From 36cd3f9f8ef6edbf9c7ba16a442117ddfa506748 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 11 Aug 2023 10:06:42 +0200 Subject: [PATCH] Add tentative definition of Cipher light MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- .../psa-migration/md-cipher-dispatch.md | 51 +++++++++++++++++++ 1 file changed, 51 insertions(+) diff --git a/docs/architecture/psa-migration/md-cipher-dispatch.md b/docs/architecture/psa-migration/md-cipher-dispatch.md index ba76f494b6..488cf20db9 100644 --- a/docs/architecture/psa-migration/md-cipher-dispatch.md +++ b/docs/architecture/psa-migration/md-cipher-dispatch.md @@ -499,3 +499,54 @@ The architecture can be extended to support `MBEDTLS_PSA_CRYPTO_CLIENT` with a l * Compile-time dependencies: instead of checking `defined(MBEDTLS_PSA_CRYPTO_C)`, check `defined(MBEDTLS_PSA_CRYPTO_C) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)`. * Implementers of `MBEDTLS_PSA_CRYPTO_CLIENT` will need to provide `psa_can_do_hash()` (or a more general function `psa_can_do`) alongside `psa_crypto_init()`. Note that at this point, it will become a public interface, hence we won't be able to change it at a whim. + +### Cipher light + +#### Definition + +**Note:** this definition is tentative an may be refined when implementing and +testing, based and what's needed by internal users of Cipher light. + +Cipher light will be automatically enabled in `build_info.h` by modules that +need it. (Tentative list: PEM, PCKS12, PKCS5, CTR\_DRBG, CCM, CMAC, GCM, +NIS\_KW, PSA Crypto.) Note: some of these modules currently depend on the +full `CIPHER_C` (enforced by `check_config.h`); this hard dependency would be +replace by the above auto-enablement. + +Cipher light includes: +- info functions; +- support for block ciphers in ECB mode (to be confirmed: supporting one block + at a time could be enough); +- support for block ciphers in CBC mode with no padding (to be confirmed: do + we need a padding mode?); +- support for both the "one-shot" and "streaming" APIs for block ciphers. + +This excludes: +- the AEAD/KW API (both one-shot and streaming); +- support for stream ciphers; +- support for other modes of block ciphers (CTR, CFB, etc.); +- support for (other) padding modes of CBC. + +The following API functions, and supporting types, are candidates for +inclusion in the Cipher light API, with limited features as above: +``` +mbedtls_cipher_info_from_psa +mbedtls_cipher_info_from_type +mbedtls_cipher_info_from_values + +mbedtls_cipher_info_get_block_size +mbedtls_cipher_info_get_iv_size +mbedtls_cipher_info_get_key_bitlen + +mbedtls_cipher_init +mbedtls_cipher_setup +mbedtls_cipher_setkey +mbedtls_cipher_set_padding_mode +mbedtls_cipher_crypt +mbedtls_cipher_free + +mbedtls_cipher_set_iv +mbedtls_cipher_reset +mbedtls_cipher_update +mbedtls_cipher_finish +```