diff --git a/configs/config-symmetric-only.h b/configs/config-symmetric-only.h index 512dd7616c..f73db3a7d7 100644 --- a/configs/config-symmetric-only.h +++ b/configs/config-symmetric-only.h @@ -65,13 +65,11 @@ #define MBEDTLS_PSA_ITS_FILE_C #define MBEDTLS_RIPEMD160_C #define MBEDTLS_SHA1_C -/* The library does not currently support enabling SHA-224 without SHA-256. - * A future version of the library will have this option disabled - * by default. */ #define MBEDTLS_SHA224_C #define MBEDTLS_SHA256_C #define MBEDTLS_SHA384_C #define MBEDTLS_SHA512_C +#define MBEDTLS_SHA3_C //#define MBEDTLS_THREADING_C #define MBEDTLS_TIMING_C #define MBEDTLS_VERSION_C diff --git a/configs/crypto-config-ccm-aes-sha256.h b/configs/crypto-config-ccm-aes-sha256.h index 7f8d58768c..68a9c0a539 100644 --- a/configs/crypto-config-ccm-aes-sha256.h +++ b/configs/crypto-config-ccm-aes-sha256.h @@ -2,7 +2,7 @@ * \file configs/crypto-config-ccm-aes-sha256.h * * \brief PSA crypto configuration with only symmetric cryptography: CCM-AES, - * SHA-256, HMAC and key derivation + * SHA-256 and key derivation (uses HMAC). */ /* * Copyright The Mbed TLS Contributors @@ -13,12 +13,10 @@ #define PSA_CRYPTO_CONFIG_H #define PSA_WANT_ALG_CCM 1 -#define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_SHA_256 1 #define PSA_WANT_ALG_TLS12_PRF 1 #define PSA_WANT_ALG_TLS12_PSK_TO_MS 1 #define PSA_WANT_KEY_TYPE_DERIVE 1 -#define PSA_WANT_KEY_TYPE_HMAC 1 #define PSA_WANT_KEY_TYPE_AES 1 #define PSA_WANT_KEY_TYPE_RAW_DATA 1 diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 0091e246b2..0e4759de74 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -498,7 +498,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ #endif /* PSA_WANT_ALG_HKDF */ @@ -509,7 +508,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXTRACT 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT */ #endif /* PSA_WANT_ALG_HKDF_EXTRACT */ @@ -520,7 +518,6 @@ * The PSA implementation has its own implementation of HKDF, separate from * hkdf.c. No need to enable MBEDTLS_HKDF_C here. */ -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_PSA_BUILTIN_ALG_HKDF_EXPAND 1 #endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND */ #endif /* PSA_WANT_ALG_HKDF_EXPAND */ @@ -630,9 +627,6 @@ #if !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC 1 #define PSA_HAVE_SOFT_PBKDF2_HMAC 1 -#if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) -#define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 -#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ #endif /* !MBEDTLS_PSA_BUILTIN_ALG_PBKDF2_HMAC */ #endif /* PSA_WANT_ALG_PBKDF2_HMAC */ diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 17da61b3e8..de961ec0f8 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -22,6 +22,8 @@ #include "psa/crypto_adjust_config_synonyms.h" +#include "psa/crypto_adjust_config_dependencies.h" + #include "mbedtls/config_adjust_psa_superset_legacy.h" #if defined(MBEDTLS_PSA_CRYPTO_CONFIG) diff --git a/include/psa/crypto_adjust_config_dependencies.h b/include/psa/crypto_adjust_config_dependencies.h new file mode 100644 index 0000000000..5a22205bf3 --- /dev/null +++ b/include/psa/crypto_adjust_config_dependencies.h @@ -0,0 +1,43 @@ +/** + * \file psa/crypto_adjust_config_dependencies.h + * \brief Adjust PSA configuration by resolving some dependencies. + * + * This is an internal header. Do not include it directly. + * + * See docs/proposed/psa-conditional-inclusion-c.md. + * If the Mbed TLS implementation of a cryptographic mechanism A depends on a + * cryptographic mechanism B then if the cryptographic mechanism A is enabled + * and not accelerated enable B. Note that if A is enabled and accelerated, it + * is not necessary to enable B for A support. + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#ifndef PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H +#define PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H + +#if (defined(PSA_WANT_ALG_TLS12_PRF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PRF)) || \ + (defined(PSA_WANT_ALG_TLS12_PSK_TO_MS) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_TLS12_PSK_TO_MS)) || \ + (defined(PSA_WANT_ALG_HKDF) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF)) || \ + (defined(PSA_WANT_ALG_HKDF_EXTRACT) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT)) || \ + (defined(PSA_WANT_ALG_HKDF_EXPAND) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF_EXPAND)) || \ + (defined(PSA_WANT_ALG_PBKDF2_HMAC) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_HMAC)) +#define PSA_WANT_ALG_HMAC 1 +#define PSA_WANT_KEY_TYPE_HMAC 1 +#endif + +#if (defined(PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128) && \ + !defined(MBEDTLS_PSA_ACCEL_ALG_PBKDF2_AES_CMAC_PRF_128)) +#define PSA_WANT_KEY_TYPE_AES 1 +#define PSA_WANT_ALG_CMAC 1 +#endif + +#endif /* PSA_CRYPTO_ADJUST_CONFIG_DEPENDENCIES_H */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index bfc57668b2..d0dcc99c3d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1725,6 +1725,7 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES else @@ -4090,6 +4091,7 @@ common_block_cipher_dispatch() { scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 # Disable direct dependency on AES_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -5538,9 +5540,11 @@ component_build_psa_config_file () { make clean msg "build: make with MBEDTLS_PSA_CRYPTO_CONFIG_FILE + MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE" # ~40s - # In the user config, disable one feature, which will reflect on the - # mbedtls configuration so we can query it with query_compile_time_config. + # In the user config, disable one feature and its dependencies, which will + # reflect on the mbedtls configuration so we can query it with + # query_compile_time_config. echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h + echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h scripts/config.py unset MBEDTLS_CMAC_C make CFLAGS="-I '$PWD' -DMBEDTLS_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DMBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'" not programs/test/query_compile_time_config MBEDTLS_CMAC_C diff --git a/tests/scripts/test-ref-configs.pl b/tests/scripts/test-ref-configs.pl index 055023a5f2..5557de3276 100755 --- a/tests/scripts/test-ref-configs.pl +++ b/tests/scripts/test-ref-configs.pl @@ -17,32 +17,26 @@ use strict; my %configs = ( 'config-ccm-psk-tls1_2.h' => { - 'compat' => '-m tls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', - 'test_again_with_use_psa' => 1 + 'compat' => '-m tls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', }, 'config-ccm-psk-dtls1_2.h' => { - 'compat' => '-m dtls12 -f \'^TLS-PSK-WITH-AES-...-CCM-8\'', + 'compat' => '-m dtls12 -f \'^TLS_PSK_WITH_AES_..._CCM_8\'', 'opt' => ' ', 'opt_needs_debug' => 1, - 'test_again_with_use_psa' => 1 }, 'config-no-entropy.h' => { }, 'config-suite-b.h' => { - 'compat' => "-m tls12 -f 'ECDHE-ECDSA.*AES.*GCM' -p mbedTLS", - 'test_again_with_use_psa' => 1, + 'compat' => "-m tls12 -f 'ECDHE_ECDSA.*AES.*GCM' -p mbedTLS", 'opt' => ' ', 'opt_needs_debug' => 1, }, 'config-symmetric-only.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-tfm.h' => { - 'test_again_with_use_psa' => 0, # Uses PSA by default, no need to test it twice }, 'config-thread.h' => { 'opt' => '-f ECJPAKE.*nolog', - 'test_again_with_use_psa' => 1, }, ); @@ -148,7 +142,10 @@ sub perform_test { } foreach my $conf ( @configs_to_test ) { - my $test_with_psa = $configs{$conf}{'test_again_with_use_psa'}; + system("grep '//#define MBEDTLS_USE_PSA_CRYPTO' configs/$conf > /dev/null"); + die "grep ... configs/$conf: $!" if $? != 0 && $? != 0x100; + my $test_with_psa = $? == 0; + if ( $test_with_psa ) { perform_test( $conf, $configs{$conf}, $test_with_psa ); diff --git a/tests/suites/test_suite_pk.function b/tests/suites/test_suite_pk.function index ad7da32222..1188137b33 100644 --- a/tests/suites/test_suite_pk.function +++ b/tests/suites/test_suite_pk.function @@ -1818,7 +1818,7 @@ void pk_psa_sign(int psa_type, int bits, int rsa_padding) int ret; #endif /* MBEDTLS_RSA_C || MBEDTLS_PK_WRITE_C */ #if defined(MBEDTLS_PK_CAN_ECDSA_SIGN) - mbedtls_ecp_group_id ecp_grp_id; + mbedtls_ecp_group_id ecp_grp_id = MBEDTLS_ECP_DP_NONE; #endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */ /*