(self, git_rev): git_worktree_path = self.get_clean_worktree_for_git_revision(git_rev) + self.update_git_submodules(git_worktree_path) self.build_shared_libraries(git_worktree_path) abi_dumps = self.get_abi_dumps_from_shared_libraries( git_rev, git_worktree_path From ed93bdc8aa8387a3052ec09be23c24a431a6ffd9 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 2 Nov 2018 16:57:24 +0000 Subject: [PATCH 07/10] crypto: Test with crypto as a submodule - Check that libmbedcrypto was not built at the top level. - Check that we've built libmbedcrypto with the correct files. Build libmbedcrypto with debug symbols and verify that files used are from the crypto submodule. - Check that config.h is handled properly. Enable a feature at the top level that the crypto library submodule has disabled in its config.h, and check that the library symboles indicate that the feature is present in libmbedcrypto. - Ensure basic functionality of the resulting build with a run of `make test` and `ssl-opt.sh`. --- tests/scripts/all.sh | 50 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 50 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c00f421f0a..c13e127408 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -88,6 +88,11 @@ elif [ -d library -a -d include -a -d tests ]; then :; else exit 1 fi +if ! [ -f crypto/Makefile ]; then + echo "Please initialize the crypto submodule" >&2 + exit 1 +fi + CONFIG_H='include/mbedtls/config.h' CONFIG_BAK="$CONFIG_H.bak" @@ -154,6 +159,9 @@ cleanup() fi command make clean + cd crypto + command make clean + cd .. # Remove CMake artefacts find . -name .git -prune -o \ @@ -165,6 +173,11 @@ cleanup() rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile + cd crypto + rm -f include/Makefile include/mbedtls/Makefile programs/*/Makefile + git update-index --no-skip-worktree Makefile library/Makefile programs/Makefile tests/Makefile + git checkout -- Makefile library/Makefile programs/Makefile tests/Makefile + cd .. if [ -f "$CONFIG_BAK" ]; then mv "$CONFIG_BAK" "$CONFIG_H" @@ -574,6 +587,43 @@ if_build_succeeded env OPENSSL_CMD="$OPENSSL_LEGACY" GNUTLS_CLI="$GNUTLS_LEGACY_ msg "test: compat.sh ARIA + ChachaPoly" if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' +# USE_CRYPTO_SUBMODULE: check that the build works with CMake +msg "build: cmake, full config + USE_CRYPTO_SUBMODULE, gcc+debug" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl full # enables md4 and submodule doesn't enable md4 +scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests +CC=gcc cmake -D USE_CRYPTO_SUBMODULE=1 -D CMAKE_BUILD_TYPE=Debug . +make +msg "test: top-level libmbedcrypto wasn't built (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded not test -f library/libmbedcrypto.a +msg "test: libmbedcrypto symbols are from crypto files (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded objdump -g crypto/library/libmbedcrypto.a | grep -E 'crypto/library$' > /dev/null +msg "test: libmbedcrypto uses top-level config (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded objdump -g crypto/library/libmbedcrypto.a | grep 'md4.c' > /dev/null +msg "test: main suites (USE_CRYPTO_SUBMODULE, cmake)" +make test +msg "test: ssl-opt.sh (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded tests/ssl-opt.sh + +# USE_CRYPTO_SUBMODULE: check that the build works with make +msg "build: make, full config + USE_CRYPTO_SUBMODULE, gcc+debug" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl full # enables md4 and submodule doesn't enable md4 +scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests +make CC=gcc CFLAGS='-g' USE_CRYPTO_SUBMODULE=1 +msg "test: top-level libmbedcrypto wasn't built (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded not test -f library/libmbedcrypto.a +msg "test: libmbedcrypto symbols are from crypto files (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded objdump -g crypto/library/libmbedcrypto.a | grep -E 'crypto/library$' > /dev/null +msg "test: libmbedcrypto uses top-level config (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded objdump -g crypto/library/libmbedcrypto.a | grep 'md4.c' > /dev/null +msg "test: main suites (USE_CRYPTO_SUBMODULE, make)" +make CC=gcc USE_CRYPTO_SUBMODULE=1 test +msg "test: ssl-opt.sh (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded tests/ssl-opt.sh + msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s cleanup cp "$CONFIG_H" "$CONFIG_BAK" From acaabe796eaa7ba09262f78c433f14e42292a532 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Wed, 7 Nov 2018 11:52:52 +0000 Subject: [PATCH 08/10] crypto: Test without crypto as a submodule Add a test to ensure that when the crypto submodule is not used, the crypto library is not created and that libmbedcrypto.a does not contain symbols from files contained within the crypto submodule. --- tests/scripts/all.sh | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c13e127408..27f78ecd9e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -624,6 +624,29 @@ make CC=gcc USE_CRYPTO_SUBMODULE=1 test msg "test: ssl-opt.sh (USE_CRYPTO_SUBMODULE, make)" if_build_succeeded tests/ssl-opt.sh +# Don't USE_CRYPTO_SUBMODULE: check that the submodule is not used with make +msg "build: make, full config - USE_CRYPTO_SUBMODULE, gcc+debug" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl full +make CC=gcc CFLAGS='-g' +msg "test: submodule libmbedcrypto wasn't built (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded not test -f crypto/library/libmbedcrypto.a +msg "test: libmbedcrypto symbols are from library files (USE_CRYPTO_SUBMODULE, make)" +if_build_succeeded objdump -g library/libmbedcrypto.a | grep -E 'library$' | not grep 'crypto' > /dev/null + +# Don't USE_CRYPTO_SUBMODULE: check that the submodule is not used with CMake +msg "build: cmake, full config - USE_CRYPTO_SUBMODULE, gcc+debug" +cleanup +cp "$CONFIG_H" "$CONFIG_BAK" +scripts/config.pl full +CC=gcc cmake -D CMAKE_BUILD_TYPE=Debug . +make +msg "test: submodule libmbedcrypto wasn't built (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded not test -f crypto/library/libmbedcrypto.a +msg "test: libmbedcrypto symbols are from library files (USE_CRYPTO_SUBMODULE, cmake)" +if_build_succeeded objdump -g library/libmbedcrypto.a | grep -E 'library$' | not grep 'crypto' > /dev/null + msg "build: make, full config + DEPRECATED_WARNING, gcc -O" # ~ 30s cleanup cp "$CONFIG_H" "$CONFIG_BAK" From 3f6470a5172f790831740b352aef7b334c3170a6 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Thu, 8 Nov 2018 11:15:01 +0000 Subject: [PATCH 09/10] psa: Add ChangeLog entry for adding Mbed Crypto --- ChangeLog | 9 +++++++++ 1 file changed, 9 insertions(+) diff --git a/ChangeLog b/ChangeLog index 8f0e8c1c79..d387815664 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,5 +1,14 @@ mbed TLS ChangeLog (Sorted per branch, date) += mbed TLS x.xx.x branch released xxxx-xx-xx + +Features + * Add an experimental build option, USE_CRYPTO_SUBMODULE, to enable use of + Mbed Crypto as the source of the cryptography implementation. + * Add an experimental configuration option, MBEDTLS_PSA_CRYPTO_C, to enable + the PSA Crypto API from Mbed Crypto when additionally used with the + USE_CRYPTO_SUBMODULE build option. + = mbed TLS 2.14.0 branch released 2018-11-19 Security From bc554f66ef3e932c8eb9ea694e0dd896c0fafd61 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 21 Nov 2018 12:34:47 +0100 Subject: [PATCH 10/10] Document Mbed Crypto and the PSA API Briefly explain that this is experimental, and document how to try it out. --- README.md | 37 +++++++++++++++++++++++++++++++++++++ 1 file changed, 37 insertions(+) diff --git a/README.md b/README.md index d7a0e9d6bb..58e5273e22 100644 --- a/README.md +++ b/README.md @@ -158,6 +158,43 @@ Configurations We provide some non-standard configurations focused on specific use cases in the `configs/` directory. You can read more about those in `configs/README.txt` +Using Mbed Crypto as a submodule +-------------------------------- + +As an experimental feature, you can use Mbed Crypto as the source of the cryptography implementation, with Mbed TLS providing the X.509 and TLS parts of the library. Mbed Crypto is currently provided for evaluation only and should not be used in production. At this point, you should only use this option if you want to try out the experimental PSA Crypto API. + +To enable the use of Mbed Crypto as a submodule: + +1. Check out the `crypto` submodule and update it. + + git submodule init crypto + git submodule update crypto + +2. (Optional) TO enable the PSA Crypto API, set the build configuration option `MBEDTLS_PSA_CRYPTO_C`. You can either edit `include/mbedtls/config.h` directly or use the configuration script: + + scripts/config.pl set MBEDTLS_PSA_CRYPTO_C + +3. Activate the build option `USE_CRYPTO_SUBMODULE`. With GNU make, set `USE_CRYPTO_SUBMODULE=1` on each make invocation: + + make USE_CRYPTO_SUBMODULE=1 + make USE_CRYPTO_SUBMODULE=1 test + tests/ssl-opt.sh -f Default + + Note that you need to pass `USE_CRYPTO_SUBMODULE=1` even to `make clean`. For example, if you change `config.h`, run this before rebuilding: + + make USE_CRYPTO_SUBMODULE=1 clean + + With CMake, create a build directory (recommended) and pass `-DUSE_CRYPTO_SUBMODULE=1` to `cmake`: + + mkdir build + cd build + cmake -DUSE_CRYPTO_SUBMODULE=1 .. + make + make test + tests/ssl-opt.sh -f Default + +Note that this does not enable the PSA-specific tests and utility programs. To use these programs, use Mbed Crypto as a standalone project. + Porting Mbed TLS ----------------