From f4c4cb008c845492ae672c98d920da09a02ac19e Mon Sep 17 00:00:00 2001 From: John Durkop Date: Wed, 28 Oct 2020 20:09:55 -0700 Subject: [PATCH] Added additional support for ECP for PSA_CRYPTO_CONFIG The KEY_TYPE_ECC_KEY_PAIR and KEY_TYPE_ECC_PUBLIC_KEY were previously being guarded by MBEDTLS_ECP_C in the PSA crypto library code. This change moves it to the new MBEDTLS_PSA_BUILTIN_xxx and separates KEY_PAIR and PUBLIC_KEY as needed. Tests have also been added to validate the new settings. Signed-off-by: John Durkop --- include/mbedtls/config_psa.h | 35 ++++++++++++++++++++++++++--------- include/psa/crypto_config.h | 2 ++ library/psa_crypto.c | 36 ++++++++++++++++++------------------ tests/scripts/all.sh | 24 ++++++++++++++++++++++++ 4 files changed, 70 insertions(+), 27 deletions(-) diff --git a/include/mbedtls/config_psa.h b/include/mbedtls/config_psa.h index 8f90630da..c5d284cc9 100644 --- a/include/mbedtls/config_psa.h +++ b/include/mbedtls/config_psa.h @@ -63,23 +63,35 @@ extern "C" { #define MBEDTLS_ECDH_C #define MBEDTLS_ECP_C #define MBEDTLS_BIGNUM_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) */ -#endif /* defined(PSA_WANT_ALG_ECDH) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_ECDH */ +#endif /* PSA_WANT_ALG_ECDH */ + +#if defined(PSA_WANT_ECC_KEY_PAIR) +#if !defined(MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR) +#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#endif /* !MBEDTLS_PSA_ACCEL_ECC_KEY_PAIR */ +#endif /* PSA_WANT_ECC_KEY_PAIR */ + +#if defined(PSA_WANT_ECC_PUBLIC_KEY) +#if !defined(MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY) +#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#endif /* !MBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY */ +#endif /* PSA_WANT_ECC_PUBLIC_KEY */ #if defined(PSA_WANT_ALG_HMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #define MBEDTLS_MD_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HMAC) */ -#endif /* defined(PSA_WANT_ALG_HMAC) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_HMAC */ +#endif /* PSA_WANT_ALG_HMAC */ #if defined(PSA_WANT_ALG_HKDF) #if !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #define MBEDTLS_HKDF_C #define MBEDTLS_MD_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_HKDF) */ -#endif /* defined(PSA_WANT_ALG_HKDF) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_HKDF */ +#endif /* PSA_WANT_ALG_HKDF */ #if defined(PSA_WANT_ALG_RSA) #if !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) @@ -87,8 +99,8 @@ extern "C" { #define MBEDTLS_RSA_C #define MBEDTLS_BIGNUM_C #define MBEDTLS_OID_C -#endif /* !defined(MBEDTLS_PSA_ACCEL_ALG_RSA) */ -#endif /* defined(PSA_WANT_ALG_RSA) */ +#endif /* !MBEDTLS_PSA_ACCEL_ALG_RSA */ +#endif /* PSA_WANT_ALG_RSA */ #else /* MBEDTLS_PSA_CRYPTO_CONFIG */ @@ -110,6 +122,11 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_ECDH 1 #endif /* MBEDTLS_ECDH_C */ +#if defined(MBEDTLS_ECP_C) +#define MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR 1 +#define MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY 1 +#endif /* MBEDTLS_ECP_C */ + #if defined(MBEDTLS_MD_C) #define MBEDTLS_PSA_BUILTIN_ALG_HMAC 1 #endif /* MBEDTLS_MD_C */ @@ -118,7 +135,7 @@ extern "C" { #define MBEDTLS_PSA_BUILTIN_ALG_HKDF 1 #endif /* MBEDTLS_HKDF_C */ -#ifdef MBEDTLS_RSA_C +#if defined(MBEDTLS_RSA_C) #define MBEDTLS_PSA_BUILTIN_ALG_RSA 1 #endif /* MBEDTLS_RSA_C */ diff --git a/include/psa/crypto_config.h b/include/psa/crypto_config.h index 854981314..c7605aa2c 100644 --- a/include/psa/crypto_config.h +++ b/include/psa/crypto_config.h @@ -53,6 +53,8 @@ #define PSA_WANT_ALG_ECDSA 1 #define PSA_WANT_ALG_DETERMINISTIC_ECDSA 1 #define PSA_WANT_ALG_ECDH 1 +#define PSA_WANT_ECC_KEY_PAIR 1 +#define PSA_WANT_ECC_PUBLIC_KEY 1 #define PSA_WANT_ALG_HMAC 1 #define PSA_WANT_ALG_HKDF 1 #define PSA_WANT_ALG_RSA 1 diff --git a/library/psa_crypto.c b/library/psa_crypto.c index f349ff5c1..c45d0ee60 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -370,7 +370,7 @@ static inline int psa_key_slot_is_external( const psa_key_slot_t *slot ) } #endif /* MBEDTLS_PSA_CRYPTO_SE_C */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, size_t byte_length ) { @@ -438,7 +438,7 @@ mbedtls_ecp_group_id mbedtls_ecc_group_of_psa( psa_ecc_family_t curve, return( MBEDTLS_ECP_DP_NONE ); } } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ static psa_status_t validate_unstructured_key_bit_size( psa_key_type_t type, size_t bits ) @@ -711,7 +711,7 @@ exit: } #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) /** Load the contents of a key buffer into an internal ECP representation * * \param[in] type The type of key contained in \p data. @@ -930,7 +930,7 @@ exit: return( PSA_SUCCESS ); } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ /** Return the size of the key in the given slot, in bits. * @@ -1069,12 +1069,12 @@ static psa_status_t psa_import_key_into_slot( psa_key_slot_t *slot, /* Key format is not supported by any accelerator, try software fallback * if present. */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { return( psa_import_ecp_key( slot, data, data_length ) ); } -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) if( PSA_KEY_TYPE_IS_RSA( slot->attr.type ) ) { @@ -1647,7 +1647,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, } else { -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) mbedtls_ecp_keypair *ecp = NULL; psa_status_t status = psa_load_ecp_representation( slot->attr.type, @@ -1671,7 +1671,7 @@ static psa_status_t psa_internal_export_key( const psa_key_slot_t *slot, #else /* We don't know how to convert a private ECC key to public */ return( PSA_ERROR_NOT_SUPPORTED ); -#endif +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ } } else @@ -3728,7 +3728,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) @@ -3762,7 +3762,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ { status = PSA_ERROR_NOT_SUPPORTED; } @@ -3829,7 +3829,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } else #endif /* defined(MBEDTLS_PSA_BUILTIN_ALG_RSA) */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDSA) || defined(MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA) @@ -3856,7 +3856,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle, } } else -#endif /* defined(MBEDTLS_ECP_C) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) || defined(MBEDTLS_PSA_BUILTIN_ECC_PUBLIC_KEY) */ { return( PSA_ERROR_NOT_SUPPORTED ); } @@ -5782,7 +5782,7 @@ psa_status_t psa_key_derivation_input_key( /* Key agreement */ /****************************************************************/ -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) static psa_status_t psa_key_agreement_ecdh( const uint8_t *peer_key, size_t peer_key_length, const mbedtls_ecp_keypair *our_key, @@ -5833,7 +5833,7 @@ exit: return( status ); } -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ #define PSA_KEY_AGREEMENT_MAX_SHARED_SECRET_SIZE MBEDTLS_ECP_MAX_BYTES @@ -5847,7 +5847,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, { switch( alg ) { -#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) +#if defined(MBEDTLS_PSA_BUILTIN_ALG_ECDH) && defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) case PSA_ALG_ECDH: if( ! PSA_KEY_TYPE_IS_ECC_KEY_PAIR( private_key->attr.type ) ) return( PSA_ERROR_INVALID_ARGUMENT ); @@ -5866,7 +5866,7 @@ static psa_status_t psa_key_agreement_raw_internal( psa_algorithm_t alg, mbedtls_ecp_keypair_free( ecp ); mbedtls_free( ecp ); return( status ); -#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH */ +#endif /* MBEDTLS_PSA_BUILTIN_ALG_ECDH && MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR */ default: (void) private_key; (void) peer_key; @@ -6144,7 +6144,7 @@ static psa_status_t psa_generate_key_internal( else #endif /* MBEDTLS_PSA_BUILTIN_ALG_RSA && MBEDTLS_GENPRIME */ -#if defined(MBEDTLS_ECP_C) +#if defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) if ( PSA_KEY_TYPE_IS_ECC( type ) && PSA_KEY_TYPE_IS_KEY_PAIR( type ) ) { psa_ecc_family_t curve = PSA_KEY_TYPE_ECC_GET_FAMILY( type ); @@ -6189,7 +6189,7 @@ static psa_status_t psa_generate_key_internal( return( status ); } else -#endif /* MBEDTLS_ECP_C */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_ECC_KEY_PAIR) */ { return( PSA_ERROR_NOT_SUPPORTED ); } diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a99dd4fe5..7ad4c497e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1354,6 +1354,30 @@ component_build_psa_want_ecdh_disabled_software() { make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" } +# This should be renamed to test and updated once the accelerator ECC key pair code is in place and ready to test. +component_build_psa_want_ecc_key_pair_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_KEY_PAIR + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_KEY_PAIR" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_KEY_PAIR -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + +# This should be renamed to test and updated once the accelerator ECC public key code is in place and ready to test. +component_build_psa_want_ecc_public_key_disabled_software() { + # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ECC_PUBLIC_KEY + msg "build: full + MBEDTLS_PSA_CRYPTO_CONFIG + PSA_WANT_ECC_PUBLIC_KEY" + scripts/config.py full + scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG + scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + # Need to define the correct symbol and include the test driver header path in order to build with the test driver + make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ECC_PUBLIC_KEY -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS" +} + # This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test. component_build_psa_want_hmac_disabled_software() { # full plus MBEDTLS_PSA_CRYPTO_CONFIG with PSA_WANT_ALG_HMAC