From 0b74434e2af40743f8ac051d7df0ed80e68310e6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Jun 2023 11:28:00 +0200 Subject: [PATCH 001/175] SSL programs: group options processing in 1 place MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- programs/ssl/ssl_client2.c | 50 +++++++++++++++++++------------------- programs/ssl/ssl_server2.c | 50 +++++++++++++++++++------------------- 2 files changed, 50 insertions(+), 50 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 12a1068f97..f4914ec406 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -867,31 +867,6 @@ int main(int argc, char *argv[]) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ - if (argc < 2) { -usage: - if (ret == 0) { - ret = 1; - } - - mbedtls_printf(USAGE1); - mbedtls_printf(USAGE2); - mbedtls_printf(USAGE3); - mbedtls_printf(USAGE4); - - list = mbedtls_ssl_list_ciphersuites(); - while (*list) { - mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - if (!*list) { - break; - } - mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - } - mbedtls_printf("\n"); - goto exit; - } - opt.server_name = DFL_SERVER_NAME; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; @@ -976,6 +951,31 @@ usage: opt.key_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key_opaque_alg2 = DFL_KEY_OPAQUE_ALG; + if (argc < 2) { +usage: + if (ret == 0) { + ret = 1; + } + + mbedtls_printf(USAGE1); + mbedtls_printf(USAGE2); + mbedtls_printf(USAGE3); + mbedtls_printf(USAGE4); + + list = mbedtls_ssl_list_ciphersuites(); + while (*list) { + mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); + list++; + if (!*list) { + break; + } + mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); + list++; + } + mbedtls_printf("\n"); + goto exit; + } + for (i = 1; i < argc; i++) { p = argv[i]; if ((q = strchr(p, '=')) == NULL) { diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 5f8bea93ca..a3e95ccd5c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1643,31 +1643,6 @@ int main(int argc, char *argv[]) signal(SIGINT, term_handler); #endif - if (argc < 2) { -usage: - if (ret == 0) { - ret = 1; - } - - mbedtls_printf(USAGE1); - mbedtls_printf(USAGE2); - mbedtls_printf(USAGE3); - mbedtls_printf(USAGE4); - - list = mbedtls_ssl_list_ciphersuites(); - while (*list) { - mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - if (!*list) { - break; - } - mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - } - mbedtls_printf("\n"); - goto exit; - } - opt.buffer_size = DFL_IO_BUF_LEN; opt.server_addr = DFL_SERVER_ADDR; opt.server_port = DFL_SERVER_PORT; @@ -1766,6 +1741,31 @@ usage: opt.key2_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key2_opaque_alg2 = DFL_KEY_OPAQUE_ALG; + if (argc < 2) { +usage: + if (ret == 0) { + ret = 1; + } + + mbedtls_printf(USAGE1); + mbedtls_printf(USAGE2); + mbedtls_printf(USAGE3); + mbedtls_printf(USAGE4); + + list = mbedtls_ssl_list_ciphersuites(); + while (*list) { + mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); + list++; + if (!*list) { + break; + } + mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); + list++; + } + mbedtls_printf("\n"); + goto exit; + } + for (i = 1; i < argc; i++) { p = argv[i]; if ((q = strchr(p, '=')) == NULL) { From 3eea9a461cfbffb27f3ca5d95b4ea988b8799b4b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 26 Jun 2023 11:29:35 +0200 Subject: [PATCH 002/175] SSL programs: allow invoking without arguments MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit All options have reasonable default so the programs don't need arguments to do something useful. It is widely accepted for programs that can work without arguments need not insist on the user passing arguments, see 'ls', 'wc', 'sort', 'more' and any number of POSIX utilities that all work without arguments. It is also the historical behaviour of those programs, and something relied one by at least a few team members. Signed-off-by: Manuel Pégourié-Gonnard --- programs/ssl/ssl_client2.c | 2 +- programs/ssl/ssl_server2.c | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index f4914ec406..d84333436c 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -951,7 +951,7 @@ int main(int argc, char *argv[]) opt.key_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key_opaque_alg2 = DFL_KEY_OPAQUE_ALG; - if (argc < 2) { + if (argc < 1) { usage: if (ret == 0) { ret = 1; diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index a3e95ccd5c..b305bc5345 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -1741,7 +1741,7 @@ int main(int argc, char *argv[]) opt.key2_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key2_opaque_alg2 = DFL_KEY_OPAQUE_ALG; - if (argc < 2) { + if (argc < 1) { usage: if (ret == 0) { ret = 1; From 39a0a76fcc3f8aa0ebae8ee02d8d7966d0cfe062 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 27 Jun 2023 09:28:24 +0200 Subject: [PATCH 003/175] SSL programs: improve command-line error reporting MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Every now and then, I see of these programs failing with a super-long usage message that gives no clue as to what went wrong. (Recently it happened with a test case in ssl-opt.sh with a fairly long command line that was entirely correct, except some options were not valid in this config - the test should have been skipped but wasn't due to some other bug. It took me longer to figure out than it should have, and could have if the program had simply reported which param was not recognized.) Also, have an explicit "help" command, separate "help_ciphersuites", and have default usage message that's not multiple screens long. Signed-off-by: Manuel Pégourié-Gonnard --- programs/ssl/ssl_client2.c | 60 ++++++++++++++++++++++++++------------ programs/ssl/ssl_server2.c | 60 ++++++++++++++++++++++++++------------ 2 files changed, 84 insertions(+), 36 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d84333436c..0e0e9cee7e 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -464,7 +464,7 @@ int main(void) " otherwise. The expansion of the macro\n" \ " is printed if it is defined\n" \ USAGE_SERIALIZATION \ - " acceptable ciphersuite names:\n" + "\n" #define ALPN_LIST_SIZE 10 #define CURVE_LIST_SIZE 20 @@ -951,34 +951,54 @@ int main(int argc, char *argv[]) opt.key_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key_opaque_alg2 = DFL_KEY_OPAQUE_ALG; + p = q = NULL; if (argc < 1) { usage: + if (p != NULL && q != NULL) { + printf("unrecognized value for '%s': '%s'\n", p, q); + } else if (p != NULL && q == NULL) { + printf("unrecognized param: '%s'\n", p); + } + + mbedtls_printf("usage: ssl_client2 [param=value] [...]\n"); + mbedtls_printf(" ssl_client2 help[_theme]\n"); + mbedtls_printf("'help' lists acceptable 'param' and 'value'\n"); + mbedtls_printf("'help_ciphersuites' lists available ciphersuites\n"); + mbedtls_printf("\n"); + if (ret == 0) { ret = 1; } - - mbedtls_printf(USAGE1); - mbedtls_printf(USAGE2); - mbedtls_printf(USAGE3); - mbedtls_printf(USAGE4); - - list = mbedtls_ssl_list_ciphersuites(); - while (*list) { - mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - if (!*list) { - break; - } - mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - } - mbedtls_printf("\n"); goto exit; } for (i = 1; i < argc; i++) { p = argv[i]; + + if (strcmp(p, "help") == 0) { + mbedtls_printf(USAGE1); + mbedtls_printf(USAGE2); + mbedtls_printf(USAGE3); + mbedtls_printf(USAGE4); + + ret = 0; + goto exit; + } + if (strcmp(p, "help_ciphersuites") == 0) { + mbedtls_printf(" acceptable ciphersuite names:\n"); + for (list = mbedtls_ssl_list_ciphersuites(); + *list != 0; + list++) { + mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); + } + + ret = 0; + goto exit; + } + if ((q = strchr(p, '=')) == NULL) { + mbedtls_printf("param requires a value: '%s'\n", p); + p = NULL; // avoid "unrecnognized param" message goto usage; } *q++ = '\0'; @@ -1375,9 +1395,13 @@ usage: goto usage; } } else { + /* This signals that the problem is with p not q */ + q = NULL; goto usage; } } + /* This signals that any further errors are not with a single option */ + p = q = NULL; if (opt.nss_keylog != 0 && opt.eap_tls != 0) { mbedtls_printf("Error: eap_tls and nss_keylog options cannot be used together.\n"); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index b305bc5345..769a56a50c 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -584,7 +584,7 @@ int main(void) " otherwise. The expansion of the macro\n" \ " is printed if it is defined\n" \ USAGE_SERIALIZATION \ - " acceptable ciphersuite names:\n" + "\n" #define ALPN_LIST_SIZE 10 #define CURVE_LIST_SIZE 20 @@ -1741,34 +1741,54 @@ int main(int argc, char *argv[]) opt.key2_opaque_alg1 = DFL_KEY_OPAQUE_ALG; opt.key2_opaque_alg2 = DFL_KEY_OPAQUE_ALG; + p = q = NULL; if (argc < 1) { usage: + if (p != NULL && q != NULL) { + printf("unrecognized value for '%s': '%s'\n", p, q); + } else if (p != NULL && q == NULL) { + printf("unrecognized param: '%s'\n", p); + } + + mbedtls_printf("usage: ssl_client2 [param=value] [...]\n"); + mbedtls_printf(" ssl_client2 help[_theme]\n"); + mbedtls_printf("'help' lists acceptable 'param' and 'value'\n"); + mbedtls_printf("'help_ciphersuites' lists available ciphersuites\n"); + mbedtls_printf("\n"); + if (ret == 0) { ret = 1; } - - mbedtls_printf(USAGE1); - mbedtls_printf(USAGE2); - mbedtls_printf(USAGE3); - mbedtls_printf(USAGE4); - - list = mbedtls_ssl_list_ciphersuites(); - while (*list) { - mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - if (!*list) { - break; - } - mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); - list++; - } - mbedtls_printf("\n"); goto exit; } for (i = 1; i < argc; i++) { p = argv[i]; + + if (strcmp(p, "help") == 0) { + mbedtls_printf(USAGE1); + mbedtls_printf(USAGE2); + mbedtls_printf(USAGE3); + mbedtls_printf(USAGE4); + + ret = 0; + goto exit; + } + if (strcmp(p, "help_ciphersuites") == 0) { + mbedtls_printf(" acceptable ciphersuite names:\n"); + for (list = mbedtls_ssl_list_ciphersuites(); + *list != 0; + list++) { + mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list)); + } + + ret = 0; + goto exit; + } + if ((q = strchr(p, '=')) == NULL) { + mbedtls_printf("param requires a value: '%s'\n", p); + p = NULL; // avoid "unrecnognized param" message goto usage; } *q++ = '\0'; @@ -2233,9 +2253,13 @@ usage: goto usage; } } else { + /* This signals that the problem is with p not q */ + q = NULL; goto usage; } } + /* This signals that any further erorrs are not with a single option */ + p = q = NULL; if (opt.nss_keylog != 0 && opt.eap_tls != 0) { mbedtls_printf("Error: eap_tls and nss_keylog options cannot be used together.\n"); From 5ed7b2dec246ac27ce303884089c8e4e3ef4524c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 3 Oct 2023 18:00:44 +0100 Subject: [PATCH 004/175] Introduce MBEDTLS_ARCH_IS_ARMV8 Signed-off-by: Dave Rodgman --- include/mbedtls/build_info.h | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 533e076e0a..9b9f5f2ac9 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -74,6 +74,17 @@ #define MBEDTLS_ARCH_IS_X86 #endif +/* This is defined if the architecture is Armv8, or higher */ +#if !defined(MBEDTLS_ARCH_IS_ARMV8) +#if defined(__ARM_ARCH) +#if __ARM_ARCH >= 8 +#define MBEDTLS_ARCH_IS_ARMV8 +#endif +#elif defined(MBEDTLS_ARCH_IS_ARM64) +#define MBEDTLS_ARCH_IS_ARMV8 +#endif +#endif + #if defined(_MSC_VER) && !defined(_CRT_SECURE_NO_DEPRECATE) #define _CRT_SECURE_NO_DEPRECATE 1 #endif From cc5bf4946f9376f9410ca145953f4d77ed7b3044 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 3 Oct 2023 18:02:56 +0100 Subject: [PATCH 005/175] Make SHA256 depend on Armv8, not aarch64 Signed-off-by: Dave Rodgman --- include/mbedtls/check_config.h | 5 ++--- library/sha256.c | 2 +- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index e18e9a5fc6..1580707832 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -865,9 +865,8 @@ #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && \ - !defined(__aarch64__) && !defined(_M_ARM64) -#error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system" +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8) +#error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Armv8 system" #endif /* TLS 1.3 requires separate HKDF parts from PSA, diff --git a/library/sha256.c b/library/sha256.c index 223badf00f..83dcc81564 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -56,7 +56,7 @@ #include "mbedtls/platform.h" -#if defined(__aarch64__) +#if defined(MBEDTLS_ARCH_IS_ARMV8) # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) From d9e8083d262c9cfa24cd70bdb17c70ce04391632 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 17:17:46 +0100 Subject: [PATCH 006/175] Add tests for SHA256 on ARMCE for thumb, arm and aarch64 Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 21 +++++++++++++++++++++ 1 file changed, 21 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9e1d84f5de..1d9f32d9d5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4354,6 +4354,27 @@ component_build_aes_aesce_armcc () { armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" } +component_build_sha_armce () { + # Test variations of SHA256 Armv8 crypto extensions + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" +} + # For timebeing, no VIA Padlock platform available. component_build_aes_via_padlock () { From 793e264fbbd2ea57213f0d577d42d22cb50880b7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 17:36:20 +0100 Subject: [PATCH 007/175] Fix indentation Signed-off-by: Dave Rodgman --- library/sha256.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/sha256.c b/library/sha256.c index 83dcc81564..55f8d635cc 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -69,7 +69,7 @@ # error "Target does not support NEON instructions" # endif -# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) +# if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION <= 6090000 # error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*" From ebe4292a9ce6fda09f061fb6c4c2977efb739a34 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 17:36:44 +0100 Subject: [PATCH 008/175] Improve behaviour on gcc targetting arm or thumb Signed-off-by: Dave Rodgman --- library/sha256.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/library/sha256.c b/library/sha256.c index 55f8d635cc..f0eb6ad58c 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -101,6 +101,10 @@ # endif # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_COMPILER_IS_GCC) && !defined(MBEDTLS_ARCH_IS_ARM64) +# warning "GCC only supports aarch64 for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT, using C code only" +# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +# endif # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ From 86908590977819e18bea5b3e097d00ab47fe65e0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 17:40:25 +0100 Subject: [PATCH 009/175] Improve docs Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index af07613954..14d19aeb6f 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3280,7 +3280,8 @@ * for a non-Aarch64 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, - * armclang 6.6 or GCC 6.0. + * armclang 6.6 or GCC 6.0. Targetting Thumb or 32-bit arm with GCC is not + * supported. * * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for * armclang <= 6.9 From d30728cf5e3e6fde80a082976cffe6493c6a300c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 18:04:39 +0100 Subject: [PATCH 010/175] Add Changelog Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/sha256-armce-arm.txt diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt new file mode 100644 index 0000000000..aaa6e39dbf --- /dev/null +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -0,0 +1,4 @@ +Features + * Support Armv8 Crypto Extension acceleration for SHA-256 + when compiling for Thumb or 32-bit Arm. + From 04d0d06e83729d991a5deb90163f911c8b8c10c1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 4 Oct 2023 18:05:08 +0100 Subject: [PATCH 011/175] Code style Signed-off-by: Dave Rodgman --- library/sha256.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/sha256.c b/library/sha256.c index f0eb6ad58c..00a01ea3d6 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -102,7 +102,8 @@ # endif # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) # if defined(MBEDTLS_COMPILER_IS_GCC) && !defined(MBEDTLS_ARCH_IS_ARM64) -# warning "GCC only supports aarch64 for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT, using C code only" +# warning \ + "GCC only supports aarch64 for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT, using C code only" # undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT # endif # if defined(__unix__) From 9ed1853093cf1bf748a84b112a90e100a6307f8f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 00:06:47 +0100 Subject: [PATCH 012/175] require clang 4 for testing Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1d9f32d9d5..b7f4f4df63 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4354,6 +4354,12 @@ component_build_aes_aesce_armcc () { armc6_build_test "-O1 --target=aarch64-arm-none-eabi -march=armv8-a+crypto" } +support_build_sha_armce() { + # clang >= 4 is required to build with SHA extensions + ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" + [ "${ver}" -ge 4 ] +} + component_build_sha_armce () { # Test variations of SHA256 Armv8 crypto extensions scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT From ca92f50e124abea85870ece48d5ee2fe365ce859 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 08:24:55 +0100 Subject: [PATCH 013/175] Update docs for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 14d19aeb6f..3d44b075cd 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3277,7 +3277,7 @@ * If not, the library will fall back to the C implementation. * * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building - * for a non-Aarch64 build it will be silently ignored. + * for a non-Armv8 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, * armclang 6.6 or GCC 6.0. Targetting Thumb or 32-bit arm with GCC is not From bfe6021e8541e3643e97e3e7b254c53900ceb06e Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 08:31:22 +0100 Subject: [PATCH 014/175] Improve docs Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 3d44b075cd..2b9e29ba20 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3280,8 +3280,11 @@ * for a non-Armv8 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, - * armclang 6.6 or GCC 6.0. Targetting Thumb or 32-bit arm with GCC is not - * supported. + * armclang 6.6 or GCC 6.0. + * + * \note GCC for Thumb or 32-bit Armv8 targets supports accelerated SHA-256 + * via #MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY, but does not support runtime + * detection via #MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. * * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for * armclang <= 6.9 From 7ed619d3fa0d4d80df7eec1cd1e90abf861a2941 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 09:39:56 +0100 Subject: [PATCH 015/175] Enable run-time detection for Thumb and Arm Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 4 ---- library/sha256.c | 12 +++++++----- 2 files changed, 7 insertions(+), 9 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 2b9e29ba20..a104114b4d 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3282,10 +3282,6 @@ * \note Minimum compiler versions for this feature are Clang 4.0, * armclang 6.6 or GCC 6.0. * - * \note GCC for Thumb or 32-bit Armv8 targets supports accelerated SHA-256 - * via #MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY, but does not support runtime - * detection via #MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. - * * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for * armclang <= 6.9 * diff --git a/library/sha256.c b/library/sha256.c index 00a01ea3d6..b603b86c98 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -44,6 +44,9 @@ #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG #endif +/* Ensure that SIG_SETMASK is defined when -std=c99 is used. */ +#define _GNU_SOURCE + #include "common.h" #if defined(MBEDTLS_SHA256_C) || defined(MBEDTLS_SHA224_C) @@ -101,11 +104,6 @@ # endif # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) -# if defined(MBEDTLS_COMPILER_IS_GCC) && !defined(MBEDTLS_ARCH_IS_ARM64) -# warning \ - "GCC only supports aarch64 for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT, using C code only" -# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT -# endif # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -185,7 +183,11 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) if (setjmp(return_from_sigill) == 0) { /* First return only */ /* If this traps, we will return a second time from setjmp() with 1 */ +#if defined(MBEDTLS_ARCH_IS_ARM64) asm ("sha256h q0, q0, v0.4s" : : : "v0"); +#else + asm ("sha256h.32 q0, q0, q0" : : : "q0"); +#endif ret = 1; } From cd65400c48ca10020f948c87f78cdd71fcc9a6a8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 09:40:07 +0100 Subject: [PATCH 016/175] Add tests for runtime detection Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 7 +++++++ 1 file changed, 7 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b7f4f4df63..32d1a1527a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4379,6 +4379,13 @@ component_build_sha_armce () { msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, aarch64" make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" + + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + } # For timebeing, no VIA Padlock platform available. From 3ba9ce3c1def3278791704fe40d6cc38be201c97 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 09:58:33 +0100 Subject: [PATCH 017/175] Warn if using runtime detection and no Neon Signed-off-by: Dave Rodgman --- library/sha256.c | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index b603b86c98..8315b71f39 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -61,17 +61,24 @@ #if defined(MBEDTLS_ARCH_IS_ARMV8) -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) - /* *INDENT-OFF* */ -# ifdef __ARM_NEON -# include -# else -# error "Target does not support NEON instructions" +# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +# ifdef __ARM_NEON +# include +# else +# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +# warning "Target does not support NEON instructions" +# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +# else +# error "Target does not support NEON instructions" +# endif +# endif # endif +# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION <= 6090000 From 790370b3924779f5f1cc015359df13a3484e8ba1 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 11:01:31 +0100 Subject: [PATCH 018/175] code style Signed-off-by: Dave Rodgman --- library/sha256.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index 8315b71f39..c6a118d92c 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -61,8 +61,6 @@ #if defined(MBEDTLS_ARCH_IS_ARMV8) -/* *INDENT-OFF* */ - # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) # ifdef __ARM_NEON @@ -79,6 +77,8 @@ # if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +/* *INDENT-OFF* */ + # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION <= 6090000 From 9a36f4cb97a887ab3f654538b04ce59820b7d504 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 11:25:52 +0100 Subject: [PATCH 019/175] Fix cast errors on IAR Signed-off-by: Dave Rodgman --- library/sha256.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index c6a118d92c..37f68c743e 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -336,10 +336,10 @@ static size_t mbedtls_internal_sha256_process_many_a64_crypto( uint32x4_t abcd_orig = abcd; uint32x4_t efgh_orig = efgh; - uint32x4_t sched0 = (uint32x4_t) vld1q_u8(msg + 16 * 0); - uint32x4_t sched1 = (uint32x4_t) vld1q_u8(msg + 16 * 1); - uint32x4_t sched2 = (uint32x4_t) vld1q_u8(msg + 16 * 2); - uint32x4_t sched3 = (uint32x4_t) vld1q_u8(msg + 16 * 3); + uint32x4_t sched0 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 0)); + uint32x4_t sched1 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 1)); + uint32x4_t sched2 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 2)); + uint32x4_t sched3 = vreinterpretq_u32_u8(vld1q_u8(msg + 16 * 3)); #if __BYTE_ORDER__ == __ORDER_LITTLE_ENDIAN__ /* Will be true if not defined */ /* Untested on BE */ From bc2d2179beb74b70d6d4e497438bd9a554703fa6 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 5 Oct 2023 11:36:26 +0100 Subject: [PATCH 020/175] Update baremetal config to exclude MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT Signed-off-by: Dave Rodgman --- scripts/config.py | 2 ++ 1 file changed, 2 insertions(+) diff --git a/scripts/config.py b/scripts/config.py index 17fbe653a3..1a71cb35f9 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -278,6 +278,8 @@ EXCLUDE_FROM_BAREMETAL = frozenset([ 'MBEDTLS_THREADING_C', # requires a threading interface 'MBEDTLS_THREADING_PTHREAD', # requires pthread 'MBEDTLS_TIMING_C', # requires a clock + 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection ]) def keep_in_baremetal(name): From 21bff21575e75381be8749993e629c1826f041df Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 2 Oct 2023 20:09:35 +0200 Subject: [PATCH 021/175] Support running unit tests from another directory When running a test suite, try to change to the directory containing the executable. This allows running a test suite from any directory, and still allow it to access its .datax file as well as data files (generally in tests/data_files) used by individual test cases. Only implemented on Unix-like systems and on Windows. Signed-off-by: Gilles Peskine --- tests/suites/host_test.function | 33 +++++++++++++++++++++++++++++++++ tests/suites/main_test.function | 15 +++++++++++++++ 2 files changed, 48 insertions(+) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 06f391fa4f..3a3cb3414e 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -432,6 +432,39 @@ static void write_outcome_result(FILE *outcome_file, fflush(outcome_file); } +#if defined(__unix__) || \ + (defined(__APPLE__) && defined(__MACH__)) || \ + defined(_WIN32) +#define MBEDTLS_HAVE_CHDIR +#endif + +#if defined(MBEDTLS_HAVE_CHDIR) +/** Try chdir to the directory containing argv0. + * + * Failures are silent. + */ +static void try_chdir(const char *argv0) +{ + const char *slash = strrchr(argv0, '/'); + if (slash == NULL) { + return; + } + size_t path_size = slash - argv0 + 1; + char *path = mbedtls_calloc(1, path_size); + if (path == NULL) { + return; + } + memcpy(path, argv0, path_size - 1); + path[path_size - 1] = 0; +#if defined(_WIN32) + (void) _chdir(path); +#else + (void) chdir(path); +#endif + mbedtls_free(path); +} +#endif /* MBEDTLS_HAVE_CHDIR */ + /** * \brief Desktop implementation of execute_tests(). * Parses command line and executes tests from diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 6c8d98e8b9..eb74e8f0cc 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -237,6 +237,21 @@ int main(int argc, const char *argv[]) #endif #endif +#ifdef MBEDTLS_HAVE_CHDIR + /* Try changing to the directory containing the executable, if + * using the default data file. This allows running the executable + * from another directory (e.g. the project root) and still access + * the .datax file as well as data files used by test cases + * (typically from tests/data_files). + * + * Note that we do this before the platform setup (which may access + * files such as a random seed). We also do this before accessing + * test-specific files such as the outcome file, which is arguably + * not desirable and should be fixed later. + */ + try_chdir(argv[0]); +#endif /* MBEDTLS_HAVE_CHDIR */ + int ret = mbedtls_test_platform_setup(); if (ret != 0) { mbedtls_fprintf(stderr, From ca26082ab7cac79268b98920632656d0c39ff18c Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 3 Oct 2023 10:01:43 +0200 Subject: [PATCH 022/175] Print a notice if chdir fails Fixes -Wunused-result warning. Signed-off-by: Gilles Peskine --- tests/suites/host_test.function | 13 ++++++------- 1 file changed, 6 insertions(+), 7 deletions(-) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 3a3cb3414e..1f95fb4b54 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -433,8 +433,7 @@ static void write_outcome_result(FILE *outcome_file, } #if defined(__unix__) || \ - (defined(__APPLE__) && defined(__MACH__)) || \ - defined(_WIN32) + (defined(__APPLE__) && defined(__MACH__)) #define MBEDTLS_HAVE_CHDIR #endif @@ -456,11 +455,11 @@ static void try_chdir(const char *argv0) } memcpy(path, argv0, path_size - 1); path[path_size - 1] = 0; -#if defined(_WIN32) - (void) _chdir(path); -#else - (void) chdir(path); -#endif + int ret = chdir(path); + if (ret != 0) { + mbedtls_fprintf(stderr, "%s: note: chdir(\"%s\") failed.\n", + __func__, path); + } mbedtls_free(path); } #endif /* MBEDTLS_HAVE_CHDIR */ From c760019dd5495cd19a318a0d468f990758bf654e Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Thu, 5 Oct 2023 17:23:58 +0200 Subject: [PATCH 023/175] Note about the lack of Windows support Signed-off-by: Gilles Peskine --- tests/suites/host_test.function | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 1f95fb4b54..736883fe10 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -444,6 +444,11 @@ static void write_outcome_result(FILE *outcome_file, */ static void try_chdir(const char *argv0) { + /* We might want to allow backslash as well, for Windows. But then we also + * need to consider chdir() vs _chdir(), and different conventions + * regarding paths in argv[0] (naively enabling this code with + * backslash support on Windows leads to chdir into the wrong directory + * on the CI). */ const char *slash = strrchr(argv0, '/'); if (slash == NULL) { return; From 8ba9f42acd43520fc5577724e7e44ae2c2cbbf7d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Sun, 8 Oct 2023 10:46:25 +0100 Subject: [PATCH 024/175] Fix arch detection for auto setting of clang flags Signed-off-by: Dave Rodgman --- library/sha256.c | 15 +++++++++++++-- 1 file changed, 13 insertions(+), 2 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index 37f68c743e..e655cf8b91 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -22,8 +22,17 @@ * http://csrc.nist.gov/publications/fips/fips180-2/fips180-2.pdf */ -#if defined(__aarch64__) && !defined(__ARM_FEATURE_CRYPTO) && \ - defined(__clang__) && __clang_major__ >= 4 +#if defined(__clang__) && (__clang_major__ >= 4) + +/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8 in the following #if, + * but that is defined by build_info.h, and we need this block to happen first. */ +#if defined(__ARM_ARCH) +#if __ARM_ARCH >= 8 +#define MBEDTLS_SHA256_ARCH_IS_ARMV8 +#endif +#endif + +#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8) && !defined(__ARM_FEATURE_CRYPTO) /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. * * The intrinsic declaration are guarded by predefined ACLE macros in clang: @@ -44,6 +53,8 @@ #define MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG #endif +#endif /* defined(__clang__) && (__clang_major__ >= 4) */ + /* Ensure that SIG_SETMASK is defined when -std=c99 is used. */ #define _GNU_SOURCE From 78d78462ac9ba048d026647dd2cdfbd0eaffd561 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 09:53:44 +0100 Subject: [PATCH 025/175] Make asm without side-effects not optimisable-out Signed-off-by: Dave Rodgman --- library/sha256.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index e655cf8b91..18be8a4b9f 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -202,9 +202,9 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) if (setjmp(return_from_sigill) == 0) { /* First return only */ /* If this traps, we will return a second time from setjmp() with 1 */ #if defined(MBEDTLS_ARCH_IS_ARM64) - asm ("sha256h q0, q0, v0.4s" : : : "v0"); + asm volatile ("sha256h q0, q0, v0.4s" : : : "v0"); #else - asm ("sha256h.32 q0, q0, q0" : : : "q0"); + asm volatile ("sha256h.32 q0, q0, q0" : : : "q0"); #endif ret = 1; } From 88d806254535a1430527655488be7102b3518008 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 10:14:26 +0100 Subject: [PATCH 026/175] Fix excess newline Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 1 - 1 file changed, 1 deletion(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index aaa6e39dbf..c1211f0c9e 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -1,4 +1,3 @@ Features * Support Armv8 Crypto Extension acceleration for SHA-256 when compiling for Thumb or 32-bit Arm. - From 308cb232bf30316105e3419930e385649eeba384 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 10 Oct 2023 17:56:12 +0800 Subject: [PATCH 027/175] aesni: support cpuid on WIN32 `__cpuid` has two kinds of signatures in different headers depending on the target OS. We make it consistent between the usages ang the included header. Signed-off-by: Pengyu Lv --- library/aesni.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aesni.c b/library/aesni.c index 5f25a8249f..7eb11aff55 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -53,7 +53,7 @@ int mbedtls_aesni_has_support(unsigned int what) if (!done) { #if MBEDTLS_AESNI_HAVE_CODE == 2 static unsigned info[4] = { 0, 0, 0, 0 }; -#if defined(_MSC_VER) +#if defined(_WIN32) __cpuid(info, 1); #else __cpuid(1, info[0], info[1], info[2], info[3]); From e8c4bf180b9ab6631d80e138bcf57fd8f3019a6a Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 10 Oct 2023 18:12:43 +0800 Subject: [PATCH 028/175] aesni: declare cpuinfo as int Change the type of array that stores the cpuinfo data to int[4] to match the signature of `__cpuinfo` in `intrin.h` header file. Signed-off-by: Pengyu Lv --- library/aesni.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/aesni.c b/library/aesni.c index 7eb11aff55..322a255335 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -52,7 +52,7 @@ int mbedtls_aesni_has_support(unsigned int what) if (!done) { #if MBEDTLS_AESNI_HAVE_CODE == 2 - static unsigned info[4] = { 0, 0, 0, 0 }; + static int info[4] = { 0, 0, 0, 0 }; #if defined(_WIN32) __cpuid(info, 1); #else From 94a634db96d692a470e3c7d0098fca7ab6b8680d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 12:59:29 +0100 Subject: [PATCH 029/175] Rename A64 config options Signed-off-by: Dave Rodgman --- include/mbedtls/config_adjust_legacy_crypto.h | 15 ++++ include/mbedtls/mbedtls_config.h | 86 ++++++++++++++----- library/sha256.c | 72 ++++++++-------- library/sha512.c | 70 +++++++-------- tests/scripts/all.sh | 53 +++++++----- 5 files changed, 181 insertions(+), 115 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 65bea1a6e6..78a5bb1d80 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -184,4 +184,19 @@ #define MBEDTLS_PK_HAVE_ECC_KEYS #endif /* MBEDTLS_PK_USE_PSA_EC_DATA || MBEDTLS_ECP_C */ +/* Backwards compatibility for some macros which were renamed to reflect that + * they are related to Armv8, not aarch64. */ +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT +#endif +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY +#endif +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT +#endif +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY +#endif + #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index a104114b4d..f9ad2b6f9a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3270,13 +3270,13 @@ #define MBEDTLS_SHA256_C /** - * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT is defined when building + * \note If MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT is defined when building * for a non-Armv8 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, @@ -3285,27 +3285,38 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for * armclang <= 6.9 * - * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. + * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. + * That name is deprecated, but may still be used as an alternative form for this + * option. + * + * \warning MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA256_C. * * Module: library/sha256.c * - * Uncomment to have the library check for the A64 SHA-256 crypto extensions + * Uncomment to have the library check for the Armv8 SHA-256 crypto extensions * and use them if available. */ +//#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + +/* + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ //#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + * \def MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT * * \note Minimum compiler versions for this feature are Clang 4.0, * armclang 6.6 or GCC 6.0. @@ -3313,17 +3324,28 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8-a+crypto for * armclang <= 6.9 * - * \warning MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT. + * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. + * That name is deprecated, but may still be used as an alternative form for this + * option. + * + * \warning MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA256_C. * * Module: library/sha256.c * - * Uncomment to have the library use the A64 SHA-256 crypto extensions + * Uncomment to have the library use the Armv8 SHA-256 crypto extensions * unconditionally. */ -//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY +//#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + +/* + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT /** * \def MBEDTLS_SHA384_C @@ -3368,13 +3390,13 @@ #define MBEDTLS_SHA3_C /** - * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building + * \note If MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT is defined when building * for a non-Aarch64 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 7.0, @@ -3383,27 +3405,38 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for * armclang 6.9 * - * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. + * \note This was previously known as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. + * That name is deprecated, but may still be used as an alternative form for this + * option. + * + * \warning MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA512_C. * * Module: library/sha512.c * - * Uncomment to have the library check for the A64 SHA-512 crypto extensions + * Uncomment to have the library check for the Armv8 SHA-512 crypto extensions * and use them if available. */ +//#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + +/* + * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + * \def MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + * MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT * * \note Minimum compiler versions for this feature are Clang 7.0, * armclang 6.9 or GCC 8.0. @@ -3411,16 +3444,27 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for * armclang 6.9 * - * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. + * \note This was previously known as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. + * That name is deprecated, but may still be used as an alternative form for this + * option. + * + * \warning MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA512_C. * * Module: library/sha512.c * - * Uncomment to have the library use the A64 SHA-512 crypto extensions + * Uncomment to have the library use the Armv8 SHA-512 crypto extensions * unconditionally. */ +//#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY + +/* + * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY. + * This name is now deprecated, but may still be used as an alternative form for + * this option. + */ //#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY /** diff --git a/library/sha256.c b/library/sha256.c index 18be8a4b9f..96aa25e591 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -72,34 +72,34 @@ #if defined(MBEDTLS_ARCH_IS_ARMV8) -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) # ifdef __ARM_NEON # include # else -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) # warning "Target does not support NEON instructions" -# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT # else # error "Target does not support NEON instructions" # endif # endif # endif -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) /* *INDENT-OFF* */ # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION <= 6090000 -# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" # endif # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # elif defined(__clang__) # if __clang_major__ < 4 -# error "A more recent Clang is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" # endif # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA @@ -108,20 +108,20 @@ * intrinsics are missing. Missing intrinsics could be worked around. */ # if __GNUC__ < 6 -# error "A more recent GCC is required for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" # else # pragma GCC push_options # pragma GCC target ("arch=armv8-a+crypto") # define MBEDTLS_POP_TARGET_PRAGMA # endif # else -# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_A64_CRYPTO_*" +# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" # endif # endif /* *INDENT-ON* */ # endif -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -132,19 +132,19 @@ # endif # endif #elif defined(_M_ARM64) -# if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) # include # endif #else -# undef MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY -# undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY +# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) /* * Capability detection code comes early, so we can disable - * MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found + * MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT if no detection mechanism found */ #if defined(HWCAP_SHA2) static int mbedtls_a64_crypto_sha256_determine_support(void) @@ -174,7 +174,7 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) static jmp_buf return_from_sigill; /* - * A64 SHA256 support detection via SIGILL + * Armv8 SHA256 support detection via SIGILL */ static void sigill_handler(int signal) { @@ -215,11 +215,11 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) return ret; } #else -#warning "No mechanism to detect A64_CRYPTO found, using C code only" -#undef MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" +#undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */ -#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT */ #if !defined(MBEDTLS_SHA256_ALT) @@ -321,10 +321,10 @@ static const uint32_t K[] = #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process #endif @@ -424,9 +424,9 @@ static size_t mbedtls_internal_sha256_process_many_a64_crypto( return processed; } -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and A64 + * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() */ static @@ -439,7 +439,7 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, SHA256_BLOCK_SIZE) ? 0 : -1; } -#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ #if defined(MBEDTLS_POP_TARGET_PRAGMA) #if defined(__clang__) @@ -450,14 +450,14 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, #undef MBEDTLS_POP_TARGET_PRAGMA #endif -#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process #endif #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \ - !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) + !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n)) #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n)))) @@ -485,9 +485,9 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, (d) += local.temp1; (h) = local.temp1 + local.temp2; \ } while (0) -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and A64 + * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() */ static @@ -577,10 +577,10 @@ int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx, return 0; } -#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ -#if !defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) static size_t mbedtls_internal_sha256_process_many_c( mbedtls_sha256_context *ctx, const uint8_t *data, size_t len) @@ -601,10 +601,10 @@ static size_t mbedtls_internal_sha256_process_many_c( return processed; } -#endif /* !MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) static int mbedtls_a64_crypto_sha256_has_support(void) { @@ -639,7 +639,7 @@ int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, } } -#endif /* MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT */ /* diff --git a/library/sha512.c b/library/sha512.c index e739af2546..14c9343e34 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -57,8 +57,8 @@ #include "mbedtls/platform.h" #if defined(__aarch64__) -# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) /* *INDENT-OFF* */ # ifdef __ARM_NEON # include @@ -83,35 +83,35 @@ /* Test Clang first, as it defines __GNUC__ */ # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION < 6090000 -# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# error "A more recent armclang is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" # elif __ARMCOMPILER_VERSION == 6090000 -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__clang__) # if __clang_major__ < 7 -# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# error "A more recent Clang is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__GNUC__) # if __GNUC__ < 8 -# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# error "A more recent GCC is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" # else # pragma GCC push_options # pragma GCC target ("arch=armv8.2-a+sha3") # define MBEDTLS_POP_TARGET_PRAGMA # endif # else -# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" +# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" # endif # endif /* *INDENT-ON* */ # endif -# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -122,19 +122,19 @@ # endif # endif #elif defined(_M_ARM64) -# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) # include # endif #else -# undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY -# undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY +# undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) /* * Capability detection code comes early, so we can disable - * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found + * MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT if no detection mechanism found */ #if defined(HWCAP_SHA512) static int mbedtls_a64_crypto_sha512_determine_support(void) @@ -161,9 +161,9 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) * SHA-512 support. So we fall back to the C code only. */ #if defined(_MSC_VER) -#pragma message "No mechanism to detect A64_CRYPTO found, using C code only" +#pragma message "No mechanism to detect ARMV8_CRYPTO found, using C code only" #else -#warning "No mechanism to detect A64_CRYPTO found, using C code only" +#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" #endif #elif defined(__unix__) && defined(SIG_SETMASK) /* Detection with SIGILL, setjmp() and longjmp() */ @@ -173,7 +173,7 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) static jmp_buf return_from_sigill; /* - * A64 SHA512 support detection via SIGILL + * Armv8 SHA512 support detection via SIGILL */ static void sigill_handler(int signal) { @@ -210,11 +210,11 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) return ret; } #else -#warning "No mechanism to detect A64_CRYPTO found, using C code only" -#undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT +#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" +#undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT #endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */ -#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT */ #if !defined(MBEDTLS_SHA512_ALT) @@ -352,10 +352,10 @@ static const uint64_t K[80] = }; #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) # define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many # define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process #endif @@ -567,9 +567,9 @@ static size_t mbedtls_internal_sha512_process_many_a64_crypto( return processed; } -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and A64 + * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() */ static @@ -582,7 +582,7 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, SHA512_BLOCK_SIZE) ? 0 : -1; } -#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ #if defined(MBEDTLS_POP_TARGET_PRAGMA) #if defined(__clang__) @@ -594,17 +594,17 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, #endif -#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many #define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process #endif -#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and A64 + * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() */ static @@ -701,10 +701,10 @@ int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx, return 0; } -#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ -#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) static size_t mbedtls_internal_sha512_process_many_c( mbedtls_sha512_context *ctx, const uint8_t *data, size_t len) @@ -725,10 +725,10 @@ static size_t mbedtls_internal_sha512_process_many_c( return processed; } -#endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) static int mbedtls_a64_crypto_sha512_has_support(void) { @@ -763,7 +763,7 @@ int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx, } } -#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT */ /* * SHA-512 process buffer diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 32d1a1527a..1892ef869a 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2245,12 +2245,12 @@ component_build_module_alt () { # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields # directly and assumes the implementation works with partial groups. scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY + # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable # MBEDTLS_XXX_YYY_ALT which are for single functions. @@ -3464,10 +3464,10 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_SHA1_C scripts/config.py unset MBEDTLS_SHA224_C scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA3_C fi } @@ -4332,7 +4332,7 @@ component_build_aes_aesce_armcc () { scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, @@ -4340,7 +4340,7 @@ component_build_aes_aesce_armcc () { # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM msg "AESCE, build with default configuration." @@ -4362,30 +4362,37 @@ support_build_sha_armce() { component_build_sha_armce () { # Test variations of SHA256 Armv8 crypto extensions - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, aarch64" + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, aarch64" make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, arm" + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, arm" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" + # test the deprecated form of the config option + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, aarch64" + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, aarch64" make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" + # test the deprecated form of the config option + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, arm" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" + msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - } # For timebeing, no VIA Padlock platform available. @@ -4929,7 +4936,7 @@ component_build_armcc () { msg "build: ARM Compiler 5" scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, @@ -4937,7 +4944,7 @@ component_build_armcc () { # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM From 5d4ef83e01645a40d07b945f8b70501f190ffd90 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 13:04:07 +0100 Subject: [PATCH 030/175] Fix hwcap detection on 32-bit Arm Signed-off-by: Dave Rodgman --- library/sha256.c | 8 +++++++- 1 file changed, 7 insertions(+), 1 deletion(-) diff --git a/library/sha256.c b/library/sha256.c index 96aa25e591..fe343e7a43 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -126,6 +126,7 @@ # if defined(__linux__) /* Our preferred method of detection is getauxval() */ # include +# include # endif /* Use SIGILL on Unix, and fall back to it on Linux */ # include @@ -146,11 +147,16 @@ * Capability detection code comes early, so we can disable * MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT if no detection mechanism found */ -#if defined(HWCAP_SHA2) +#if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2) static int mbedtls_a64_crypto_sha256_determine_support(void) { return (getauxval(AT_HWCAP) & HWCAP_SHA2) ? 1 : 0; } +#elif defined(MBEDTLS_ARCH_IS_ARM32) && defined(HWCAP2_SHA2) +static int mbedtls_a64_crypto_sha256_determine_support(void) +{ + return (getauxval(AT_HWCAP2) & HWCAP2_SHA2) ? 1 : 0; +} #elif defined(__APPLE__) static int mbedtls_a64_crypto_sha256_determine_support(void) { From 6ab314f71d0fe0f4c39d78cdd57e0b65ea1a10b8 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 14:00:17 +0100 Subject: [PATCH 031/175] More config option renaming Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 4 ++ include/mbedtls/check_config.h | 38 +++++++++---------- include/mbedtls/config_adjust_legacy_crypto.h | 8 ++-- include/mbedtls/mbedtls_config.h | 2 +- scripts/config.py | 4 ++ 5 files changed, 32 insertions(+), 24 deletions(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index c1211f0c9e..13d4dda1ad 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -1,3 +1,7 @@ Features * Support Armv8 Crypto Extension acceleration for SHA-256 when compiling for Thumb or 32-bit Arm. +New deprecations + * Rename the SHAxxx_USE_A64_CRYPTO_yyy config options to + SHAxxx_USE_ARMV8_CRYPTO_yyy. The old names may still be + used, but are deprecated. diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1580707832..24b3e03e21 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -829,44 +829,44 @@ #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) -#error "Must only define one of MBEDTLS_SHA512_USE_A64_CRYPTO_*" +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) && \ + defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#error "Must only define one of MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) #if !defined(MBEDTLS_SHA512_C) -#error "MBEDTLS_SHA512_USE_A64_CRYPTO_* defined without MBEDTLS_SHA512_C" +#error "MBEDTLS_SHA512_USE_ARMV8_CRYPTO_* defined without MBEDTLS_SHA512_C" #endif #if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT) -#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*" +#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" #endif -#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(__aarch64__) -#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system" +#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) && !defined(__aarch64__) +#error "MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY defined on non-Aarch64 system" #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) -#error "Must only define one of MBEDTLS_SHA256_USE_A64_CRYPTO_*" +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) && \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) #if !defined(MBEDTLS_SHA256_C) -#error "MBEDTLS_SHA256_USE_A64_CRYPTO_* defined without MBEDTLS_SHA256_C" +#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_* defined without MBEDTLS_SHA256_C" #endif #if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT) -#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_A64_CRYPTO_*" +#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" #endif #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8) -#error "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY defined on non-Armv8 system" +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8) +#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY defined on non-Armv8 system" #endif /* TLS 1.3 requires separate HKDF parts from PSA, diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 78a5bb1d80..bd356da592 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -186,16 +186,16 @@ /* Backwards compatibility for some macros which were renamed to reflect that * they are related to Armv8, not aarch64. */ -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) #define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) #define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) #define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) #define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index f9ad2b6f9a..0cbb0ee41a 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3345,7 +3345,7 @@ * This name is now deprecated, but may still be used as an alternative form for * this option. */ -//#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY /** * \def MBEDTLS_SHA384_C diff --git a/scripts/config.py b/scripts/config.py index 1a71cb35f9..619782b892 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -215,6 +215,8 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) @@ -280,6 +282,8 @@ EXCLUDE_FROM_BAREMETAL = frozenset([ 'MBEDTLS_TIMING_C', # requires a clock 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection ]) def keep_in_baremetal(name): From c5861d5bf254bd991dd266cdab295216c36ca578 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 14:01:54 +0100 Subject: [PATCH 032/175] Code style Signed-off-by: Dave Rodgman --- include/mbedtls/config_adjust_legacy_crypto.h | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index bd356da592..9144c4963d 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -186,13 +186,15 @@ /* Backwards compatibility for some macros which were renamed to reflect that * they are related to Armv8, not aarch64. */ -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \ + !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) #define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT #endif #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) #define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \ + !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) #define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT #endif #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) From f097bef6ea9a8a83d08281c5435cf43946fe375d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 14:56:35 +0100 Subject: [PATCH 033/175] Refer to Armv8-A (not Armv8) in docs Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 2 +- include/mbedtls/check_config.h | 2 +- include/mbedtls/mbedtls_config.h | 10 +++++----- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index 13d4dda1ad..bff70f5000 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -1,5 +1,5 @@ Features - * Support Armv8 Crypto Extension acceleration for SHA-256 + * Support Armv8-A Crypto Extension acceleration for SHA-256 when compiling for Thumb or 32-bit Arm. New deprecations * Rename the SHAxxx_USE_A64_CRYPTO_yyy config options to diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 24b3e03e21..0dba0a872e 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -866,7 +866,7 @@ #endif #if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8) -#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY defined on non-Armv8 system" +#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY defined on non-Armv8-A system" #endif /* TLS 1.3 requires separate HKDF parts from PSA, diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 0cbb0ee41a..595b8cd890 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3277,7 +3277,7 @@ * If not, the library will fall back to the C implementation. * * \note If MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT is defined when building - * for a non-Armv8 build it will be silently ignored. + * for a non-Armv8-A build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, * armclang 6.6 or GCC 6.0. @@ -3296,7 +3296,7 @@ * * Module: library/sha256.c * - * Uncomment to have the library check for the Armv8 SHA-256 crypto extensions + * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions * and use them if available. */ //#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT @@ -3335,7 +3335,7 @@ * * Module: library/sha256.c * - * Uncomment to have the library use the Armv8 SHA-256 crypto extensions + * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions * unconditionally. */ //#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY @@ -3416,7 +3416,7 @@ * * Module: library/sha512.c * - * Uncomment to have the library check for the Armv8 SHA-512 crypto extensions + * Uncomment to have the library check for the Armv8-A SHA-512 crypto extensions * and use them if available. */ //#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT @@ -3455,7 +3455,7 @@ * * Module: library/sha512.c * - * Uncomment to have the library use the Armv8 SHA-512 crypto extensions + * Uncomment to have the library use the Armv8-A SHA-512 crypto extensions * unconditionally. */ //#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY From fe9fda81aabf178eb241670d1aced3810e7be7b2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 14:51:06 +0100 Subject: [PATCH 034/175] Rename MBEDTLS_ARCH_IS_ARMV8 to MBEDTLS_ARCH_IS_ARMV8_A Signed-off-by: Dave Rodgman --- include/mbedtls/build_info.h | 19 ++++++++++++------- include/mbedtls/check_config.h | 2 +- library/sha256.c | 10 +++++----- 3 files changed, 18 insertions(+), 13 deletions(-) diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 9b9f5f2ac9..b09c5dd096 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -74,14 +74,19 @@ #define MBEDTLS_ARCH_IS_X86 #endif -/* This is defined if the architecture is Armv8, or higher */ -#if !defined(MBEDTLS_ARCH_IS_ARMV8) -#if defined(__ARM_ARCH) -#if __ARM_ARCH >= 8 -#define MBEDTLS_ARCH_IS_ARMV8 +/* This is defined if the architecture is Armv8-A, or higher */ +#if !defined(MBEDTLS_ARCH_IS_ARMV8_A) +#if defined(__ARM_ARCH) && defined(__ARM_ARCH_PROFILE) +#if (__ARM_ARCH >= 8) && (__ARM_ARCH_PROFILE == 'A') +/* GCC, clang, armclang and IAR */ +#define MBEDTLS_ARCH_IS_ARMV8_A #endif -#elif defined(MBEDTLS_ARCH_IS_ARM64) -#define MBEDTLS_ARCH_IS_ARMV8 +#elif defined(__ARM_ARCH_8A) +/* Alternative defined by clang */ +#define MBEDTLS_ARCH_IS_ARMV8_A +#elif defined(_M_ARM64) || defined(_M_ARM64EC) +/* MSVC ARM64 is at least Armv8.0-A */ +#define MBEDTLS_ARCH_IS_ARMV8_A #endif #endif diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 0dba0a872e..eac2266187 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -865,7 +865,7 @@ #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8) +#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A) #error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY defined on non-Armv8-A system" #endif diff --git a/library/sha256.c b/library/sha256.c index fe343e7a43..763c71076b 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -24,15 +24,15 @@ #if defined(__clang__) && (__clang_major__ >= 4) -/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8 in the following #if, +/* Ideally, we would simply use MBEDTLS_ARCH_IS_ARMV8_A in the following #if, * but that is defined by build_info.h, and we need this block to happen first. */ -#if defined(__ARM_ARCH) +#if defined(__ARM_ARCH) && (__ARM_ARCH_PROFILE == 'A') #if __ARM_ARCH >= 8 -#define MBEDTLS_SHA256_ARCH_IS_ARMV8 +#define MBEDTLS_SHA256_ARCH_IS_ARMV8_A #endif #endif -#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8) && !defined(__ARM_FEATURE_CRYPTO) +#if defined(MBEDTLS_SHA256_ARCH_IS_ARMV8_A) && !defined(__ARM_FEATURE_CRYPTO) /* TODO: Re-consider above after https://reviews.llvm.org/D131064 merged. * * The intrinsic declaration are guarded by predefined ACLE macros in clang: @@ -70,7 +70,7 @@ #include "mbedtls/platform.h" -#if defined(MBEDTLS_ARCH_IS_ARMV8) +#if defined(MBEDTLS_ARCH_IS_ARMV8_A) # if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) From 5b89c55bb853aab5936e5845d61eb58e91a324f2 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 10 Oct 2023 14:59:02 +0100 Subject: [PATCH 035/175] Rename MBEDTLS_SHAxxx_USE_ARMV8_yyy to MBEDTLS_SHAxxx_USE_ARMV8_A_yyy Signed-off-by: Dave Rodgman --- include/mbedtls/check_config.h | 38 +++++------ include/mbedtls/config_adjust_legacy_crypto.h | 16 ++--- include/mbedtls/mbedtls_config.h | 48 +++++++------- library/sha256.c | 64 +++++++++---------- library/sha512.c | 58 ++++++++--------- scripts/config.py | 8 +-- tests/scripts/all.sh | 48 +++++++------- 7 files changed, 140 insertions(+), 140 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index eac2266187..b346f1f6ea 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -829,44 +829,44 @@ #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) && \ - defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) -#error "Must only define one of MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \ + defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#error "Must only define one of MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) #if !defined(MBEDTLS_SHA512_C) -#error "MBEDTLS_SHA512_USE_ARMV8_CRYPTO_* defined without MBEDTLS_SHA512_C" +#error "MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA512_C" #endif #if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT) -#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" #endif -#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) && !defined(__aarch64__) -#error "MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY defined on non-Aarch64 system" +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) && !defined(__aarch64__) +#error "MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY defined on non-Aarch64 system" #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) && \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) -#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) +#error "Must only define one of MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) #if !defined(MBEDTLS_SHA256_C) -#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_* defined without MBEDTLS_SHA256_C" +#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C" #endif #if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT) -#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" #endif #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A) -#error "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY defined on non-Armv8-A system" +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) && !defined(MBEDTLS_ARCH_IS_ARMV8_A) +#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY defined on non-Armv8-A system" #endif /* TLS 1.3 requires separate HKDF parts from PSA, diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index 9144c4963d..c8791fc63e 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -187,18 +187,18 @@ /* Backwards compatibility for some macros which were renamed to reflect that * they are related to Armv8, not aarch64. */ #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT) && \ - !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) -#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) -#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY +#if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) +#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY #endif #if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \ - !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) -#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) -#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY #endif #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 595b8cd890..49ae7218e0 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3270,13 +3270,13 @@ #define MBEDTLS_SHA256_C /** - * \def MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT is defined when building + * \note If MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building * for a non-Armv8-A build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 4.0, @@ -3289,8 +3289,8 @@ * That name is deprecated, but may still be used as an alternative form for this * option. * - * \warning MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY. + * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA256_C. * @@ -3299,24 +3299,24 @@ * Uncomment to have the library check for the Armv8-A SHA-256 crypto extensions * and use them if available. */ -//#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT /* - * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT. + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT. * This name is now deprecated, but may still be used as an alternative form for * this option. */ //#define MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + * \def MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY * * Enable acceleration of the SHA-256 and SHA-224 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT * * \note Minimum compiler versions for this feature are Clang 4.0, * armclang 6.6 or GCC 6.0. @@ -3328,8 +3328,8 @@ * That name is deprecated, but may still be used as an alternative form for this * option. * - * \warning MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT. + * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA256_C. * @@ -3338,10 +3338,10 @@ * Uncomment to have the library use the Armv8-A SHA-256 crypto extensions * unconditionally. */ -//#define MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY +//#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY /* - * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY. + * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY. * This name is now deprecated, but may still be used as an alternative form for * this option. */ @@ -3390,13 +3390,13 @@ #define MBEDTLS_SHA3_C /** - * \def MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT is defined when building + * \note If MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building * for a non-Aarch64 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 7.0, @@ -3409,8 +3409,8 @@ * That name is deprecated, but may still be used as an alternative form for this * option. * - * \warning MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY. + * \warning MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA512_C. * @@ -3419,24 +3419,24 @@ * Uncomment to have the library check for the Armv8-A SHA-512 crypto extensions * and use them if available. */ -//#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT +//#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT /* - * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT. + * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT. * This name is now deprecated, but may still be used as an alternative form for * this option. */ //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY + * \def MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + * MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT * * \note Minimum compiler versions for this feature are Clang 7.0, * armclang 6.9 or GCC 8.0. @@ -3448,8 +3448,8 @@ * That name is deprecated, but may still be used as an alternative form for this * option. * - * \warning MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT. + * \warning MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA512_C. * @@ -3458,10 +3458,10 @@ * Uncomment to have the library use the Armv8-A SHA-512 crypto extensions * unconditionally. */ -//#define MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY +//#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY /* - * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY. + * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY. * This name is now deprecated, but may still be used as an alternative form for * this option. */ diff --git a/library/sha256.c b/library/sha256.c index 763c71076b..726f5fb565 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -72,34 +72,34 @@ #if defined(MBEDTLS_ARCH_IS_ARMV8_A) -# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) # ifdef __ARM_NEON # include # else -# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) # warning "Target does not support NEON instructions" -# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT # else # error "Target does not support NEON instructions" # endif # endif # endif -# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) /* *INDENT-OFF* */ # if !defined(__ARM_FEATURE_CRYPTO) || defined(MBEDTLS_ENABLE_ARM_CRYPTO_EXTENSIONS_COMPILER_FLAG) # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION <= 6090000 -# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +# error "Must use minimum -march=armv8-a+crypto for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" # endif # pragma clang attribute push (__attribute__((target("sha2"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # elif defined(__clang__) # if __clang_major__ < 4 -# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +# error "A more recent Clang is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" # endif # pragma clang attribute push (__attribute__((target("crypto"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA @@ -108,20 +108,20 @@ * intrinsics are missing. Missing intrinsics could be worked around. */ # if __GNUC__ < 6 -# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +# error "A more recent GCC is required for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" # else # pragma GCC push_options # pragma GCC target ("arch=armv8-a+crypto") # define MBEDTLS_POP_TARGET_PRAGMA # endif # else -# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_CRYPTO_*" +# error "Only GCC and Clang supported for MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*" # endif # endif /* *INDENT-ON* */ # endif -# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -133,19 +133,19 @@ # endif # endif #elif defined(_M_ARM64) -# if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) # include # endif #else -# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY -# undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY +# undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * Capability detection code comes early, so we can disable - * MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT if no detection mechanism found + * MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found */ #if defined(MBEDTLS_ARCH_IS_ARM64) && defined(HWCAP_SHA2) static int mbedtls_a64_crypto_sha256_determine_support(void) @@ -222,10 +222,10 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) } #else #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" -#undef MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT +#undef MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif /* HWCAP_SHA2, __APPLE__, __unix__ && SIG_SETMASK */ -#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ #if !defined(MBEDTLS_SHA256_ALT) @@ -327,10 +327,10 @@ static const uint32_t K[] = #endif -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) # define mbedtls_internal_sha256_process_many_a64_crypto mbedtls_internal_sha256_process_many # define mbedtls_internal_sha256_process_a64_crypto mbedtls_internal_sha256_process #endif @@ -430,7 +430,7 @@ static size_t mbedtls_internal_sha256_process_many_a64_crypto( return processed; } -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() @@ -445,7 +445,7 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, SHA256_BLOCK_SIZE) ? 0 : -1; } -#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ #if defined(MBEDTLS_POP_TARGET_PRAGMA) #if defined(__clang__) @@ -456,14 +456,14 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, #undef MBEDTLS_POP_TARGET_PRAGMA #endif -#if !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha256_process_many_c mbedtls_internal_sha256_process_many #define mbedtls_internal_sha256_process_c mbedtls_internal_sha256_process #endif #if !defined(MBEDTLS_SHA256_PROCESS_ALT) && \ - !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) + !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) #define SHR(x, n) (((x) & 0xFFFFFFFF) >> (n)) #define ROTR(x, n) (SHR(x, n) | ((x) << (32 - (n)))) @@ -491,7 +491,7 @@ int mbedtls_internal_sha256_process_a64_crypto(mbedtls_sha256_context *ctx, (d) += local.temp1; (h) = local.temp1 + local.temp2; \ } while (0) -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() @@ -583,10 +583,10 @@ int mbedtls_internal_sha256_process_c(mbedtls_sha256_context *ctx, return 0; } -#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA256_PROCESS_ALT && !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ -#if !defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) static size_t mbedtls_internal_sha256_process_many_c( mbedtls_sha256_context *ctx, const uint8_t *data, size_t len) @@ -607,10 +607,10 @@ static size_t mbedtls_internal_sha256_process_many_c( return processed; } -#endif /* !MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) static int mbedtls_a64_crypto_sha256_has_support(void) { @@ -645,7 +645,7 @@ int mbedtls_internal_sha256_process(mbedtls_sha256_context *ctx, } } -#endif /* MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT */ /* diff --git a/library/sha512.c b/library/sha512.c index 14c9343e34..ab13e841eb 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -57,8 +57,8 @@ #include "mbedtls/platform.h" #if defined(__aarch64__) -# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) /* *INDENT-OFF* */ # ifdef __ARM_NEON # include @@ -83,35 +83,35 @@ /* Test Clang first, as it defines __GNUC__ */ # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION < 6090000 -# error "A more recent armclang is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +# error "A more recent armclang is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" # elif __ARMCOMPILER_VERSION == 6090000 -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__clang__) # if __clang_major__ < 7 -# error "A more recent Clang is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +# error "A more recent Clang is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__GNUC__) # if __GNUC__ < 8 -# error "A more recent GCC is required for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +# error "A more recent GCC is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" # else # pragma GCC push_options # pragma GCC target ("arch=armv8.2-a+sha3") # define MBEDTLS_POP_TARGET_PRAGMA # endif # else -# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_ARMV8_CRYPTO_*" +# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" # endif # endif /* *INDENT-ON* */ # endif -# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -122,19 +122,19 @@ # endif # endif #elif defined(_M_ARM64) -# if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) # include # endif #else -# undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY -# undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY +# undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * Capability detection code comes early, so we can disable - * MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT if no detection mechanism found + * MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found */ #if defined(HWCAP_SHA512) static int mbedtls_a64_crypto_sha512_determine_support(void) @@ -211,10 +211,10 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) } #else #warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" -#undef MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT +#undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT #endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */ -#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT */ #if !defined(MBEDTLS_SHA512_ALT) @@ -352,10 +352,10 @@ static const uint64_t K[80] = }; #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) # define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many # define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process #endif @@ -567,7 +567,7 @@ static size_t mbedtls_internal_sha512_process_many_a64_crypto( return processed; } -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() @@ -582,7 +582,7 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, SHA512_BLOCK_SIZE) ? 0 : -1; } -#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ #if defined(MBEDTLS_POP_TARGET_PRAGMA) #if defined(__clang__) @@ -594,15 +594,15 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, #endif -#if !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many #define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process #endif -#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* * This function is for internal use only if we are building both C and Armv8 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() @@ -701,10 +701,10 @@ int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx, return 0; } -#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ -#if !defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) static size_t mbedtls_internal_sha512_process_many_c( mbedtls_sha512_context *ctx, const uint8_t *data, size_t len) @@ -725,10 +725,10 @@ static size_t mbedtls_internal_sha512_process_many_c( return processed; } -#endif /* !MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) static int mbedtls_a64_crypto_sha512_has_support(void) { @@ -763,7 +763,7 @@ int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx, } } -#endif /* MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT */ /* * SHA-512 process buffer diff --git a/scripts/config.py b/scripts/config.py index 619782b892..6e32e3db23 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -215,8 +215,8 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT - 'MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT - 'MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) @@ -282,8 +282,8 @@ EXCLUDE_FROM_BAREMETAL = frozenset([ 'MBEDTLS_TIMING_C', # requires a clock 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection - 'MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection - 'MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection ]) def keep_in_baremetal(name): diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1892ef869a..5be96a5868 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2245,12 +2245,12 @@ component_build_module_alt () { # The SpecifiedECDomain parsing code accesses mbedtls_ecp_group fields # directly and assumes the implementation works with partial groups. scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED - # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY - # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_ONLY + # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable # MBEDTLS_XXX_YYY_ALT which are for single functions. @@ -3464,10 +3464,10 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_SHA1_C scripts/config.py unset MBEDTLS_SHA224_C scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA3_C fi } @@ -4332,7 +4332,7 @@ component_build_aes_aesce_armcc () { scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, @@ -4340,7 +4340,7 @@ component_build_aes_aesce_armcc () { # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM msg "AESCE, build with default configuration." @@ -4362,36 +4362,36 @@ support_build_sha_armce() { component_build_sha_armce () { # Test variations of SHA256 Armv8 crypto extensions - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT - scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, aarch64" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64" make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, arm" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" # test the deprecated form of the config option - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY clang, thumb" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_ONLY + scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, aarch64" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" # test the deprecated form of the config option - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, arm" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, arm" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - msg "MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT clang, thumb" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" } @@ -4936,7 +4936,7 @@ component_build_armcc () { msg "build: ARM Compiler 5" scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, @@ -4944,7 +4944,7 @@ component_build_armcc () { # unavailable, and the user is notified via a #warning. So enabling # this feature would prevent us from building with -Werror on # armclang. Tracked in #7198. - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_HAVE_ASM From 28b4da954bcdefe2d7e8b0d4a433d69f69f1e9ac Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 3 Oct 2023 17:32:50 +0100 Subject: [PATCH 036/175] Add PSA threading design Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 70 ++++++++++++++++++++++++-- 1 file changed, 67 insertions(+), 3 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 06bdcc056d..0724307620 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -53,7 +53,7 @@ We need to define clear policies so that driver implementers know what to expect * Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it. * At most one driver entry point is active at any given time. -A more reasonable policy could be: +Combining the two we arrive at the following policy: * By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock. * Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver. @@ -293,8 +293,72 @@ There is currently no indication of when a slot is in the WRITING state. This on ### Destruction of a key in use -Problem: a key slot is destroyed (by `psa_wipe_key_slot`) while it's in use (READING or WRITING). +Problem: In #key-destruction-long-term-requirements we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (READING or WRITING). -TODO: how do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock). +How do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock). Solution: after some team discussion, we've decided to rely on a new threading abstraction which mimics C11 (i.e. `mbedtls_fff` where `fff` is the C11 function name, having the same parameters and return type, with default implementations for C11, pthreads and Windows). We'll likely use condition variables in addition to mutexes. + +#### Mutex only + +When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to WRITING first. For most functions this is a clean UNUSED -> WRITING transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key. + +`psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This opens up the way for an untrusted application to launch a DoS attack against the crypto service, but this is still better than compromising confidentiality or integrity and this is the most we can do with mutexes only. Also, this is the current behaviour. + +`psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). When the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it. + +These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the #key-destruction-short-term-requirements. + +Variations: + +1. As a first step the multipart operations would lock the keys for reading on setup and release on free +2. In a later stage this would be improved by locking the keys on entry into multi-part API calls and released before exiting. + +The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must left unsupported in the first variant. + +### Condition variables + +Clean UNUSED -> WRITING transition works as before. + +`psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot state becomes UNUSED. When waking up, they wipe the slot, and return. + +If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy #key-destruction-long-term-requirements none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been whiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again. + +To resolve this, we can either: + +1. Depend on the deletion marker. If the slot has been reused and is marked for deletion again, the threads keep waiting until the second deletion completes. +2. Introduce a uuid (eg a global counter plus a slot ID), which is recorded by the thread waiting for deletion and checks whether it matches. If it doesn't, the function can return as the slot was already reallocated. If it does match, it can check whether it is still marked for deletion, if it is, the thread goes back to sleep, if it isn't, the function can return. + +#### Platform abstraction + +Introducing condition variables to the platform abstraction layer would be best done in a major version. If we can't wait until that, we will need to introduce a new compile time flag. Considering that this only will be needed on the PSA Crypto side and the upcoming split, it makes sense to make this flag responsible for the entire PSA Crypto threading support. Therefore if we want to keep the option open for implementing this in a backward compatible manner, we need to introduce and use this new flag already when implementing #mutex-only. (If we keep the abstraction layer for mutexes the same, this shouldn't mean increase in code size and would mean only minimal effort on the porting side.) + +### Operation contexts + +Concurrent access to the same operation context can compromise the crypto service for example if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement. (Concurrent calls to operations is undefined behaviour, but still should not compromise the CIA of the crypto service.) + +Operations will have a status field protected by a global mutex similarly to key slots. On entry, API calls check the state and return an error if it is already ACTIVE. Otherwise they set it to ACTIVE and restore it to INACTIVE before returning. + +### Drivers + +Each driver that hasn’t got the "thread_safe” property set has a dedicated mutex. + +Implementing "thread_safe” drivers depends on the condition variable protection in the key store, as we must guarantee that the core never starts the destruction of a key while there are operations in progress on it. + +Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the #condition-variables approach is implemented in the core. + +### Global Data + +PSA Crypto makes use of a `global_data` variable that will be accessible from multiple threads and needs to be protected. Any function accessing this variable (or its members) must take the corresponding lock first. Since `global_data` holds the RNG state, these will involve relatively expensive operations and therefore ideally `global_data` should be protected by its own, dedicated lock (different from the one protecting the key store). + +Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, which is guaranteed to be thread-safe when `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is disabled. Still, doing so is conceptually simpler and we probably will want to remove the lower level mutex in the long run, since the corresponding interface will be removed from the public API. The two mutexes are different and are always taken in the same order, there is no risk of deadlock. + +The purpose of `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is very similar to the driver interface (and might even be added to it in the long run), therefore it makes sense to handle it the same way. In particular, we can use the `global_data` mutex to protect it as a default and when we implement the "thread_safe” property for drivers, we implement it for `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` as well. + +### Implementation notes + +Since we only have simple mutexes, locking the same mutex from the same thread is a deadlock. Therefore functions taking the global mutex must not be called while holding the same mutex. Functions taking the mutex will document this fact and the implications. + +Releasing the mutex before a function call might introduce race conditions. Therefore might not be practical to take the mutex in low level access functions. If functions like that don't take the mutex, they need to rely on the caller to take it for them. These functions will document that the caller is required to hold the mutex. + +To avoid performance degradation, functions must not start expensive operations (eg. doing cryptography) while holding the mutex. From 0ecb635ca5a41fee0af01f5cd5aeb85622a0a1f3 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Wed, 11 Oct 2023 10:36:55 +0800 Subject: [PATCH 037/175] aesni: select `__cpuid` impl based on compiler type MinGW provides both kinds of implementations of `__cpuid`, but since `cpuid.h` is provided by GNUC, so we should choose the implementation by the compiler type instead of OS type. Signed-off-by: Pengyu Lv --- library/aesni.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/aesni.c b/library/aesni.c index 322a255335..b90e7f9a3c 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -33,10 +33,12 @@ #if defined(MBEDTLS_AESNI_HAVE_CODE) #if MBEDTLS_AESNI_HAVE_CODE == 2 -#if !defined(_WIN32) +#if defined(__GNUC__) #include -#else +#elif defined(_MSC_VER) #include +#else +#error "`__cpuid` required by MBEDTLS_AESNI_C is not supported by the compiler" #endif #include #endif @@ -53,7 +55,7 @@ int mbedtls_aesni_has_support(unsigned int what) if (!done) { #if MBEDTLS_AESNI_HAVE_CODE == 2 static int info[4] = { 0, 0, 0, 0 }; -#if defined(_WIN32) +#if defined(_MSC_VER) __cpuid(info, 1); #else __cpuid(1, info[0], info[1], info[2], info[3]); From 64cca2f3eadfbf9665f50d82348bc254f35932fe Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Tue, 10 Oct 2023 18:22:24 +0800 Subject: [PATCH 038/175] all.sh: Re-enable MBEDTLS_AESNI_C in some components Signed-off-by: Pengyu Lv --- tests/scripts/all.sh | 18 +++++++----------- 1 file changed, 7 insertions(+), 11 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7e6c95c62c..ca84040491 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4626,8 +4626,7 @@ component_test_m32_o0 () { # build) and not the i386-specific inline assembly. msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s scripts/config.py full - scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O0 (ASan build)" make test @@ -4644,8 +4643,7 @@ component_test_m32_o2 () { # and go faster for tests. msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s scripts/config.py full - scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O2 (ASan build)" make test @@ -4660,8 +4658,7 @@ support_test_m32_o2 () { component_test_m32_everest () { msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s make test @@ -5114,16 +5111,15 @@ component_test_tls13_only_record_size_limit () { component_build_mingw () { msg "build: Windows cross build - mingw64, make (Link Library)" # ~ 30s - scripts/config.py unset MBEDTLS_AESNI_C # AESNI depends on cpu modifiers - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 lib programs # note Make tests only builds the tests, but doesn't run them - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -maes -msse2 -mpclmul' WINDOWS_BUILD=1 tests make WINDOWS_BUILD=1 clean msg "build: Windows cross build - mingw64, make (DLL)" # ~ 30s - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests make WINDOWS_BUILD=1 clean } support_build_mingw() { From be7915aa6ceddaaf81652c0072ea5fd2b2466932 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 10:46:38 +0100 Subject: [PATCH 039/175] Revert renaming of SHA512 options Signed-off-by: Dave Rodgman --- include/mbedtls/check_config.h | 20 +++--- include/mbedtls/config_adjust_legacy_crypto.h | 7 -- include/mbedtls/mbedtls_config.h | 42 +++-------- library/sha512.c | 70 +++++++++---------- scripts/config.py | 8 +-- tests/scripts/all.sh | 12 ++-- 6 files changed, 64 insertions(+), 95 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index b346f1f6ea..3df6ede441 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -829,24 +829,24 @@ #error "MBEDTLS_X509_RSASSA_PSS_SUPPORT defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \ - defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) -#error "Must only define one of MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) +#error "Must only define one of MBEDTLS_SHA512_USE_A64_CRYPTO_*" #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) #if !defined(MBEDTLS_SHA512_C) -#error "MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA512_C" +#error "MBEDTLS_SHA512_USE_A64_CRYPTO_* defined without MBEDTLS_SHA512_C" #endif #if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT) -#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*" #endif -#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) && !defined(__aarch64__) -#error "MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY defined on non-Aarch64 system" +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(__aarch64__) +#error "MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY defined on non-Aarch64 system" #endif #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) && \ diff --git a/include/mbedtls/config_adjust_legacy_crypto.h b/include/mbedtls/config_adjust_legacy_crypto.h index c8791fc63e..9bb1f88f4e 100644 --- a/include/mbedtls/config_adjust_legacy_crypto.h +++ b/include/mbedtls/config_adjust_legacy_crypto.h @@ -193,12 +193,5 @@ #if defined(MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY) #define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY #endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) && \ - !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) -#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT -#endif -#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) && !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) -#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY -#endif #endif /* MBEDTLS_CONFIG_ADJUST_LEGACY_CRYPTO_H */ diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 49ae7218e0..b5c0d58798 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3390,13 +3390,13 @@ #define MBEDTLS_SHA3_C /** - * \def MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions if they are available at runtime. * If not, the library will fall back to the C implementation. * - * \note If MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT is defined when building + * \note If MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT is defined when building * for a non-Aarch64 build it will be silently ignored. * * \note Minimum compiler versions for this feature are Clang 7.0, @@ -3405,38 +3405,27 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for * armclang 6.9 * - * \note This was previously known as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. - * That name is deprecated, but may still be used as an alternative form for this - * option. - * - * \warning MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT cannot be defined at the - * same time as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY. + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT cannot be defined at the + * same time as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. * * Requires: MBEDTLS_SHA512_C. * * Module: library/sha512.c * - * Uncomment to have the library check for the Armv8-A SHA-512 crypto extensions + * Uncomment to have the library check for the A64 SHA-512 crypto extensions * and use them if available. */ -//#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT - -/* - * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT. - * This name is now deprecated, but may still be used as an alternative form for - * this option. - */ //#define MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT /** - * \def MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY + * \def MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY * * Enable acceleration of the SHA-512 and SHA-384 cryptographic hash algorithms * with the ARMv8 cryptographic extensions, which must be available at runtime * or else an illegal instruction fault will occur. * * \note This allows builds with a smaller code size than with - * MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT * * \note Minimum compiler versions for this feature are Clang 7.0, * armclang 6.9 or GCC 8.0. @@ -3444,27 +3433,16 @@ * \note \c CFLAGS must be set to a minimum of \c -march=armv8.2-a+sha3 for * armclang 6.9 * - * \note This was previously known as MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. - * That name is deprecated, but may still be used as an alternative form for this - * option. - * - * \warning MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same - * time as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT. + * \warning MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY cannot be defined at the same + * time as MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT. * * Requires: MBEDTLS_SHA512_C. * * Module: library/sha512.c * - * Uncomment to have the library use the Armv8-A SHA-512 crypto extensions + * Uncomment to have the library use the A64 SHA-512 crypto extensions * unconditionally. */ -//#define MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY - -/* - * \deprecated This is now known as MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY. - * This name is now deprecated, but may still be used as an alternative form for - * this option. - */ //#define MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY /** diff --git a/library/sha512.c b/library/sha512.c index ab13e841eb..e739af2546 100644 --- a/library/sha512.c +++ b/library/sha512.c @@ -57,8 +57,8 @@ #include "mbedtls/platform.h" #if defined(__aarch64__) -# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) /* *INDENT-OFF* */ # ifdef __ARM_NEON # include @@ -83,35 +83,35 @@ /* Test Clang first, as it defines __GNUC__ */ # if defined(__ARMCOMPILER_VERSION) # if __ARMCOMPILER_VERSION < 6090000 -# error "A more recent armclang is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +# error "A more recent armclang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # elif __ARMCOMPILER_VERSION == 6090000 -# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +# error "Must use minimum -march=armv8.2-a+sha3 for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__clang__) # if __clang_major__ < 7 -# error "A more recent Clang is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +# error "A more recent Clang is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # else # pragma clang attribute push (__attribute__((target("sha3"))), apply_to=function) # define MBEDTLS_POP_TARGET_PRAGMA # endif # elif defined(__GNUC__) # if __GNUC__ < 8 -# error "A more recent GCC is required for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +# error "A more recent GCC is required for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # else # pragma GCC push_options # pragma GCC target ("arch=armv8.2-a+sha3") # define MBEDTLS_POP_TARGET_PRAGMA # endif # else -# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_*" +# error "Only GCC and Clang supported for MBEDTLS_SHA512_USE_A64_CRYPTO_*" # endif # endif /* *INDENT-ON* */ # endif -# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) # if defined(__unix__) # if defined(__linux__) /* Our preferred method of detection is getauxval() */ @@ -122,19 +122,19 @@ # endif # endif #elif defined(_M_ARM64) -# if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +# if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) # include # endif #else -# undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY -# undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT +# undef MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY +# undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) /* * Capability detection code comes early, so we can disable - * MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT if no detection mechanism found + * MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT if no detection mechanism found */ #if defined(HWCAP_SHA512) static int mbedtls_a64_crypto_sha512_determine_support(void) @@ -161,9 +161,9 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) * SHA-512 support. So we fall back to the C code only. */ #if defined(_MSC_VER) -#pragma message "No mechanism to detect ARMV8_CRYPTO found, using C code only" +#pragma message "No mechanism to detect A64_CRYPTO found, using C code only" #else -#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" +#warning "No mechanism to detect A64_CRYPTO found, using C code only" #endif #elif defined(__unix__) && defined(SIG_SETMASK) /* Detection with SIGILL, setjmp() and longjmp() */ @@ -173,7 +173,7 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) static jmp_buf return_from_sigill; /* - * Armv8 SHA512 support detection via SIGILL + * A64 SHA512 support detection via SIGILL */ static void sigill_handler(int signal) { @@ -210,11 +210,11 @@ static int mbedtls_a64_crypto_sha512_determine_support(void) return ret; } #else -#warning "No mechanism to detect ARMV8_CRYPTO found, using C code only" -#undef MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT +#warning "No mechanism to detect A64_CRYPTO found, using C code only" +#undef MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT #endif /* HWCAP_SHA512, __APPLE__, __unix__ && SIG_SETMASK */ -#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ #if !defined(MBEDTLS_SHA512_ALT) @@ -352,10 +352,10 @@ static const uint64_t K[80] = }; #endif -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) || \ - defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) || \ + defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) # define mbedtls_internal_sha512_process_many_a64_crypto mbedtls_internal_sha512_process_many # define mbedtls_internal_sha512_process_a64_crypto mbedtls_internal_sha512_process #endif @@ -567,9 +567,9 @@ static size_t mbedtls_internal_sha512_process_many_a64_crypto( return processed; } -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and Armv8 + * This function is for internal use only if we are building both C and A64 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() */ static @@ -582,7 +582,7 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, SHA512_BLOCK_SIZE) ? 0 : -1; } -#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ +#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ #if defined(MBEDTLS_POP_TARGET_PRAGMA) #if defined(__clang__) @@ -594,17 +594,17 @@ int mbedtls_internal_sha512_process_a64_crypto(mbedtls_sha512_context *ctx, #endif -#if !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) #define mbedtls_internal_sha512_process_many_c mbedtls_internal_sha512_process_many #define mbedtls_internal_sha512_process_c mbedtls_internal_sha512_process #endif -#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_PROCESS_ALT) && !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and Armv8 + * This function is for internal use only if we are building both C and A64 * versions, otherwise it is renamed to be the public mbedtls_internal_sha512_process() */ static @@ -701,10 +701,10 @@ int mbedtls_internal_sha512_process_c(mbedtls_sha512_context *ctx, return 0; } -#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_PROCESS_ALT && !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ -#if !defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY) +#if !defined(MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY) static size_t mbedtls_internal_sha512_process_many_c( mbedtls_sha512_context *ctx, const uint8_t *data, size_t len) @@ -725,10 +725,10 @@ static size_t mbedtls_internal_sha512_process_many_c( return processed; } -#endif /* !MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY */ +#endif /* !MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */ -#if defined(MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT) +#if defined(MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT) static int mbedtls_a64_crypto_sha512_has_support(void) { @@ -763,7 +763,7 @@ int mbedtls_internal_sha512_process(mbedtls_sha512_context *ctx, } } -#endif /* MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT */ +#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT */ /* * SHA-512 process buffer diff --git a/scripts/config.py b/scripts/config.py index 6e32e3db23..eeda6e18dd 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -214,9 +214,8 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT - 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT - 'MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) @@ -280,10 +279,9 @@ EXCLUDE_FROM_BAREMETAL = frozenset([ 'MBEDTLS_THREADING_C', # requires a threading interface 'MBEDTLS_THREADING_PTHREAD', # requires pthread 'MBEDTLS_TIMING_C', # requires a clock - 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection - 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA256_USE_A64_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection - 'MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection ]) def keep_in_baremetal(name): diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 5be96a5868..49492651d8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -2248,9 +2248,9 @@ component_build_module_alt () { # MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_* - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_ONLY + # MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_* + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY # Enable all MBEDTLS_XXX_ALT for whole modules. Do not enable # MBEDTLS_XXX_YYY_ALT which are for single functions. @@ -3467,7 +3467,7 @@ config_psa_crypto_hash_use_psa () { scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA384_C scripts/config.py unset MBEDTLS_SHA512_C - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT scripts/config.py unset MBEDTLS_SHA3_C fi } @@ -4332,7 +4332,7 @@ component_build_aes_aesce_armcc () { scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, @@ -4936,7 +4936,7 @@ component_build_armcc () { msg "build: ARM Compiler 5" scripts/config.py baremetal # armc[56] don't support SHA-512 intrinsics - scripts/config.py unset MBEDTLS_SHA512_USE_ARMV8_A_CRYPTO_IF_PRESENT + scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT # Stop armclang warning about feature detection for A64_CRYPTO. # With this enabled, the library does build correctly under armclang, From d680d4fbf909f78ff6a163a3206d8dd2ef1c83d7 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 11:05:22 +0100 Subject: [PATCH 040/175] SHA256 renaming - fix some missed things Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 4 ++-- tests/scripts/depends.py | 8 ++++---- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index bff70f5000..46b2ca2a2e 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -2,6 +2,6 @@ Features * Support Armv8-A Crypto Extension acceleration for SHA-256 when compiling for Thumb or 32-bit Arm. New deprecations - * Rename the SHAxxx_USE_A64_CRYPTO_yyy config options to - SHAxxx_USE_ARMV8_CRYPTO_yyy. The old names may still be + * Rename the SHA256_USE_A64_CRYPTO_xxx config options to + SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still be used, but are deprecated. diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index e925641519..96529de7da 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -262,16 +262,16 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], 'MBEDTLS_SHA256_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', 'MBEDTLS_LMS_PRIVATE'], 'MBEDTLS_SHA512_C': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'], 'MBEDTLS_SHA224_C': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', 'MBEDTLS_ENTROPY_FORCE_SHA256', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', - 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY'], + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], 'MBEDTLS_X509_RSASSA_PSS_SUPPORT': [] } From 830dc3dc71667a85fc09ae56c3c876998eaef53f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 11:20:16 +0100 Subject: [PATCH 041/175] Improve Changelog Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index 46b2ca2a2e..0f9754460a 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -2,6 +2,6 @@ Features * Support Armv8-A Crypto Extension acceleration for SHA-256 when compiling for Thumb or 32-bit Arm. New deprecations - * Rename the SHA256_USE_A64_CRYPTO_xxx config options to - SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still be - used, but are deprecated. + * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to + MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still + be used, but are deprecated. From 9be3cf077624e44eea551cb65866272fdbb76453 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 14:47:55 +0100 Subject: [PATCH 042/175] Fix a couple of typos related to renaming options Signed-off-by: Dave Rodgman --- scripts/config.py | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/scripts/config.py b/scripts/config.py index eeda6e18dd..3173be483b 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -214,7 +214,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_PSA_INJECT_ENTROPY', # conflicts with platform entropy sources 'MBEDTLS_RSA_NO_CRT', # influences the use of RSA in X.509 and TLS 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT - 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) @@ -279,7 +279,7 @@ EXCLUDE_FROM_BAREMETAL = frozenset([ 'MBEDTLS_THREADING_C', # requires a threading interface 'MBEDTLS_THREADING_PTHREAD', # requires pthread 'MBEDTLS_TIMING_C', # requires a clock - 'MBEDTLS_SHA256_USE_A64_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection + 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection 'MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT', # requires an OS for runtime-detection ]) From c20d8992662d92604954bd5692efa636b8016b25 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 15:01:35 +0100 Subject: [PATCH 043/175] Adjust messages in all.sh Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 4c96f8688a..ce06c11c82 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4360,7 +4360,7 @@ component_build_sha_armce () { scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, thumb" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT @@ -4373,10 +4373,10 @@ component_build_sha_armce () { scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, arm" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, thumb" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" } From f4b415c369d1ae35655c8de36a4e6e4ff243eb0a Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 11 Oct 2023 16:11:42 +0100 Subject: [PATCH 044/175] Test instructions built/not built Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 67 ++++++++++++++++++++++++++++++++------------ 1 file changed, 49 insertions(+), 18 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ce06c11c82..253f6c0fa1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4346,38 +4346,69 @@ support_build_sha_armce() { } component_build_sha_armce () { - # Test variations of SHA256 Armv8 crypto extensions scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT + + + # Test variations of SHA256 Armv8 crypto extensions scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, aarch64" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" - - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY clang, arm" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm" # test the deprecated form of the config option - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY + msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" + scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" - make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a" # test the deprecated form of the config option - scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" + msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" - make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" + # examine the disassembly for presence of SHA instructions + for opt in MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT; do + scripts/config.py set ${opt} + msg "${opt} clang, test A32 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "${opt} clang, test T32 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "${opt} clang, test aarch64 crypto instructions built" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o + scripts/config.py unset ${opt} + done + + + # examine the disassembly for absence of SHA instructions + msg "clang, test A32 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -S" + not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "clang, test T32 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb -S" + not grep -E 'sha256[a-z0-9]+.32\s+[qv]' library/sha256.o + + msg "clang, test aarch64 crypto instructions not built" + make -B library/sha256.o CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a -S" + not grep -E 'sha256[a-z0-9]+\s+[qv]' library/sha256.o } # For timebeing, no VIA Padlock platform available. From 7a799ccacd852e6fcaa222a64b9149fb91f584b7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 13:47:47 +0800 Subject: [PATCH 045/175] Share `early_data_status` between server and client Signed-off-by: Jerry Yu --- include/mbedtls/ssl.h | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index debb1cc2c1..03a8b1f142 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -1840,7 +1840,7 @@ struct mbedtls_ssl_context { * and #MBEDTLS_SSL_CID_DISABLED. */ #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_SSL_EARLY_DATA) && defined(MBEDTLS_SSL_CLI_C) +#if defined(MBEDTLS_SSL_EARLY_DATA) int MBEDTLS_PRIVATE(early_data_status); #endif /* MBEDTLS_SSL_EARLY_DATA && MBEDTLS_SSL_CLI_C */ @@ -5013,6 +5013,10 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); #if defined(MBEDTLS_SSL_EARLY_DATA) +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1 +#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 + #if defined(MBEDTLS_SSL_SRV_C) /** * \brief Read at most 'len' application data bytes while performing @@ -5122,9 +5126,6 @@ int mbedtls_ssl_read_early_data(mbedtls_ssl_context *ssl, int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len); -#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT 0 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED 1 -#define MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED 2 /** * \brief Get the status of the negotiation of the use of early data. * From 1eb0bd557dcd9d709d993e9e42bf2a08d30e840f Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 13:49:43 +0800 Subject: [PATCH 046/175] Add not-received status Signed-off-by: Jerry Yu --- library/ssl_misc.h | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/library/ssl_misc.h b/library/ssl_misc.h index a99bb33439..2d78fd47c9 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -2129,6 +2129,12 @@ int mbedtls_ssl_tls13_write_early_data_ext(mbedtls_ssl_context *ssl, unsigned char *buf, const unsigned char *end, size_t *out_len); + +#if defined(MBEDTLS_SSL_SRV_C) +#define MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED \ + MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_SENT +#endif /* MBEDTLS_SSL_SRV_C */ + #endif /* MBEDTLS_SSL_EARLY_DATA */ #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ From ab0da370a431b2aab896fa9c0be1a91f7d3c213a Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 13:55:24 +0800 Subject: [PATCH 047/175] Add early data status update Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 40 ++++++++++++++++++++++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index b8201f086e..dad07817ad 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1749,6 +1749,40 @@ static int ssl_tls13_parse_client_hello(mbedtls_ssl_context *ssl, return hrr_required ? SSL_CLIENT_HELLO_HRR_REQUIRED : SSL_CLIENT_HELLO_OK; } +#if defined(MBEDTLS_SSL_EARLY_DATA) +static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl) +{ + mbedtls_ssl_handshake_params *handshake = ssl->handshake; + + if ((handshake->received_extensions & + MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("EarlyData: early data extension is not received.")); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED; + return; + } + + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; + + if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { + MBEDTLS_SSL_DEBUG_MSG( + 1, ("EarlyData: rejected. configured disabled.")); + return; + } + + MBEDTLS_SSL_DEBUG_MSG( + 3, ("EarlyData: conf->max_early_data_size = %u", + (unsigned int) ssl->conf->max_early_data_size)); + + /* TODO: Add more checks here. */ + + MBEDTLS_SSL_DEBUG_MSG( + 1, ("EarlyData: For time being, it should not happen.")); + ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; + +} +#endif /* MBEDTLS_SSL_EARLY_DATA */ + /* Update the handshake state machine */ MBEDTLS_CHECK_RETURN_CRITICAL @@ -1775,6 +1809,12 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) return ret; } +#if defined(MBEDTLS_SSL_EARLY_DATA) + /* There is enough information, update early data state. */ + ssl_tls13_update_early_data_status(ssl); + +#endif /* MBEDTLS_SSL_EARLY_DATA */ + return 0; } From e649cecb4355d03be583a93db0c7fbfcbbae72dc Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 13:58:57 +0800 Subject: [PATCH 048/175] Add data file for early data input Signed-off-by: Jerry Yu --- tests/data_files/early_data.txt | 3 +++ tests/ssl-opt.sh | 1 + 2 files changed, 4 insertions(+) create mode 100644 tests/data_files/early_data.txt diff --git a/tests/data_files/early_data.txt b/tests/data_files/early_data.txt new file mode 100644 index 0000000000..f0084c3ef0 --- /dev/null +++ b/tests/data_files/early_data.txt @@ -0,0 +1,3 @@ +EarlyData context: line 0 lf +EarlyData context: line 1 lf +EarlyData context: If it appear, that means early_data success diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index efcbd26862..2ff097ff1e 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -72,6 +72,7 @@ guess_config_name() { : ${MBEDTLS_TEST_OUTCOME_FILE=} : ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"} : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"} +: ${EARLY_DATA_INPUT:=data_files/early_data.txt} O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client" From bc57e86390aa0868c7f418478c8ef5323b8e8163 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 8 Feb 2023 14:05:53 +0800 Subject: [PATCH 049/175] Add early data disable tests Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-misc.sh | 32 +++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index f30384d39f..78b466f0b6 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -493,3 +493,35 @@ run_test "TLS 1.3 m->m: Resumption with ticket flags, psk_all/psk_all." \ -S "No suitable key exchange mode" \ -s "found matched identity" +requires_gnutls_next +requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +run_test "TLS 1.3 G->m: EarlyData: ephemeral: feature is disabled, fail." \ + "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1 $(get_srv_psk_list)" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \ + 1 \ + -c "Resume Handshake was completed" \ + -s "ClientHello: early_data(42) extension exists." \ + -S "EncryptedExtensions: early_data(42) extension exists." \ + -s "NewSessionTicket: early_data(42) extension does not exist." + +requires_gnutls_next +requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ + MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE +requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ + MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED +run_test "TLS 1.3 G->m: EarlyData: psk*: feature is disabled, fail." \ + "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1 $(get_srv_psk_list)" \ + "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK \ + -d 10 -r --earlydata $EARLY_DATA_INPUT \ + --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \ + 1 \ + -c "Resume Handshake was completed" \ + -s "ClientHello: early_data(42) extension exists." \ + -S "EncryptedExtensions: early_data(42) extension exists." \ + -s "NewSessionTicket: early_data(42) extension does not exist." From bd4dd81606639ea461110acd6999ceefcf9386ac Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 14 Aug 2023 17:15:42 +0800 Subject: [PATCH 050/175] fix test fail when ecp disabled Gnutls-cli send ecp algorithm as key share algorithm and we do not known how to change that. Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-misc.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 78b466f0b6..9845717aae 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -497,7 +497,7 @@ requires_gnutls_next requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_ECP_LIGHT requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m: EarlyData: ephemeral: feature is disabled, fail." \ @@ -512,7 +512,7 @@ run_test "TLS 1.3 G->m: EarlyData: ephemeral: feature is disabled, fail." \ requires_gnutls_next requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_ECP_LIGHT requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m: EarlyData: psk*: feature is disabled, fail." \ From 4fd868e4b1786b07af1500d5edc264353a460169 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 12 Oct 2023 09:09:42 +0100 Subject: [PATCH 051/175] Refer to Armv8-A (not Armv8) in comments Co-authored-by: Jerry Yu Signed-off-by: Dave Rodgman --- library/sha256.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index 726f5fb565..a6d0a7a46d 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -180,7 +180,7 @@ static int mbedtls_a64_crypto_sha256_determine_support(void) static jmp_buf return_from_sigill; /* - * Armv8 SHA256 support detection via SIGILL + * Armv8-A SHA256 support detection via SIGILL */ static void sigill_handler(int signal) { @@ -432,7 +432,7 @@ static size_t mbedtls_internal_sha256_process_many_a64_crypto( #if defined(MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT) /* - * This function is for internal use only if we are building both C and Armv8 + * This function is for internal use only if we are building both C and Armv8-A * versions, otherwise it is renamed to be the public mbedtls_internal_sha256_process() */ static From 0d3fe733cc6835bac635ce2f2c4ed25ce526a77b Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 12 Oct 2023 11:00:49 +0100 Subject: [PATCH 052/175] Clarify changelog Co-authored-by: Tom Cosgrove Signed-off-by: Dave Rodgman --- ChangeLog.d/sha256-armce-arm.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/sha256-armce-arm.txt b/ChangeLog.d/sha256-armce-arm.txt index 0f9754460a..5b18eb3fc6 100644 --- a/ChangeLog.d/sha256-armce-arm.txt +++ b/ChangeLog.d/sha256-armce-arm.txt @@ -1,6 +1,6 @@ Features * Support Armv8-A Crypto Extension acceleration for SHA-256 - when compiling for Thumb or 32-bit Arm. + when compiling for Thumb (T32) or 32-bit Arm (A32). New deprecations * Rename the MBEDTLS_SHA256_USE_A64_CRYPTO_xxx config options to MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_xxx. The old names may still From 7cb635a56340785bcf2b61caef9ac70df6e014ca Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Thu, 12 Oct 2023 16:14:51 +0100 Subject: [PATCH 053/175] Adjust the full config Signed-off-by: Dave Rodgman --- scripts/config.py | 1 + 1 file changed, 1 insertion(+) diff --git a/scripts/config.py b/scripts/config.py index 3173be483b..5f49f2d8c1 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -216,6 +216,7 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', # interacts with *_USE_ARMV8_A_CRYPTO_IF_PRESENT 'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY', # interacts with *_USE_A64_CRYPTO_IF_PRESENT + 'MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT', # setting *_USE_ARMV8_A_CRYPTO is sufficient 'MBEDTLS_SSL_RECORD_SIZE_LIMIT', # in development, currently breaks other tests 'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan) 'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers) From d85277c62e3618681f8d2d2d5921b73d143cdf8d Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 09:22:54 +0100 Subject: [PATCH 054/175] Doxygen fixes Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index b5c0d58798..f2451cb4c6 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3301,7 +3301,9 @@ */ //#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT -/* +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT + * * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT. * This name is now deprecated, but may still be used as an alternative form for * this option. @@ -3325,7 +3327,7 @@ * armclang <= 6.9 * * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. - * That name is deprecated, but may still be used as an alternative form for this + * That name is \deprecated, but may still be used as an alternative form for this * option. * * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same @@ -3340,7 +3342,9 @@ */ //#define MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY -/* +/** + * \def MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY + * * \deprecated This is now known as MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY. * This name is now deprecated, but may still be used as an alternative form for * this option. From ab0cff5b4e3215c7c5b4541a10a6397fd59bb4ff Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 09:32:04 +0100 Subject: [PATCH 055/175] Require asm/hwcap.h for testing Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 9 +++++++-- 1 file changed, 7 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 253f6c0fa1..aec54c1668 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4341,8 +4341,13 @@ component_build_aes_aesce_armcc () { support_build_sha_armce() { # clang >= 4 is required to build with SHA extensions - ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - [ "${ver}" -ge 4 ] + clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" + + # we need asm/hwcap.h available for runtime detection + echo '#include ' | clang -E - >/dev/null 2>&1 + have_hwcap=$? + + [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 0 ]] } component_build_sha_armce () { From 7821df3e8baab741b6753223d1d971078609cfa9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 09:38:44 +0100 Subject: [PATCH 056/175] Adjust use of deprecated in Doxygen Signed-off-by: Dave Rodgman --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index f2451cb4c6..73229ea912 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -3327,7 +3327,7 @@ * armclang <= 6.9 * * \note This was previously known as MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY. - * That name is \deprecated, but may still be used as an alternative form for this + * That name is deprecated, but may still be used as an alternative form for this * option. * * \warning MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY cannot be defined at the same From 768bc143ad8aad064bdee6033bdcc69b2cb362a4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 10:15:55 +0100 Subject: [PATCH 057/175] Fix hwcap test for CI Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index aec54c1668..22289e5432 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4344,10 +4344,9 @@ support_build_sha_armce() { clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" # we need asm/hwcap.h available for runtime detection - echo '#include ' | clang -E - >/dev/null 2>&1 - have_hwcap=$? + echo '#include ' | clang -E - >/dev/null 2>&1 && no_hwcap=0 || no_hwcap=1 - [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 0 ]] + [[ "${clang_ver}" -ge 4 && "${no_hwcap}" -eq 0 ]] } component_build_sha_armce () { From 515af1d80dce7effa946bb31a91c3b5f19189872 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 14:40:14 +0100 Subject: [PATCH 058/175] Stop IAR warning about goto skipping variable definition Signed-off-by: Dave Rodgman --- library/pkcs12.c | 27 ++++++++++++++------------- library/pkcs5.c | 32 +++++++++++++++++--------------- library/x509_create.c | 42 ++++++++++++++++++++++-------------------- 3 files changed, 53 insertions(+), 48 deletions(-) diff --git a/library/pkcs12.c b/library/pkcs12.c index 4db2a4bbf4..42e4fb4381 100644 --- a/library/pkcs12.c +++ b/library/pkcs12.c @@ -216,21 +216,22 @@ int mbedtls_pkcs12_pbe_ext(mbedtls_asn1_buf *pbe_params, int mode, } #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) - /* PKCS12 uses CBC with PKCS7 padding */ - - mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; + { + /* PKCS12 uses CBC with PKCS7 padding */ + mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) - /* For historical reasons, when decrypting, this function works when - * decrypting even when support for PKCS7 padding is disabled. In this - * case, it ignores the padding, and so will never report a - * password mismatch. - */ - if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { - padding = MBEDTLS_PADDING_NONE; - } + /* For historical reasons, when decrypting, this function works when + * decrypting even when support for PKCS7 padding is disabled. In this + * case, it ignores the padding, and so will never report a + * password mismatch. + */ + if (mode == MBEDTLS_PKCS12_PBE_DECRYPT) { + padding = MBEDTLS_PADDING_NONE; + } #endif - if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { - goto exit; + if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { + goto exit; + } } #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ diff --git a/library/pkcs5.c b/library/pkcs5.c index 2756d058e0..d10a1937c5 100644 --- a/library/pkcs5.c +++ b/library/pkcs5.c @@ -242,23 +242,25 @@ int mbedtls_pkcs5_pbes2_ext(const mbedtls_asn1_buf *pbe_params, int mode, } #if defined(MBEDTLS_CIPHER_MODE_WITH_PADDING) - /* PKCS5 uses CBC with PKCS7 padding (which is the same as - * "PKCS5 padding" except that it's typically only called PKCS5 - * with 64-bit-block ciphers). - */ - mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; + { + /* PKCS5 uses CBC with PKCS7 padding (which is the same as + * "PKCS5 padding" except that it's typically only called PKCS5 + * with 64-bit-block ciphers). + */ + mbedtls_cipher_padding_t padding = MBEDTLS_PADDING_PKCS7; #if !defined(MBEDTLS_CIPHER_PADDING_PKCS7) - /* For historical reasons, when decrypting, this function works when - * decrypting even when support for PKCS7 padding is disabled. In this - * case, it ignores the padding, and so will never report a - * password mismatch. - */ - if (mode == MBEDTLS_DECRYPT) { - padding = MBEDTLS_PADDING_NONE; - } + /* For historical reasons, when decrypting, this function works when + * decrypting even when support for PKCS7 padding is disabled. In this + * case, it ignores the padding, and so will never report a + * password mismatch. + */ + if (mode == MBEDTLS_DECRYPT) { + padding = MBEDTLS_PADDING_NONE; + } #endif - if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { - goto exit; + if ((ret = mbedtls_cipher_set_padding_mode(&cipher_ctx, padding)) != 0) { + goto exit; + } } #endif /* MBEDTLS_CIPHER_MODE_WITH_PADDING */ if ((ret = mbedtls_cipher_crypt(&cipher_ctx, iv, enc_scheme_params.len, diff --git a/library/x509_create.c b/library/x509_create.c index 2583cdd0fd..62fb119ba9 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -254,31 +254,33 @@ static int parse_attribute_value_hex_der_encoded(const char *s, /* Step 3: decode the DER. */ /* We've checked that der_length >= 1 above. */ *tag = der[0]; - unsigned char *p = der + 1; - if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) { - goto error; - } - /* Now p points to the first byte of the payload inside der, - * and *data_len is the length of the payload. */ + { + unsigned char *p = der + 1; + if (mbedtls_asn1_get_len(&p, der + der_length, data_len) != 0) { + goto error; + } + /* Now p points to the first byte of the payload inside der, + * and *data_len is the length of the payload. */ - /* Step 4: payload validation */ - if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) { - goto error; - } - /* Strings must not contain null bytes. */ - if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) { - for (size_t i = 0; i < *data_len; i++) { - if (p[i] == 0) { - goto error; + /* Step 4: payload validation */ + if (*data_len > MBEDTLS_X509_MAX_DN_NAME_SIZE) { + goto error; + } + /* Strings must not contain null bytes. */ + if (MBEDTLS_ASN1_IS_STRING_TAG(*tag)) { + for (size_t i = 0; i < *data_len; i++) { + if (p[i] == 0) { + goto error; + } } } - } - /* Step 5: output the payload. */ - if (*data_len > data_size) { - goto error; + /* Step 5: output the payload. */ + if (*data_len > data_size) { + goto error; + } + memcpy(data, p, *data_len); } - memcpy(data, p, *data_len); mbedtls_free(der); return 0; From 37801d714b6f72b349536a9ed1b5663edbb0524c Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Fri, 13 Oct 2023 16:06:55 +0100 Subject: [PATCH 059/175] Invert no_hwcap variable Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 22289e5432..91ed1a566d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4344,9 +4344,9 @@ support_build_sha_armce() { clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" # we need asm/hwcap.h available for runtime detection - echo '#include ' | clang -E - >/dev/null 2>&1 && no_hwcap=0 || no_hwcap=1 + echo '#include ' | clang -E - >/dev/null 2>&1 && have_hwcap=1 || have_hwcap=0 - [[ "${clang_ver}" -ge 4 && "${no_hwcap}" -eq 0 ]] + [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 1 ]] } component_build_sha_armce () { From 132261345d1fec20f629138cf74c8cf5fb5a744c Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Mon, 16 Oct 2023 14:03:29 +0800 Subject: [PATCH 060/175] all.sh: revert changes in test_m32* AESNI for x86 (32-bit) have been tested in a seperate component, we don't need to test twice. Signed-off-by: Pengyu Lv --- tests/scripts/all.sh | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index ca84040491..64bde15fd3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4626,7 +4626,8 @@ component_test_m32_o0 () { # build) and not the i386-specific inline assembly. msg "build: i386, make, gcc -O0 (ASan build)" # ~ 30s scripts/config.py full - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O0" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O0 (ASan build)" make test @@ -4643,7 +4644,8 @@ component_test_m32_o2 () { # and go faster for tests. msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s scripts/config.py full - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, make, gcc -O2 (ASan build)" make test @@ -4658,7 +4660,8 @@ support_test_m32_o2 () { component_test_m32_everest () { msg "build: i386, Everest ECDH context (ASan build)" # ~ 6 min scripts/config.py set MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED - make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2 -maes -msse2 -mpclmul" LDFLAGS="-m32 $ASAN_CFLAGS" + scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32 + make CC=gcc CFLAGS="$ASAN_CFLAGS -m32 -O2" LDFLAGS="-m32 $ASAN_CFLAGS" msg "test: i386, Everest ECDH context - main suites (inc. selftests) (ASan build)" # ~ 50s make test From 4b0e8f0e2c67f88816f7ebfc314e725986fe6343 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Jul 2023 12:25:12 +0200 Subject: [PATCH 061/175] Remove redundant include MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit It's also included later, guarded by support for ECC keys, and actually that's the only case where we need it. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 1 - 1 file changed, 1 deletion(-) diff --git a/library/pkparse.c b/library/pkparse.c index e1422df771..687c2c0828 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -26,7 +26,6 @@ #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" #include "mbedtls/error.h" -#include "pk_internal.h" #include From da88c380bd9674efef64b91b9ff34057c6b537d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Jul 2023 12:31:43 +0200 Subject: [PATCH 062/175] Minimize key-type-related includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - we don't use any ECDSA function here - we only need to include ecp.h when supporting ECC keys Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 687c2c0828..1dd5653e24 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -29,16 +29,16 @@ #include +/* Key types */ #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" #endif -#include "mbedtls/ecp.h" #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) +#include "mbedtls/ecp.h" #include "pk_internal.h" #endif -#if defined(MBEDTLS_ECDSA_C) -#include "mbedtls/ecdsa.h" -#endif + +/* Extended formats */ #if defined(MBEDTLS_PEM_PARSE_C) #include "mbedtls/pem.h" #endif From 5fcbe4c1f802b5532a198f91d7cfa33f211c7cbc Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 6 Jul 2023 13:02:51 +0200 Subject: [PATCH 063/175] Further rationalize includes MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - only include psa_util when we use PSA Crypto - re-order includes Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 16 ++++++---------- 1 file changed, 6 insertions(+), 10 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 1dd5653e24..3fca2c44f7 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -25,10 +25,16 @@ #include "mbedtls/asn1.h" #include "mbedtls/oid.h" #include "mbedtls/platform_util.h" +#include "mbedtls/platform.h" #include "mbedtls/error.h" #include +#if defined(MBEDTLS_USE_PSA_CRYPTO) +#include "mbedtls/psa_util.h" +#include "psa/crypto.h" +#endif + /* Key types */ #if defined(MBEDTLS_RSA_C) #include "mbedtls/rsa.h" @@ -49,16 +55,6 @@ #include "mbedtls/pkcs12.h" #endif -#if defined(MBEDTLS_PSA_CRYPTO_C) -#include "psa_util_internal.h" -#endif - -#if defined(MBEDTLS_USE_PSA_CRYPTO) -#include "psa/crypto.h" -#endif - -#include "mbedtls/platform.h" - /* Helper for Montgomery curves */ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) #define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \ From 2585852231fb4e895dc9471f547c0e81bd97f308 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 24 Jul 2023 11:44:55 +0200 Subject: [PATCH 064/175] Factor common code into a function MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit There were two places that were calling either pk_update_ecparams() or mbedtls_ecp_group_load() depending on the same guard. Factor this into a single function, that works in both configs, so that callers don't have to worry about guards. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 67 ++++++++++++++++++----------------------------- 1 file changed, 26 insertions(+), 41 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 3fca2c44f7..d5ffc862d8 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -453,28 +453,39 @@ cleanup: } #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) -/* Functions pk_use_ecparams() and pk_use_ecparams_rfc8410() update the - * ecp_keypair structure with proper group ID. The purpose of this helper - * function is to update ec_family and ec_bits accordingly. */ -static int pk_update_psa_ecparams(mbedtls_pk_context *pk, - mbedtls_ecp_group_id grp_id) +/* + * Set the group used by this key. + */ +static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) { - psa_ecc_family_t ec_family; - size_t bits; +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + size_t ec_bits; + psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits); - ec_family = mbedtls_ecc_group_to_psa(grp_id, &bits); - - if ((pk->ec_family != 0) && (pk->ec_family != ec_family)) { + /* group may already be initialized; if so, make sure IDs match */ + if ((pk->ec_family != 0 && pk->ec_family != ec_family) || + (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) { return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; } + /* set group */ pk->ec_family = ec_family; - pk->ec_bits = bits; + pk->ec_bits = ec_bits; return 0; -} +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk); + + /* grp may already be initialized; if so, make sure IDs match */ + if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE && + mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) { + return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + } + + /* set group */ + return mbedtls_ecp_group_load(&(ecp->grp), grp_id); #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ +} /* * Use EC parameters to initialise an EC group @@ -503,22 +514,7 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *p #endif } -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - ret = pk_update_psa_ecparams(pk, grp_id); -#else - /* grp may already be initialized; if so, make sure IDs match */ - if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE && - mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) { - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - - if ((ret = mbedtls_ecp_group_load(&(mbedtls_pk_ec_rw(*pk)->grp), - grp_id)) != 0) { - return ret; - } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - - return ret; + return pk_ecc_set_group(pk, grp_id); } /* @@ -588,22 +584,11 @@ static int pk_use_ecparams_rfc8410(const mbedtls_asn1_buf *params, mbedtls_ecp_group_id grp_id, mbedtls_pk_context *pk) { - int ret; - if (params->tag != 0 || params->len != 0) { return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; } -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - ret = pk_update_psa_ecparams(pk, grp_id); -#else - mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk); - ret = mbedtls_ecp_group_load(&(ecp->grp), grp_id); - if (ret != 0) { - return ret; - } -#endif - return ret; + return pk_ecc_set_group(pk, grp_id); } /* From d5b43720121916237f4474f13e27e288c62cb8f0 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 24 Jul 2023 12:06:22 +0200 Subject: [PATCH 065/175] Slightly simplify pk_derive_public_key() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - add a comment explain potentially surprising parameters - avoid nesting #if guards: I find the linear structure #if #elif #else makes the three cases clearer. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 24 +++++++++++++++--------- 1 file changed, 15 insertions(+), 9 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index d5ffc862d8..78155ba322 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -519,24 +519,32 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *p /* * Helper function for deriving a public key from its private counterpart. + * + * Note: the private key information is always available from pk, + * however for convenience the serialized version is also passed, + * as it's available at each calling site, and useful in some configs + * (as otherwise we're have to re-serialize it from the pk context). */ static int pk_derive_public_key(mbedtls_pk_context *pk, const unsigned char *d, size_t d_len, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { - int ret; -#if defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) psa_status_t status; (void) f_rng; (void) p_rng; -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) (void) d; (void) d_len; status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), &pk->pub_raw_len); - ret = psa_pk_status_to_mbedtls(status); -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + return psa_pk_status_to_mbedtls(status); +#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */ + int ret; + psa_status_t status; + (void) f_rng; + (void) p_rng; + mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; size_t key_len; @@ -563,16 +571,14 @@ static int pk_derive_public_key(mbedtls_pk_context *pk, } else if (destruction_status != PSA_SUCCESS) { return psa_pk_status_to_mbedtls(destruction_status); } - ret = mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); #else /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; (void) d; (void) d_len; - ret = mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); + return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); #endif /* MBEDTLS_USE_PSA_CRYPTO */ - return ret; } #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) From 6db11d5068d73c56ca8bfb2a7ca68b52cc258173 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Jul 2023 11:20:48 +0200 Subject: [PATCH 066/175] Group two versions of the same code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Just moving code around. The two blocks do morally the same thing: load the key, and grouping them makes the #if #else structure clearer. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 44 +++++++++++++++++++++----------------------- 1 file changed, 21 insertions(+), 23 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 78155ba322..edcc2e2912 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -1214,11 +1214,30 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, } -#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA) +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); + /* Setting largest masks for usage and key algorithms */ + psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | + PSA_KEY_USAGE_SIGN_MESSAGE | + PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE); +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + psa_set_key_algorithm(&attributes, + PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); +#else + psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); +#endif + psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH); + + status = psa_import_key(&attributes, d, d_len, &pk->priv_id); + if (status != PSA_SUCCESS) { + ret = psa_pk_status_to_mbedtls(status); + return ret; + } +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, d, d_len)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); } -#endif +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ if (p != end) { /* @@ -1255,27 +1274,6 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, } } -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); - /* Setting largest masks for usage and key algorithms */ - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | - PSA_KEY_USAGE_SIGN_MESSAGE | - PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE); -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - psa_set_key_algorithm(&attributes, - PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); -#else - psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); -#endif - psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH); - - status = psa_import_key(&attributes, d, d_len, &pk->priv_id); - if (status != PSA_SUCCESS) { - ret = psa_pk_status_to_mbedtls(status); - return ret; - } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - if (!pubkey_done) { if ((ret = pk_derive_public_key(pk, d, d_len, f_rng, p_rng)) != 0) { return ret; From dcd98fffabeedfbff4dae473b8be368b728960af Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Jul 2023 11:58:31 +0200 Subject: [PATCH 067/175] Factor similar code into pk_ecc_set_key() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 100 ++++++++++++++++++++++++---------------------- 1 file changed, 52 insertions(+), 48 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index edcc2e2912..114a563895 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -487,6 +487,48 @@ static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ } +/* + * Set the private key material + * + * Must have already set the group with pk_ecc_set_group(). + * + * The 'key' argument points to the raw private key (no ASN.1 wrapping). + */ +static int pk_ecc_set_key(mbedtls_pk_context *pk, + unsigned char *key, size_t len) +{ +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; + + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); + psa_key_usage_t flags = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE; + if (pk->ec_family != PSA_ECC_FAMILY_MONTGOMERY) { + flags |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) + psa_set_key_enrollment_algorithm(&attributes, + PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); +#else + psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); +#endif + } + psa_set_key_usage_flags(&attributes, flags); + + status = psa_import_key(&attributes, key, len, &pk->priv_id); + return psa_pk_status_to_mbedtls(status); + +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + + mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); + int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + } + return 0; +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ +} + /* * Use EC parameters to initialise an EC group * @@ -617,27 +659,13 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; } -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; - - psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_EXPORT | - PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); - - status = psa_import_key(&attributes, key, len, &pk->priv_id); - if (status != PSA_SUCCESS) { - ret = psa_pk_status_to_mbedtls(status); + /* + * Load the private key + */ + ret = pk_ecc_set_key(pk, key, len); + if (ret != 0) { return ret; } -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); - - if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys, * which never contain a public key. As such, derive the public key @@ -1153,12 +1181,6 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, unsigned char *d; unsigned char *end = p + keylen; unsigned char *end2; -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ /* * RFC 5915, or SEC1 Appendix C.4 @@ -1213,31 +1235,13 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, } } - -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); - /* Setting largest masks for usage and key algorithms */ - psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH | - PSA_KEY_USAGE_SIGN_MESSAGE | - PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE); -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - psa_set_key_algorithm(&attributes, - PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); -#else - psa_set_key_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); -#endif - psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDH); - - status = psa_import_key(&attributes, d, d_len, &pk->priv_id); - if (status != PSA_SUCCESS) { - ret = psa_pk_status_to_mbedtls(status); + /* + * Load the private key + */ + ret = pk_ecc_set_key(pk, d, d_len); + if (ret != 0) { return ret; } -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - if ((ret = mbedtls_ecp_read_key(eck->grp.id, eck, d, d_len)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); - } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ if (p != end) { /* From 116175c5d7f2b44f5d3186e845b9881d519d53d6 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 25 Jul 2023 12:06:55 +0200 Subject: [PATCH 068/175] Use helper macro for (deterministic) ECDSA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - centralizes decision making about which version to use when - avoids nested #ifs in pk_ecc_set_key() Signed-off-by: Manuel Pégourié-Gonnard --- library/pk_internal.h | 9 +++++++-- library/pk_wrap.c | 9 ++------- library/pkparse.c | 7 ++----- 3 files changed, 11 insertions(+), 14 deletions(-) diff --git a/library/pk_internal.h b/library/pk_internal.h index 004660e094..9becbecd41 100644 --- a/library/pk_internal.h +++ b/library/pk_internal.h @@ -117,14 +117,19 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont #endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */ #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ -#if defined(MBEDTLS_TEST_HOOKS) +/* Helper for (deterministic) ECDSA */ +#if defined(MBEDTLS_ECDSA_DETERMINISTIC) +#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_DETERMINISTIC_ECDSA +#else +#define MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET PSA_ALG_ECDSA +#endif +#if defined(MBEDTLS_TEST_HOOKS) MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( mbedtls_pk_context *pk, unsigned char *key, size_t keylen, const unsigned char *pwd, size_t pwdlen, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng); - #endif #endif /* MBEDTLS_PK_INTERNAL_H */ diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 436876a5d5..53e11d5cb9 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -1037,13 +1037,8 @@ static int ecdsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg, psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(ctx->grp.id, &curve_bits); size_t key_len = PSA_BITS_TO_BYTES(curve_bits); -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) - psa_algorithm_t psa_sig_md = - PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)); -#else - psa_algorithm_t psa_sig_md = - PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)); -#endif + psa_algorithm_t psa_hash = mbedtls_md_psa_alg_from_type(md_alg); + psa_algorithm_t psa_sig_md = MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(psa_hash); ((void) f_rng); ((void) p_rng); diff --git a/library/pkparse.c b/library/pkparse.c index 114a563895..3f67786e44 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -504,14 +504,11 @@ static int pk_ecc_set_key(mbedtls_pk_context *pk, psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); psa_key_usage_t flags = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE; + /* Montgomery allows only ECDH, others ECDSA too */ if (pk->ec_family != PSA_ECC_FAMILY_MONTGOMERY) { flags |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; -#if defined(MBEDTLS_ECDSA_DETERMINISTIC) psa_set_key_enrollment_algorithm(&attributes, - PSA_ALG_DETERMINISTIC_ECDSA(PSA_ALG_ANY_HASH)); -#else - psa_set_key_enrollment_algorithm(&attributes, PSA_ALG_ECDSA(PSA_ALG_ANY_HASH)); -#endif + MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH)); } psa_set_key_usage_flags(&attributes, flags); From e82fcd9c9e01cd3b63c76e792b9136834cc38f34 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 10:53:25 +0200 Subject: [PATCH 069/175] Avoid nested #ifs in body of pk_get_ecpubkey() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 17 ++++++++--------- 1 file changed, 8 insertions(+), 9 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 3f67786e44..72eed097f1 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -675,7 +675,7 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, } #endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) && defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) /* * Create a temporary ecp_keypair for converting an EC point in compressed * format to an uncompressed one @@ -685,6 +685,7 @@ static int pk_convert_compressed_ec(mbedtls_pk_context *pk, size_t *out_buf_len, unsigned char *out_buf, size_t out_buf_size) { +#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) mbedtls_ecp_keypair ecp_key; mbedtls_ecp_group_id ecp_group_id; int ret; @@ -708,8 +709,11 @@ static int pk_convert_compressed_ec(mbedtls_pk_context *pk, exit: mbedtls_ecp_keypair_free(&ecp_key); return ret; +#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; +#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA && MBEDTLS_PK_PARSE_EC_COMPRESSED */ +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ /* * EC public key is an EC point @@ -732,20 +736,15 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - /* Compressed point format are not supported yet by PSA crypto. As a - * consequence ecp functions are used to "convert" the point to - * uncompressed format */ if ((**p == 0x02) || (**p == 0x03)) { -#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) + /* Compressed format, not supported by PSA Crypto. + * Try converting using functions from ECP_LIGHT. */ ret = pk_convert_compressed_ec(pk, *p, len, &(pk->pub_raw_len), pk->pub_raw, PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); if (ret != 0) { return ret; } -#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ - return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; -#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ } else { /* Uncompressed format */ if ((size_t) (end - *p) > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { From df151bbc37c47c9da99ecf7eca8e127e521038db Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 11:06:46 +0200 Subject: [PATCH 070/175] Minor improvements to pk_ecc_read_compressed() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - new name starting with pk_ecc for consistency - re-order params to match the PSA convention: buf, len, &size - add comment about input consumption Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 29 +++++++++++++++++------------ 1 file changed, 17 insertions(+), 12 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 72eed097f1..3fa1a84227 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -679,11 +679,14 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, /* * Create a temporary ecp_keypair for converting an EC point in compressed * format to an uncompressed one + * + * Consumes everything or fails - inherited from + * mbedtls_ecp_point_read_binary(). */ -static int pk_convert_compressed_ec(mbedtls_pk_context *pk, - const unsigned char *in_start, size_t in_len, - size_t *out_buf_len, unsigned char *out_buf, - size_t out_buf_size) +static int pk_ecc_read_compressed(mbedtls_pk_context *pk, + const unsigned char *in_start, size_t in_len, + unsigned char *out_buf, size_t out_buf_size, + size_t *out_buf_len) { #if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) mbedtls_ecp_keypair ecp_key; @@ -730,7 +733,7 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) mbedtls_svc_key_id_t key; psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; - size_t len = (end - *p); + size_t len = (size_t) (end - *p); if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; @@ -739,19 +742,20 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, if ((**p == 0x02) || (**p == 0x03)) { /* Compressed format, not supported by PSA Crypto. * Try converting using functions from ECP_LIGHT. */ - ret = pk_convert_compressed_ec(pk, *p, len, - &(pk->pub_raw_len), pk->pub_raw, - PSA_EXPORT_PUBLIC_KEY_MAX_SIZE); + ret = pk_ecc_read_compressed(pk, *p, len, + pk->pub_raw, + PSA_EXPORT_PUBLIC_KEY_MAX_SIZE, + &pk->pub_raw_len); if (ret != 0) { return ret; } } else { /* Uncompressed format */ - if ((size_t) (end - *p) > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { + if (len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } - memcpy(pk->pub_raw, *p, (end - *p)); - pk->pub_raw_len = end - *p; + memcpy(pk->pub_raw, *p, len); + pk->pub_raw_len = len; } /* Validate the key by trying to importing it */ @@ -778,7 +782,8 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ /* - * We know mbedtls_ecp_point_read_binary consumed all bytes or failed + * We know mbedtls_ecp_point_read_binary and pk_ecc_read_compressed either + * consumed all bytes or failed, and memcpy consumed all bytes too. */ *p = (unsigned char *) end; From 212517b87d72fb96145e066535f3a895884ea701 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 12:05:38 +0200 Subject: [PATCH 071/175] Start re-ordering functions in pkparse MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The general order is low-level first, top-level last, for the sake of static function and avoiding forward declarations. The obvious exception was functions that parse files that were at the beginning; move them to the end. Also start defining sections in the file; this is incomplete as I don't have a clear view of the beginning of the file yet. Will continue in further commits. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 222 +++++++++++++++++++++++++--------------------- 1 file changed, 120 insertions(+), 102 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 3fa1a84227..fbf8cbfc11 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -61,108 +61,6 @@ ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448)) #endif /* MBEDTLS_PK_HAVE_ECC_KEYS && MBEDTLS_PK_HAVE_RFC8410_CURVES */ -#if defined(MBEDTLS_FS_IO) -/* - * Load all data from a file into a given buffer. - * - * The file is expected to contain either PEM or DER encoded data. - * A terminating null byte is always appended. It is included in the announced - * length only if the data looks like it is PEM encoded. - */ -int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) -{ - FILE *f; - long size; - - if ((f = fopen(path, "rb")) == NULL) { - return MBEDTLS_ERR_PK_FILE_IO_ERROR; - } - - /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */ - mbedtls_setbuf(f, NULL); - - fseek(f, 0, SEEK_END); - if ((size = ftell(f)) == -1) { - fclose(f); - return MBEDTLS_ERR_PK_FILE_IO_ERROR; - } - fseek(f, 0, SEEK_SET); - - *n = (size_t) size; - - if (*n + 1 == 0 || - (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { - fclose(f); - return MBEDTLS_ERR_PK_ALLOC_FAILED; - } - - if (fread(*buf, 1, *n, f) != *n) { - fclose(f); - - mbedtls_zeroize_and_free(*buf, *n); - - return MBEDTLS_ERR_PK_FILE_IO_ERROR; - } - - fclose(f); - - (*buf)[*n] = '\0'; - - if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { - ++*n; - } - - return 0; -} - -/* - * Load and parse a private key - */ -int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx, - const char *path, const char *pwd, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t n; - unsigned char *buf; - - if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { - return ret; - } - - if (pwd == NULL) { - ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng); - } else { - ret = mbedtls_pk_parse_key(ctx, buf, n, - (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng); - } - - mbedtls_zeroize_and_free(buf, n); - - return ret; -} - -/* - * Load and parse a public key - */ -int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - size_t n; - unsigned char *buf; - - if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { - return ret; - } - - ret = mbedtls_pk_parse_public_key(ctx, buf, n); - - mbedtls_zeroize_and_free(buf, n); - - return ret; -} -#endif /* MBEDTLS_FS_IO */ - #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf * @@ -1289,6 +1187,12 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, } #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ +/*********************************************************************** + * + * PKCS#8 parsing functions + * + **********************************************************************/ + /* * Parse an unencrypted PKCS#8 encoded private key * @@ -1524,6 +1428,12 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( } #endif /* MBEDTLS_PKCS12_C || MBEDTLS_PKCS5_C */ +/*********************************************************************** + * + * Top-level functions, with format auto-discovery + * + **********************************************************************/ + /* * Parse a private key */ @@ -1843,4 +1753,112 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx, return ret; } +/*********************************************************************** + * + * Top-level functions, with filesystem support + * + **********************************************************************/ + +#if defined(MBEDTLS_FS_IO) +/* + * Load all data from a file into a given buffer. + * + * The file is expected to contain either PEM or DER encoded data. + * A terminating null byte is always appended. It is included in the announced + * length only if the data looks like it is PEM encoded. + */ +int mbedtls_pk_load_file(const char *path, unsigned char **buf, size_t *n) +{ + FILE *f; + long size; + + if ((f = fopen(path, "rb")) == NULL) { + return MBEDTLS_ERR_PK_FILE_IO_ERROR; + } + + /* Ensure no stdio buffering of secrets, as such buffers cannot be wiped. */ + mbedtls_setbuf(f, NULL); + + fseek(f, 0, SEEK_END); + if ((size = ftell(f)) == -1) { + fclose(f); + return MBEDTLS_ERR_PK_FILE_IO_ERROR; + } + fseek(f, 0, SEEK_SET); + + *n = (size_t) size; + + if (*n + 1 == 0 || + (*buf = mbedtls_calloc(1, *n + 1)) == NULL) { + fclose(f); + return MBEDTLS_ERR_PK_ALLOC_FAILED; + } + + if (fread(*buf, 1, *n, f) != *n) { + fclose(f); + + mbedtls_zeroize_and_free(*buf, *n); + + return MBEDTLS_ERR_PK_FILE_IO_ERROR; + } + + fclose(f); + + (*buf)[*n] = '\0'; + + if (strstr((const char *) *buf, "-----BEGIN ") != NULL) { + ++*n; + } + + return 0; +} + +/* + * Load and parse a private key + */ +int mbedtls_pk_parse_keyfile(mbedtls_pk_context *ctx, + const char *path, const char *pwd, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t n; + unsigned char *buf; + + if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { + return ret; + } + + if (pwd == NULL) { + ret = mbedtls_pk_parse_key(ctx, buf, n, NULL, 0, f_rng, p_rng); + } else { + ret = mbedtls_pk_parse_key(ctx, buf, n, + (const unsigned char *) pwd, strlen(pwd), f_rng, p_rng); + } + + mbedtls_zeroize_and_free(buf, n); + + return ret; +} + +/* + * Load and parse a public key + */ +int mbedtls_pk_parse_public_keyfile(mbedtls_pk_context *ctx, const char *path) +{ + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t n; + unsigned char *buf; + + if ((ret = mbedtls_pk_load_file(path, &buf, &n)) != 0) { + return ret; + } + + ret = mbedtls_pk_parse_public_key(ctx, buf, n); + + mbedtls_zeroize_and_free(buf, n); + + return ret; +} +#endif /* MBEDTLS_FS_IO */ + #endif /* MBEDTLS_PK_PARSE_C */ From 997a95e5926d4ef64836e8702fe2d00c955b9878 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 15:18:30 +0200 Subject: [PATCH 072/175] Merge two consecutive #ifs MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index fbf8cbfc11..98094a36fe 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -55,13 +55,14 @@ #include "mbedtls/pkcs12.h" #endif +#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) + /* Helper for Montgomery curves */ -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) +#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) #define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \ ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448)) -#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && MBEDTLS_PK_HAVE_RFC8410_CURVES */ +#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ -#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf * * ECParameters ::= CHOICE { From 5470898e37875e2cf29019c4e66322f8a4ba5e69 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 15:38:36 +0200 Subject: [PATCH 073/175] Move code around again MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 566 ++++++++++++++++++++++++---------------------- 1 file changed, 292 insertions(+), 274 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 98094a36fe..5a35c43fbb 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -57,56 +57,274 @@ #if defined(MBEDTLS_PK_HAVE_ECC_KEYS) -/* Helper for Montgomery curves */ -#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) -#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \ - ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448)) -#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ - -/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf +/*********************************************************************** * - * ECParameters ::= CHOICE { - * namedCurve OBJECT IDENTIFIER - * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } - * -- implicitCurve NULL - * } + * ECC setters + * + * 1. This is an abstraction layer around MBEDTLS_PK_USE_PSA_EC_DATA: + * this macro will not appear outside this section. + * 2. All inputs are raw: no metadata, no ASN.1 until the next section. + * + **********************************************************************/ + +/* + * Set the group used by this key. */ -static int pk_get_ecparams(unsigned char **p, const unsigned char *end, - mbedtls_asn1_buf *params) +static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) +{ +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + size_t ec_bits; + psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits); + + /* group may already be initialized; if so, make sure IDs match */ + if ((pk->ec_family != 0 && pk->ec_family != ec_family) || + (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) { + return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + } + + /* set group */ + pk->ec_family = ec_family; + pk->ec_bits = ec_bits; + + return 0; +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk); + + /* grp may already be initialized; if so, make sure IDs match */ + if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE && + mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) { + return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; + } + + /* set group */ + return mbedtls_ecp_group_load(&(ecp->grp), grp_id); +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ +} + +/* + * Set the private key material + * + * Must have already set the group with pk_ecc_set_group(). + * + * The 'key' argument points to the raw private key (no ASN.1 wrapping). + */ +static int pk_ecc_set_key(mbedtls_pk_context *pk, + unsigned char *key, size_t len) +{ +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_status_t status; + + psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); + psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); + psa_key_usage_t flags = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE; + /* Montgomery allows only ECDH, others ECDSA too */ + if (pk->ec_family != PSA_ECC_FAMILY_MONTGOMERY) { + flags |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; + psa_set_key_enrollment_algorithm(&attributes, + MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH)); + } + psa_set_key_usage_flags(&attributes, flags); + + status = psa_import_key(&attributes, key, len, &pk->priv_id); + return psa_pk_status_to_mbedtls(status); + +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + + mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); + int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len); + if (ret != 0) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + } + return 0; +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ +} + +/* + * Helper function for deriving a public key from its private counterpart. + * + * Note: the private key information is always available from pk, + * however for convenience the serialized version is also passed, + * as it's available at each calling site, and useful in some configs + * (as otherwise we're have to re-serialize it from the pk context). + */ +static int pk_derive_public_key(mbedtls_pk_context *pk, + const unsigned char *d, size_t d_len, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) +{ +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + psa_status_t status; + (void) f_rng; + (void) p_rng; + (void) d; + (void) d_len; + + status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), + &pk->pub_raw_len); + return psa_pk_status_to_mbedtls(status); +#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */ + int ret; + psa_status_t status; + (void) f_rng; + (void) p_rng; + + mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; + unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; + size_t key_len; + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; + size_t curve_bits; + psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits); + psa_status_t destruction_status; + + psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); + psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT); + + status = psa_import_key(&key_attr, d, d_len, &key_id); + ret = psa_pk_status_to_mbedtls(status); + if (ret != 0) { + return ret; + } + + status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len); + ret = psa_pk_status_to_mbedtls(status); + destruction_status = psa_destroy_key(key_id); + if (ret != 0) { + return ret; + } else if (destruction_status != PSA_SUCCESS) { + return psa_pk_status_to_mbedtls(destruction_status); + } + return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); +#else /* MBEDTLS_USE_PSA_CRYPTO */ + mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; + (void) d; + (void) d_len; + + return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); +#endif /* MBEDTLS_USE_PSA_CRYPTO */ +} + +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) +/* + * Create a temporary ecp_keypair for converting an EC point in compressed + * format to an uncompressed one + * + * Consumes everything or fails - inherited from + * mbedtls_ecp_point_read_binary(). + */ +static int pk_ecc_read_compressed(mbedtls_pk_context *pk, + const unsigned char *in_start, size_t in_len, + unsigned char *out_buf, size_t out_buf_size, + size_t *out_buf_len) +{ +#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) + mbedtls_ecp_keypair ecp_key; + mbedtls_ecp_group_id ecp_group_id; + int ret; + + ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0); + + mbedtls_ecp_keypair_init(&ecp_key); + ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id); + if (ret != 0) { + return ret; + } + ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q, + in_start, in_len); + if (ret != 0) { + goto exit; + } + ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q, + MBEDTLS_ECP_PF_UNCOMPRESSED, + out_buf_len, out_buf, out_buf_size); + +exit: + mbedtls_ecp_keypair_free(&ecp_key); + return ret; +#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; +#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ +} +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ + +/* + * EC public key is an EC point + * + * The caller is responsible for clearing the structure upon failure if + * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE + * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. + */ +static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, + mbedtls_pk_context *pk) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - if (end - *p < 1) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, - MBEDTLS_ERR_ASN1_OUT_OF_DATA); +#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) + mbedtls_svc_key_id_t key; + psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; + size_t len = (size_t) (end - *p); + + if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - /* Tag may be either OID or SEQUENCE */ - params->tag = **p; - if (params->tag != MBEDTLS_ASN1_OID -#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) - && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) -#endif - ) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, - MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); + if ((**p == 0x02) || (**p == 0x03)) { + /* Compressed format, not supported by PSA Crypto. + * Try converting using functions from ECP_LIGHT. */ + ret = pk_ecc_read_compressed(pk, *p, len, + pk->pub_raw, + PSA_EXPORT_PUBLIC_KEY_MAX_SIZE, + &pk->pub_raw_len); + if (ret != 0) { + return ret; + } + } else { + /* Uncompressed format */ + if (len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { + return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; + } + memcpy(pk->pub_raw, *p, len); + pk->pub_raw_len = len; } - if ((ret = mbedtls_asn1_get_tag(p, end, ¶ms->len, params->tag)) != 0) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); + /* Validate the key by trying to importing it */ + psa_set_key_usage_flags(&key_attrs, 0); + psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY); + psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)); + psa_set_key_bits(&key_attrs, pk->ec_bits); + + if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len, + &key) != PSA_SUCCESS) || + (psa_destroy_key(key) != PSA_SUCCESS)) { + mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN); + pk->pub_raw_len = 0; + return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - - params->p = *p; - *p += params->len; - - if (*p != end) { - return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, - MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + ret = 0; +#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx; + if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, + (const unsigned char *) *p, + end - *p)) == 0) { + ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q); } +#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - return 0; + /* + * We know mbedtls_ecp_point_read_binary and pk_ecc_read_compressed either + * consumed all bytes or failed, and memcpy consumed all bytes too. + */ + *p = (unsigned char *) end; + + return ret; } +/*********************************************************************** + * + * Unsorted (yet!) from this point on until the next section header + * + **********************************************************************/ + #if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) /* * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. @@ -352,77 +570,49 @@ cleanup: } #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ -/* - * Set the group used by this key. - */ -static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) -{ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - size_t ec_bits; - psa_ecc_family_t ec_family = mbedtls_ecc_group_to_psa(grp_id, &ec_bits); - /* group may already be initialized; if so, make sure IDs match */ - if ((pk->ec_family != 0 && pk->ec_family != ec_family) || - (pk->ec_bits != 0 && pk->ec_bits != ec_bits)) { - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - - /* set group */ - pk->ec_family = ec_family; - pk->ec_bits = ec_bits; - - return 0; -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - mbedtls_ecp_keypair *ecp = mbedtls_pk_ec_rw(*pk); - - /* grp may already be initialized; if so, make sure IDs match */ - if (mbedtls_pk_ec_ro(*pk)->grp.id != MBEDTLS_ECP_DP_NONE && - mbedtls_pk_ec_ro(*pk)->grp.id != grp_id) { - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; - } - - /* set group */ - return mbedtls_ecp_group_load(&(ecp->grp), grp_id); -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ -} - -/* - * Set the private key material +/* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf * - * Must have already set the group with pk_ecc_set_group(). - * - * The 'key' argument points to the raw private key (no ASN.1 wrapping). + * ECParameters ::= CHOICE { + * namedCurve OBJECT IDENTIFIER + * specifiedCurve SpecifiedECDomain -- = SEQUENCE { ... } + * -- implicitCurve NULL + * } */ -static int pk_ecc_set_key(mbedtls_pk_context *pk, - unsigned char *key, size_t len) +static int pk_get_ecparams(unsigned char **p, const unsigned char *end, + mbedtls_asn1_buf *params) { -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_status_t status; + int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_set_key_type(&attributes, PSA_KEY_TYPE_ECC_KEY_PAIR(pk->ec_family)); - psa_set_key_algorithm(&attributes, PSA_ALG_ECDH); - psa_key_usage_t flags = PSA_KEY_USAGE_EXPORT | PSA_KEY_USAGE_DERIVE; - /* Montgomery allows only ECDH, others ECDSA too */ - if (pk->ec_family != PSA_ECC_FAMILY_MONTGOMERY) { - flags |= PSA_KEY_USAGE_SIGN_HASH | PSA_KEY_USAGE_SIGN_MESSAGE; - psa_set_key_enrollment_algorithm(&attributes, - MBEDTLS_PK_PSA_ALG_ECDSA_MAYBE_DET(PSA_ALG_ANY_HASH)); + if (end - *p < 1) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_OUT_OF_DATA); } - psa_set_key_usage_flags(&attributes, flags); - status = psa_import_key(&attributes, key, len, &pk->priv_id); - return psa_pk_status_to_mbedtls(status); + /* Tag may be either OID or SEQUENCE */ + params->tag = **p; + if (params->tag != MBEDTLS_ASN1_OID +#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) + && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) +#endif + ) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); + } -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - - mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); - int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len); - if (ret != 0) { + if ((ret = mbedtls_asn1_get_tag(p, end, ¶ms->len, params->tag)) != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); } + + params->p = *p; + *p += params->len; + + if (*p != end) { + return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, + MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); + } + return 0; -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ } /* @@ -455,70 +645,6 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *p return pk_ecc_set_group(pk, grp_id); } -/* - * Helper function for deriving a public key from its private counterpart. - * - * Note: the private key information is always available from pk, - * however for convenience the serialized version is also passed, - * as it's available at each calling site, and useful in some configs - * (as otherwise we're have to re-serialize it from the pk context). - */ -static int pk_derive_public_key(mbedtls_pk_context *pk, - const unsigned char *d, size_t d_len, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) -{ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_status_t status; - (void) f_rng; - (void) p_rng; - (void) d; - (void) d_len; - - status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), - &pk->pub_raw_len); - return psa_pk_status_to_mbedtls(status); -#elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */ - int ret; - psa_status_t status; - (void) f_rng; - (void) p_rng; - - mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; - unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; - size_t key_len; - mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - size_t curve_bits; - psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits); - psa_status_t destruction_status; - - psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); - psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT); - - status = psa_import_key(&key_attr, d, d_len, &key_id); - ret = psa_pk_status_to_mbedtls(status); - if (ret != 0) { - return ret; - } - - status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len); - ret = psa_pk_status_to_mbedtls(status); - destruction_status = psa_destroy_key(key_id); - if (ret != 0) { - return ret; - } else if (destruction_status != PSA_SUCCESS) { - return psa_pk_status_to_mbedtls(destruction_status); - } - return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); -#else /* MBEDTLS_USE_PSA_CRYPTO */ - mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; - (void) d; - (void) d_len; - - return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -} - #if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) /* @@ -574,120 +700,6 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, } #endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) -/* - * Create a temporary ecp_keypair for converting an EC point in compressed - * format to an uncompressed one - * - * Consumes everything or fails - inherited from - * mbedtls_ecp_point_read_binary(). - */ -static int pk_ecc_read_compressed(mbedtls_pk_context *pk, - const unsigned char *in_start, size_t in_len, - unsigned char *out_buf, size_t out_buf_size, - size_t *out_buf_len) -{ -#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) - mbedtls_ecp_keypair ecp_key; - mbedtls_ecp_group_id ecp_group_id; - int ret; - - ecp_group_id = mbedtls_ecc_group_of_psa(pk->ec_family, pk->ec_bits, 0); - - mbedtls_ecp_keypair_init(&ecp_key); - ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id); - if (ret != 0) { - return ret; - } - ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q, - in_start, in_len); - if (ret != 0) { - goto exit; - } - ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q, - MBEDTLS_ECP_PF_UNCOMPRESSED, - out_buf_len, out_buf, out_buf_size); - -exit: - mbedtls_ecp_keypair_free(&ecp_key); - return ret; -#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ - return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; -#endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ -} -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - -/* - * EC public key is an EC point - * - * The caller is responsible for clearing the structure upon failure if - * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE - * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. - */ -static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, - mbedtls_pk_context *pk) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - -#if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - mbedtls_svc_key_id_t key; - psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; - size_t len = (size_t) (end - *p); - - if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - - if ((**p == 0x02) || (**p == 0x03)) { - /* Compressed format, not supported by PSA Crypto. - * Try converting using functions from ECP_LIGHT. */ - ret = pk_ecc_read_compressed(pk, *p, len, - pk->pub_raw, - PSA_EXPORT_PUBLIC_KEY_MAX_SIZE, - &pk->pub_raw_len); - if (ret != 0) { - return ret; - } - } else { - /* Uncompressed format */ - if (len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { - return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; - } - memcpy(pk->pub_raw, *p, len); - pk->pub_raw_len = len; - } - - /* Validate the key by trying to importing it */ - psa_set_key_usage_flags(&key_attrs, 0); - psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY); - psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)); - psa_set_key_bits(&key_attrs, pk->ec_bits); - - if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len, - &key) != PSA_SUCCESS) || - (psa_destroy_key(key) != PSA_SUCCESS)) { - mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN); - pk->pub_raw_len = 0; - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - ret = 0; -#else /* MBEDTLS_PK_USE_PSA_EC_DATA */ - mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx; - if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, - (const unsigned char *) *p, - end - *p)) == 0) { - ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q); - } -#endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - - /* - * We know mbedtls_ecp_point_read_binary and pk_ecc_read_compressed either - * consumed all bytes or failed, and memcpy consumed all bytes too. - */ - *p = (unsigned char *) end; - - return ret; -} #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ #if defined(MBEDTLS_RSA_C) @@ -799,6 +811,12 @@ static int pk_get_pk_alg(unsigned char **p, return 0; } +/* Helper for Montgomery curves */ +#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES) +#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \ + ((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448)) +#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */ + /* * SubjectPublicKeyInfo ::= SEQUENCE { * algorithm AlgorithmIdentifier, From d1aa64239443ec4de20c0571f2dc56b50afa2586 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 22:24:23 +0200 Subject: [PATCH 074/175] Document pk_ecc_set_group() and pk_ecc_set_key() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 16 ++++++++++------ 1 file changed, 10 insertions(+), 6 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 5a35c43fbb..a123743582 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -69,6 +69,10 @@ /* * Set the group used by this key. + * + * [in/out] pk: in: must have been pk_setup() to an ECC type + * out: will have group (curve) information set + * [in] grp_in: a supported group ID (not NONE) */ static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) { @@ -104,12 +108,12 @@ static int pk_ecc_set_group(mbedtls_pk_context *pk, mbedtls_ecp_group_id grp_id) /* * Set the private key material * - * Must have already set the group with pk_ecc_set_group(). - * - * The 'key' argument points to the raw private key (no ASN.1 wrapping). + * [in/out] pk: in: must have the group set already, see pk_ecc_set_group(). + * out: will have the private key set. + * [in] key, key_len: the raw private key (no ASN.1 wrapping). */ static int pk_ecc_set_key(mbedtls_pk_context *pk, - unsigned char *key, size_t len) + unsigned char *key, size_t key_len) { #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; @@ -126,13 +130,13 @@ static int pk_ecc_set_key(mbedtls_pk_context *pk, } psa_set_key_usage_flags(&attributes, flags); - status = psa_import_key(&attributes, key, len, &pk->priv_id); + status = psa_import_key(&attributes, key, key_len, &pk->priv_id); return psa_pk_status_to_mbedtls(status); #else /* MBEDTLS_PK_USE_PSA_EC_DATA */ mbedtls_ecp_keypair *eck = mbedtls_pk_ec_rw(*pk); - int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, len); + int ret = mbedtls_ecp_read_key(eck->grp.id, eck, key, key_len); if (ret != 0) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, ret); } From de25194a20a978a253f8804f47c7cbcf7c402ef8 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 22:33:58 +0200 Subject: [PATCH 075/175] Rename and document pk_ecc_set_pubkey_from_prv() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 33 ++++++++++++++++++++++----------- 1 file changed, 22 insertions(+), 11 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index a123743582..007e1fc03f 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -145,23 +145,34 @@ static int pk_ecc_set_key(mbedtls_pk_context *pk, } /* - * Helper function for deriving a public key from its private counterpart. + * Derive a public key from its private counterpart. + * Computationally intensive, only use when public key is not available. + * + * [in/out] pk: in: must have the private key set, see pk_ecc_set_key(). + * out: will have the public key set. + * [in] prv, prv_len: the raw private key (see note below). + * [in] f_rng, p_rng: RNG function and context. * * Note: the private key information is always available from pk, * however for convenience the serialized version is also passed, * as it's available at each calling site, and useful in some configs * (as otherwise we're have to re-serialize it from the pk context). + * + * There are three implementations of this function: + * 1. MBEDTLS_PK_USE_PSA_EC_DATA, + * 2. MBEDTLS_USE_PSA_CRYPTO but not MBEDTLS_PK_USE_PSA_EC_DATA, + * 3. not MBEDTLS_USE_PSA_CRYPTO. */ -static int pk_derive_public_key(mbedtls_pk_context *pk, - const unsigned char *d, size_t d_len, - int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) +static int pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk, + const unsigned char *prv, size_t prv_len, + int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) psa_status_t status; (void) f_rng; (void) p_rng; - (void) d; - (void) d_len; + (void) prv; + (void) prv_len; status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), &pk->pub_raw_len); @@ -184,7 +195,7 @@ static int pk_derive_public_key(mbedtls_pk_context *pk, psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT); - status = psa_import_key(&key_attr, d, d_len, &key_id); + status = psa_import_key(&key_attr, prv, prv_len, &key_id); ret = psa_pk_status_to_mbedtls(status); if (ret != 0) { return ret; @@ -201,8 +212,8 @@ static int pk_derive_public_key(mbedtls_pk_context *pk, return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); #else /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; - (void) d; - (void) d_len; + (void) prv; + (void) prv_len; return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); #endif /* MBEDTLS_USE_PSA_CRYPTO */ @@ -696,7 +707,7 @@ static int pk_parse_key_rfc8410_der(mbedtls_pk_context *pk, /* pk_parse_key_pkcs8_unencrypted_der() only supports version 1 PKCS8 keys, * which never contain a public key. As such, derive the public key * unconditionally. */ - if ((ret = pk_derive_public_key(pk, key, len, f_rng, p_rng)) != 0) { + if ((ret = pk_ecc_set_pubkey_from_prv(pk, key, len, f_rng, p_rng)) != 0) { return ret; } @@ -1201,7 +1212,7 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, } if (!pubkey_done) { - if ((ret = pk_derive_public_key(pk, d, d_len, f_rng, p_rng)) != 0) { + if ((ret = pk_ecc_set_pubkey_from_prv(pk, d, d_len, f_rng, p_rng)) != 0) { return ret; } } From 0b8e45650f0b8d322a823b61ad9a90a2e7cbbbfd Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 22:43:25 +0200 Subject: [PATCH 076/175] Tune body of pk_ecc_set_pubkey_from_prv() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - avoid useless use of ret in PSA code, keep only status - improve variable names - keep declarations closer to use - a few internal comments Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 43 ++++++++++++++++++++++++------------------- 1 file changed, 24 insertions(+), 19 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 007e1fc03f..826412a54e 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -168,54 +168,59 @@ static int pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk, int (*f_rng)(void *, unsigned char *, size_t), void *p_rng) { #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - psa_status_t status; + (void) f_rng; (void) p_rng; (void) prv; (void) prv_len; + psa_status_t status; status = psa_export_public_key(pk->priv_id, pk->pub_raw, sizeof(pk->pub_raw), &pk->pub_raw_len); return psa_pk_status_to_mbedtls(status); + #elif defined(MBEDTLS_USE_PSA_CRYPTO) /* && !MBEDTLS_PK_USE_PSA_EC_DATA */ - int ret; - psa_status_t status; + (void) f_rng; (void) p_rng; + psa_status_t status; mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; - unsigned char key_buf[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; - size_t key_len; - mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; - psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; size_t curve_bits; psa_ecc_family_t curve = mbedtls_ecc_group_to_psa(eck->grp.id, &curve_bits); - psa_status_t destruction_status; + /* Import private key into PSA, from serialized input */ + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_type(&key_attr, PSA_KEY_TYPE_ECC_KEY_PAIR(curve)); psa_set_key_usage_flags(&key_attr, PSA_KEY_USAGE_EXPORT); - status = psa_import_key(&key_attr, prv, prv_len, &key_id); - ret = psa_pk_status_to_mbedtls(status); - if (ret != 0) { - return ret; + if (status != PSA_SUCCESS) { + return psa_pk_status_to_mbedtls(status); } - status = psa_export_public_key(key_id, key_buf, sizeof(key_buf), &key_len); - ret = psa_pk_status_to_mbedtls(status); - destruction_status = psa_destroy_key(key_id); - if (ret != 0) { - return ret; + /* Export public key from PSA */ + unsigned char pub[MBEDTLS_PSA_MAX_EC_PUBKEY_LENGTH]; + size_t pub_len; + status = psa_export_public_key(key_id, pub, sizeof(pub), &pub_len); + psa_status_t destruction_status = psa_destroy_key(key_id); + if (status != PSA_SUCCESS) { + return psa_pk_status_to_mbedtls(status); } else if (destruction_status != PSA_SUCCESS) { return psa_pk_status_to_mbedtls(destruction_status); } - return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, key_buf, key_len); + + /* Load serialized public key into ecp_keypair structure */ + return mbedtls_ecp_point_read_binary(&eck->grp, &eck->Q, pub, pub_len); + #else /* MBEDTLS_USE_PSA_CRYPTO */ - mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; + (void) prv; (void) prv_len; + mbedtls_ecp_keypair *eck = (mbedtls_ecp_keypair *) pk->pk_ctx; return mbedtls_ecp_mul(&eck->grp, &eck->Q, &eck->d, &eck->grp.G, f_rng, p_rng); + #endif /* MBEDTLS_USE_PSA_CRYPTO */ } From 681e30b7275c408549db58a20c8a999c98ab4fce Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 23:03:35 +0200 Subject: [PATCH 077/175] Rework pk_ecc_set_pubkey_psa_ecp_fallback() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - new semantic: sets the pubkey directly in the PK context - new name to reflect that semantic and obey the naming scheme - trivial case first - documentation and better parameter names Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 38 +++++++++++++++++++++----------------- 1 file changed, 21 insertions(+), 17 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 826412a54e..91f56062d3 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -226,18 +226,26 @@ static int pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk, #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) /* - * Create a temporary ecp_keypair for converting an EC point in compressed - * format to an uncompressed one + * Set the public key: fallback using ECP_LIGHT in the USE_PSA_EC_DATA case. * - * Consumes everything or fails - inherited from - * mbedtls_ecp_point_read_binary(). + * Normally, when MBEDTLS_PK_USE_PSA_EC_DATA is enabled, we only use PSA + * functions to handle keys. However, currently psa_import_key() does not + * support compressed points. In case that support was explicitly requested, + * this fallback uses ECP functions to get the job done. This is the reason + * why MBEDTLS_PK_PARSE_EC_COMPRESSED auto-enables MBEDTLS_ECP_LIGHT. + * + * [in/out] pk: in: must have the group set, see pk_ecc_set_group(). + * out: will have the public key set. + * [in] pub, pub_len: the public key as an ECPoint, + * in any format supported by ECP. */ -static int pk_ecc_read_compressed(mbedtls_pk_context *pk, - const unsigned char *in_start, size_t in_len, - unsigned char *out_buf, size_t out_buf_size, - size_t *out_buf_len) +static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk, + const unsigned char *pub, + size_t pub_len) { -#if defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) +#if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) + return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; +#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ mbedtls_ecp_keypair ecp_key; mbedtls_ecp_group_id ecp_group_id; int ret; @@ -250,19 +258,18 @@ static int pk_ecc_read_compressed(mbedtls_pk_context *pk, return ret; } ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q, - in_start, in_len); + pub, pub_len); if (ret != 0) { goto exit; } ret = mbedtls_ecp_point_write_binary(&(ecp_key.grp), &ecp_key.Q, MBEDTLS_ECP_PF_UNCOMPRESSED, - out_buf_len, out_buf, out_buf_size); + &pk->pub_raw_len, pk->pub_raw, + sizeof(pk->pub_raw)); exit: mbedtls_ecp_keypair_free(&ecp_key); return ret; -#else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ - return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; #endif /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ } #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ @@ -291,10 +298,7 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, if ((**p == 0x02) || (**p == 0x03)) { /* Compressed format, not supported by PSA Crypto. * Try converting using functions from ECP_LIGHT. */ - ret = pk_ecc_read_compressed(pk, *p, len, - pk->pub_raw, - PSA_EXPORT_PUBLIC_KEY_MAX_SIZE, - &pk->pub_raw_len); + ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, *p, len); if (ret != 0) { return ret; } From e4c883bc8cc64141b764b30ad0bc5c820e6831d3 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 23:31:01 +0200 Subject: [PATCH 078/175] New signature for pk_ecc_set_pubkey() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Also new name, for consistency, and documentation. The signature **p, *end is mostly for parsing functions that may not consume everything, and need to update the "current" pointer to reflect what has been consumed. This is not the case here. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 42 +++++++++++++++++------------------------- 1 file changed, 17 insertions(+), 25 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 91f56062d3..f897c1e8c1 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -275,40 +275,39 @@ exit: #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ /* - * EC public key is an EC point + * Set the public key. * - * The caller is responsible for clearing the structure upon failure if - * desired. Take care to pass along the possible ECP_FEATURE_UNAVAILABLE - * return code of mbedtls_ecp_point_read_binary() and leave p in a usable state. + * [in/out] pk: in: must have its group set, see pk_ecc_set_group(). + * out: will have the public key set. + * [in] pub, pub_len: the raw public key (an ECPoint). */ -static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, - mbedtls_pk_context *pk) +static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, + const unsigned char *pub, size_t pub_len) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) mbedtls_svc_key_id_t key; psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; - size_t len = (size_t) (end - *p); - if (len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { + if (pub_len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { return MBEDTLS_ERR_PK_BAD_INPUT_DATA; } - if ((**p == 0x02) || (**p == 0x03)) { + if ((*pub == 0x02) || (*pub == 0x03)) { /* Compressed format, not supported by PSA Crypto. * Try converting using functions from ECP_LIGHT. */ - ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, *p, len); + ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len); if (ret != 0) { return ret; } } else { /* Uncompressed format */ - if (len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { + if (pub_len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } - memcpy(pk->pub_raw, *p, len); - pk->pub_raw_len = len; + memcpy(pk->pub_raw, pub, pub_len); + pk->pub_raw_len = pub_len; } /* Validate the key by trying to importing it */ @@ -328,18 +327,10 @@ static int pk_get_ecpubkey(unsigned char **p, const unsigned char *end, #else /* MBEDTLS_PK_USE_PSA_EC_DATA */ mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx; if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, - (const unsigned char *) *p, - end - *p)) == 0) { + pub, pub_len)) == 0) { ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q); } #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - - /* - * We know mbedtls_ecp_point_read_binary and pk_ecc_read_compressed either - * consumed all bytes or failed, and memcpy consumed all bytes too. - */ - *p = (unsigned char *) end; - return ret; } @@ -900,7 +891,8 @@ int mbedtls_pk_parse_subpubkey(unsigned char **p, const unsigned char *end, ret = pk_use_ecparams(&alg_params, pk); } if (ret == 0) { - ret = pk_get_ecpubkey(p, end, pk); + ret = pk_ecc_set_pubkey(pk, *p, end - *p); + *p += end - *p; } } else #endif /* MBEDTLS_PK_HAVE_ECC_KEYS */ @@ -1204,11 +1196,11 @@ static int pk_parse_key_sec1_der(mbedtls_pk_context *pk, MBEDTLS_ERR_ASN1_LENGTH_MISMATCH); } - if ((ret = pk_get_ecpubkey(&p, end2, pk)) == 0) { + if ((ret = pk_ecc_set_pubkey(pk, p, end2 - p)) == 0) { pubkey_done = 1; } else { /* - * The only acceptable failure mode of pk_get_ecpubkey() above + * The only acceptable failure mode of pk_ecc_set_pubkey() above * is if the point format is not recognized. */ if (ret != MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE) { From ff72ea9d518b5cfda03288adb586e0c6055d6103 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 26 Jul 2023 23:56:05 +0200 Subject: [PATCH 079/175] Rework pk_ecc_set_pubkey() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Fix the logic around format: we were just assuming that if the format was not compressed, it was uncompressed, but it could also have been just invalid. - Remove redundant length check: the fallback does its own checks. - Remove set_algorithm() that's not needed and introduced a depencency on ECDSA. - Some style / naming / scope reduction. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 57 ++++++++++++++++++++++------------------------- 1 file changed, 27 insertions(+), 30 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index f897c1e8c1..e8678ed348 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -284,54 +284,51 @@ exit: static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len) { - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) - mbedtls_svc_key_id_t key; - psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; - if (pub_len > PSA_EXPORT_PUBLIC_KEY_MAX_SIZE) { - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; - } - - if ((*pub == 0x02) || (*pub == 0x03)) { - /* Compressed format, not supported by PSA Crypto. - * Try converting using functions from ECP_LIGHT. */ - ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len); - if (ret != 0) { - return ret; - } - } else { - /* Uncompressed format */ - if (pub_len > MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN) { + /* Load the key */ + if (*pub == 0x04) { + /* Uncompressed format, directly supported by PSA */ + if (pub_len > sizeof(pk->pub_raw)) { return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } memcpy(pk->pub_raw, pub, pub_len); pk->pub_raw_len = pub_len; + } else { + /* Other format, try the fallback */ + int ret = pk_ecc_set_pubkey_psa_ecp_fallback(pk, pub, pub_len); + if (ret != 0) { + return ret; + } } - /* Validate the key by trying to importing it */ + /* Validate the key by trying to import it */ + mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; + psa_key_attributes_t key_attrs = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_usage_flags(&key_attrs, 0); - psa_set_key_algorithm(&key_attrs, PSA_ALG_ECDSA_ANY); psa_set_key_type(&key_attrs, PSA_KEY_TYPE_ECC_PUBLIC_KEY(pk->ec_family)); psa_set_key_bits(&key_attrs, pk->ec_bits); if ((psa_import_key(&key_attrs, pk->pub_raw, pk->pub_raw_len, - &key) != PSA_SUCCESS) || - (psa_destroy_key(key) != PSA_SUCCESS)) { - mbedtls_platform_zeroize(pk->pub_raw, MBEDTLS_PK_MAX_EC_PUBKEY_RAW_LEN); - pk->pub_raw_len = 0; - return MBEDTLS_ERR_PK_BAD_INPUT_DATA; + &key_id) != PSA_SUCCESS) || + (psa_destroy_key(key_id) != PSA_SUCCESS)) { + return MBEDTLS_ERR_PK_INVALID_PUBKEY; } - ret = 0; + + return 0; + #else /* MBEDTLS_PK_USE_PSA_EC_DATA */ + + int ret; mbedtls_ecp_keypair *ec_key = (mbedtls_ecp_keypair *) pk->pk_ctx; - if ((ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, - pub, pub_len)) == 0) { - ret = mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q); + ret = mbedtls_ecp_point_read_binary(&ec_key->grp, &ec_key->Q, pub, pub_len); + if (ret != 0) { + return ret; } + return mbedtls_ecp_check_pubkey(&ec_key->grp, &ec_key->Q); + #endif /* MBEDTLS_PK_USE_PSA_EC_DATA */ - return ret; } /*********************************************************************** From fac9819edcbc4b647dc44b99909972cac066970c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 27 Jul 2023 09:19:42 +0200 Subject: [PATCH 080/175] Fix and document return of pk_ecc_set_pubkey() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit One of the calling site needs to distinguish between "the format is potentially valid but not supported" vs "other errors", and it uses MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for that. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) diff --git a/library/pkparse.c b/library/pkparse.c index e8678ed348..d12984fb07 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -238,13 +238,19 @@ static int pk_ecc_set_pubkey_from_prv(mbedtls_pk_context *pk, * out: will have the public key set. * [in] pub, pub_len: the public key as an ECPoint, * in any format supported by ECP. + * + * Return: + * - 0 on success; + * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid + * but not supported; + * - another error code otherwise. */ static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len) { #if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) - return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE; + return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; #else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ mbedtls_ecp_keypair ecp_key; mbedtls_ecp_group_id ecp_group_id; @@ -280,6 +286,12 @@ exit: * [in/out] pk: in: must have its group set, see pk_ecc_set_group(). * out: will have the public key set. * [in] pub, pub_len: the raw public key (an ECPoint). + * + * Return: + * - 0 on success; + * - MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE if the format is potentially valid + * but not supported; + * - another error code otherwise. */ static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, const unsigned char *pub, size_t pub_len) From 12ea63a5f7b96b2169331a40221b0f5779111201 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 27 Jul 2023 12:20:16 +0200 Subject: [PATCH 081/175] Abstract away MBEDTLS_PK_PARSE_EC_EXTENDED MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 69 +++++++++++++++++++++++++++++++++++------------ 1 file changed, 52 insertions(+), 17 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index d12984fb07..9d87a71506 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -345,15 +345,51 @@ static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, /*********************************************************************** * - * Unsorted (yet!) from this point on until the next section header + * Low-level ECC parsing: optional support for SpecifiedECDomain + * + * There are two functions here that are used by the rest of the code: + * - pk_ecc_tag_may_be_speficied_ec_domain() + * - pk_ecc_group_id_from_specified() + * + * All the other functions are internal to this section. + * + * The two "public" functions have a dummy variant provided + * in configs without MBEDTLS_PK_PARSE_EC_EXTENDED. This acts as an + * abstraction layer for this macro, which should not appear outside + * this section. * **********************************************************************/ -#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) +#if !defined(MBEDTLS_PK_PARSE_EC_EXTENDED) +/* See the "real" version for documentation */ +static int pk_ecc_tag_may_be_specified_ec_domain(int tag) +{ + (void) tag; + return 0; +} + +/* See the "real" version for documentation */ +static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params, + mbedtls_ecp_group_id *grp_id) +{ + (void) params; + (void) grp_id; + return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; +} +#else /* MBEDTLS_PK_PARSE_EC_EXTENDED */ +/* + * Tell if the passed tag might be the start of SpecifiedECDomain + * (that is, a sequence). + */ +static int pk_ecc_tag_may_be_specified_ec_domain(int tag) +{ + return tag == (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); +} + /* * Parse a SpecifiedECDomain (SEC 1 C.2) and (mostly) fill the group with it. * WARNING: the resulting group should only be used with - * pk_group_id_from_specified(), since its base point may not be set correctly + * pk_ecc_group_id_from_specified(), since its base point may not be set correctly * if it was encoded compressed. * * SpecifiedECDomain ::= SEQUENCE { @@ -562,8 +598,8 @@ cleanup: /* * Parse a SpecifiedECDomain (SEC 1 C.2) and find the associated group ID */ -static int pk_group_id_from_specified(const mbedtls_asn1_buf *params, - mbedtls_ecp_group_id *grp_id) +static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params, + mbedtls_ecp_group_id *grp_id) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; mbedtls_ecp_group grp; @@ -578,7 +614,7 @@ static int pk_group_id_from_specified(const mbedtls_asn1_buf *params, cleanup: /* The API respecting lifecycle for mbedtls_ecp_group struct is - * _init(), _load() and _free(). In pk_group_id_from_specified() the + * _init(), _load() and _free(). In pk_ecc_group_id_from_specified() the * temporary grp breaks that flow and it's members are populated * by pk_group_id_from_group(). As such mbedtls_ecp_group_free() * which is assuming a group populated by _setup() may not clean-up @@ -594,6 +630,11 @@ cleanup: } #endif /* MBEDTLS_PK_PARSE_EC_EXTENDED */ +/*********************************************************************** + * + * Unsorted (yet!) from this point on until the next section header + * + **********************************************************************/ /* Minimally parse an ECParameters buffer to and mbedtls_asn1_buf * @@ -613,13 +654,10 @@ static int pk_get_ecparams(unsigned char **p, const unsigned char *end, MBEDTLS_ERR_ASN1_OUT_OF_DATA); } - /* Tag may be either OID or SEQUENCE */ + /* Acceptable tags: OID for namedCurve, or specifiedECDomain */ params->tag = **p; - if (params->tag != MBEDTLS_ASN1_OID -#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) - && params->tag != (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE) -#endif - ) { + if (params->tag != MBEDTLS_ASN1_OID && + !pk_ecc_tag_may_be_specified_ec_domain(params->tag)) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); } @@ -657,13 +695,10 @@ static int pk_use_ecparams(const mbedtls_asn1_buf *params, mbedtls_pk_context *p return MBEDTLS_ERR_PK_UNKNOWN_NAMED_CURVE; } } else { -#if defined(MBEDTLS_PK_PARSE_EC_EXTENDED) - if ((ret = pk_group_id_from_specified(params, &grp_id)) != 0) { + ret = pk_ecc_group_id_from_specified(params, &grp_id); + if (ret != 0) { return ret; } -#else - return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT; -#endif } return pk_ecc_set_group(pk, grp_id); From 53d3e40a21c9c56a053c25ec8fe801ccb796a18e Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Tue, 1 Aug 2023 11:19:24 +0200 Subject: [PATCH 082/175] Fix unused warnings in dummy definition MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/pkparse.c b/library/pkparse.c index 9d87a71506..ffa91d30d6 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -250,6 +250,9 @@ static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk, size_t pub_len) { #if !defined(MBEDTLS_PK_PARSE_EC_COMPRESSED) + (void) pk; + (void) pub; + (void) pub_len; return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE; #else /* MBEDTLS_PK_PARSE_EC_COMPRESSED */ mbedtls_ecp_keypair ecp_key; From 564bc1bb960cd4d67a3d58488fff53565cf74ef2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 2 Aug 2023 12:05:16 +0200 Subject: [PATCH 083/175] Fix limitation in checking supported alg in pk_sign MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The recent changes in pkparse made it so ECDSA (deterministic or not) is set as the secondary alg and ECDH the first one. This broke the wrapper in pk_wrap as it was only checking the first alg when deciding whether to use deterministic or not. The wrapper should not have unnecessary requirements on how algs are set up, so make the check more flexible. Signed-off-by: Manuel Pégourié-Gonnard --- library/pk_wrap.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/library/pk_wrap.c b/library/pk_wrap.c index 53e11d5cb9..2c67836747 100644 --- a/library/pk_wrap.c +++ b/library/pk_wrap.c @@ -976,16 +976,17 @@ static int ecdsa_sign_psa(mbedtls_svc_key_id_t key_id, mbedtls_md_type_t md_alg, psa_status_t status; psa_algorithm_t psa_sig_md; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; - psa_algorithm_t alg; + psa_algorithm_t alg, alg2; status = psa_get_key_attributes(key_id, &key_attr); if (status != PSA_SUCCESS) { return PSA_PK_ECDSA_TO_MBEDTLS_ERR(status); } alg = psa_get_key_algorithm(&key_attr); + alg2 = psa_get_key_enrollment_algorithm(&key_attr); psa_reset_key_attributes(&key_attr); - if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg)) { + if (PSA_ALG_IS_DETERMINISTIC_ECDSA(alg) || PSA_ALG_IS_DETERMINISTIC_ECDSA(alg2)) { psa_sig_md = PSA_ALG_DETERMINISTIC_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)); } else { psa_sig_md = PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type(md_alg)); From 94cf1f82ad73ea2dcf68367d9daf18a13e3b3db5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 2 Aug 2023 12:09:24 +0200 Subject: [PATCH 084/175] Fix a typo in a comment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkparse.c b/library/pkparse.c index ffa91d30d6..bb6db0824c 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -156,7 +156,7 @@ static int pk_ecc_set_key(mbedtls_pk_context *pk, * Note: the private key information is always available from pk, * however for convenience the serialized version is also passed, * as it's available at each calling site, and useful in some configs - * (as otherwise we're have to re-serialize it from the pk context). + * (as otherwise we would have to re-serialize it from the pk context). * * There are three implementations of this function: * 1. MBEDTLS_PK_USE_PSA_EC_DATA, From 842ffc5085a12998407de61d465c3d2fbb910e04 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 2 Aug 2023 12:10:51 +0200 Subject: [PATCH 085/175] Make code more robust MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Using return here is only correct if we know that group_load() is atomic (either succeeds, or allocates no ressources). I'm not sure it is, and even if it were, goto exit is more obviously correct, so let's use that. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/library/pkparse.c b/library/pkparse.c index bb6db0824c..b0eef95a32 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -264,7 +264,7 @@ static int pk_ecc_set_pubkey_psa_ecp_fallback(mbedtls_pk_context *pk, mbedtls_ecp_keypair_init(&ecp_key); ret = mbedtls_ecp_group_load(&(ecp_key.grp), ecp_group_id); if (ret != 0) { - return ret; + goto exit; } ret = mbedtls_ecp_point_read_binary(&(ecp_key.grp), &ecp_key.Q, pub, pub_len); From f1b7633443ef3c4709e594817fd7e57645404472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 2 Aug 2023 12:14:19 +0200 Subject: [PATCH 086/175] Use clearer function name MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit I went for "may be" as I was thinking just checking the tag technically does not guarantee that what follows is correct, but I was wrong: according to ASN.1, when there are variants, the tag does distinguish unambiguously between variants, so we can be more positive here. (Whether the thing inside that variant is correct is a different question.) As a welcome side effect, this makes the name more standard hence more readable. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index b0eef95a32..820c8d1cf4 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -351,7 +351,7 @@ static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, * Low-level ECC parsing: optional support for SpecifiedECDomain * * There are two functions here that are used by the rest of the code: - * - pk_ecc_tag_may_be_speficied_ec_domain() + * - pk_ecc_tag_is_speficied_ec_domain() * - pk_ecc_group_id_from_specified() * * All the other functions are internal to this section. @@ -365,7 +365,7 @@ static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, #if !defined(MBEDTLS_PK_PARSE_EC_EXTENDED) /* See the "real" version for documentation */ -static int pk_ecc_tag_may_be_specified_ec_domain(int tag) +static int pk_ecc_tag_is_specified_ec_domain(int tag) { (void) tag; return 0; @@ -384,7 +384,7 @@ static int pk_ecc_group_id_from_specified(const mbedtls_asn1_buf *params, * Tell if the passed tag might be the start of SpecifiedECDomain * (that is, a sequence). */ -static int pk_ecc_tag_may_be_specified_ec_domain(int tag) +static int pk_ecc_tag_is_specified_ec_domain(int tag) { return tag == (MBEDTLS_ASN1_CONSTRUCTED | MBEDTLS_ASN1_SEQUENCE); } @@ -660,7 +660,7 @@ static int pk_get_ecparams(unsigned char **p, const unsigned char *end, /* Acceptable tags: OID for namedCurve, or specifiedECDomain */ params->tag = **p; if (params->tag != MBEDTLS_ASN1_OID && - !pk_ecc_tag_may_be_specified_ec_domain(params->tag)) { + !pk_ecc_tag_is_specified_ec_domain(params->tag)) { return MBEDTLS_ERROR_ADD(MBEDTLS_ERR_PK_KEY_INVALID_FORMAT, MBEDTLS_ERR_ASN1_UNEXPECTED_TAG); } From 52e9548c227d659fb889d3a73657244608cf8d82 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 3 Aug 2023 10:22:41 +0200 Subject: [PATCH 087/175] Fix check for format supported by PSA MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit For non-Weierstrass curves there's only one format and it's supported. Signed-off-by: Manuel Pégourié-Gonnard --- library/pkparse.c | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index 820c8d1cf4..b4299518fd 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -302,8 +302,10 @@ static int pk_ecc_set_pubkey(mbedtls_pk_context *pk, #if defined(MBEDTLS_PK_USE_PSA_EC_DATA) /* Load the key */ - if (*pub == 0x04) { - /* Uncompressed format, directly supported by PSA */ + if (!PSA_ECC_FAMILY_IS_WEIERSTRASS(pk->ec_family) || *pub == 0x04) { + /* Format directly supported by PSA: + * - non-Weierstrass curves that only have one format; + * - uncompressed format for Weierstrass curves. */ if (pub_len > sizeof(pk->pub_raw)) { return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL; } From d35b188a5cf0e9e706129a8a04bebbfd3047d3c3 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 16 Oct 2023 10:25:30 +0100 Subject: [PATCH 088/175] Make component_build_aes_aesce_armcc silent Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 15 ++++++++++----- 1 file changed, 10 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 91ed1a566d..8adf3f485e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4340,13 +4340,18 @@ component_build_aes_aesce_armcc () { } support_build_sha_armce() { - # clang >= 4 is required to build with SHA extensions - clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" + if ( $(which clang > /dev/null) ); then + # clang >= 4 is required to build with SHA extensions + clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - # we need asm/hwcap.h available for runtime detection - echo '#include ' | clang -E - >/dev/null 2>&1 && have_hwcap=1 || have_hwcap=0 + # we need asm/hwcap.h available for runtime detection + echo '#include ' | clang -E - >/dev/null 2>&1 && have_hwcap=1 || have_hwcap=0 - [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 1 ]] + [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 1 ]] + else + # clang not available + false + fi } component_build_sha_armce () { From f2ea08ae5039e30fba8289ea26a0d04f432852c0 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 16 Oct 2023 11:37:28 +0100 Subject: [PATCH 089/175] Improve test for clang presence Signed-off-by: Dave Rodgman --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8adf3f485e..28767eb3f3 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4340,7 +4340,7 @@ component_build_aes_aesce_armcc () { } support_build_sha_armce() { - if ( $(which clang > /dev/null) ); then + if command -v clang > /dev/null ; then # clang >= 4 is required to build with SHA extensions clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" From 811a954383d4a63320c35cbf8023917f970cdf5b Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 17 Oct 2023 11:08:12 +0100 Subject: [PATCH 090/175] Add reentrancy section to thread safety design Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 0724307620..53ee2c88c1 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -347,6 +347,25 @@ Implementing "thread_safe” drivers depends on the condition variable protectio Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the #condition-variables approach is implemented in the core. +#### Reentrancy + +It is natural sometimes to want to perform cryptographic operations from a driver, for example calculating a hash as part of various other crypto primitives, or using a block cipher in a driver for a mode, etc. Also encrypting/authenticating communication with a secure element. + +If the driver is thread safe, it is the drivers responsibility to handle re-entrancy. + +In the non-thread-safe case we have these natural assumptions/requirements: +1. Drivers don't call the core for any operation for which they provide an entry point +2. The core doesn't hold the driver mutex between calls to entry points + +With these, the only way of a deadlock is when we have several drivers and they have circular dependencies. That is, Driver A makes a call that is despatched to Driver B and upon executing that Driver B makes a call that is despatched to Driver A. For example Driver A does CCM calls Driver B to do CBC-MAC, which in turn calls Driver A to do AES. This example is pretty contrived and it is hard to find a more practical example. + +Potential ways for resolving this: +1. Non-thread-safe drivers must not call the core +2. Provide a new public API that drivers can safely call +3. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.) + +The first is too restrictive, the second is too expensive, the only viable option is the third. + ### Global Data PSA Crypto makes use of a `global_data` variable that will be accessible from multiple threads and needs to be protected. Any function accessing this variable (or its members) must take the corresponding lock first. Since `global_data` holds the RNG state, these will involve relatively expensive operations and therefore ideally `global_data` should be protected by its own, dedicated lock (different from the one protecting the key store). From 574100bb0d69554aa3543cc6ec536c3cd8330cfd Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 17 Oct 2023 12:09:57 +0100 Subject: [PATCH 091/175] Add clarifications to thread safety design Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 53ee2c88c1..3a18d35ab7 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -303,7 +303,7 @@ Solution: after some team discussion, we've decided to rely on a new threading a When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to WRITING first. For most functions this is a clean UNUSED -> WRITING transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key. -`psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This opens up the way for an untrusted application to launch a DoS attack against the crypto service, but this is still better than compromising confidentiality or integrity and this is the most we can do with mutexes only. Also, this is the current behaviour. +`psa_wipe_all_key_slots` is only called from `mbedtls_psa_crypto_free`, here we will need to return an error as we won't be able to free the key store if a key is in use without compromising the state of the secure side. This is acceptable as an untrusted application cannot call `mbedtls_psa_crypto_free` in a crypto service. In a service integration, `mbedtls_psa_crypto_free` on the client cuts the communication with the crypto service. Also, this is the current behaviour. `psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). When the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it. @@ -314,7 +314,7 @@ Variations: 1. As a first step the multipart operations would lock the keys for reading on setup and release on free 2. In a later stage this would be improved by locking the keys on entry into multi-part API calls and released before exiting. -The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must left unsupported in the first variant. +The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must be left unsupported in the first variant. This makes the first variant impractical (multipart operations returning an error in builds with multithreading enabled is not a behaviour that would be very useful to release). ### Condition variables From d7a39ae21ed953b1fd81f07ae022b1fd2fd0eb48 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Tue, 17 Oct 2023 14:34:26 +0100 Subject: [PATCH 092/175] Add plan for 3.6 to threading design Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 3a18d35ab7..9e396e082b 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -381,3 +381,18 @@ Since we only have simple mutexes, locking the same mutex from the same thread i Releasing the mutex before a function call might introduce race conditions. Therefore might not be practical to take the mutex in low level access functions. If functions like that don't take the mutex, they need to rely on the caller to take it for them. These functions will document that the caller is required to hold the mutex. To avoid performance degradation, functions must not start expensive operations (eg. doing cryptography) while holding the mutex. + +## Strategy for 3.6 + +The goal is to provide viable threading support without extending the platform abstraction. (Condition variables should be added in 4.0.) This means that we will be relying on mutexes only. + +- Key Store + - Slot states guarantee safe concurrent access to slot contents + - Slot states will be protected by a global mutex + - Simple key destruction strategy as described in #mutex-only (variant 2.) +- Concurrent calls to operation contexts will be prevented by state fields which shall be protected by a global mutex +- Drivers + - The solution shall use the pre-existing MBEDTLS_THREADING_C threading abstraction + - Drivers will be protected by their own dedicated lock - only non-thread safe drivers are supported + - Constraints on the drivers and the core will be in place and documented as proposed in #reentrancy +- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex From a0e810de4b7a457348d5d6a516e8303cd41220e8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2023 16:04:27 +0200 Subject: [PATCH 093/175] Convey that it's ok for mbedtls_ssl_session_save to fail mbedtls_ssl_session_save() always outputs the output length, even on error. Here, we're only calling it to get the needed output length, so it's ok to ignore the return value. Convey this to linters. Signed-off-by: Gilles Peskine --- programs/ssl/ssl_client2.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 7c2c818d81..ac02e548ab 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -705,7 +705,7 @@ static int ssl_save_session_serialize(mbedtls_ssl_context *ssl, } /* get size of the buffer needed */ - mbedtls_ssl_session_save(&exported_session, NULL, 0, session_data_len); + (void) mbedtls_ssl_session_save(&exported_session, NULL, 0, session_data_len); *session_data = mbedtls_calloc(1, *session_data_len); if (*session_data == NULL) { mbedtls_printf(" failed\n ! alloc %u bytes for session data\n", From 21e46b39ccf6ca1e47f13df25aacfd1defc5e889 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2023 16:35:20 +0200 Subject: [PATCH 094/175] Fix missing initializations on some error paths Signed-off-by: Gilles Peskine --- tests/suites/test_suite_ctr_drbg.function | 4 +--- tests/suites/test_suite_pkwrite.function | 4 +--- .../test_suite_psa_crypto_se_driver_hal.function | 2 +- tests/suites/test_suite_ssl.function | 9 ++++----- tests/suites/test_suite_x509parse.function | 12 +++++++----- tests/suites/test_suite_x509write.function | 14 +++++++------- 6 files changed, 21 insertions(+), 24 deletions(-) diff --git a/tests/suites/test_suite_ctr_drbg.function b/tests/suites/test_suite_ctr_drbg.function index 7d816080ac..c6896998ee 100644 --- a/tests/suites/test_suite_ctr_drbg.function +++ b/tests/suites/test_suite_ctr_drbg.function @@ -31,15 +31,13 @@ static void ctr_drbg_validate_internal(int reseed_mode, data_t *nonce, data_t *result) { mbedtls_ctr_drbg_context ctx; + mbedtls_ctr_drbg_init(&ctx); unsigned char buf[64]; size_t entropy_chunk_len = (size_t) entropy_len_arg; - TEST_ASSERT(entropy_chunk_len <= sizeof(buf)); test_offset_idx = 0; - mbedtls_ctr_drbg_init(&ctx); - test_max_idx = entropy->len; /* CTR_DRBG_Instantiate(entropy[:entropy->len], nonce, perso, ) diff --git a/tests/suites/test_suite_pkwrite.function b/tests/suites/test_suite_pkwrite.function index 730bb881bb..733909ebc8 100644 --- a/tests/suites/test_suite_pkwrite.function +++ b/tests/suites/test_suite_pkwrite.function @@ -68,6 +68,7 @@ static int pk_write_any_key(mbedtls_pk_context *pk, unsigned char **p, static void pk_write_check_common(char *key_file, int is_public_key, int is_der) { mbedtls_pk_context key; + mbedtls_pk_init(&key); unsigned char *buf = NULL; unsigned char *check_buf = NULL; unsigned char *start_buf; @@ -78,9 +79,6 @@ static void pk_write_check_common(char *key_file, int is_public_key, int is_der) USE_PSA_INIT(); - mbedtls_pk_init(&key); - USE_PSA_INIT(); - /* Note: if mbedtls_pk_load_file() successfully reads the file, then it also allocates check_buf, which should be freed on exit */ TEST_EQUAL(mbedtls_pk_load_file(key_file, &check_buf, &check_buf_len), 0); diff --git a/tests/suites/test_suite_psa_crypto_se_driver_hal.function b/tests/suites/test_suite_psa_crypto_se_driver_hal.function index 9c5ef23a65..8e96984439 100644 --- a/tests/suites/test_suite_psa_crypto_se_driver_hal.function +++ b/tests/suites/test_suite_psa_crypto_se_driver_hal.function @@ -1297,7 +1297,7 @@ void sign_verify(int flow, mbedtls_svc_key_id_t returned_id; mbedtls_svc_key_id_t sw_key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t sw_attributes = PSA_KEY_ATTRIBUTES_INIT; - psa_key_attributes_t drv_attributes; + psa_key_attributes_t drv_attributes = PSA_KEY_ATTRIBUTES_INIT; uint8_t signature[PSA_SIGNATURE_MAX_SIZE]; size_t signature_length; diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index eb2407d2e5..8a837bb9c9 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -24,6 +24,7 @@ void test_callback_buffer_sanity() { enum { MSGLEN = 10 }; mbedtls_test_ssl_buffer buf; + mbedtls_test_ssl_buffer_init(&buf); unsigned char input[MSGLEN]; unsigned char output[MSGLEN]; @@ -43,8 +44,6 @@ void test_callback_buffer_sanity() /* Make sure calling put and get on a buffer that hasn't been set up results * in error. */ - mbedtls_test_ssl_buffer_init(&buf); - TEST_ASSERT(mbedtls_test_ssl_buffer_put(&buf, input, sizeof(input)) == -1); TEST_ASSERT(mbedtls_test_ssl_buffer_get(&buf, output, sizeof(output)) @@ -1787,7 +1786,9 @@ void ssl_tls13_record_protection(int ciphersuite, { mbedtls_ssl_key_set keys; mbedtls_ssl_transform transform_send; + mbedtls_ssl_transform_init(&transform_send); mbedtls_ssl_transform transform_recv; + mbedtls_ssl_transform_init(&transform_recv); mbedtls_record rec; unsigned char *buf = NULL; size_t buf_len; @@ -1818,8 +1819,6 @@ void ssl_tls13_record_protection(int ciphersuite, keys.key_len = server_write_key->len; keys.iv_len = server_write_iv->len; - mbedtls_ssl_transform_init(&transform_recv); - mbedtls_ssl_transform_init(&transform_send); MD_OR_USE_PSA_INIT(); TEST_ASSERT(mbedtls_ssl_tls13_populate_transform( @@ -3122,6 +3121,7 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key) mbedtls_psa_stats_t stats; size_t free_slots_before = -1; mbedtls_test_handshake_test_options options; + mbedtls_test_init_handshake_options(&options); uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; @@ -3129,7 +3129,6 @@ void raw_key_agreement_fail(int bad_server_ecdhe_key) mbedtls_platform_zeroize(&client, sizeof(client)); mbedtls_platform_zeroize(&server, sizeof(server)); - mbedtls_test_init_handshake_options(&options); options.pk_alg = MBEDTLS_PK_ECDSA; options.server_min_version = MBEDTLS_SSL_VERSION_TLS1_2; options.server_max_version = MBEDTLS_SSL_VERSION_TLS1_2; diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 114bd52776..c38a372837 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -928,15 +928,17 @@ void mbedtls_x509_dn_get_next(char *name_str, int ret = 0, i; size_t len = 0, out_size; mbedtls_asn1_named_data *names = NULL; - mbedtls_x509_name parsed, *parsed_cur; + mbedtls_x509_name parsed; + memset(&parsed, 0, sizeof(parsed)); + mbedtls_x509_name *parsed_cur; // Size of buf is maximum required for test cases - unsigned char buf[80], *out = NULL, *c; + unsigned char buf[80] = {0}; + unsigned char *out = NULL; + unsigned char *c = buf + sizeof(buf); const char *short_name; USE_PSA_INIT(); - memset(&parsed, 0, sizeof(parsed)); - memset(buf, 0, sizeof(buf)); - c = buf + sizeof(buf); + // Additional size required for trailing space out_size = strlen(expected_oids) + 2; TEST_CALLOC(out, out_size); diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index a7ed26295e..06e08168cb 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -699,16 +699,16 @@ void mbedtls_x509_string_to_names(char *name, char *parsed_name, int ret; size_t len = 0; mbedtls_asn1_named_data *names = NULL; - mbedtls_x509_name parsed, *parsed_cur, *parsed_prv; - unsigned char buf[1024], out[1024], *c; + mbedtls_x509_name parsed; + memset(&parsed, 0, sizeof(parsed)); + mbedtls_x509_name *parsed_cur = NULL; + mbedtls_x509_name *parsed_prv = NULL; + unsigned char buf[1024] = {0}; + unsigned char out[1024] = {0}; + unsigned char *c = buf + sizeof(buf); USE_PSA_INIT(); - memset(&parsed, 0, sizeof(parsed)); - memset(out, 0, sizeof(out)); - memset(buf, 0, sizeof(buf)); - c = buf + sizeof(buf); - ret = mbedtls_x509_string_to_names(&names, name); TEST_EQUAL(ret, result); From bb7d92c4b259e9b01760fc24624651dbd111172a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2023 17:26:44 +0200 Subject: [PATCH 095/175] Remove redundant null check crl_file is a test argument and can't be null. Besides the code above already assumes that it's non-null. Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.function | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index c38a372837..938917ad71 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -729,7 +729,7 @@ void x509_verify(char *crt_file, char *ca_file, char *crl_file, #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) /* CRLs aren't supported with CA callbacks, so skip the CA callback * version of the test if CRLs are in use. */ - if (crl_file == NULL || strcmp(crl_file, "") == 0) { + if (strcmp(crl_file, "") == 0) { flags = 0; res = mbedtls_x509_crt_verify_with_ca_cb(&crt, From d681ffdb54568353206bf1111dfcecbffeeb7c24 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2023 17:31:50 +0200 Subject: [PATCH 096/175] Use modern macros for calloc in test code Signed-off-by: Gilles Peskine --- tests/suites/test_suite_ssl.function | 15 ++++++++------- 1 file changed, 8 insertions(+), 7 deletions(-) diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 8a837bb9c9..9ebc56c34c 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -1199,7 +1199,7 @@ void ssl_crypt_record(int cipher_type, int hash_id, TEST_ASSERT(ret == 0); - TEST_ASSERT((buf = mbedtls_calloc(1, buflen)) != NULL); + TEST_CALLOC(buf, buflen); while (num_records-- > 0) { mbedtls_ssl_transform *t_dec, *t_enc; @@ -1353,7 +1353,7 @@ void ssl_crypt_record_small(int cipher_type, int hash_id, TEST_ASSERT(ret == 0); - TEST_ASSERT((buf = mbedtls_calloc(1, buflen)) != NULL); + TEST_CALLOC(buf, buflen); for (mode = 1; mode <= 3; mode++) { seen_success = 0; @@ -1957,7 +1957,7 @@ void ssl_serialize_session_save_load(int ticket_len, char *crt_file, /* Serialize it */ TEST_ASSERT(mbedtls_ssl_session_save(&original, NULL, 0, &len) == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - TEST_ASSERT((buf = mbedtls_calloc(1, len)) != NULL); + TEST_CALLOC(buf, len); TEST_ASSERT(mbedtls_ssl_session_save(&original, buf, len, &len) == 0); @@ -2171,7 +2171,8 @@ void ssl_serialize_session_save_buf_size(int ticket_len, char *crt_file, for (bad_len = 1; bad_len < good_len; bad_len++) { /* Allocate exact size so that asan/valgrind can detect any overwrite */ mbedtls_free(buf); - TEST_ASSERT((buf = mbedtls_calloc(1, bad_len)) != NULL); + buf = NULL; + TEST_CALLOC(buf, bad_len); TEST_ASSERT(mbedtls_ssl_session_save(&session, buf, bad_len, &test_len) == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); @@ -2214,7 +2215,7 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, } TEST_ASSERT(mbedtls_ssl_session_save(&session, NULL, 0, &good_len) == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL); - TEST_ASSERT((good_buf = mbedtls_calloc(1, good_len)) != NULL); + TEST_CALLOC(good_buf, good_len); TEST_ASSERT(mbedtls_ssl_session_save(&session, good_buf, good_len, &good_len) == 0); mbedtls_ssl_session_free(&session); @@ -2223,8 +2224,8 @@ void ssl_serialize_session_load_buf_size(int ticket_len, char *crt_file, for (bad_len = 0; bad_len < good_len; bad_len++) { /* Allocate exact size so that asan/valgrind can detect any overread */ mbedtls_free(bad_buf); - bad_buf = mbedtls_calloc(1, bad_len ? bad_len : 1); - TEST_ASSERT(bad_buf != NULL); + bad_buf = NULL; + TEST_CALLOC_NONNULL(bad_buf, bad_len); memcpy(bad_buf, good_buf, bad_len); TEST_ASSERT(mbedtls_ssl_session_load(&session, bad_buf, bad_len) From bbd92917d837d6c2a94b6b871ed454ca7b1280a1 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 17 Oct 2023 18:08:24 +0200 Subject: [PATCH 097/175] Close file on error path Signed-off-by: Gilles Peskine --- tests/suites/test_suite_entropy.function | 2 ++ 1 file changed, 2 insertions(+) diff --git a/tests/suites/test_suite_entropy.function b/tests/suites/test_suite_entropy.function index 0e013b740d..ed9f3ac3cc 100644 --- a/tests/suites/test_suite_entropy.function +++ b/tests/suites/test_suite_entropy.function @@ -102,6 +102,7 @@ static int write_nv_seed(unsigned char *buf, size_t buf_len) if (fwrite(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) { + fclose(f); return -1; } @@ -124,6 +125,7 @@ int read_nv_seed(unsigned char *buf, size_t buf_len) if (fread(buf, 1, MBEDTLS_ENTROPY_BLOCK_SIZE, f) != MBEDTLS_ENTROPY_BLOCK_SIZE) { + fclose(f); return -1; } From b47b2990d63ec69ba2325a162999a015fa7b3d30 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Wed, 18 Oct 2023 15:50:35 +0800 Subject: [PATCH 098/175] fix various issues - fix wrong typo - remove redundant check - remove psk mode tests Signed-off-by: Jerry Yu --- library/ssl_tls13_server.c | 20 ++------------------ tests/opt-testcases/tls13-misc.sh | 29 ++++++----------------------- 2 files changed, 8 insertions(+), 41 deletions(-) diff --git a/library/ssl_tls13_server.c b/library/ssl_tls13_server.c index dad07817ad..6445a00a19 100644 --- a/library/ssl_tls13_server.c +++ b/library/ssl_tls13_server.c @@ -1757,29 +1757,14 @@ static void ssl_tls13_update_early_data_status(mbedtls_ssl_context *ssl) if ((handshake->received_extensions & MBEDTLS_SSL_EXT_MASK(EARLY_DATA)) == 0) { MBEDTLS_SSL_DEBUG_MSG( - 1, ("EarlyData: early data extension is not received.")); + 1, ("EarlyData: no early data extension received.")); ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_RECEIVED; return; } + /* We do not accept early data for the time being */ ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_REJECTED; - if (ssl->conf->early_data_enabled == MBEDTLS_SSL_EARLY_DATA_DISABLED) { - MBEDTLS_SSL_DEBUG_MSG( - 1, ("EarlyData: rejected. configured disabled.")); - return; - } - - MBEDTLS_SSL_DEBUG_MSG( - 3, ("EarlyData: conf->max_early_data_size = %u", - (unsigned int) ssl->conf->max_early_data_size)); - - /* TODO: Add more checks here. */ - - MBEDTLS_SSL_DEBUG_MSG( - 1, ("EarlyData: For time being, it should not happen.")); - ssl->early_data_status = MBEDTLS_SSL_EARLY_DATA_STATUS_ACCEPTED; - } #endif /* MBEDTLS_SSL_EARLY_DATA */ @@ -1812,7 +1797,6 @@ static int ssl_tls13_postprocess_client_hello(mbedtls_ssl_context *ssl) #if defined(MBEDTLS_SSL_EARLY_DATA) /* There is enough information, update early data state. */ ssl_tls13_update_early_data_status(ssl); - #endif /* MBEDTLS_SSL_EARLY_DATA */ return 0; diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 9845717aae..635e31a69b 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -497,31 +497,14 @@ requires_gnutls_next requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED \ - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_ECP_LIGHT + MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -run_test "TLS 1.3 G->m: EarlyData: ephemeral: feature is disabled, fail." \ +run_test "TLS 1.3 G->m: EarlyData: feature is disabled, fail." \ "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1 $(get_srv_psk_list)" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \ 1 \ - -c "Resume Handshake was completed" \ - -s "ClientHello: early_data(42) extension exists." \ - -S "EncryptedExtensions: early_data(42) extension exists." \ - -s "NewSessionTicket: early_data(42) extension does not exist." - -requires_gnutls_next -requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS \ - MBEDTLS_SSL_SRV_C MBEDTLS_DEBUG_C MBEDTLS_HAVE_TIME \ - MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE MBEDTLS_ECP_LIGHT -requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ - MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED -run_test "TLS 1.3 G->m: EarlyData: psk*: feature is disabled, fail." \ - "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1 $(get_srv_psk_list)" \ - "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL:-KX-ALL:+ECDHE-PSK:+DHE-PSK:+PSK \ - -d 10 -r --earlydata $EARLY_DATA_INPUT \ - --pskusername Client_identity --pskkey=6162636465666768696a6b6c6d6e6f70" \ - 1 \ - -c "Resume Handshake was completed" \ - -s "ClientHello: early_data(42) extension exists." \ - -S "EncryptedExtensions: early_data(42) extension exists." \ - -s "NewSessionTicket: early_data(42) extension does not exist." + -s "ClientHello: early_data(42) extension exists." \ + -s "EncryptedExtensions: early_data(42) extension does not exists." \ + -s "NewSessionTicket: early_data(42) extension does not exist." \ + -s "Last error was: -29056 - SSL - Verification of the message MAC failed" From f2574206e5cf70d978a0cf4b880534271fc788cc Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 18 Oct 2023 17:39:48 +0200 Subject: [PATCH 099/175] Fix code style Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.function | 2 +- tests/suites/test_suite_x509write.function | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 938917ad71..894e0bb18e 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -932,7 +932,7 @@ void mbedtls_x509_dn_get_next(char *name_str, memset(&parsed, 0, sizeof(parsed)); mbedtls_x509_name *parsed_cur; // Size of buf is maximum required for test cases - unsigned char buf[80] = {0}; + unsigned char buf[80] = { 0 }; unsigned char *out = NULL; unsigned char *c = buf + sizeof(buf); const char *short_name; diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index 06e08168cb..4de9addca0 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -703,8 +703,8 @@ void mbedtls_x509_string_to_names(char *name, char *parsed_name, memset(&parsed, 0, sizeof(parsed)); mbedtls_x509_name *parsed_cur = NULL; mbedtls_x509_name *parsed_prv = NULL; - unsigned char buf[1024] = {0}; - unsigned char out[1024] = {0}; + unsigned char buf[1024] = { 0 }; + unsigned char out[1024] = { 0 }; unsigned char *c = buf + sizeof(buf); USE_PSA_INIT(); From 154982719a96c0f4bfd874dd0c9e317f0a8dcabf Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Thu, 19 Oct 2023 10:29:07 +0800 Subject: [PATCH 100/175] fix wrong typo Signed-off-by: Jerry Yu --- tests/opt-testcases/tls13-misc.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 635e31a69b..572a291fd2 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -505,6 +505,6 @@ run_test "TLS 1.3 G->m: EarlyData: feature is disabled, fail." \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \ 1 \ -s "ClientHello: early_data(42) extension exists." \ - -s "EncryptedExtensions: early_data(42) extension does not exists." \ + -s "EncryptedExtensions: early_data(42) extension does not exist." \ -s "NewSessionTicket: early_data(42) extension does not exist." \ -s "Last error was: -29056 - SSL - Verification of the message MAC failed" From bb4f63cbb222994c35c061c9785289de3e7b0599 Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 19 Oct 2023 10:38:58 +0800 Subject: [PATCH 101/175] all.sh: build_mingw: test default config without MBEDTLS_AESNI_C Signed-off-by: Pengyu Lv --- tests/scripts/all.sh | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 64bde15fd3..c197ee10bc 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -5124,6 +5124,17 @@ component_build_mingw () { make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 lib programs make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests make WINDOWS_BUILD=1 clean + + msg "build: Windows cross build - mingw64, make (Link Library, default config without MBEDTLS_AESNI_C)" # ~ 30s + ./scripts/config.py unset MBEDTLS_AESNI_C # + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests + make WINDOWS_BUILD=1 clean + + msg "build: Windows cross build - mingw64, make (DLL, default config without MBEDTLS_AESNI_C)" # ~ 30s + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests + make WINDOWS_BUILD=1 clean } support_build_mingw() { case $(i686-w64-mingw32-gcc -dumpversion 2>/dev/null) in From 3898f10fed1de8c3d9c4382f5ec3f9d9798d2a6d Mon Sep 17 00:00:00 2001 From: Sergey Markelov Date: Mon, 16 Oct 2023 12:54:48 -0700 Subject: [PATCH 102/175] Fix #8372 - Error compiling AESNI in Mbed-TLS with clang on Windows It can successfully compile w/ the clang options -maes -mpclmul. Signed-off-by: Sergey Markelov --- ChangeLog.d/8372.txt | 3 +++ library/aesni.c | 4 ++-- library/aesni.h | 6 +++--- 3 files changed, 8 insertions(+), 5 deletions(-) create mode 100644 ChangeLog.d/8372.txt diff --git a/ChangeLog.d/8372.txt b/ChangeLog.d/8372.txt new file mode 100644 index 0000000000..4a72edfb1a --- /dev/null +++ b/ChangeLog.d/8372.txt @@ -0,0 +1,3 @@ +Features + * AES-NI is now supported in Windows builds with clang and clang-cl. + Resolves #8372. diff --git a/library/aesni.c b/library/aesni.c index 5f25a8249f..92626e1376 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -52,7 +52,7 @@ int mbedtls_aesni_has_support(unsigned int what) if (!done) { #if MBEDTLS_AESNI_HAVE_CODE == 2 - static unsigned info[4] = { 0, 0, 0, 0 }; + static int info[4] = { 0, 0, 0, 0 }; #if defined(_MSC_VER) __cpuid(info, 1); #else @@ -187,7 +187,7 @@ void mbedtls_aesni_gcm_mult(unsigned char c[16], const unsigned char a[16], const unsigned char b[16]) { - __m128i aa, bb, cc, dd; + __m128i aa = { 0 }, bb = { 0 }, cc, dd; /* The inputs are in big-endian order, so byte-reverse them */ for (size_t i = 0; i < 16; i++) { diff --git a/library/aesni.h b/library/aesni.h index ba14290298..952e138508 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -39,7 +39,7 @@ * (Only implemented with certain compilers, only for certain targets.) */ #undef MBEDTLS_AESNI_HAVE_INTRINSICS -#if defined(_MSC_VER) +#if defined(_MSC_VER) && !defined(__clang__) /* Visual Studio supports AESNI intrinsics since VS 2008 SP1. We only support * VS 2013 and up for other reasons anyway, so no need to check the version. */ #define MBEDTLS_AESNI_HAVE_INTRINSICS @@ -47,7 +47,7 @@ /* GCC-like compilers: currently, we only support intrinsics if the requisite * target flag is enabled when building the library (e.g. `gcc -mpclmul -msse2` * or `clang -maes -mpclmul`). */ -#if defined(__GNUC__) && defined(__AES__) && defined(__PCLMUL__) +#if (defined(__GNUC__) || defined(__clang__)) && defined(__AES__) && defined(__PCLMUL__) #define MBEDTLS_AESNI_HAVE_INTRINSICS #endif @@ -65,7 +65,7 @@ * (Only implemented with gas syntax, only for 64-bit.) */ #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly -#elif defined(__GNUC__) +#elif defined(__GNUC__) || defined(__clang__) # error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C" #else #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" From 158eead001677307d4731f1a4dacb4f38245dc6d Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 19 Oct 2023 11:27:05 +0800 Subject: [PATCH 103/175] all.sh: build_mingw: only test build lib without MBEDTLS_AESNI_C Signed-off-by: Pengyu Lv --- tests/scripts/all.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c197ee10bc..81084a9ee8 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -5125,15 +5125,9 @@ component_build_mingw () { make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra -maes -msse2 -mpclmul' WINDOWS_BUILD=1 SHARED=1 tests make WINDOWS_BUILD=1 clean - msg "build: Windows cross build - mingw64, make (Link Library, default config without MBEDTLS_AESNI_C)" # ~ 30s + msg "build: Windows cross build - mingw64, make (Library only, default config without MBEDTLS_AESNI_C)" # ~ 30s ./scripts/config.py unset MBEDTLS_AESNI_C # - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib programs - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror' WINDOWS_BUILD=1 tests - make WINDOWS_BUILD=1 clean - - msg "build: Windows cross build - mingw64, make (DLL, default config without MBEDTLS_AESNI_C)" # ~ 30s - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 lib programs - make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 SHARED=1 tests + make CC=i686-w64-mingw32-gcc AR=i686-w64-mingw32-ar LD=i686-w64-minggw32-ld CFLAGS='-Werror -Wall -Wextra' WINDOWS_BUILD=1 lib make WINDOWS_BUILD=1 clean } support_build_mingw() { From 74f2c15ea3894ca52fef5d32047cedccec4af3ed Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 19 Oct 2023 11:39:17 +0800 Subject: [PATCH 104/175] Add a changelog entry Signed-off-by: Pengyu Lv --- ChangeLog.d/fix-mingw32-build.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-mingw32-build.txt diff --git a/ChangeLog.d/fix-mingw32-build.txt b/ChangeLog.d/fix-mingw32-build.txt new file mode 100644 index 0000000000..c657f23e28 --- /dev/null +++ b/ChangeLog.d/fix-mingw32-build.txt @@ -0,0 +1,4 @@ +Bugfix + * Fix an inconsistency between implementations and usages of `__cpuid`, + which mainly causes failures when building Windows target using + mingw or clang. Fix #8334 & #8332. From 0df6d9688add33721fbae9d9a098a3cc49a584f6 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 11 Oct 2023 13:27:25 +0800 Subject: [PATCH 105/175] all.sh: fix a typo in comment Signed-off-by: Yanray Wang --- tests/scripts/all.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 9290aa6d91..baa2b600f1 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -864,7 +864,7 @@ pre_generate_files() { # Example: # loc_extra_list="ALG_SHA_224 ALG_SHA_256 ALG_SHA_384 ALG_SHA_512" # helper_libtestdriver1_make_drivers "$loc_accel_list" "$loc_extra_list" -# 4b. Call helper_libtestdriver1_make_main "$loc_accel_list". Any +# 3b. Call helper_libtestdriver1_make_main "$loc_accel_list". Any # additional arguments will be passed to make: this can be useful if # you don't want to build everything when iterating during development. # Example: From af5003a1577d2798e90a7f3c1824b9e6d0145bdf Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Wed, 11 Oct 2023 11:57:10 +0800 Subject: [PATCH 106/175] CMAC: accelerate CMAC in accel_cipher Signed-off-by: Yanray Wang --- .../crypto_config_test_driver_extension.h | 9 ++++++++- tests/scripts/all.sh | 19 ++++++++++--------- 2 files changed, 18 insertions(+), 10 deletions(-) diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index ef8c88a668..b0bbc44211 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -32,6 +32,14 @@ #endif #endif +#if defined(PSA_WANT_ALG_CMAC) +#if defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) +#undef MBEDTLS_PSA_ACCEL_ALG_CMAC +#else +#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1 +#endif +#endif + #if defined(PSA_WANT_ALG_CTR) #if defined(MBEDTLS_PSA_ACCEL_ALG_CTR) #undef MBEDTLS_PSA_ACCEL_ALG_CTR @@ -395,7 +403,6 @@ #define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1 #define MBEDTLS_PSA_ACCEL_ALG_CCM 1 -#define MBEDTLS_PSA_ACCEL_ALG_CMAC 1 #define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1 #define MBEDTLS_PSA_ACCEL_ALG_GCM 1 #define MBEDTLS_PSA_ACCEL_ALG_HKDF 1 diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index baa2b600f1..17f894a7b9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3528,22 +3528,22 @@ component_test_psa_crypto_config_reference_hash_use_psa() { component_test_psa_crypto_config_accel_cipher () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" - loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS KEY_TYPE_DES" + loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ + ALG_CTR ALG_CFB ALG_OFB ALG_XTS \ + KEY_TYPE_DES ALG_CMAC" # Configure # --------- + # There is no intended accelerator support for STREAM_CIPHER and + # ECB_NO_PADDING. Therefore, asking for them in the build implies the + # inclusion of the Mbed TLS cipher operations. As we want to test here with + # cipher operations solely supported by accelerators, disabled those + # PSA configuration options by helper_libtestdriver1_adjust_config. + # Start from the full config helper_libtestdriver1_adjust_config "full" - # There is no intended accelerator support for ALG CMAC. Therefore, asking - # for it in the build implies the inclusion of the Mbed TLS cipher - # operations. As we want to test here with cipher operations solely - # supported by accelerators, disabled this PSA configuration option. - # (Note: the same applies to STREAM_CIPHER and ECB_NO_PADDING, which are - # already disabled by helper_libtestdriver1_adjust_config above.) - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - # Disable the things that are being accelerated scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 @@ -3552,6 +3552,7 @@ component_test_psa_crypto_config_accel_cipher () { scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_CMAC_C # Build # ----- From 893623fb289d170e0a32ea8dbb26cb7bba469434 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 16 Oct 2023 11:55:37 +0800 Subject: [PATCH 107/175] PBKDF2-AES-CMAC: remove not needed preprocessor directive PBKDF2-AES-CMAC works if we provide the driver of AES-CMAC or KEY-TYPE-AES or both. So if PBKDF2-AES-CMAC is requested via PSA, we don't need to additionally enable builtin AES-CMAC or builtin KEY-TYPE-AES. Signed-off-by: Yanray Wang --- include/mbedtls/config_adjust_legacy_from_psa.h | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index e3c2ed117d..5c294e914a 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -724,8 +724,7 @@ #endif /* !MBEDTLS_PSA_ACCEL_KEY_TYPE_AES */ #if defined(PSA_HAVE_SOFT_KEY_TYPE_AES) || \ defined(PSA_HAVE_SOFT_BLOCK_MODE) || \ - defined(PSA_HAVE_SOFT_BLOCK_AEAD) || \ - defined(PSA_HAVE_SOFT_PBKDF2_CMAC) + defined(PSA_HAVE_SOFT_BLOCK_AEAD) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES 1 #define MBEDTLS_AES_C #endif /* PSA_HAVE_SOFT_KEY_TYPE_AES || PSA_HAVE_SOFT_BLOCK_MODE */ @@ -796,8 +795,7 @@ #if defined(PSA_WANT_ALG_CMAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC) || \ - defined(PSA_HAVE_SOFT_BLOCK_CIPHER) || \ - defined(PSA_HAVE_SOFT_PBKDF2_CMAC) + defined(PSA_HAVE_SOFT_BLOCK_CIPHER) #define MBEDTLS_PSA_BUILTIN_ALG_CMAC 1 #define MBEDTLS_CMAC_C #endif /* !MBEDTLS_PSA_ACCEL_ALG_CMAC */ From 3d43434953767d64a8bb1770e506157e1dbcc07e Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 16 Oct 2023 14:03:52 +0800 Subject: [PATCH 108/175] test_suite_psa_crypto_driver_wrappers.data: fix dependency There are some fallback test cases which should rely on builtin implementations. This commit adjusts them with correct dependencies. Signed-off-by: Yanray Wang --- ...test_suite_psa_crypto_driver_wrappers.data | 22 +++++++++---------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_driver_wrappers.data b/tests/suites/test_suite_psa_crypto_driver_wrappers.data index 54558f0f09..8ba3b79977 100644 --- a/tests/suites/test_suite_psa_crypto_driver_wrappers.data +++ b/tests/suites/test_suite_psa_crypto_driver_wrappers.data @@ -340,11 +340,11 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":15:15:0:"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_SUCCESS:PSA_SUCCESS PSA symmetric encrypt multipart: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e117393172a":16:16:0:"8f9408fe80a81d3e813da3c7b0b2bd32":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric encrypt multipart: AES-CTR, 15 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_encrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee22e409f96e93d7e11739317":15:15:0:"8f9408fe80a81d3e813da3c7b0b2bd":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric encrypt multipart: AES-CTR, 16 bytes, fake @@ -372,7 +372,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_SUCCESS:PSA_SUCCESS PSA symmetric decrypt multipart: AES-CTR, 16 bytes, fallback -depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_CIPHER +depends_on:MBEDTLS_PSA_BUILTIN_ALG_CTR:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES cipher_decrypt_multipart:PSA_ALG_CTR:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"396ee84fb75fdbb5c2b13c7fe5a654aa":16:16:0:"dd3b5e5319b7591daab1e1a92687feb2":0:PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA symmetric decrypt multipart: AES-CTR, 16 bytes, fake @@ -460,7 +460,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES aead_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_SUCCESS PSA AEAD encrypt: AES-CCM, 24 bytes, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CCM aead_encrypt:PSA_KEY_TYPE_AES:"4189351B5CAEA375A0299E81C621BF43":PSA_ALG_CCM:"48c0906930561e0ab0ef4cd972":"40a27c1d1e23ea3dbe8056b2774861a4a201cce49f19997d19206d8c8a343951":"4535d12b4377928a7c0a61c9f825a48671ea05910748c8ef":"26c56961c035a7e452cce61bc6ee220d77b3f94d18fd10b6d80e8bf80f4a46cab06d4313f0db9be9":PSA_ERROR_NOT_SUPPORTED PSA AEAD encrypt: AES-CCM, 24 bytes, INSUFFICIENT_MEMORY @@ -472,7 +472,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":PSA_SUCCESS PSA AEAD encrypt, AES-GCM, 128 bytes #1, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM aead_encrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":PSA_ERROR_NOT_SUPPORTED PSA AEAD encrypt, AES-GCM, 128 bytes #1, INSUFFICIENT_MEMORY @@ -484,7 +484,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES aead_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":PSA_SUCCESS PSA AEAD decrypt: AES-CCM, 39 bytes, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_CCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CCM aead_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"00412B4EA9CDBE3C9696766CFA":"0BE1A88BACE018B1":"4CB97F86A2A4689A877947AB8091EF5386A6FFBDD080F8120333D1FCB691F3406CBF531F83A4D8":"08E8CF97D820EA258460E96AD9CF5289054D895CEAC47C":PSA_ERROR_NOT_SUPPORTED PSA AEAD decrypt: AES-CCM, 39 bytes, INSUFFICIENT_MEMORY @@ -496,7 +496,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_SUCCESS PSA AEAD decrypt, AES-GCM, 144 bytes #1, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM aead_decrypt:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c872814365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_NOT_SUPPORTED PSA AEAD decrypt, AES-GCM, 144 bytes #1, INSUFFICIENT_MEMORY @@ -536,7 +536,7 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_ACCEL_ALG_CMAC mac_sign:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_SUCCESS PSA MAC sign, fallback: CMAC-AES-128 -depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC mac_sign:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_ERROR_NOT_SUPPORTED PSA MAC sign, driver reports error: CMAC-AES-128 @@ -576,7 +576,7 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_ACCEL_ALG_CMAC mac_verify:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_SUCCESS PSA MAC verify, fallback: CMAC-AES-128 -depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_CMAC mac_verify:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":PSA_ALG_CMAC:"6bc1bee22e409f96e93d7e117393172aae2d8a571e03ac9c9eb76fac45af8e5130c81c46a35ce411":"dfa66747de9ae63030ca32611497c827":PSA_ERROR_NOT_SUPPORTED PSA MAC verify, driver reports error: CMAC-AES-128 @@ -802,7 +802,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_encrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":PSA_SUCCESS:PSA_SUCCESS PSA AEAD encrypt setup, AES-GCM, 128 bytes #1, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM aead_encrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA AEAD encrypt setup, AES-GCM, 128 bytes #1, INSUFFICIENT_MEMORY @@ -814,7 +814,7 @@ depends_on:PSA_WANT_ALG_GCM:PSA_WANT_KEY_TYPE_AES aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_SUCCESS:PSA_SUCCESS PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, fallback -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:MBEDTLS_PSA_BUILTIN_KEY_TYPE_AES:MBEDTLS_PSA_BUILTIN_ALG_GCM aead_decrypt_setup:PSA_KEY_TYPE_AES:"a0ec7b0052541d9e9c091fb7fc481409":PSA_ALG_GCM:"00e440846db73a490573deaf3728c94f":"a3cfcb832e935eb5bc3812583b3a1b2e82920c07fda3668a35d939d8f11379bb606d39e6416b2ef336fffb15aec3f47a71e191f4ff6c56ff15913562619765b26ae094713d60bab6ab82bfc36edaaf8c7ce2cf5906554dcc5933acdb9cb42c1d24718efdc4a09256020b024b224cfe602772bd688c6c8f1041a46f7ec7d51208":"3b6de52f6e582d317f904ee768895bd4d0790912efcf27b58651d0eb7eb0b2f07222c6ffe9f7e127d98ccb132025b098a67dc0ec0083235e9f83af1ae1297df4319547cbcb745cebed36abc1f32a059a05ede6c00e0da097521ead901ad6a73be20018bda4c323faa135169e21581e5106ac20853642e9d6b17f1dd925c87281":"4365847fe0b7b7fbed325953df344a96":"5431d93278c35cfcd7ffa9ce2de5c6b922edffd5055a9eaa5b54cae088db007cf2d28efaf9edd1569341889073e87c0a88462d77016744be62132fd14a243ed6e30e12cd2f7d08a8daeec161691f3b27d4996df8745d74402ee208e4055615a8cb069d495cf5146226490ac615d7b17ab39fb4fdd098e4e7ee294d34c1312826":PSA_ERROR_NOT_SUPPORTED:PSA_SUCCESS PSA AEAD decrypt setup, AES-GCM, 144 bytes #1, insufficient memory From d2d3d6374ec0df38dca7d6bd35d9bb4fad54681f Mon Sep 17 00:00:00 2001 From: Pengyu Lv Date: Thu, 19 Oct 2023 16:50:45 +0800 Subject: [PATCH 109/175] Reword the changelog entry Signed-off-by: Pengyu Lv --- ChangeLog.d/fix-mingw32-build.txt | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ChangeLog.d/fix-mingw32-build.txt b/ChangeLog.d/fix-mingw32-build.txt index c657f23e28..feef0a2c51 100644 --- a/ChangeLog.d/fix-mingw32-build.txt +++ b/ChangeLog.d/fix-mingw32-build.txt @@ -1,4 +1,4 @@ Bugfix * Fix an inconsistency between implementations and usages of `__cpuid`, which mainly causes failures when building Windows target using - mingw or clang. Fix #8334 & #8332. + mingw or clang. Fixes #8334 & #8332. From 22334a202aea9302222fa0451652fdc688fdabaf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 19 Oct 2023 11:27:33 +0200 Subject: [PATCH 110/175] Fix some dependencies in ssl-opt.sh MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit These are explicitly PSA tests, so use PSA_WANT. Was missed by analyze_outcomes.py because those test cases were not listed properly, which will be fixed by #8088. Signed-off-by: Manuel Pégourié-Gonnard --- tests/ssl-opt.sh | 22 +++++++++++----------- 1 file changed, 11 insertions(+), 11 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 0dcff67962..51d59bbbf1 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -2572,32 +2572,32 @@ run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA run_test_psa TLS-ECDHE-ECDSA-WITH-AES-128-CBC-SHA256 run_test_psa TLS-ECDHE-ECDSA-WITH-AES-256-CBC-SHA384 -requires_config_enabled MBEDTLS_ECP_DP_SECP521R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_521 run_test_psa_force_curve "secp521r1" -requires_config_enabled MBEDTLS_ECP_DP_BP512R1_ENABLED +requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_512 run_test_psa_force_curve "brainpoolP512r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP384R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_384 run_test_psa_force_curve "secp384r1" -requires_config_enabled MBEDTLS_ECP_DP_BP384R1_ENABLED +requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_384 run_test_psa_force_curve "brainpoolP384r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_256 run_test_psa_force_curve "secp256r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP256K1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_K1_256 run_test_psa_force_curve "secp256k1" -requires_config_enabled MBEDTLS_ECP_DP_BP256R1_ENABLED +requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256 run_test_psa_force_curve "brainpoolP256r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP224R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_224 run_test_psa_force_curve "secp224r1" ## SECP224K1 is buggy via the PSA API ## (https://github.com/Mbed-TLS/mbedtls/issues/3541), ## so it is disabled in PSA even when it's enabled in Mbed TLS. ## The proper dependency would be on PSA_WANT_ECC_SECP_K1_224 but ## dependencies on PSA symbols in ssl-opt.sh are not implemented yet. -#requires_config_enabled MBEDTLS_ECP_DP_SECP224K1_ENABLED +#requires_config_enabled PSA_WANT_ECC_SECP_K1_224 #run_test_psa_force_curve "secp224k1" -requires_config_enabled MBEDTLS_ECP_DP_SECP192R1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_R1_192 run_test_psa_force_curve "secp192r1" -requires_config_enabled MBEDTLS_ECP_DP_SECP192K1_ENABLED +requires_config_enabled PSA_WANT_ECC_SECP_K1_192 run_test_psa_force_curve "secp192k1" # Test current time in ServerHello From 19192a515888557af0b6281e1964b51d0c0603ad Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 20 Oct 2023 13:05:55 +0100 Subject: [PATCH 111/175] Clarify reentrancy requirements for drivers Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 19 ++++++++++++++++--- 1 file changed, 16 insertions(+), 3 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 9e396e082b..281189cce2 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -351,7 +351,9 @@ Start with implementing threading for drivers without the "thread_safe” proper It is natural sometimes to want to perform cryptographic operations from a driver, for example calculating a hash as part of various other crypto primitives, or using a block cipher in a driver for a mode, etc. Also encrypting/authenticating communication with a secure element. -If the driver is thread safe, it is the drivers responsibility to handle re-entrancy. +**Non-thread-safe drivers:** + +A driver is non-thread-safe if the `thread-safe` property (see #driver-requirements) is set to false. In the non-thread-safe case we have these natural assumptions/requirements: 1. Drivers don't call the core for any operation for which they provide an entry point @@ -362,9 +364,20 @@ With these, the only way of a deadlock is when we have several drivers and they Potential ways for resolving this: 1. Non-thread-safe drivers must not call the core 2. Provide a new public API that drivers can safely call -3. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.) +3. Make the dispatch layer public for drivers to call +4. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.) -The first is too restrictive, the second is too expensive, the only viable option is the third. +The first is too restrictive, the second and the third would require making it a stable API, and would likely increase the code size for a relatively rare feature. Choosing the fourth as that is the most viable option. + +**Thread-safe drivers:** + +A driver is non-thread-safe if the `thread-safe` property (see #driver-requirements) is set to true. + +To make reentrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver whitelist. + +Thread-safe drivers have less guarantees from the core and need to implement more complex logic and we can reasonably expect them to be more flexible in terms of reentrancy as well. At this point hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now. + +Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the #reentrancy and #driver-requirements sections. ### Global Data From 52586895f701ccb78c4995c56d7139747e326ec3 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 20 Oct 2023 14:26:57 +0100 Subject: [PATCH 112/175] Clarify threading design document structure Separate design analysis from plans and make the distinction clear between what is implemented, what is planned to be implemented soon, what is planned to be implemented in the future, and what is ideas that are rejected. (The distinction between the last two categories doesn't have to be clear, we can't and shouldn't plan that far ahead.) Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 73 ++++++++++++++------------ 1 file changed, 40 insertions(+), 33 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 281189cce2..493d4fb7bf 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -1,9 +1,16 @@ -Thread safety of the PSA subsystem -================================== +# Thread safety of the PSA subsystem -## Requirements +Currently PSA Crypto API calls in Mbed TLS releases are not thread-safe. In Mbed TLS 3.6 we are planning to add a minimal support for thread-safety of the PSA Crypto API (see #strategy-for-3.6). -### Backward compatibility requirement +In the #design-analysis section we analyse design choices. This discussion is not constrained to what is planned for 3.6 and considers future developments. It also leaves some questions open and discusses options that have been (or probably will be) rejected. + +## Design analysis + +This section explores possible designs and does not reflect what is currently implemented. + +### Requirements + +#### Backward compatibility requirement Code that is currently working must keep working. There can be an exception for code that uses features that are advertised as experimental; for example, it would be annoying but ok to add extra requirements for drivers. @@ -18,7 +25,7 @@ Tempting platform requirements that we cannot add to the default `MBEDTLS_THREAD * Releasing a mutex from a different thread than the one that acquired it. This isn't even guaranteed to work with pthreads. * New primitives such as semaphores or condition variables. -### Correctness out of the box +#### Correctness out of the box If you build with `MBEDTLS_PSA_CRYPTO_C` and `MBEDTLS_THREADING_C`, the code must be functionally correct: no race conditions, deadlocks or livelocks. @@ -31,7 +38,7 @@ The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/ov Note that while the specification does not define the behavior in such cases, Mbed TLS can be used as a crypto service. It's acceptable if an application can mess itself up, but it is not acceptable if an application can mess up the crypto service. As a consequence, destroying a key while it's in use may violate the security property that all key material is erased as soon as `psa_destroy_key` returns, but it may not cause data corruption or read-after-free inside the key store. -### No spinning +#### No spinning The code must not spin on a potentially non-blocking task. For example, this is proscribed: ``` @@ -44,7 +51,7 @@ while (!its_my_turn) { Rationale: this can cause battery drain, and can even be a livelock (spinning forever), e.g. if the thread that might unblock this one has a lower priority. -### Driver requirements +#### Driver requirements At the time of writing, the driver interface specification does not consider multithreaded environments. @@ -59,7 +66,7 @@ Combining the two we arrive at the following policy: * Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver. * Even with a thread-safe driver, the core never starts the destruction of a key while there are operations in progress on it, and never performs concurrent calls on the same multipart operation. -### Long-term performance requirements +#### Long-term performance requirements In the short term, correctness is the important thing. We can start with a global lock. @@ -67,9 +74,9 @@ In the medium to long term, performing a slow or blocking operation (for example We may want to go directly to a more sophisticated approach because when a system works with a global lock, it's typically hard to get rid of it to get more fine-grained concurrency. -### Key destruction short-term requirements +#### Key destruction short-term requirements -#### Summary of guarantees in the short term +##### Summary of guarantees in the short term When `psa_destroy_key` returns: @@ -79,11 +86,11 @@ When `psa_destroy_key` returns: When `psa_destroy_key` is called on a key that is in use, guarantee 2. might be violated. (This is consistent with the requirement [“Correctness out of the box”](#correctness-out-of-the-box), as destroying a key while it's in use is undefined behavior.) -### Key destruction long-term requirements +#### Key destruction long-term requirements The [PSA Crypto API specification](https://armmbed.github.io/mbed-crypto/html/api/keys/management.html#key-destruction) mandates that implementations make a best effort to ensure that the key material cannot be recovered. In the long term, it would be good to guarantee that `psa_destroy_key` wipes all copies of the key material. -#### Summary of guarantees in the long term +##### Summary of guarantees in the long term When `psa_destroy_key` returns: @@ -94,11 +101,11 @@ When `psa_destroy_key` returns: As opposed to the short term requirements, all the above guarantees hold even if `psa_destroy_key` is called on a key that is in use. -## Resources to protect +### Resources to protect Analysis of the behavior of the PSA key store as of Mbed TLS 9202ba37b19d3ea25c8451fd8597fce69eaa6867. -### Global variables +#### Global variables * `psa_crypto_slot_management::global_data.key_slots[i]`: see [“Key slots”](#key-slots). @@ -120,9 +127,9 @@ Analysis of the behavior of the PSA key store as of Mbed TLS 9202ba37b19d3ea25c8 * `psa_crypto_init`: modification. * Many functions via `GUARD_MODULE_INITIALIZED`: read. -### Key slots +#### Key slots -#### Key slot array traversal +##### Key slot array traversal “Occupied key slot” is determined by `psa_is_key_slot_occupied` based on `slot->attr.type`. @@ -136,7 +143,7 @@ The following functions traverse the key slot array: * `psa_wipe_all_key_slots`: writes to all slots. * `mbedtls_psa_get_stats`: reads from all slots. -#### Key slot state +##### Key slot state The following functions modify a slot's usage state: @@ -194,13 +201,13 @@ The following functions modify a slot's usage state: * `psa_key_derivation_input_key` - reads attr.type * `psa_key_agreement_raw_internal` - reads attr.type and attr.bits -#### Determining whether a key slot is occupied +##### Determining whether a key slot is occupied `psa_is_key_slot_occupied` currently uses the `attr.type` field to determine whether a key slot is occupied. This works because we maintain the invariant that an occupied slot contains key material. With concurrency, it is desirable to allow a key slot to be reserved, but not yet contain key material or even metadata. When creating a key, determining the key type can be costly, for example when loading a persistent key from storage or (not yet implemented) when importing or unwrapping a key using an interface that determines the key type from the data that it parses. So we should not need to hold the global key store lock while the key type is undetermined. Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot. -#### Key slot content +##### Key slot content Other than what is used to determine the [“key slot state”](#key-slot-state), the contents of a key slot are only accessed as follows: @@ -236,7 +243,7 @@ Other than what is used to determine the [“key slot state”](#key-slot-state) * `psa_key_agreement_raw_internal` - passes key data to mbedtls_psa_ecp_load_representation * `psa_generate_key` - passes key data to psa_driver_wrapper_generate_key -### Random generator +#### Random generator The PSA RNG can be accessed both from various PSA functions, and from application code via `mbedtls_psa_get_random`. @@ -244,11 +251,11 @@ With the built-in RNG implementations using `mbedtls_ctr_drbg_context` or `mbedt When `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is enabled, thread safety depends on the implementation. -### Driver resources +#### Driver resources Depends on the driver. The PSA driver interface specification does not discuss whether drivers must support concurrent calls. -## Simple global lock strategy +### Simple global lock strategy Have a single mutex protecting all accesses to the key store and other global variables. In practice, this means every PSA API function needs to take the lock on entry and release on exit, except for: @@ -261,7 +268,7 @@ Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, This approach is conceptually simple, but requires extra instrumentation to every function and has bad performance in a multithreaded environment since a slow operation in one thread blocks unrelated operations on other threads. -## Global lock excluding slot content +### Global lock excluding slot content Have a single mutex protecting all accesses to the key store and other global variables, except that it's ok to access the content of a key slot without taking the lock if one of the following conditions holds: @@ -270,7 +277,7 @@ Have a single mutex protecting all accesses to the key store and other global va Note that a thread must hold the global mutex when it reads or changes a slot's state. -### Slot states +#### Slot states For concurrency purposes, a slot can be in one of three states: @@ -291,7 +298,7 @@ The current `state->lock_count` corresponds to the difference between UNUSED and There is currently no indication of when a slot is in the WRITING state. This only happens between a call to `psa_start_key_creation` and a call to one of `psa_finish_key_creation` or `psa_fail_key_creation`. This new state can be conveyed by a new boolean flag, or by setting `lock_count` to `~0`. -### Destruction of a key in use +#### Destruction of a key in use Problem: In #key-destruction-long-term-requirements we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (READING or WRITING). @@ -299,7 +306,7 @@ How do we ensure that? This needs something more sophisticated than mutexes (con Solution: after some team discussion, we've decided to rely on a new threading abstraction which mimics C11 (i.e. `mbedtls_fff` where `fff` is the C11 function name, having the same parameters and return type, with default implementations for C11, pthreads and Windows). We'll likely use condition variables in addition to mutexes. -#### Mutex only +##### Mutex only When calling `psa_wipe_key_slot` it is the callers responsibility to set the slot state to WRITING first. For most functions this is a clean UNUSED -> WRITING transition: psa_get_empty_key_slot, psa_get_and_lock_key_slot, psa_close_key, psa_purge_key. @@ -316,7 +323,7 @@ Variations: The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must be left unsupported in the first variant. This makes the first variant impractical (multipart operations returning an error in builds with multithreading enabled is not a behaviour that would be very useful to release). -### Condition variables +#### Condition variables Clean UNUSED -> WRITING transition works as before. @@ -329,17 +336,17 @@ To resolve this, we can either: 1. Depend on the deletion marker. If the slot has been reused and is marked for deletion again, the threads keep waiting until the second deletion completes. 2. Introduce a uuid (eg a global counter plus a slot ID), which is recorded by the thread waiting for deletion and checks whether it matches. If it doesn't, the function can return as the slot was already reallocated. If it does match, it can check whether it is still marked for deletion, if it is, the thread goes back to sleep, if it isn't, the function can return. -#### Platform abstraction +##### Platform abstraction Introducing condition variables to the platform abstraction layer would be best done in a major version. If we can't wait until that, we will need to introduce a new compile time flag. Considering that this only will be needed on the PSA Crypto side and the upcoming split, it makes sense to make this flag responsible for the entire PSA Crypto threading support. Therefore if we want to keep the option open for implementing this in a backward compatible manner, we need to introduce and use this new flag already when implementing #mutex-only. (If we keep the abstraction layer for mutexes the same, this shouldn't mean increase in code size and would mean only minimal effort on the porting side.) -### Operation contexts +#### Operation contexts Concurrent access to the same operation context can compromise the crypto service for example if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement. (Concurrent calls to operations is undefined behaviour, but still should not compromise the CIA of the crypto service.) Operations will have a status field protected by a global mutex similarly to key slots. On entry, API calls check the state and return an error if it is already ACTIVE. Otherwise they set it to ACTIVE and restore it to INACTIVE before returning. -### Drivers +#### Drivers Each driver that hasn’t got the "thread_safe” property set has a dedicated mutex. @@ -347,7 +354,7 @@ Implementing "thread_safe” drivers depends on the condition variable protectio Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the #condition-variables approach is implemented in the core. -#### Reentrancy +##### Reentrancy It is natural sometimes to want to perform cryptographic operations from a driver, for example calculating a hash as part of various other crypto primitives, or using a block cipher in a driver for a mode, etc. Also encrypting/authenticating communication with a secure element. @@ -379,7 +386,7 @@ Thread-safe drivers have less guarantees from the core and need to implement mor Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the #reentrancy and #driver-requirements sections. -### Global Data +#### Global Data PSA Crypto makes use of a `global_data` variable that will be accessible from multiple threads and needs to be protected. Any function accessing this variable (or its members) must take the corresponding lock first. Since `global_data` holds the RNG state, these will involve relatively expensive operations and therefore ideally `global_data` should be protected by its own, dedicated lock (different from the one protecting the key store). @@ -387,7 +394,7 @@ Note that this does not protect access to the RNG via `mbedtls_psa_get_random`, The purpose of `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` is very similar to the driver interface (and might even be added to it in the long run), therefore it makes sense to handle it the same way. In particular, we can use the `global_data` mutex to protect it as a default and when we implement the "thread_safe” property for drivers, we implement it for `MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG` as well. -### Implementation notes +#### Implementation notes Since we only have simple mutexes, locking the same mutex from the same thread is a deadlock. Therefore functions taking the global mutex must not be called while holding the same mutex. Functions taking the mutex will document this fact and the implications. From de0e3e352d07a1f497e023d1efc951918f9e51be Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 20 Oct 2023 15:12:42 +0100 Subject: [PATCH 113/175] Threading design: Update empty slot tracking Using a dedicated field allows clean separatin between key attributes and slot state. This allows us to use the same mechanics for attributes and key content. Which in turn means lower code size and easier maintenance. Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 493d4fb7bf..a1081a9b63 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -207,6 +207,8 @@ The following functions modify a slot's usage state: Instead, `psa_is_key_slot_occupied` should use the key identifier to decide whether a slot is occupied. The key identifier is always readily available: when allocating a slot for a persistent key, it's an input of the function that allocates the key slot; when allocating a slot for a volatile key, the identifier is calculated from the choice of slot. +Alternatively, we could use a dedicated indicator that the slot is occupied. The advantage of this is that no field of the `attr` structure would be needed to determine the slot state. This would be a clean separation between key attributes and slot state and `attr` could be treated exactly like key slot content. This would save code size and maintenance effort. The cost of it would be that each slot would need an extra field to indicate whether it is occupied. + ##### Key slot content Other than what is used to determine the [“key slot state”](#key-slot-state), the contents of a key slot are only accessed as follows: @@ -323,6 +325,8 @@ Variations: The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must be left unsupported in the first variant. This makes the first variant impractical (multipart operations returning an error in builds with multithreading enabled is not a behaviour that would be very useful to release). +We can't reuse the `lock_count` field to mark key slots deleted, as we still need to keep track the lock count while the slot is marked for deletion. This means that we will need to add a new field to key slots. This new field can be reused to indicate whether the slot is occupied (see #determining-whether-a-key-slot-is-occupied). (There would be three states: deleted, occupied, empty.) + #### Condition variables Clean UNUSED -> WRITING transition works as before. From 49d467c37dc0dd084ebeb4f651952b4dbed3ab77 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Fri, 20 Oct 2023 15:41:40 +0100 Subject: [PATCH 114/175] Threading design: update and clarify 3.6 plan - Separation of attr and slot state is added - Driver support is cut back Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 23 +++++++++++------------ 1 file changed, 11 insertions(+), 12 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index a1081a9b63..d6af5a9593 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -57,10 +57,10 @@ At the time of writing, the driver interface specification does not consider mul We need to define clear policies so that driver implementers know what to expect. Here are two possible policies at two ends of the spectrum; what is desirable is probably somewhere in between. -* Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it. -* At most one driver entry point is active at any given time. +* **Policy 1:** Driver entry points may be called concurrently from multiple threads, even if they're using the same key, and even including destroying a key while an operation is in progress on it. +* **Policy 2:** At most one driver entry point is active at any given time. -Combining the two we arrive at the following policy: +Combining the two we arrive at **Policy 3**: * By default, each driver only has at most one entry point active at any given time. In other words, each driver has its own exclusive lock. * Drivers have an optional `"thread_safe"` boolean property. If true, it allows concurrent calls to this driver. @@ -411,12 +411,11 @@ To avoid performance degradation, functions must not start expensive operations The goal is to provide viable threading support without extending the platform abstraction. (Condition variables should be added in 4.0.) This means that we will be relying on mutexes only. - Key Store - - Slot states guarantee safe concurrent access to slot contents - - Slot states will be protected by a global mutex - - Simple key destruction strategy as described in #mutex-only (variant 2.) -- Concurrent calls to operation contexts will be prevented by state fields which shall be protected by a global mutex -- Drivers - - The solution shall use the pre-existing MBEDTLS_THREADING_C threading abstraction - - Drivers will be protected by their own dedicated lock - only non-thread safe drivers are supported - - Constraints on the drivers and the core will be in place and documented as proposed in #reentrancy -- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex + - Slot states are described in #slot-states. They guarantee safe concurrent access to slot contents. + - Slot states will be protected by a global mutex as described in the introduction of #global-lock-excluding-slot-content. + - Simple key destruction strategy as described in #mutex-only (variant 2). + - The slot state and key attributes will be separated as described in the last paragraph of #determining-whether-a-key-slot-is-occupied. +- Concurrent calls to operation contexts will be prevented by state fields which shall be protected by a global mutex as in #operation-contexts. +- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex as described in #global-data. +- The solution shall use the pre-existing `MBEDTLS_THREADING_C` threading abstraction. That is, the flag proposed in #platform-abstraction won't be implemented. +- The core makes no additional guarantees for drivers. That is, Policy 1 in #driver-requirements applies. From 078edc205d5b640f5faa9d0d9c693055b81beeae Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Fri, 20 Oct 2023 19:14:46 +0100 Subject: [PATCH 115/175] Add missing exit labels to MPS tests Coverity flagged this due to the potential leaked memory allocations in mbedtls_mps_reader_random_usage() Signed-off-by: Paul Elliott --- tests/suites/test_suite_mps.function | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) diff --git a/tests/suites/test_suite_mps.function b/tests/suites/test_suite_mps.function index 0b8434b7c1..6751136582 100644 --- a/tests/suites/test_suite_mps.function +++ b/tests/suites/test_suite_mps.function @@ -65,6 +65,8 @@ void mbedtls_mps_reader_no_pausing_single_step_single_round(int with_acc) /* Wrapup (lower layer) */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, &paused) == 0); TEST_ASSERT(paused == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -119,6 +121,8 @@ void mbedtls_mps_reader_no_pausing_single_step_multiple_rounds(int with_acc) TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0); /* Wrapup (lower layer) */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -170,6 +174,8 @@ void mbedtls_mps_reader_no_pausing_multiple_steps_single_round(int with_acc) TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0); /* Wrapup (lower layer) */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -217,6 +223,8 @@ void mbedtls_mps_reader_no_pausing_multiple_steps_multiple_rounds(int with_acc) TEST_ASSERT(mbedtls_mps_reader_commit(&rd) == 0); /* Wrapup */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -250,6 +258,8 @@ void mbedtls_mps_reader_pausing_needed_disabled() /* Wrapup (lower layer) */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == MBEDTLS_ERR_MPS_READER_NEED_ACCUMULATOR); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -297,6 +307,7 @@ void mbedtls_mps_reader_pausing_needed_buffer_too_small() TEST_ASSERT(mbedtls_mps_reader_get(&rd, 50, &tmp, &tmp_len) == 0); TEST_MEMORY_COMPARE(tmp, tmp_len, buf + 50, 50); +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -333,6 +344,7 @@ void mbedtls_mps_reader_reclaim_overflow() TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == MBEDTLS_ERR_MPS_READER_ACCUMULATOR_TOO_SMALL); +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -458,6 +470,8 @@ void mbedtls_mps_reader_pausing(int option) /* Wrapup */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -562,6 +576,8 @@ void mbedtls_mps_reader_pausing_multiple_feeds(int option) /* Wrapup */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -623,6 +639,8 @@ void mbedtls_mps_reader_reclaim_data_left(int option) /* Wrapup */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == MBEDTLS_ERR_MPS_READER_DATA_LEFT); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -795,6 +813,7 @@ void mbedtls_mps_reader_multiple_pausing(int option) break; } +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ @@ -951,6 +970,7 @@ void mbedtls_mps_reader_random_usage(int num_out_chunks, } } +exit: /* Cleanup */ mbedtls_mps_reader_free(&rd); mbedtls_free(incoming); @@ -1103,6 +1123,7 @@ void mbedtls_reader_inconsistent_usage(int option) TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); } +exit: /* Wrapup */ mbedtls_mps_reader_free(&rd); } @@ -1136,6 +1157,8 @@ void mbedtls_mps_reader_feed_empty() /* Wrapup */ TEST_ASSERT(mbedtls_mps_reader_reclaim(&rd, NULL) == 0); + +exit: mbedtls_mps_reader_free(&rd); } /* END_CASE */ From 53a332d970aae9d8cf84a4b677bb0eabb26d9fb7 Mon Sep 17 00:00:00 2001 From: Jerry Yu Date: Mon, 23 Oct 2023 13:52:49 +0800 Subject: [PATCH 116/175] fix various issues - rename file name from `early_data.txt` to `tls13_early_data.txt` - fix typo issue - remove redundant parameter Signed-off-by: Jerry Yu --- tests/data_files/{early_data.txt => tls13_early_data.txt} | 2 +- tests/opt-testcases/tls13-misc.sh | 2 +- tests/ssl-opt.sh | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) rename tests/data_files/{early_data.txt => tls13_early_data.txt} (70%) diff --git a/tests/data_files/early_data.txt b/tests/data_files/tls13_early_data.txt similarity index 70% rename from tests/data_files/early_data.txt rename to tests/data_files/tls13_early_data.txt index f0084c3ef0..0c84b07205 100644 --- a/tests/data_files/early_data.txt +++ b/tests/data_files/tls13_early_data.txt @@ -1,3 +1,3 @@ EarlyData context: line 0 lf EarlyData context: line 1 lf -EarlyData context: If it appear, that means early_data success +EarlyData context: If it appears, that means early_data received. diff --git a/tests/opt-testcases/tls13-misc.sh b/tests/opt-testcases/tls13-misc.sh index 572a291fd2..d5efc9edc1 100755 --- a/tests/opt-testcases/tls13-misc.sh +++ b/tests/opt-testcases/tls13-misc.sh @@ -501,7 +501,7 @@ requires_all_configs_enabled MBEDTLS_SSL_EARLY_DATA MBEDTLS_SSL_SESSION_TICKETS requires_any_configs_enabled MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED \ MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL_ENABLED run_test "TLS 1.3 G->m: EarlyData: feature is disabled, fail." \ - "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1 $(get_srv_psk_list)" \ + "$P_SRV force_version=tls13 debug_level=4 max_early_data_size=-1" \ "$G_NEXT_CLI localhost --priority=NORMAL:-VERS-ALL:+VERS-TLS1.3:+GROUP-ALL -d 10 -r --earlydata $EARLY_DATA_INPUT" \ 1 \ -s "ClientHello: early_data(42) extension exists." \ diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 2ff097ff1e..696ec164aa 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -72,7 +72,7 @@ guess_config_name() { : ${MBEDTLS_TEST_OUTCOME_FILE=} : ${MBEDTLS_TEST_CONFIGURATION:="$(guess_config_name)"} : ${MBEDTLS_TEST_PLATFORM:="$(uname -s | tr -c \\n0-9A-Za-z _)-$(uname -m | tr -c \\n0-9A-Za-z _)"} -: ${EARLY_DATA_INPUT:=data_files/early_data.txt} +: ${EARLY_DATA_INPUT:=data_files/tls13_early_data.txt} O_SRV="$OPENSSL s_server -www -cert data_files/server5.crt -key data_files/server5.key" O_CLI="echo 'GET / HTTP/1.0' | $OPENSSL s_client" From 23f7e41633174a0a750812eb2713549170afa39a Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 23 Oct 2023 10:11:18 +0100 Subject: [PATCH 117/175] Threading design: improve language Co-authored-by: Paul Elliott <62069445+paul-elliott-arm@users.noreply.github.com> Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index d6af5a9593..6ff834f83a 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -333,7 +333,7 @@ Clean UNUSED -> WRITING transition works as before. `psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot state becomes UNUSED. When waking up, they wipe the slot, and return. -If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy #key-destruction-long-term-requirements none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been whiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again. +If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy #key-destruction-long-term-requirements none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been wiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again. To resolve this, we can either: @@ -378,15 +378,15 @@ Potential ways for resolving this: 3. Make the dispatch layer public for drivers to call 4. There is a whitelist of core APIs that drivers can call. Drivers providing entry points to these must not make a call to the core when handling these calls. (Drivers are still allowed to call any core API that can't have a driver entry point.) -The first is too restrictive, the second and the third would require making it a stable API, and would likely increase the code size for a relatively rare feature. Choosing the fourth as that is the most viable option. +The first is too restrictive, the second and the third would require making it a stable API, and would likely increase the code size for a relatively rare feature. We are choosing the fourth as that is the most viable option. **Thread-safe drivers:** A driver is non-thread-safe if the `thread-safe` property (see #driver-requirements) is set to true. -To make reentrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver whitelist. +To make reentrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver core API whitelist. -Thread-safe drivers have less guarantees from the core and need to implement more complex logic and we can reasonably expect them to be more flexible in terms of reentrancy as well. At this point hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now. +Thread-safe drivers have less guarantees from the core and need to implement more complex logic and we can reasonably expect them to be more flexible in terms of reentrancy as well. At this point it is hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now. Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the #reentrancy and #driver-requirements sections. From e604269a59acc37c0cef02c9023270d101939a77 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 23 Oct 2023 10:16:58 +0100 Subject: [PATCH 118/175] Threading Design: emphasise performance requirement Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 6ff834f83a..5952874b8d 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -404,7 +404,7 @@ Since we only have simple mutexes, locking the same mutex from the same thread i Releasing the mutex before a function call might introduce race conditions. Therefore might not be practical to take the mutex in low level access functions. If functions like that don't take the mutex, they need to rely on the caller to take it for them. These functions will document that the caller is required to hold the mutex. -To avoid performance degradation, functions must not start expensive operations (eg. doing cryptography) while holding the mutex. +To avoid performance degradation, functions must hold mutexes for as short time as possible. In particular, they must not start expensive operations (eg. doing cryptography) while holding the mutex. ## Strategy for 3.6 From 54bd71b40f72a3aac2fdd90adbcd6664b20bcd45 Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 23 Oct 2023 10:30:50 +0100 Subject: [PATCH 119/175] Update operation threading strategy The library does not need to provide protection, leave it to the crypto service. Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 5952874b8d..3a3e9bda6a 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -346,9 +346,11 @@ Introducing condition variables to the platform abstraction layer would be best #### Operation contexts -Concurrent access to the same operation context can compromise the crypto service for example if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement. (Concurrent calls to operations is undefined behaviour, but still should not compromise the CIA of the crypto service.) +Concurrent access to the same operation context can compromise the crypto service for example if the operation context has a pointer (depending on the compiler and the platform, the pointer assignment may or may not be atomic). This violates the functional correctness requirement of the crypto service. (Concurrent calls to operations is undefined behaviour, but still should not compromise the CIA of the crypto service.) -Operations will have a status field protected by a global mutex similarly to key slots. On entry, API calls check the state and return an error if it is already ACTIVE. Otherwise they set it to ACTIVE and restore it to INACTIVE before returning. +If we want to protect against this in the library, operations will need a status field protected by a global mutex similarly to key slots. On entry, API calls would check the state and return an error if it is already ACTIVE. Otherwise they set it to ACTIVE and restore it to INACTIVE before returning. + +Alternatively, protecting operation contexts can be left as the responsibility of the crypto service. The [PSA Crypto API Specification](https://arm-software.github.io/psa-api/crypto/1.1/overview/conventions.html#concurrent-calls) does not require the library to provide any protection in this case. A crypto service can easily add its own mutex in its operation structure wrapper (the same structure where it keeps track of which client connection owns that operation object). #### Drivers @@ -415,7 +417,6 @@ The goal is to provide viable threading support without extending the platform a - Slot states will be protected by a global mutex as described in the introduction of #global-lock-excluding-slot-content. - Simple key destruction strategy as described in #mutex-only (variant 2). - The slot state and key attributes will be separated as described in the last paragraph of #determining-whether-a-key-slot-is-occupied. -- Concurrent calls to operation contexts will be prevented by state fields which shall be protected by a global mutex as in #operation-contexts. - The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex as described in #global-data. - The solution shall use the pre-existing `MBEDTLS_THREADING_C` threading abstraction. That is, the flag proposed in #platform-abstraction won't be implemented. - The core makes no additional guarantees for drivers. That is, Policy 1 in #driver-requirements applies. From bd24d95c27c82d2e33c1ae3d2e141ecea9ebe1d1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 16 Oct 2023 16:31:32 +0200 Subject: [PATCH 120/175] legacy_from_psa: fix support for PSA_ACCEL_ALG_[STREAM_CIPHER/ECB_NO_PADDING] Signed-off-by: Valerio Setti --- .../mbedtls/config_adjust_legacy_from_psa.h | 21 ++++++++++--------- 1 file changed, 11 insertions(+), 10 deletions(-) diff --git a/include/mbedtls/config_adjust_legacy_from_psa.h b/include/mbedtls/config_adjust_legacy_from_psa.h index 5c294e914a..66d9887e19 100644 --- a/include/mbedtls/config_adjust_legacy_from_psa.h +++ b/include/mbedtls/config_adjust_legacy_from_psa.h @@ -697,11 +697,9 @@ #if (defined(PSA_WANT_ALG_CTR) && !defined(MBEDTLS_PSA_ACCEL_ALG_CTR)) || \ (defined(PSA_WANT_ALG_CFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_CFB)) || \ (defined(PSA_WANT_ALG_OFB) && !defined(MBEDTLS_PSA_ACCEL_ALG_OFB)) || \ - defined(PSA_WANT_ALG_ECB_NO_PADDING) || \ - (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \ - (defined(PSA_WANT_ALG_CBC_PKCS7) && \ - !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \ + (defined(PSA_WANT_ALG_ECB_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING)) || \ + (defined(PSA_WANT_ALG_CBC_NO_PADDING) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_NO_PADDING)) || \ + (defined(PSA_WANT_ALG_CBC_PKCS7) && !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_PKCS7)) || \ (defined(PSA_WANT_ALG_CMAC) && !defined(MBEDTLS_PSA_ACCEL_ALG_CMAC)) #define PSA_HAVE_SOFT_BLOCK_MODE 1 #endif @@ -765,8 +763,15 @@ #endif /*PSA_HAVE_SOFT_KEY_TYPE_DES || PSA_HAVE_SOFT_BLOCK_MODE */ #endif /* PSA_WANT_KEY_TYPE_DES */ +#if defined(PSA_WANT_ALG_STREAM_CIPHER) +#if !defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER) +#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 +#endif /* MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER */ +#endif /* PSA_WANT_ALG_STREAM_CIPHER */ + #if defined(PSA_WANT_KEY_TYPE_CHACHA20) -#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) +#if !defined(MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20) || \ + defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 #define MBEDTLS_CHACHA20_C #endif /*!MBEDTLS_PSA_ACCEL_KEY_TYPE_CHACHA20 */ @@ -782,10 +787,6 @@ #define PSA_HAVE_SOFT_BLOCK_CIPHER 1 #endif -#if defined(PSA_WANT_ALG_STREAM_CIPHER) -#define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 -#endif /* PSA_WANT_ALG_STREAM_CIPHER */ - #if defined(PSA_WANT_ALG_CBC_MAC) #if !defined(MBEDTLS_PSA_ACCEL_ALG_CBC_MAC) #error "CBC-MAC is not yet supported via the PSA API in Mbed TLS." From 91adb41a8cf373d6b36d0d06ccdc893a3301293e Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 16 Oct 2023 16:34:09 +0200 Subject: [PATCH 121/175] all.sh: remove fixes in test components Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 11 ----------- 1 file changed, 11 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 17f894a7b9..29390ef39d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -883,11 +883,6 @@ helper_libtestdriver1_adjust_config() { # Enable PSA-based config (necessary to use drivers) scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG - # Disable ALG_STREAM_CIPHER and ALG_ECB_NO_PADDING to avoid having - # partial support for cipher operations in the driver test library. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - # Dynamic secure element support is a deprecated feature and needs to be disabled here. # This is done to have the same form of psa_key_attributes_s for libdriver and library. scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C @@ -3535,12 +3530,6 @@ component_test_psa_crypto_config_accel_cipher () { # Configure # --------- - # There is no intended accelerator support for STREAM_CIPHER and - # ECB_NO_PADDING. Therefore, asking for them in the build implies the - # inclusion of the Mbed TLS cipher operations. As we want to test here with - # cipher operations solely supported by accelerators, disabled those - # PSA configuration options by helper_libtestdriver1_adjust_config. - # Start from the full config helper_libtestdriver1_adjust_config "full" From 221d8aa8e747759544f3a9c11cf6200fdc8c3e28 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 17 Oct 2023 13:55:38 +0200 Subject: [PATCH 122/175] libtestdriver1: fix acceleration for ALG_STREAM_CIPHER/ALG_ECB_NO_PADDING Signed-off-by: Valerio Setti --- .../crypto_config_test_driver_extension.h | 18 ++++++++++++++++-- 1 file changed, 16 insertions(+), 2 deletions(-) diff --git a/tests/include/test/drivers/crypto_config_test_driver_extension.h b/tests/include/test/drivers/crypto_config_test_driver_extension.h index b0bbc44211..0eedb8b106 100644 --- a/tests/include/test/drivers/crypto_config_test_driver_extension.h +++ b/tests/include/test/drivers/crypto_config_test_driver_extension.h @@ -48,6 +48,22 @@ #endif #endif +#if defined(PSA_WANT_ALG_STREAM_CIPHER) +#if defined(MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER) +#undef MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER +#else +#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1 +#endif +#endif + +#if defined(PSA_WANT_ALG_ECB_NO_PADDING) +#if defined(MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING) +#undef MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING +#else +#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1 +#endif +#endif + #if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) #if defined(MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA) #undef MBEDTLS_PSA_ACCEL_ALG_DETERMINISTIC_ECDSA @@ -403,7 +419,6 @@ #define MBEDTLS_PSA_ACCEL_ALG_CBC_MAC 1 #define MBEDTLS_PSA_ACCEL_ALG_CCM 1 -#define MBEDTLS_PSA_ACCEL_ALG_ECB_NO_PADDING 1 #define MBEDTLS_PSA_ACCEL_ALG_GCM 1 #define MBEDTLS_PSA_ACCEL_ALG_HKDF 1 #define MBEDTLS_PSA_ACCEL_ALG_HKDF_EXTRACT 1 @@ -411,7 +426,6 @@ #define MBEDTLS_PSA_ACCEL_ALG_HMAC 1 #define MBEDTLS_PSA_ACCEL_ALG_RSA_OAEP 1 #define MBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT 1 -#define MBEDTLS_PSA_ACCEL_ALG_STREAM_CIPHER 1 #if defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA) && \ defined(MBEDTLS_PSA_ACCEL_ALG_ECDH) && \ From 0244fbbf28d693588aafb622b4ae19cf51ae5fee Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 19 Oct 2023 10:42:31 +0200 Subject: [PATCH 123/175] all.sh: accelerate ALG_ECB_NO_PADDING in test_psa_crypto_config_accel_cipher() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 29390ef39d..86e8a0ecaa 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3523,9 +3523,9 @@ component_test_psa_crypto_config_reference_hash_use_psa() { component_test_psa_crypto_config_accel_cipher () { msg "test: MBEDTLS_PSA_CRYPTO_CONFIG with accelerated cipher" - loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ - ALG_CTR ALG_CFB ALG_OFB ALG_XTS \ - KEY_TYPE_DES ALG_CMAC" + loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 \ + ALG_CTR ALG_CFB ALG_OFB ALG_XTS ALG_CMAC \ + KEY_TYPE_DES" # Configure # --------- From 66d5512571305e3aed3bf5a28e0ee7a5c020bad4 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Mon, 23 Oct 2023 15:12:32 +0100 Subject: [PATCH 124/175] Remove dependency on asm/hwcap.h Signed-off-by: Dave Rodgman --- library/sha256.c | 8 +++++++- tests/scripts/all.sh | 5 +---- 2 files changed, 8 insertions(+), 5 deletions(-) diff --git a/library/sha256.c b/library/sha256.c index a6d0a7a46d..596b2c533f 100644 --- a/library/sha256.c +++ b/library/sha256.c @@ -126,7 +126,13 @@ # if defined(__linux__) /* Our preferred method of detection is getauxval() */ # include -# include +/* These are not always defined via sys/auxv.h */ +# if !defined(HWCAP_SHA2) +# define HWCAP_SHA2 (1 << 6) +# endif +# if !defined(HWCAP2_SHA2) +# define HWCAP2_SHA2 (1 << 3) +# endif # endif /* Use SIGILL on Unix, and fall back to it on Linux */ # include diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 28767eb3f3..114f27109d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4344,10 +4344,7 @@ support_build_sha_armce() { # clang >= 4 is required to build with SHA extensions clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" - # we need asm/hwcap.h available for runtime detection - echo '#include ' | clang -E - >/dev/null 2>&1 && have_hwcap=1 || have_hwcap=0 - - [[ "${clang_ver}" -ge 4 && "${have_hwcap}" -eq 1 ]] + [[ "${clang_ver}" -ge 4 ]] else # clang not available false From 6c68df4155d20f63f94a0325b93d1074e243e132 Mon Sep 17 00:00:00 2001 From: Paul Elliott Date: Mon, 23 Oct 2023 15:33:37 +0100 Subject: [PATCH 125/175] Convert interruptible test over to using TEST_CALLOC Also fix potential leak in unlikely edge case. Signed-off-by: Paul Elliott --- tests/suites/test_suite_psa_crypto.function | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 2dfc7a4bfc..a510f8e01a 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function @@ -7639,8 +7639,7 @@ void interruptible_signverify_hash_edgecase_tests(int key_type_arg, * no reliance on external buffers. */ psa_interruptible_set_max_ops(PSA_INTERRUPTIBLE_MAX_OPS_UNLIMITED); - input_buffer = mbedtls_calloc(1, input_data->len); - TEST_ASSERT(input_buffer != NULL); + TEST_CALLOC(input_buffer, input_data->len); memcpy(input_buffer, input_data->x, input_data->len); @@ -7657,8 +7656,7 @@ void interruptible_signverify_hash_edgecase_tests(int key_type_arg, PSA_ASSERT(psa_sign_hash_abort(&sign_operation)); - input_buffer = mbedtls_calloc(1, input_data->len); - TEST_ASSERT(input_buffer != NULL); + TEST_CALLOC(input_buffer, input_data->len); memcpy(input_buffer, input_data->x, input_data->len); @@ -7683,6 +7681,7 @@ exit: psa_destroy_key(key); mbedtls_free(signature); + mbedtls_free(input_buffer); PSA_DONE(); } /* END_CASE */ From f842868dd9dfe3105d0357a66246ec1ca0d10de9 Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Tue, 24 Oct 2023 14:18:38 +0100 Subject: [PATCH 126/175] Fix MBEDTLS_MAYBE_UNUSED for IAR Signed-off-by: Dave Rodgman --- library/common.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/library/common.h b/library/common.h index 570b97eca9..73b3d61272 100644 --- a/library/common.h +++ b/library/common.h @@ -344,8 +344,11 @@ static inline void mbedtls_xor_no_simd(unsigned char *r, # define MBEDTLS_MAYBE_UNUSED __attribute__((unused)) #endif #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__) +/* IAR does support __attribute__((unused)), but only if the -e flag (extended language support) + * is given; the pragma always works. + * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless. */ # if (__VER__ >= 8010000) // IAR 8.1 or later -# define MBEDTLS_MAYBE_UNUSED __attribute__((unused)) +# define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177") # endif #endif #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(_MSC_VER) From b6b301fa8d9bbd8f42bb7df69605e58867bbb9b3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 4 Oct 2023 12:05:05 +0200 Subject: [PATCH 127/175] test: add component accelerating both ciphers and AEADs This also adds a new task in analyze_outcomes.py for checking the accelaration coverage against the reference element. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 96 ++++++++++++++++++++++++++++++- tests/scripts/analyze_outcomes.py | 11 ++++ 2 files changed, 106 insertions(+), 1 deletion(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index f76edda4e9..a0430abd53 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -204,7 +204,7 @@ pre_initialize_variables () { # CFLAGS and LDFLAGS for Asan builds that don't use CMake # default to -O2, use -Ox _after_ this if you want another level - ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + ASAN_CFLAGS='-O0 -g -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # Platform tests have an allocation that returns null export ASAN_OPTIONS="allocator_may_return_null=1" @@ -3596,6 +3596,100 @@ component_test_psa_crypto_config_accel_aead () { make test } +# The 2 following test components, i.e. +# - component_test_psa_crypto_config_accel_cipher_aead +# - component_test_psa_crypto_config_reference_cipher_aead +# are meant to be used together in analyze_outcomes.py script in order to test +# driver's coverage for ciphers and AEADs. +component_test_psa_crypto_config_accel_cipher_aead () { + msg "test: crypto config with accelerated cipher and AEAD" + + loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS \ + ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ + KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" + + # Configure + # --------- + + # Start from the crypto config (no X509 and TLS) + helper_libtestdriver1_adjust_config "crypto" + + # There is no intended accelerator support for ALG CMAC. Therefore, asking + # for it in the build implies the inclusion of the Mbed TLS cipher + # operations. As we want to test here with cipher operations solely + # supported by accelerators, disabled this PSA configuration option. + # (Note: the same applies to STREAM_CIPHER and ECB_NO_PADDING, which are + # already disabled by helper_libtestdriver1_adjust_config above.) + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + + # Disable the things that are being accelerated + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7 + scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR + scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB + scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CHACHA20_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + + # Disable dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + # Build + # ----- + + helper_libtestdriver1_make_drivers "$loc_accel_list" + + helper_libtestdriver1_make_main "$loc_accel_list" + + # Make sure this was not re-enabled by accident (additive config) + not grep mbedtls_des* library/des.o + not grep mbedtls_aes* library/aes.o + not grep mbedtls_aria* library/aria.o + not grep mbedtls_camellia* library/camellia.o + not grep mbedtls_ccm library/ccm.o + not grep mbedtls_gcm library/gcm.o + not grep mbedtls_chachapoly library/chachapoly.o + not grep mbedtls_cmac library/cmac.o + + # Run the tests + # ------------- + + msg "test: crypto config with accelerated cipher and AEAD" + make test +} + +component_test_psa_crypto_config_reference_cipher_aead () { + helper_libtestdriver1_adjust_config "crypto" + + # Disable the same dependencies and undesired components as in the + # accelerated counterpart + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + # ALG_PBKDF2_AES_CMAC_PRF_128 is disabled on the accelerated counterpart + # so we disable PKCS5/12 here for simmetry + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_PKCS12_C + + msg "test: crypto config with non-accelerated cipher and AEAD" + make test +} + component_test_aead_chachapoly_disabled() { msg "build: full minus CHACHAPOLY" scripts/config.py full diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 9254331189..b7fb5775c3 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -214,6 +214,17 @@ KNOWN_TASKS = { } } }, + 'analyze_driver_vs_reference_cipher_aead': { + 'test_function': do_analyze_driver_vs_reference, + 'args': { + 'component_ref': 'test_psa_crypto_config_reference_cipher_aead', + 'component_driver': 'test_psa_crypto_config_accel_cipher_aead', + 'ignored_suites': [ + ], + 'ignored_tests': { + } + } + }, 'analyze_driver_vs_reference_ecp_light_only': { 'test_function': do_analyze_driver_vs_reference, 'args': { From d3bdccc0635a550994f4c63d715cbcc4e8918548 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 4 Oct 2023 12:09:06 +0200 Subject: [PATCH 128/175] test_suite_cipher: successfully quit test if no cipher is supported Signed-off-by: Valerio Setti --- tests/suites/test_suite_cipher.function | 10 ++++++++-- 1 file changed, 8 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 3140ba9edc..336357e844 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -173,8 +173,8 @@ void cipher_invalid_param_unconditional() unsigned char valid_buffer[] = { 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07 }; int valid_size = sizeof(valid_buffer); int valid_bitlen = valid_size * 8; - const mbedtls_cipher_info_t *valid_info = mbedtls_cipher_info_from_type( - *(mbedtls_cipher_list())); + const int *cipher_list = mbedtls_cipher_list(); + const mbedtls_cipher_info_t *valid_info; size_t size_t_var; (void) valid_mode; /* In some configurations this is unused */ @@ -182,6 +182,12 @@ void cipher_invalid_param_unconditional() mbedtls_cipher_init(&valid_ctx); mbedtls_cipher_init(&invalid_ctx); + /* Ensure that there is at least 1 supported cipher, otherwise exit gracefully */ + if (*cipher_list == 0) { + goto exit; + } + valid_info = mbedtls_cipher_info_from_type(*cipher_list); + TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, valid_info) == 0); /* mbedtls_cipher_setup() */ From 7448cee8f017d660db69751c0938fc20a84531d7 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 4 Oct 2023 15:46:42 +0200 Subject: [PATCH 129/175] analyze_outcomes.py: skip tests that depends on builtin features Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 61 +++++++++++++++++++++++++++++++ 1 file changed, 61 insertions(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index b7fb5775c3..bc99a043f8 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -219,9 +219,70 @@ KNOWN_TASKS = { 'args': { 'component_ref': 'test_psa_crypto_config_reference_cipher_aead', 'component_driver': 'test_psa_crypto_config_accel_cipher_aead', + # Ignore suites that are being accelerated 'ignored_suites': [ + 'aes.cbc', + 'aes.cfb', + 'aes.ecb', + 'aes.ofb', + 'aes.rest', + 'aes.xts', + 'aria', + 'camellia', + 'ccm', + 'chacha20', + 'chachapoly', + 'cipher.aes', + 'cipher.aria', + 'cipher.camellia', + 'cipher.ccm', + 'cipher.chacha20', + 'cipher.chachapoly', + 'cipher.des', + 'cipher.gcm', + 'cipher.nist_kw', + 'cipher.padding', + 'des', + 'gcm.aes128_de', + 'gcm.aes128_en', + 'gcm.aes192_de', + 'gcm.aes192_en', + 'gcm.aes256_de', + 'gcm.aes256_en', + 'gcm.camellia', + 'gcm.misc', ], 'ignored_tests': { + # Following tests depends on AES_C/DES_C + 'test_suite_pem': [ + 'PEM read (AES-128-CBC + invalid iv)' + 'PEM read (DES-CBC + invalid iv)', + 'PEM read (DES-EDE3-CBC + invalid iv)', + 'PEM read (malformed PEM AES-128-CBC)', + 'PEM read (malformed PEM DES-CBC)', + 'PEM read (malformed PEM DES-EDE3-CBC)', + 'PEM read (unknown encryption algorithm)', + 'PEM read (AES-128-CBC + invalid iv)', + 'PEM read (DES-CBC + invalid iv)', + ], + # Following tests depends on AES_C/DES_C + 'test_suite_error': [ + 'Low and high error', + 'Single low error' + ], + # Following tests depends on AES_C/DES_C/GCM_C/CTR + 'test_suite_psa_crypto': [ + 'PSA AEAD encrypt/decrypt: DES-CCM not supported', + 'PSA AEAD encrypt/decrypt: invalid algorithm (CTR)', + 'PSA cipher setup: bad algorithm (unknown cipher algorithm)', + 'PSA cipher setup: incompatible key ChaCha20 for CTR', + 'PSA cipher setup: invalid key type, CTR', + 'PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes)', + ], + # Following test depends on AES_C + 'test_suite_version': [ + 'Check for MBEDTLS_AES_C when already present', + ] } } }, From 58d2b1aff262c25fcc78dbbea715d84daf206314 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Oct 2023 15:24:12 +0200 Subject: [PATCH 130/175] all.sh: fix minor issues Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a0430abd53..a484df0117 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -204,7 +204,7 @@ pre_initialize_variables () { # CFLAGS and LDFLAGS for Asan builds that don't use CMake # default to -O2, use -Ox _after_ this if you want another level - ASAN_CFLAGS='-O0 -g -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # Platform tests have an allocation that returns null export ASAN_OPTIONS="allocator_may_return_null=1" @@ -3652,10 +3652,10 @@ component_test_psa_crypto_config_accel_cipher_aead () { helper_libtestdriver1_make_main "$loc_accel_list" # Make sure this was not re-enabled by accident (additive config) - not grep mbedtls_des* library/des.o - not grep mbedtls_aes* library/aes.o - not grep mbedtls_aria* library/aria.o - not grep mbedtls_camellia* library/camellia.o + not grep mbedtls_des library/des.o + not grep mbedtls_aes library/aes.o + not grep mbedtls_aria library/aria.o + not grep mbedtls_camellia library/camellia.o not grep mbedtls_ccm library/ccm.o not grep mbedtls_gcm library/gcm.o not grep mbedtls_chachapoly library/chachapoly.o From e86677d0c3b0672072d2526ddd2252bb7cdd4ef6 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Oct 2023 16:05:10 +0200 Subject: [PATCH 131/175] pkparse: fix missing guards for pkcs5/12 functions Signed-off-by: Valerio Setti --- library/pkparse.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/library/pkparse.c b/library/pkparse.c index b4299518fd..ef57cee806 100644 --- a/library/pkparse.c +++ b/library/pkparse.c @@ -1424,7 +1424,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( unsigned char *buf; unsigned char *p, *end; mbedtls_asn1_buf pbe_alg_oid, pbe_params; -#if defined(MBEDTLS_PKCS12_C) +#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) mbedtls_cipher_type_t cipher_alg; mbedtls_md_type_t md_alg; #endif @@ -1472,7 +1472,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( /* * Decrypt EncryptedData with appropriate PBE */ -#if defined(MBEDTLS_PKCS12_C) +#if defined(MBEDTLS_PKCS12_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) if (mbedtls_oid_get_pkcs12_pbe_alg(&pbe_alg_oid, &md_alg, &cipher_alg) == 0) { if ((ret = mbedtls_pkcs12_pbe_ext(&pbe_params, MBEDTLS_PKCS12_PBE_DECRYPT, cipher_alg, md_alg, @@ -1487,7 +1487,7 @@ MBEDTLS_STATIC_TESTABLE int mbedtls_pk_parse_key_pkcs8_encrypted_der( decrypted = 1; } else #endif /* MBEDTLS_PKCS12_C */ -#if defined(MBEDTLS_PKCS5_C) +#if defined(MBEDTLS_PKCS5_C) && defined(MBEDTLS_CIPHER_PADDING_PKCS7) if (MBEDTLS_OID_CMP(MBEDTLS_OID_PKCS5_PBES2, &pbe_alg_oid) == 0) { if ((ret = mbedtls_pkcs5_pbes2_ext(&pbe_params, MBEDTLS_PKCS5_DECRYPT, pwd, pwdlen, p, len, buf, len, &outlen)) != 0) { From a6c0761c43cb1c70c762db940ab672561b709a2b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Oct 2023 18:48:24 +0200 Subject: [PATCH 132/175] cipher_wrap: fix guards for GCM/CCM AES Signed-off-by: Valerio Setti --- library/cipher_wrap.c | 38 +++++++++++++++++++------------------- library/cipher_wrap.h | 6 ++++++ 2 files changed, 25 insertions(+), 19 deletions(-) diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c index 4e1e996c6f..d977e47572 100644 --- a/library/cipher_wrap.c +++ b/library/cipher_wrap.c @@ -568,17 +568,18 @@ static const mbedtls_cipher_info_t aes_256_xts_info = { }; #endif #endif /* MBEDTLS_CIPHER_MODE_XTS */ +#endif /* MBEDTLS_AES_C */ -#if defined(MBEDTLS_GCM_C) +#if defined(MBEDTLS_GCM_C) && defined(MBEDTLS_AES_C) static int gcm_aes_setkey_wrap(void *ctx, const unsigned char *key, unsigned int key_bitlen) { return mbedtls_gcm_setkey((mbedtls_gcm_context *) ctx, MBEDTLS_CIPHER_ID_AES, key, key_bitlen); } -#endif /* MBEDTLS_GCM_C */ +#endif /* MBEDTLS_GCM_C && MBEDTLS_AES_C */ -#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA) static const mbedtls_cipher_base_t gcm_aes_info = { MBEDTLS_CIPHER_ID_AES, NULL, @@ -612,9 +613,9 @@ static const mbedtls_cipher_base_t gcm_aes_info = { NULL, #endif /* MBEDTLS_GCM_C */ }; -#endif /* MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA */ +#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */ -#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA) static const mbedtls_cipher_info_t aes_128_gcm_info = { "AES-128-GCM", 16, @@ -649,18 +650,18 @@ static const mbedtls_cipher_info_t aes_256_gcm_info = { MBEDTLS_CIPHER_BASE_INDEX_GCM_AES }; #endif -#endif /* MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA */ +#endif /* MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA */ -#if defined(MBEDTLS_CCM_C) +#if defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C) static int ccm_aes_setkey_wrap(void *ctx, const unsigned char *key, unsigned int key_bitlen) { return mbedtls_ccm_setkey((mbedtls_ccm_context *) ctx, MBEDTLS_CIPHER_ID_AES, key, key_bitlen); } -#endif /* MBEDTLS_CCM_C */ +#endif /* MBEDTLS_CCM_C && MBEDTLS_AES_C */ -#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA) static const mbedtls_cipher_base_t ccm_aes_info = { MBEDTLS_CIPHER_ID_AES, NULL, @@ -694,9 +695,9 @@ static const mbedtls_cipher_base_t ccm_aes_info = { NULL, #endif }; -#endif /* MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA */ +#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */ -#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA) static const mbedtls_cipher_info_t aes_128_ccm_info = { "AES-128-CCM", 16, @@ -731,9 +732,9 @@ static const mbedtls_cipher_info_t aes_256_ccm_info = { MBEDTLS_CIPHER_BASE_INDEX_CCM_AES }; #endif -#endif /* MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA */ +#endif /* MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA */ -#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA) static const mbedtls_cipher_info_t aes_128_ccm_star_no_tag_info = { "AES-128-CCM*-NO-TAG", 16, @@ -768,9 +769,8 @@ static const mbedtls_cipher_info_t aes_256_ccm_star_no_tag_info = { MBEDTLS_CIPHER_BASE_INDEX_CCM_AES }; #endif -#endif /* MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA */ +#endif /* MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA */ -#endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) @@ -2269,28 +2269,28 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = { MBEDTLS_CIPHER_AES_256_XTS, &aes_256_xts_info }, #endif #endif -#if defined(MBEDTLS_CIPHER_HAVE_GCM_VIA_LEGACY_OR_USE_PSA) +#endif /* MBEDTLS_AES_C */ +#if defined(MBEDTLS_CIPHER_HAVE_GCM_AES_VIA_LEGACY_OR_USE_PSA) { MBEDTLS_CIPHER_AES_128_GCM, &aes_128_gcm_info }, #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) { MBEDTLS_CIPHER_AES_192_GCM, &aes_192_gcm_info }, { MBEDTLS_CIPHER_AES_256_GCM, &aes_256_gcm_info }, #endif #endif -#if defined(MBEDTLS_CIPHER_HAVE_CCM_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_CCM_AES_VIA_LEGACY_OR_USE_PSA) { MBEDTLS_CIPHER_AES_128_CCM, &aes_128_ccm_info }, #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) { MBEDTLS_CIPHER_AES_192_CCM, &aes_192_ccm_info }, { MBEDTLS_CIPHER_AES_256_CCM, &aes_256_ccm_info }, #endif #endif -#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA) +#if defined(MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA) { MBEDTLS_CIPHER_AES_128_CCM_STAR_NO_TAG, &aes_128_ccm_star_no_tag_info }, #if !defined(MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH) { MBEDTLS_CIPHER_AES_192_CCM_STAR_NO_TAG, &aes_192_ccm_star_no_tag_info }, { MBEDTLS_CIPHER_AES_256_CCM_STAR_NO_TAG, &aes_256_ccm_star_no_tag_info }, #endif #endif -#endif /* MBEDTLS_AES_C */ #if defined(MBEDTLS_CAMELLIA_C) { MBEDTLS_CIPHER_CAMELLIA_128_ECB, &camellia_128_ecb_info }, diff --git a/library/cipher_wrap.h b/library/cipher_wrap.h index c1915bce9e..85a011caf1 100644 --- a/library/cipher_wrap.h +++ b/library/cipher_wrap.h @@ -62,6 +62,12 @@ extern "C" { #define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_VIA_LEGACY_OR_USE_PSA #endif +#if (defined(MBEDTLS_CCM_C) && defined(MBEDTLS_AES_C)) || \ + (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CCM_STAR_NO_TAG) && \ + defined(PSA_WANT_KEY_TYPE_AES)) +#define MBEDTLS_CIPHER_HAVE_CCM_STAR_NO_TAG_AES_VIA_LEGACY_OR_USE_PSA +#endif + #if defined(MBEDTLS_CHACHAPOLY_C) || \ (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CHACHA20_POLY1305)) #define MBEDTLS_CIPHER_HAVE_CHACHAPOLY_VIA_LEGACY_OR_USE_PSA From 79a02de79fe9f73a80e198dc914ff4aaa4551634 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Oct 2023 18:48:55 +0200 Subject: [PATCH 133/175] cipher: check that ctx_alloc_func is not NULL before calling it Signed-off-by: Valerio Setti --- library/cipher.c | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/library/cipher.c b/library/cipher.c index 9f9f1075c7..fd04a7de13 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -263,7 +263,8 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); - if (NULL == (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func())) { + if ((mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) && + (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func()) == NULL) { return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; } From 29bcd01cf34b03bcfbaf63467e2cb3a19620dfd4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 12 Oct 2023 18:54:58 +0200 Subject: [PATCH 134/175] all.sh: move [accel/reference]_cipher_aead to crypto_full Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index a484df0117..3b4cdd38ad 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -204,7 +204,7 @@ pre_initialize_variables () { # CFLAGS and LDFLAGS for Asan builds that don't use CMake # default to -O2, use -Ox _after_ this if you want another level - ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + ASAN_CFLAGS='-O0 -g -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # Platform tests have an allocation that returns null export ASAN_OPTIONS="allocator_may_return_null=1" @@ -3612,7 +3612,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { # --------- # Start from the crypto config (no X509 and TLS) - helper_libtestdriver1_adjust_config "crypto" + helper_libtestdriver1_adjust_config "crypto_full" # There is no intended accelerator support for ALG CMAC. Therefore, asking # for it in the build implies the inclusion of the Mbed TLS cipher @@ -3669,7 +3669,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { } component_test_psa_crypto_config_reference_cipher_aead () { - helper_libtestdriver1_adjust_config "crypto" + helper_libtestdriver1_adjust_config "crypto_full" # Disable the same dependencies and undesired components as in the # accelerated counterpart From 93941440c13585c9aa75ecd7ae36cf19fdd393b4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 13 Oct 2023 09:19:52 +0200 Subject: [PATCH 135/175] all.sh: keep PKCS5/12 enabled in the reference component This commit also add proper "ignore" fields to the "analyze_outcomes.py" script. Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 5 - tests/scripts/analyze_outcomes.py | 255 +++++++++++++++++++++++++++++- 2 files changed, 254 insertions(+), 6 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 3b4cdd38ad..83aa7a2b13 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3681,11 +3681,6 @@ component_test_psa_crypto_config_reference_cipher_aead () { scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C - # ALG_PBKDF2_AES_CMAC_PRF_128 is disabled on the accelerated counterpart - # so we disable PKCS5/12 here for simmetry - scripts/config.py unset MBEDTLS_PKCS5_C - scripts/config.py unset MBEDTLS_PKCS12_C - msg "test: crypto config with non-accelerated cipher and AEAD" make test } diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index bc99a043f8..52aadb6f62 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -282,7 +282,260 @@ KNOWN_TASKS = { # Following test depends on AES_C 'test_suite_version': [ 'Check for MBEDTLS_AES_C when already present', - ] + ], + # Following tests depends on PCKS7 + 'test_suite_pkcs12': [ + 'PBE Decrypt, (Invalid padding & PKCS7 padding enabled)', + 'PBE Decrypt, pad = 7 (OK)', + 'PBE Decrypt, pad = 8 (Invalid output size)', + 'PBE Decrypt, pad = 8 (OK)', + 'PBE Encrypt, pad = 7 (OK)', + 'PBE Encrypt, pad = 8 (Invalid output size)', + 'PBE Encrypt, pad = 8 (OK)', + ], + # Following tests depends on PCKS7 + 'test_suite_pkcs5': [ + 'PBES2 Decrypt (Invalid output size)', + 'PBES2 Decrypt (Invalid padding & PKCS7 padding enabled)', + 'PBES2 Decrypt (KDF != PBKDF2)', + 'PBES2 Decrypt (OK)', + 'PBES2 Decrypt (OK, PBKDF2 params explicit keylen)', + 'PBES2 Decrypt (OK, PBKDF2 params explicit prf_alg)', + 'PBES2 Decrypt (bad KDF AlgId: not a sequence)', + 'PBES2 Decrypt (bad KDF AlgId: overlong)', + 'PBES2 Decrypt (bad PBKDF2 params explicit keylen: overlong)', + 'PBES2 Decrypt (bad PBKDF2 params iter: not an int)', + 'PBES2 Decrypt (bad PBKDF2 params iter: overlong)', + 'PBES2 Decrypt (bad PBKDF2 params salt: not an octet string)', + 'PBES2 Decrypt (bad PBKDF2 params salt: overlong)', + 'PBES2 Decrypt (bad PBKDF2 params: not a sequence)', + 'PBES2 Decrypt (bad PBKDF2 params: overlong)', + 'PBES2 Decrypt (bad enc_scheme_alg params: len != iv_len)', + 'PBES2 Decrypt (bad enc_scheme_alg params: not an octet string)', + 'PBES2 Decrypt (bad enc_scheme_alg params: overlong)', + 'PBES2 Decrypt (bad enc_scheme_alg: not a sequence)', + 'PBES2 Decrypt (bad enc_scheme_alg: overlong)', + 'PBES2 Decrypt (bad enc_scheme_alg: unknown oid)', + 'PBES2 Decrypt (bad iter value)', + 'PBES2 Decrypt (bad params tag)', + 'PBES2 Decrypt (bad password)', + 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg != HMAC-SHA*)', + 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg not a sequence)', + 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg overlong)', + 'PBES2 Decrypt (bad, PBKDF2 params extra data)', + 'PBES2 Encrypt, pad=6 (OK)', + 'PBES2 Encrypt, pad=8 (Invalid output size)', + 'PBES2 Encrypt, pad=8 (OK)', + ], + # Following tests depends on DES + 'test_suite_pkparse': [ + 'Key ASN1 (Encrypted key PKCS12, trailing garbage data)', + 'Key ASN1 (Encrypted key PKCS5, trailing garbage data)', + 'Parse RSA Key #20 (PKCS#8 encrypted SHA1-3DES)', + 'Parse RSA Key #20.1 (PKCS#8 encrypted SHA1-3DES, wrong PW)', + 'Parse RSA Key #20.2 (PKCS#8 encrypted SHA1-3DES, no PW)', + 'Parse RSA Key #21 (PKCS#8 encrypted SHA1-3DES, 2048-bit)', + 'Parse RSA Key #21.1 (PKCS#8 encrypted SHA1-3DES, 2048-bit, wrong PW)', + 'Parse RSA Key #21.2 (PKCS#8 encrypted SHA1-3DES, 2048-bit, no PW)', + 'Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit)', + 'Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW)', + 'Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW)', + 'Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER)', + 'Parse RSA Key #24 (PKCS#8 encrypted SHA1-3DES DER, 2048-bit)', + 'Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit)', + 'Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES)', + 'Parse RSA Key #26.1 (PKCS#8 encrypted SHA1-2DES, wrong PW)', + 'Parse RSA Key #26.2 (PKCS#8 encrypted SHA1-2DES, no PW)', + 'Parse RSA Key #27 (PKCS#8 encrypted SHA1-2DES, 2048-bit)', + 'Parse RSA Key #27.1 (PKCS#8 encrypted SHA1-2DES, 2048-bit, wrong PW)', + 'Parse RSA Key #27.2 (PKCS#8 encrypted SHA1-2DES, 2048-bit no PW)', + 'Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit)', + 'Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW)', + 'Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW)', + 'Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER)', + 'Parse RSA Key #30 (PKCS#8 encrypted SHA1-2DES DER, 2048-bit)', + 'Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit)', + 'Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES)', + 'Parse RSA Key #38.1 (PKCS#8 encrypted v2 PBKDF2 3DES, wrong PW)', + 'Parse RSA Key #38.2 (PKCS#8 encrypted v2 PBKDF2 3DES, no PW)', + 'Parse RSA Key #39 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit)', + 'Parse RSA Key #39.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, wrong PW)', + 'Parse RSA Key #39.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, no PW)', + 'Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit)', + 'Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW)', + 'Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW)', + 'Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER)', + 'Parse RSA Key #41.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, wrong PW)', + 'Parse RSA Key #41.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, no PW)', + 'Parse RSA Key #42 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit)', + 'Parse RSA Key #42.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, wrong PW)', + 'Parse RSA Key #42.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, no PW)', + 'Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit)', + 'Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW)', + 'Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW)', + 'Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES)', + 'Parse RSA Key #44.1 (PKCS#8 encrypted v2 PBKDF2 DES, wrong PW)', + 'Parse RSA Key #44.2 (PKCS#8 encrypted v2 PBKDF2 DES, no PW)', + 'Parse RSA Key #45 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit)', + 'Parse RSA Key #45.1 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, wrong PW)', + 'Parse RSA Key #45.2 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, no PW)', + 'Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit)', + 'Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW)', + 'Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW)', + 'Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER)', + 'Parse RSA Key #47.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, wrong PW)', + 'Parse RSA Key #47.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, no PW)', + 'Parse RSA Key #48 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit)', + 'Parse RSA Key #48.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, wrong PW)', + 'Parse RSA Key #48.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, no PW)', + 'Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit)', + 'Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW)', + 'Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)', + 'Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)', + 'Parse RSA Key #50.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, wrong PW)', + 'Parse RSA Key #50.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, no PW)', + 'Parse RSA Key #51 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit)', + 'Parse RSA Key #51.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, wrong PW)', + 'Parse RSA Key #51.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, no PW)', + 'Parse RSA Key #52 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit)', + 'Parse RSA Key #52.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, wrong PW)', + 'Parse RSA Key #52.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, no PW)', + 'Parse RSA Key #53 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER)', + 'Parse RSA Key #53.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, wrong PW)', + 'Parse RSA Key #53.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, no PW)', + 'Parse RSA Key #54 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit)', + 'Parse RSA Key #54.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #54.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, no PW)', + 'Parse RSA Key #55 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit)', + 'Parse RSA Key #55.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #55.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, no PW)', + 'Parse RSA Key #56 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224)', + 'Parse RSA Key #56.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, wrong PW)', + 'Parse RSA Key #56.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, no PW)', + 'Parse RSA Key #57 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit)', + 'Parse RSA Key #57.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, wrong PW)', + 'Parse RSA Key #57.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, no PW)', + 'Parse RSA Key #58 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit)', + 'Parse RSA Key #58.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, wrong PW)', + 'Parse RSA Key #58.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, no PW)', + 'Parse RSA Key #59 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER)', + 'Parse RSA Key #59.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, wrong PW)', + 'Parse RSA Key #59.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, no PW)', + 'Parse RSA Key #60 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit)', + 'Parse RSA Key #60.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #60.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, no PW)', + 'Parse RSA Key #61 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit)', + 'Parse RSA Key #61.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #61.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, no PW)', + 'Parse RSA Key #62 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256)', + 'Parse RSA Key #62.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, wrong PW)', + 'Parse RSA Key #62.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, no PW)', + 'Parse RSA Key #63 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit)', + 'Parse RSA Key #63.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, wrong PW)', + 'Parse RSA Key #63.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, no PW)', + 'Parse RSA Key #64 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit)', + 'Parse RSA Key #64.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, wrong PW)', + 'Parse RSA Key #64.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, no PW)', + 'Parse RSA Key #65 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER)', + 'Parse RSA Key #65.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, wrong PW)', + 'Parse RSA Key #65.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, no PW)', + 'Parse RSA Key #66 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit)', + 'Parse RSA Key #66.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #66.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, no PW)', + 'Parse RSA Key #67 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit)', + 'Parse RSA Key #68.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #68.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, no PW)', + 'Parse RSA Key #69 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256)', + 'Parse RSA Key #69.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, wrong PW)', + 'Parse RSA Key #69.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, no PW)', + 'Parse RSA Key #70 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit)', + 'Parse RSA Key #70.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, wrong PW)', + 'Parse RSA Key #70.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, no PW)', + 'Parse RSA Key #71 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit)', + 'Parse RSA Key #71.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, wrong PW)', + 'Parse RSA Key #71.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, no PW)', + 'Parse RSA Key #72 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER)', + 'Parse RSA Key #72.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, wrong PW)', + 'Parse RSA Key #72.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, no PW)', + 'Parse RSA Key #73 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit)', + 'Parse RSA Key #73.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #73.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, no PW)', + 'Parse RSA Key #74 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit)', + 'Parse RSA Key #74.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #74.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, no PW)', + 'Parse RSA Key #75 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384)', + 'Parse RSA Key #75.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, wrong PW)', + 'Parse RSA Key #75.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, no PW)', + 'Parse RSA Key #76 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit)', + 'Parse RSA Key #76.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, wrong PW)', + 'Parse RSA Key #76.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, no PW)', + 'Parse RSA Key #77 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit)', + 'Parse RSA Key #77.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, wrong PW)', + 'Parse RSA Key #77.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, no PW)', + 'Parse RSA Key #78 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER)', + 'Parse RSA Key #78.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, wrong PW)', + 'Parse RSA Key #78.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, no PW)', + 'Parse RSA Key #79 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit)', + 'Parse RSA Key #79.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #79.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, no PW)', + 'Parse RSA Key #80 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit)', + 'Parse RSA Key #80.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #80.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, no PW)', + 'Parse RSA Key #81 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384)', + 'Parse RSA Key #81.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, wrong PW)', + 'Parse RSA Key #81.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, no PW)', + 'Parse RSA Key #82 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit)', + 'Parse RSA Key #82.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, wrong PW)', + 'Parse RSA Key #82.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, no PW)', + 'Parse RSA Key #83 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit)', + 'Parse RSA Key #83.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, wrong PW)', + 'Parse RSA Key #83.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, no PW)', + 'Parse RSA Key #84 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER)', + 'Parse RSA Key #84.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, wrong PW)', + 'Parse RSA Key #85.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, no PW)', + 'Parse RSA Key #86 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit)', + 'Parse RSA Key #86.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #86.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, no PW)', + 'Parse RSA Key #87 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit)', + 'Parse RSA Key #87.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #87.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, no PW)', + 'Parse RSA Key #88 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512)', + 'Parse RSA Key #88.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, wrong PW)', + 'Parse RSA Key #88.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, no PW)', + 'Parse RSA Key #89 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit)', + 'Parse RSA Key #89.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, wrong PW)', + 'Parse RSA Key #89.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, no PW)', + 'Parse RSA Key #90 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit)', + 'Parse RSA Key #90.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, wrong PW)', + 'Parse RSA Key #90.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, no PW)', + 'Parse RSA Key #91 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER)', + 'Parse RSA Key #91.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, wrong PW)', + 'Parse RSA Key #91.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, no PW)', + 'Parse RSA Key #92 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit)', + 'Parse RSA Key #92.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #92.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, no PW)', + 'Parse RSA Key #93 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit)', + 'Parse RSA Key #93.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #93.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, no PW)', + 'Parse RSA Key #94 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512)', + 'Parse RSA Key #94.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, wrong PW)', + 'Parse RSA Key #94.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, no PW)', + 'Parse RSA Key #95 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit)', + 'Parse RSA Key #95.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, wrong PW)', + 'Parse RSA Key #95.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, no PW)', + 'Parse RSA Key #96 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit)', + 'Parse RSA Key #96.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, wrong PW)', + 'Parse RSA Key #96.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, no PW)', + 'Parse RSA Key #97 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER)', + 'Parse RSA Key #97.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, wrong PW)', + 'Parse RSA Key #97.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, no PW)', + 'Parse RSA Key #98 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit)', + 'Parse RSA Key #98.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, wrong PW)', + 'Parse RSA Key #98.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, no PW)', + 'Parse RSA Key #99 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit)', + 'Parse RSA Key #99.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, wrong PW)', + 'Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, no PW)', + ], } } }, From b680fc4f0b2830844fa0944e3d5822a31a53965b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 13 Oct 2023 09:29:37 +0200 Subject: [PATCH 136/175] all.sh: add a common configuration function for accel/reference components Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 39 ++++++++++++++++----------------------- 1 file changed, 16 insertions(+), 23 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 83aa7a2b13..459567da3c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -204,7 +204,7 @@ pre_initialize_variables () { # CFLAGS and LDFLAGS for Asan builds that don't use CMake # default to -O2, use -Ox _after_ this if you want another level - ASAN_CFLAGS='-O0 -g -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' + ASAN_CFLAGS='-O2 -Werror -fsanitize=address,undefined -fno-sanitize-recover=all' # Platform tests have an allocation that returns null export ASAN_OPTIONS="allocator_may_return_null=1" @@ -3596,6 +3596,19 @@ component_test_psa_crypto_config_accel_aead () { make test } +# This is a common configuration function used in: +# - component_test_psa_crypto_config_accel_cipher_aead +# - component_test_psa_crypto_config_reference_cipher_aead +common_psa_crypto_config_accel_cipher_aead() { + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C +} + # The 2 following test components, i.e. # - component_test_psa_crypto_config_accel_cipher_aead # - component_test_psa_crypto_config_reference_cipher_aead @@ -3614,14 +3627,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { # Start from the crypto config (no X509 and TLS) helper_libtestdriver1_adjust_config "crypto_full" - # There is no intended accelerator support for ALG CMAC. Therefore, asking - # for it in the build implies the inclusion of the Mbed TLS cipher - # operations. As we want to test here with cipher operations solely - # supported by accelerators, disabled this PSA configuration option. - # (Note: the same applies to STREAM_CIPHER and ECB_NO_PADDING, which are - # already disabled by helper_libtestdriver1_adjust_config above.) - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + common_psa_crypto_config_accel_cipher_aead # Disable the things that are being accelerated scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC @@ -3639,11 +3645,6 @@ component_test_psa_crypto_config_accel_cipher_aead () { scripts/config.py unset MBEDTLS_CHACHA20_C scripts/config.py unset MBEDTLS_CAMELLIA_C - # Disable dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - # Build # ----- @@ -3671,15 +3672,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { component_test_psa_crypto_config_reference_cipher_aead () { helper_libtestdriver1_adjust_config "crypto_full" - # Disable the same dependencies and undesired components as in the - # accelerated counterpart - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C + common_psa_crypto_config_accel_cipher_aead msg "test: crypto config with non-accelerated cipher and AEAD" make test From 5cd18f91504a94723b424a05a0b2d0b86b486388 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 13 Oct 2023 15:14:07 +0200 Subject: [PATCH 137/175] analyze_oucomes.py: ignore line-too-long error for skipped tests Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 1 + 1 file changed, 1 insertion(+) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 52aadb6f62..327e923c4a 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -328,6 +328,7 @@ KNOWN_TASKS = { 'PBES2 Encrypt, pad=8 (OK)', ], # Following tests depends on DES + # pylint: disable=line-too-long 'test_suite_pkparse': [ 'Key ASN1 (Encrypted key PKCS12, trailing garbage data)', 'Key ASN1 (Encrypted key PKCS5, trailing garbage data)', From 9d9b4b547f22489915e576f8261ff78249e2c7eb Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 19 Oct 2023 10:51:03 +0200 Subject: [PATCH 138/175] test_suite_cipher: use TEST_ASSUME() to evaluate supported ciphers Signed-off-by: Valerio Setti --- tests/suites/test_suite_cipher.function | 4 +--- 1 file changed, 1 insertion(+), 3 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 336357e844..aca415095f 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -183,9 +183,7 @@ void cipher_invalid_param_unconditional() mbedtls_cipher_init(&invalid_ctx); /* Ensure that there is at least 1 supported cipher, otherwise exit gracefully */ - if (*cipher_list == 0) { - goto exit; - } + TEST_ASSUME(*cipher_list != 0); valid_info = mbedtls_cipher_info_from_type(*cipher_list); TEST_ASSERT(mbedtls_cipher_setup(&valid_ctx, valid_info) == 0); From 3b1559060a46468d132bb4bfd28656308110f1f4 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 09:38:54 +0200 Subject: [PATCH 139/175] test_suite_psa_crypto: replace builtin dependencies with PSA_WANT Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 9 --------- tests/suites/test_suite_psa_crypto.data | 12 ++++++------ 2 files changed, 6 insertions(+), 15 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 327e923c4a..b669d4b79b 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -270,15 +270,6 @@ KNOWN_TASKS = { 'Low and high error', 'Single low error' ], - # Following tests depends on AES_C/DES_C/GCM_C/CTR - 'test_suite_psa_crypto': [ - 'PSA AEAD encrypt/decrypt: DES-CCM not supported', - 'PSA AEAD encrypt/decrypt: invalid algorithm (CTR)', - 'PSA cipher setup: bad algorithm (unknown cipher algorithm)', - 'PSA cipher setup: incompatible key ChaCha20 for CTR', - 'PSA cipher setup: invalid key type, CTR', - 'PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes)', - ], # Following test depends on AES_C 'test_suite_version': [ 'Check for MBEDTLS_AES_C when already present', diff --git a/tests/suites/test_suite_psa_crypto.data b/tests/suites/test_suite_psa_crypto.data index 7b1974865a..f790a118d1 100644 --- a/tests/suites/test_suite_psa_crypto.data +++ b/tests/suites/test_suite_psa_crypto.data @@ -2205,7 +2205,7 @@ depends_on:PSA_WANT_ALG_CTR:PSA_WANT_KEY_TYPE_AES cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CTR:PSA_SUCCESS PSA cipher setup: bad algorithm (unknown cipher algorithm) -depends_on:MBEDTLS_AES_C +depends_on:PSA_WANT_KEY_TYPE_AES cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CATEGORY_CIPHER:PSA_ERROR_NOT_SUPPORTED PSA cipher setup: bad algorithm (not a cipher algorithm) @@ -2213,12 +2213,12 @@ depends_on:PSA_WANT_ALG_CMAC:PSA_WANT_KEY_TYPE_AES cipher_setup:PSA_KEY_TYPE_AES:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CMAC:PSA_ERROR_INVALID_ARGUMENT PSA cipher setup: invalid key type, CTR -depends_on:MBEDTLS_CIPHER_MODE_CTR +depends_on:PSA_WANT_ALG_CTR # Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here cipher_setup:PSA_KEY_TYPE_RAW_DATA:"000102030405060708090a0b0c0d0e0f":PSA_ALG_CTR:PSA_ERROR_NOT_SUPPORTED PSA cipher setup: incompatible key ChaCha20 for CTR -depends_on:PSA_WANT_KEY_TYPE_CHACHA20:MBEDTLS_CIPHER_MODE_CTR +depends_on:PSA_WANT_KEY_TYPE_CHACHA20:PSA_WANT_ALG_CTR # Either INVALID_ARGUMENT or NOT_SUPPORTED would be reasonable here cipher_setup:PSA_KEY_TYPE_CHACHA20:"000102030405060708090a0b0c0d0e0f10111213141516171819202122232425":PSA_ALG_CTR:PSA_ERROR_NOT_SUPPORTED @@ -2419,7 +2419,7 @@ depends_on:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_CBC_NO_PADDING:PSA_KEY_TYPE_AES:"2b7e151628aed2a6abf7158809cf4f3c":"2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a2a":"6bc1bee223":PSA_ERROR_INVALID_ARGUMENT PSA symmetric decrypt: CCM*-no-tag, input too short (15 bytes) -depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:MBEDTLS_AES_C +depends_on:PSA_WANT_ALG_CCM_STAR_NO_TAG:PSA_WANT_KEY_TYPE_AES cipher_decrypt_fail:PSA_ALG_CCM_STAR_NO_TAG:PSA_KEY_TYPE_AES:"19ebfde2d5468ba0a3031bde629b11fd":"5a8aa485c316e9":"2a2a2a2a2a2a2a2a":PSA_ERROR_INVALID_ARGUMENT PSA symmetric decrypt: AES-ECB, 0 bytes, good @@ -2805,7 +2805,7 @@ depends_on:PSA_WANT_ALG_CCM:PSA_WANT_KEY_TYPE_AES aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":"B96B49E21D621741632875DB7F6C9243D2D7C2":PSA_SUCCESS PSA AEAD encrypt/decrypt: DES-CCM not supported -depends_on:MBEDTLS_DES_C:MBEDTLS_CCM_C +depends_on:PSA_WANT_KEY_TYPE_DES:PSA_WANT_ALG_CCM aead_encrypt_decrypt:PSA_KEY_TYPE_DES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CCM:"000102030405060708090A0B":"EC46BB63B02520C33C49FD70":"B96B49E21D621741632875DB7F6C9243D2D7C2":PSA_ERROR_NOT_SUPPORTED PSA AEAD encrypt: AES-CCM, 23 bytes @@ -3201,7 +3201,7 @@ depends_on:PSA_WANT_ALG_CHACHA20_POLY1305:PSA_WANT_KEY_TYPE_CHACHA20 aead_decrypt:PSA_KEY_TYPE_CHACHA20:"808182838485868788898a8b8c8d8e8f909192939495969798999a9b9c9d9e9f":PSA_ALG_CHACHA20_POLY1305:"07000000404142434445464700":"":"a0784d7a4716f3feb4f64e7f4b39bf04":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD encrypt/decrypt: invalid algorithm (CTR) -depends_on:MBEDTLS_AES_C:MBEDTLS_GCM_C +depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM aead_encrypt_decrypt:PSA_KEY_TYPE_AES:"D7828D13B2B0BDC325A76236DF93CC6B":PSA_ALG_CTR:"000102030405060708090A0B0C0D0E0F":"":"":PSA_ERROR_INVALID_ARGUMENT PSA AEAD encrypt/decrypt: invalid algorithm (ChaCha20) From 97454fde546e21fd5d316f87f2d4a696f41111ec Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 25 Oct 2023 12:27:12 +0200 Subject: [PATCH 140/175] all.sh: accelerate CMAC in test_psa_crypto_config_accel_cipher_aead() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 ++---- tests/scripts/analyze_outcomes.py | 1 + 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 459567da3c..d169b58da4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3600,12 +3600,9 @@ component_test_psa_crypto_config_accel_aead () { # - component_test_psa_crypto_config_accel_cipher_aead # - component_test_psa_crypto_config_reference_cipher_aead common_psa_crypto_config_accel_cipher_aead() { - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C } @@ -3618,7 +3615,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { msg "test: crypto config with accelerated cipher and AEAD" loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS \ - ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 \ + ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" # Configure @@ -3639,6 +3636,7 @@ component_test_psa_crypto_config_accel_cipher_aead () { scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C + scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_DES_C scripts/config.py unset MBEDTLS_AES_C scripts/config.py unset MBEDTLS_ARIA_C diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index b669d4b79b..e1d465d1df 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -251,6 +251,7 @@ KNOWN_TASKS = { 'gcm.aes256_en', 'gcm.camellia', 'gcm.misc', + 'cmac', ], 'ignored_tests': { # Following tests depends on AES_C/DES_C From ad8b7f0306a7a51779332c3eb39617e9e691f84a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 25 Oct 2023 12:39:50 +0200 Subject: [PATCH 141/175] all.sh: accelerate ALG_[STREAM_CIPHER/ECB_NO_PADDING] in accel_cipher_aead() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 5 ++--- 1 file changed, 2 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d169b58da4..b0b32fed50 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -3600,8 +3600,6 @@ component_test_psa_crypto_config_accel_aead () { # - component_test_psa_crypto_config_accel_cipher_aead # - component_test_psa_crypto_config_reference_cipher_aead common_psa_crypto_config_accel_cipher_aead() { - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_NIST_KW_C } @@ -3614,7 +3612,8 @@ common_psa_crypto_config_accel_cipher_aead() { component_test_psa_crypto_config_accel_cipher_aead () { msg "test: crypto config with accelerated cipher and AEAD" - loc_accel_list="ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB ALG_OFB ALG_XTS \ + loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \ + ALG_OFB ALG_XTS ALG_STREAM_CIPHER \ ALG_GCM ALG_CCM ALG_CHACHA20_POLY1305 ALG_CMAC \ KEY_TYPE_DES KEY_TYPE_AES KEY_TYPE_ARIA KEY_TYPE_CHACHA20 KEY_TYPE_CAMELLIA" From d1c4fb07eead59921b25cfa21dc606788c57539f Mon Sep 17 00:00:00 2001 From: Dave Rodgman Date: Wed, 25 Oct 2023 15:07:35 +0100 Subject: [PATCH 142/175] Support older IAR versions Signed-off-by: Dave Rodgman --- library/common.h | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/library/common.h b/library/common.h index 73b3d61272..87fae171cd 100644 --- a/library/common.h +++ b/library/common.h @@ -346,8 +346,11 @@ static inline void mbedtls_xor_no_simd(unsigned char *r, #if !defined(MBEDTLS_MAYBE_UNUSED) && defined(__IAR_SYSTEMS_ICC__) && defined(__VER__) /* IAR does support __attribute__((unused)), but only if the -e flag (extended language support) * is given; the pragma always works. - * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless. */ -# if (__VER__ >= 8010000) // IAR 8.1 or later + * Unfortunately the pragma affects the rest of the file where it is used, but this is harmless. + * Check for version 5.2 or later - this pragma may be supported by earlier versions, but I wasn't + * able to find documentation). + */ +# if (__VER__ >= 5020000) # define MBEDTLS_MAYBE_UNUSED _Pragma("diag_suppress=Pe177") # endif #endif From bf3c3fa122dc80b0d495dc80a616f393aadfdb16 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Oct 2023 17:40:19 +0200 Subject: [PATCH 143/175] Define try_chdir everywhere Signed-off-by: Gilles Peskine --- tests/suites/host_test.function | 9 ++++++++- tests/suites/main_test.function | 4 +--- 2 files changed, 9 insertions(+), 4 deletions(-) diff --git a/tests/suites/host_test.function b/tests/suites/host_test.function index 736883fe10..d8ff49ef17 100644 --- a/tests/suites/host_test.function +++ b/tests/suites/host_test.function @@ -442,7 +442,7 @@ static void write_outcome_result(FILE *outcome_file, * * Failures are silent. */ -static void try_chdir(const char *argv0) +static void try_chdir_if_supported(const char *argv0) { /* We might want to allow backslash as well, for Windows. But then we also * need to consider chdir() vs _chdir(), and different conventions @@ -467,6 +467,13 @@ static void try_chdir(const char *argv0) } mbedtls_free(path); } +#else /* MBEDTLS_HAVE_CHDIR */ +/* No chdir() or no support for parsing argv[0] on this platform. */ +static void try_chdir_if_supported(const char *argv0) +{ + (void) argv0; + return; +} #endif /* MBEDTLS_HAVE_CHDIR */ /** diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index eb74e8f0cc..6ab4a5618c 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -237,7 +237,6 @@ int main(int argc, const char *argv[]) #endif #endif -#ifdef MBEDTLS_HAVE_CHDIR /* Try changing to the directory containing the executable, if * using the default data file. This allows running the executable * from another directory (e.g. the project root) and still access @@ -249,8 +248,7 @@ int main(int argc, const char *argv[]) * test-specific files such as the outcome file, which is arguably * not desirable and should be fixed later. */ - try_chdir(argv[0]); -#endif /* MBEDTLS_HAVE_CHDIR */ + try_chdir_if_supported(argv[0]); int ret = mbedtls_test_platform_setup(); if (ret != 0) { From cc2bbfe905253ac7920b65d130198954aff38b9d Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 25 Oct 2023 17:43:51 +0200 Subject: [PATCH 144/175] Fix invocation with explicit .datax file Don't chdir when invoking a test suite executable with an explicit .datax file. The point of the chdir is to automatically find the .datax file (and the relative location of the data_files directory) in typical cases. This conflicts with the expectation that passing a relative path to a .datax file will work. (This is what I had originally intended, and what is documented in the comment, but I forgot to add the argc check in the initial commit.) Signed-off-by: Gilles Peskine --- tests/suites/main_test.function | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index 6ab4a5618c..ef1898ba38 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function @@ -248,7 +248,9 @@ int main(int argc, const char *argv[]) * test-specific files such as the outcome file, which is arguably * not desirable and should be fixed later. */ - try_chdir_if_supported(argv[0]); + if (argc == 1) { + try_chdir_if_supported(argv[0]); + } int ret = mbedtls_test_platform_setup(); if (ret != 0) { From bbc46b4cc2c743951c9c436c4e3e04877faad689 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 26 Oct 2023 09:00:21 +0200 Subject: [PATCH 145/175] cipher: improve code readibility in mbedtls_cipher_setup() Signed-off-by: Valerio Setti --- library/cipher.c | 8 +++++--- 1 file changed, 5 insertions(+), 3 deletions(-) diff --git a/library/cipher.c b/library/cipher.c index fd04a7de13..67ed0e3207 100644 --- a/library/cipher.c +++ b/library/cipher.c @@ -263,9 +263,11 @@ int mbedtls_cipher_setup(mbedtls_cipher_context_t *ctx, memset(ctx, 0, sizeof(mbedtls_cipher_context_t)); - if ((mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) && - (ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func()) == NULL) { - return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; + if (mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func != NULL) { + ctx->cipher_ctx = mbedtls_cipher_get_base(cipher_info)->ctx_alloc_func(); + if (ctx->cipher_ctx == NULL) { + return MBEDTLS_ERR_CIPHER_ALLOC_FAILED; + } } ctx->cipher_info = cipher_info; From 507e08f9af5d052a7df21497acfed3f2ad2a973d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 26 Oct 2023 09:44:06 +0200 Subject: [PATCH 146/175] analyze_outcomes: update cipher/aead data Signed-off-by: Valerio Setti --- tests/scripts/analyze_outcomes.py | 55 ++++++++++--------------------- 1 file changed, 17 insertions(+), 38 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index e1d465d1df..706421f6c4 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -219,42 +219,18 @@ KNOWN_TASKS = { 'args': { 'component_ref': 'test_psa_crypto_config_reference_cipher_aead', 'component_driver': 'test_psa_crypto_config_accel_cipher_aead', - # Ignore suites that are being accelerated + # Modules replaced by drivers. 'ignored_suites': [ - 'aes.cbc', - 'aes.cfb', - 'aes.ecb', - 'aes.ofb', - 'aes.rest', - 'aes.xts', - 'aria', - 'camellia', - 'ccm', - 'chacha20', - 'chachapoly', - 'cipher.aes', - 'cipher.aria', - 'cipher.camellia', - 'cipher.ccm', - 'cipher.chacha20', - 'cipher.chachapoly', - 'cipher.des', - 'cipher.gcm', - 'cipher.nist_kw', - 'cipher.padding', - 'des', - 'gcm.aes128_de', - 'gcm.aes128_en', - 'gcm.aes192_de', - 'gcm.aes192_en', - 'gcm.aes256_de', - 'gcm.aes256_en', - 'gcm.camellia', - 'gcm.misc', - 'cmac', + # low-level (block/stream) cipher modules + 'aes', 'aria', 'camellia', 'des', 'chacha20', + # AEAD modes + 'ccm', 'chachapoly', 'cmac', 'gcm', + # The Cipher abstraction layer + 'cipher', ], 'ignored_tests': { - # Following tests depends on AES_C/DES_C + # PEM decryption is not supported so far. + # The rest of PEM (write, unencrypted read) works though. 'test_suite_pem': [ 'PEM read (AES-128-CBC + invalid iv)' 'PEM read (DES-CBC + invalid iv)', @@ -266,16 +242,18 @@ KNOWN_TASKS = { 'PEM read (AES-128-CBC + invalid iv)', 'PEM read (DES-CBC + invalid iv)', ], - # Following tests depends on AES_C/DES_C + # Following tests depend on AES_C/DES_C but are not about + # them really, just need to know some error code is there. 'test_suite_error': [ 'Low and high error', 'Single low error' ], - # Following test depends on AES_C + # Similar to test_suite_error above. 'test_suite_version': [ 'Check for MBEDTLS_AES_C when already present', ], - # Following tests depends on PCKS7 + # The en/decryption part of PKCS#12 is not supported so far. + # The rest of PKCS#12 (key derivation) works though. 'test_suite_pkcs12': [ 'PBE Decrypt, (Invalid padding & PKCS7 padding enabled)', 'PBE Decrypt, pad = 7 (OK)', @@ -285,7 +263,8 @@ KNOWN_TASKS = { 'PBE Encrypt, pad = 8 (Invalid output size)', 'PBE Encrypt, pad = 8 (OK)', ], - # Following tests depends on PCKS7 + # The en/decryption part of PKCS#5 is not supported so far. + # The rest of PKCS#5 (PBKDF2) works though. 'test_suite_pkcs5': [ 'PBES2 Decrypt (Invalid output size)', 'PBES2 Decrypt (Invalid padding & PKCS7 padding enabled)', @@ -319,7 +298,7 @@ KNOWN_TASKS = { 'PBES2 Encrypt, pad=8 (Invalid output size)', 'PBES2 Encrypt, pad=8 (OK)', ], - # Following tests depends on DES + # Encrypted keys are not supported so far. # pylint: disable=line-too-long 'test_suite_pkparse': [ 'Key ASN1 (Encrypted key PKCS12, trailing garbage data)', From a365efc6f13e206d07732261b2156087091fad1c Mon Sep 17 00:00:00 2001 From: Janos Follath Date: Mon, 23 Oct 2023 11:54:30 +0100 Subject: [PATCH 147/175] Threading design: fix internal links Signed-off-by: Janos Follath --- docs/architecture/psa-thread-safety.md | 40 +++++++++++++------------- 1 file changed, 20 insertions(+), 20 deletions(-) diff --git a/docs/architecture/psa-thread-safety.md b/docs/architecture/psa-thread-safety.md index 3a3e9bda6a..0d03e324d5 100644 --- a/docs/architecture/psa-thread-safety.md +++ b/docs/architecture/psa-thread-safety.md @@ -1,8 +1,8 @@ # Thread safety of the PSA subsystem -Currently PSA Crypto API calls in Mbed TLS releases are not thread-safe. In Mbed TLS 3.6 we are planning to add a minimal support for thread-safety of the PSA Crypto API (see #strategy-for-3.6). +Currently PSA Crypto API calls in Mbed TLS releases are not thread-safe. In Mbed TLS 3.6 we are planning to add a minimal support for thread-safety of the PSA Crypto API (see section [Strategy for 3.6](#strategy-for-36)). -In the #design-analysis section we analyse design choices. This discussion is not constrained to what is planned for 3.6 and considers future developments. It also leaves some questions open and discusses options that have been (or probably will be) rejected. +In the [Design analysis](#design-analysis) section we analyse design choices. This discussion is not constrained to what is planned for 3.6 and considers future developments. It also leaves some questions open and discusses options that have been (or probably will be) rejected. ## Design analysis @@ -294,7 +294,7 @@ A high-level view of state transitions: * `psa_unlock_key_slot`: READING → UNUSED or READING. * `psa_finish_key_creation`: WRITING → READING. * `psa_fail_key_creation`: WRITING → UNUSED. -* `psa_wipe_key_slot`: any → UNUSED. If the slot is READING or WRITING on entry, this function must wait until the writer or all readers have finished. (By the way, the WRITING state is possible if `mbedtls_psa_crypto_free` is called while a key creation is in progress.) See [“Destruction of a key in use”](#destruction of a key in use). +* `psa_wipe_key_slot`: any → UNUSED. If the slot is READING or WRITING on entry, this function must wait until the writer or all readers have finished. (By the way, the WRITING state is possible if `mbedtls_psa_crypto_free` is called while a key creation is in progress.) See [“Destruction of a key in use”](#destruction-of-a-key-in-use). The current `state->lock_count` corresponds to the difference between UNUSED and READING: a slot is in use iff its lock count is nonzero, so `lock_count == 0` corresponds to UNUSED and `lock_count != 0` corresponds to READING. @@ -302,7 +302,7 @@ There is currently no indication of when a slot is in the WRITING state. This on #### Destruction of a key in use -Problem: In #key-destruction-long-term-requirements we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (READING or WRITING). +Problem: In [Key destruction long-term requirements](#key-destruction-long-term-requirements) we require that the key slot is destroyed (by `psa_wipe_key_slot`) even while it's in use (READING or WRITING). How do we ensure that? This needs something more sophisticated than mutexes (concurrency number >2)! Even a per-slot mutex isn't enough (we'd need a reader-writer lock). @@ -316,7 +316,7 @@ When calling `psa_wipe_key_slot` it is the callers responsibility to set the slo `psa_destroy_key` marks the slot as deleted, deletes persistent keys and opaque keys and returns. This only works if drivers are protected by a mutex (and the persistent storage as well if needed). When the last reading operation finishes, it wipes the key slot. This will free the key ID, but the slot might be still in use. In case of volatile keys freeing up the ID while the slot is still in use does not provide any benefit and we don't need to do it. -These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the #key-destruction-short-term-requirements. +These are serious limitations, but this can be implemented with mutexes only and arguably satisfies the [Key destruction short-term requirements](#key-destruction-short-term-requirements). Variations: @@ -325,7 +325,7 @@ Variations: The second variant can't be implemented as a backward compatible improvement on the first as multipart operations that were successfully completed in the first case, would fail in the second. If we want to implement these incrementally, multipart operations in a multithreaded environment must be left unsupported in the first variant. This makes the first variant impractical (multipart operations returning an error in builds with multithreading enabled is not a behaviour that would be very useful to release). -We can't reuse the `lock_count` field to mark key slots deleted, as we still need to keep track the lock count while the slot is marked for deletion. This means that we will need to add a new field to key slots. This new field can be reused to indicate whether the slot is occupied (see #determining-whether-a-key-slot-is-occupied). (There would be three states: deleted, occupied, empty.) +We can't reuse the `lock_count` field to mark key slots deleted, as we still need to keep track the lock count while the slot is marked for deletion. This means that we will need to add a new field to key slots. This new field can be reused to indicate whether the slot is occupied (see section [Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied)). (There would be three states: deleted, occupied, empty.) #### Condition variables @@ -333,7 +333,7 @@ Clean UNUSED -> WRITING transition works as before. `psa_wipe_all_key_slots` and `psa_destroy_key` mark the slot as deleted and go to sleep until the slot state becomes UNUSED. When waking up, they wipe the slot, and return. -If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy #key-destruction-long-term-requirements none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been wiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again. +If the slot is already marked as deleted the threads calling `psa_wipe_all_key_slots` and `psa_destroy_key` go to sleep until the deletion completes. To satisfy [Key destruction long-term requirements](#key-destruction-long-term-requirements) none of the threads may return from the call until the slot is deleted completely. This can be achieved by signalling them when the slot has already been wiped and ready for use, that is not marked for deletion anymore. To handle spurious wake-ups, these threads need to be able to tell whether the slot was already deleted. This is not trivial, because by the time the thread wakes up, theoretically the slot might be in any state. It might have been reused and maybe even marked for deletion again. To resolve this, we can either: @@ -342,7 +342,7 @@ To resolve this, we can either: ##### Platform abstraction -Introducing condition variables to the platform abstraction layer would be best done in a major version. If we can't wait until that, we will need to introduce a new compile time flag. Considering that this only will be needed on the PSA Crypto side and the upcoming split, it makes sense to make this flag responsible for the entire PSA Crypto threading support. Therefore if we want to keep the option open for implementing this in a backward compatible manner, we need to introduce and use this new flag already when implementing #mutex-only. (If we keep the abstraction layer for mutexes the same, this shouldn't mean increase in code size and would mean only minimal effort on the porting side.) +Introducing condition variables to the platform abstraction layer would be best done in a major version. If we can't wait until that, we will need to introduce a new compile time flag. Considering that this only will be needed on the PSA Crypto side and the upcoming split, it makes sense to make this flag responsible for the entire PSA Crypto threading support. Therefore if we want to keep the option open for implementing this in a backward compatible manner, we need to introduce and use this new flag already when implementing [Mutex only](#mutex-only). (If we keep the abstraction layer for mutexes the same, this shouldn't mean increase in code size and would mean only minimal effort on the porting side.) #### Operation contexts @@ -358,7 +358,7 @@ Each driver that hasn’t got the "thread_safe” property set has a dedicated Implementing "thread_safe” drivers depends on the condition variable protection in the key store, as we must guarantee that the core never starts the destruction of a key while there are operations in progress on it. -Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the #condition-variables approach is implemented in the core. +Start with implementing threading for drivers without the "thread_safe” property (all drivers behave like the property wasn't set). Add "thread_safe" drivers at some point after the [Condition variables](#condition-variables) approach is implemented in the core. ##### Reentrancy @@ -366,7 +366,7 @@ It is natural sometimes to want to perform cryptographic operations from a drive **Non-thread-safe drivers:** -A driver is non-thread-safe if the `thread-safe` property (see #driver-requirements) is set to false. +A driver is non-thread-safe if the `thread-safe` property (see [Driver requirements](#driver-requirements)) is set to false. In the non-thread-safe case we have these natural assumptions/requirements: 1. Drivers don't call the core for any operation for which they provide an entry point @@ -384,15 +384,15 @@ The first is too restrictive, the second and the third would require making it a **Thread-safe drivers:** -A driver is non-thread-safe if the `thread-safe` property (see #driver-requirements) is set to true. +A driver is non-thread-safe if the `thread-safe` property (see [Driver requirements](#driver-requirements)) is set to true. To make reentrancy in non-thread-safe drivers work, thread-safe drivers must not make a call to the core when handling a call that is on the non-thread-safe driver core API whitelist. Thread-safe drivers have less guarantees from the core and need to implement more complex logic and we can reasonably expect them to be more flexible in terms of reentrancy as well. At this point it is hard to see what further guarantees would be useful and feasible. Therefore, we don't provide any further guarantees for now. -Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the #reentrancy and #driver-requirements sections. +Thread-safe drivers must not make any assumption about the operation of the core beyond what is discussed in the [Reentrancy](#reentrancy) and [Driver requirements](#driver-requirements) sections. -#### Global Data +#### Global data PSA Crypto makes use of a `global_data` variable that will be accessible from multiple threads and needs to be protected. Any function accessing this variable (or its members) must take the corresponding lock first. Since `global_data` holds the RNG state, these will involve relatively expensive operations and therefore ideally `global_data` should be protected by its own, dedicated lock (different from the one protecting the key store). @@ -413,10 +413,10 @@ To avoid performance degradation, functions must hold mutexes for as short time The goal is to provide viable threading support without extending the platform abstraction. (Condition variables should be added in 4.0.) This means that we will be relying on mutexes only. - Key Store - - Slot states are described in #slot-states. They guarantee safe concurrent access to slot contents. - - Slot states will be protected by a global mutex as described in the introduction of #global-lock-excluding-slot-content. - - Simple key destruction strategy as described in #mutex-only (variant 2). - - The slot state and key attributes will be separated as described in the last paragraph of #determining-whether-a-key-slot-is-occupied. -- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex as described in #global-data. -- The solution shall use the pre-existing `MBEDTLS_THREADING_C` threading abstraction. That is, the flag proposed in #platform-abstraction won't be implemented. -- The core makes no additional guarantees for drivers. That is, Policy 1 in #driver-requirements applies. + - Slot states are described in the [Slot states](#slot-states) section. They guarantee safe concurrent access to slot contents. + - Slot states will be protected by a global mutex as described in the introduction of the [Global lock excluding slot content](#global-lock-excluding-slot-content) section. + - Simple key destruction strategy as described in the [Mutex only](#mutex-only) section (variant 2). + - The slot state and key attributes will be separated as described in the last paragraph of the [Determining whether a key slot is occupied](#determining-whether-a-key-slot-is-occupied) section. +- The main `global_data` (the one in `psa_crypto.c`) shall be protected by its own mutex as described in the [Global data](#global-data) section. +- The solution shall use the pre-existing `MBEDTLS_THREADING_C` threading abstraction. That is, the flag proposed in the [Platform abstraction](#platform-abstraction) section won't be implemented. +- The core makes no additional guarantees for drivers. That is, Policy 1 in section [Driver requirements](#driver-requirements) applies. From 257f6dd57d790d133a60fe5c9794dedae885d7bc Mon Sep 17 00:00:00 2001 From: Tom Cosgrove Date: Thu, 26 Oct 2023 13:58:57 +0100 Subject: [PATCH 148/175] Fix builds in conda-forge, which doesn't have CLOCK_BOOTTIME Fixes #8422 Signed-off-by: Tom Cosgrove --- ChangeLog.d/fix-linux-builds-in-conda-forge.txt | 2 ++ library/platform_util.c | 2 +- 2 files changed, 3 insertions(+), 1 deletion(-) create mode 100644 ChangeLog.d/fix-linux-builds-in-conda-forge.txt diff --git a/ChangeLog.d/fix-linux-builds-in-conda-forge.txt b/ChangeLog.d/fix-linux-builds-in-conda-forge.txt new file mode 100644 index 0000000000..5cfee855aa --- /dev/null +++ b/ChangeLog.d/fix-linux-builds-in-conda-forge.txt @@ -0,0 +1,2 @@ +Bugfix + * Fix build failure in conda-forge. Fixes #8422. diff --git a/library/platform_util.c b/library/platform_util.c index 09216edfbc..fdafa1fc66 100644 --- a/library/platform_util.c +++ b/library/platform_util.c @@ -265,7 +265,7 @@ mbedtls_ms_time_t mbedtls_ms_time(void) struct timespec tv; mbedtls_ms_time_t current_ms; -#if defined(__linux__) +#if defined(__linux__) && defined(CLOCK_BOOTTIME) ret = clock_gettime(CLOCK_BOOTTIME, &tv); #else ret = clock_gettime(CLOCK_MONOTONIC, &tv); From c1d50b631452cddb8b5cf0dda7d074535ca67cfc Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:20:00 +0200 Subject: [PATCH 149/175] check_config: fix dependency of PSA_CRYPTO_C on CIPHER_C Signed-off-by: Valerio Setti --- include/mbedtls/check_config.h | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 619f8428e3..1251cdfa7a 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -766,7 +766,9 @@ #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites (missing RNG)" #endif -#if defined(MBEDTLS_PSA_CRYPTO_C) && !defined(MBEDTLS_CIPHER_C ) +#if defined(MBEDTLS_PSA_CRYPTO_C) && \ + (defined(PSA_HAVE_SOFT_BLOCK_CIPHER) || defined(PSA_HAVE_SOFT_BLOCK_AEAD)) && \ + !defined(MBEDTLS_CIPHER_C) #error "MBEDTLS_PSA_CRYPTO_C defined, but not all prerequisites" #endif From c5d9dd262b96d2b99a0ff2c08e81bc6e29bb405b Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:21:31 +0200 Subject: [PATCH 150/175] adjust_psa_from_legacy: enable ALG_STREAM_CIPHER on when CIPHER_C is defined Signed-off-by: Valerio Setti --- include/mbedtls/config_adjust_psa_from_legacy.h | 5 ++++- 1 file changed, 4 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/config_adjust_psa_from_legacy.h b/include/mbedtls/config_adjust_psa_from_legacy.h index 088711d375..296d624613 100644 --- a/include/mbedtls/config_adjust_psa_from_legacy.h +++ b/include/mbedtls/config_adjust_psa_from_legacy.h @@ -238,9 +238,12 @@ #if defined(MBEDTLS_CHACHA20_C) #define PSA_WANT_KEY_TYPE_CHACHA20 1 -#define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_KEY_TYPE_CHACHA20 1 +/* ALG_STREAM_CIPHER requires CIPHER_C in order to be supported in PSA */ +#if defined(MBEDTLS_CIPHER_C) +#define PSA_WANT_ALG_STREAM_CIPHER 1 #define MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER 1 +#endif #if defined(MBEDTLS_CHACHAPOLY_C) #define PSA_WANT_ALG_CHACHA20_POLY1305 1 #define MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305 1 From 2c2adedd829f318047d58063992b95f7f9c5b8f3 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:22:19 +0200 Subject: [PATCH 151/175] psa_crypto_aead: add guard for CIPHER_C dependency Signed-off-by: Valerio Setti --- library/psa_crypto_aead.c | 9 +++++---- library/psa_crypto_cipher.c | 2 ++ library/psa_crypto_cipher.h | 2 ++ 3 files changed, 9 insertions(+), 4 deletions(-) diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 85d1f39be7..73d8b01e9b 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -43,13 +43,13 @@ static psa_status_t psa_aead_setup( psa_algorithm_t alg) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - size_t key_bits; - const mbedtls_cipher_info_t *cipher_info; - mbedtls_cipher_id_t cipher_id; (void) key_buffer_size; - key_bits = attributes->core.bits; +#if defined(MBEDTLS_CIPHER_C) + const mbedtls_cipher_info_t *cipher_info; + mbedtls_cipher_id_t cipher_id; + size_t key_bits = attributes->core.bits; cipher_info = mbedtls_cipher_info_from_psa(alg, attributes->core.type, key_bits, @@ -57,6 +57,7 @@ static psa_status_t psa_aead_setup( if (cipher_info == NULL) { return PSA_ERROR_NOT_SUPPORTED; } +#endif /* MBEDTLS_CIPHER_C */ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index b997a07cf1..c881d65b6b 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,6 +31,7 @@ #include +#if defined(MBEDTLS_CIPHER_C) const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, @@ -158,6 +159,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode); } +#endif /* MBEDTLS_CIPHER_C */ #if defined(MBEDTLS_PSA_BUILTIN_CIPHER) diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index bf43ff08ab..933092dddd 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -24,6 +24,7 @@ #include #include +#if defined(MBEDTLS_CIPHER_C) /** Get Mbed TLS cipher information given the cipher algorithm PSA identifier * as well as the PSA type and size of the key to be used with the cipher * algorithm. @@ -39,6 +40,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, size_t key_bits, mbedtls_cipher_id_t *cipher_id); +#endif /* MBEDTLS_CIPHER_C */ /** * \brief Set the key for a multipart symmetric encryption operation. From 4a249828a8ab2773661be9225c3bd26acc3648f2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Wed, 18 Oct 2023 12:34:54 +0200 Subject: [PATCH 152/175] psa_crypto_cipher: add mbedtls_cipher_values_from_psa() This commit splits mbedtls_cipher_info_from_psa() in 2 parts: - mbedtls_cipher_values_from_psa() that performs parameters' validation and return cipher's values - mbedtls_cipher_info_from_psa() which then use those values to return the proper cipher_info pointer. Of course this depends on CIPHER_C. Signed-off-by: Valerio Setti --- library/psa_crypto_aead.c | 19 ++++------ library/psa_crypto_cipher.c | 69 ++++++++++++++++++++++++------------- library/psa_crypto_cipher.h | 21 +++++++++++ 3 files changed, 73 insertions(+), 36 deletions(-) diff --git a/library/psa_crypto_aead.c b/library/psa_crypto_aead.c index 73d8b01e9b..6f026a0d7d 100644 --- a/library/psa_crypto_aead.c +++ b/library/psa_crypto_aead.c @@ -43,21 +43,16 @@ static psa_status_t psa_aead_setup( psa_algorithm_t alg) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - + mbedtls_cipher_id_t cipher_id; + mbedtls_cipher_mode_t mode; + size_t key_bits = attributes->core.bits; (void) key_buffer_size; -#if defined(MBEDTLS_CIPHER_C) - const mbedtls_cipher_info_t *cipher_info; - mbedtls_cipher_id_t cipher_id; - size_t key_bits = attributes->core.bits; - - cipher_info = mbedtls_cipher_info_from_psa(alg, - attributes->core.type, key_bits, - &cipher_id); - if (cipher_info == NULL) { - return PSA_ERROR_NOT_SUPPORTED; + status = mbedtls_cipher_values_from_psa(alg, attributes->core.type, + &key_bits, &mode, &cipher_id); + if (status != PSA_SUCCESS) { + return status; } -#endif /* MBEDTLS_CIPHER_C */ switch (PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0)) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index c881d65b6b..7e81dfee79 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,15 +31,15 @@ #include -#if defined(MBEDTLS_CIPHER_C) -const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( +psa_status_t mbedtls_cipher_values_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, - size_t key_bits, + size_t *key_bits, + mbedtls_cipher_mode_t *mode, mbedtls_cipher_id_t *cipher_id) { - mbedtls_cipher_mode_t mode; mbedtls_cipher_id_t cipher_id_tmp; + (void) key_bits; if (PSA_ALG_IS_AEAD(alg)) { alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0); @@ -49,66 +49,66 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( switch (alg) { #if defined(MBEDTLS_PSA_BUILTIN_ALG_STREAM_CIPHER) case PSA_ALG_STREAM_CIPHER: - mode = MBEDTLS_MODE_STREAM; + *mode = MBEDTLS_MODE_STREAM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CTR) case PSA_ALG_CTR: - mode = MBEDTLS_MODE_CTR; + *mode = MBEDTLS_MODE_CTR; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CFB) case PSA_ALG_CFB: - mode = MBEDTLS_MODE_CFB; + *mode = MBEDTLS_MODE_CFB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_OFB) case PSA_ALG_OFB: - mode = MBEDTLS_MODE_OFB; + *mode = MBEDTLS_MODE_OFB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_ECB_NO_PADDING) case PSA_ALG_ECB_NO_PADDING: - mode = MBEDTLS_MODE_ECB; + *mode = MBEDTLS_MODE_ECB; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_NO_PADDING) case PSA_ALG_CBC_NO_PADDING: - mode = MBEDTLS_MODE_CBC; + *mode = MBEDTLS_MODE_CBC; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CBC_PKCS7) case PSA_ALG_CBC_PKCS7: - mode = MBEDTLS_MODE_CBC; + *mode = MBEDTLS_MODE_CBC; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM_STAR_NO_TAG) case PSA_ALG_CCM_STAR_NO_TAG: - mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; + *mode = MBEDTLS_MODE_CCM_STAR_NO_TAG; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): - mode = MBEDTLS_MODE_CCM; + *mode = MBEDTLS_MODE_CCM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_GCM) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): - mode = MBEDTLS_MODE_GCM; + *mode = MBEDTLS_MODE_GCM; break; #endif #if defined(MBEDTLS_PSA_BUILTIN_ALG_CHACHA20_POLY1305) case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): - mode = MBEDTLS_MODE_CHACHAPOLY; + *mode = MBEDTLS_MODE_CHACHAPOLY; break; #endif default: - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } } else if (alg == PSA_ALG_CMAC) { - mode = MBEDTLS_MODE_ECB; + *mode = MBEDTLS_MODE_ECB; } else { - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } switch (key_type) { @@ -126,7 +126,7 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( case PSA_KEY_TYPE_DES: /* key_bits is 64 for Single-DES, 128 for two-key Triple-DES, * and 192 for three-key Triple-DES. */ - if (key_bits == 64) { + if (*key_bits == 64) { cipher_id_tmp = MBEDTLS_CIPHER_ID_DES; } else { cipher_id_tmp = MBEDTLS_CIPHER_ID_3DES; @@ -134,8 +134,8 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( /* mbedtls doesn't recognize two-key Triple-DES as an algorithm, * but two-key Triple-DES is functionally three-key Triple-DES * with K1=K3, so that's how we present it to mbedtls. */ - if (key_bits == 128) { - key_bits = 192; + if (*key_bits == 128) { + *key_bits = 192; } break; #endif @@ -150,14 +150,35 @@ const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( break; #endif default: - return NULL; + return PSA_ERROR_NOT_SUPPORTED; } if (cipher_id != NULL) { *cipher_id = cipher_id_tmp; } - return mbedtls_cipher_info_from_values(cipher_id_tmp, - (int) key_bits, mode); + return PSA_SUCCESS; +} + +#if defined(MBEDTLS_CIPHER_C) +const mbedtls_cipher_info_t *mbedtls_cipher_info_from_psa( + psa_algorithm_t alg, + psa_key_type_t key_type, + size_t key_bits, + mbedtls_cipher_id_t *cipher_id) +{ + mbedtls_cipher_mode_t mode; + psa_status_t status; + mbedtls_cipher_id_t cipher_id_tmp; + + status = mbedtls_cipher_values_from_psa(alg, key_type, &key_bits, &mode, &cipher_id_tmp); + if (status != PSA_SUCCESS) { + return NULL; + } + if (cipher_id != NULL) { + *cipher_id = cipher_id_tmp; + } + + return mbedtls_cipher_info_from_values(cipher_id_tmp, (int) key_bits, mode); } #endif /* MBEDTLS_CIPHER_C */ diff --git a/library/psa_crypto_cipher.h b/library/psa_crypto_cipher.h index 933092dddd..5ed8a77799 100644 --- a/library/psa_crypto_cipher.h +++ b/library/psa_crypto_cipher.h @@ -24,6 +24,27 @@ #include #include +/** Get Mbed TLS cipher information given the cipher algorithm PSA identifier + * as well as the PSA type and size of the key to be used with the cipher + * algorithm. + * + * \param[in] alg PSA cipher algorithm identifier + * \param[in] key_type PSA key type + * \param[in,out] key_bits Size of the key in bits. The value provided in input + * might be updated if necessary. + * \param[out] mode Mbed TLS cipher mode + * \param[out] cipher_id Mbed TLS cipher algorithm identifier + * + * \return On success \c PSA_SUCCESS is returned and key_bits, mode and cipher_id + * are properly updated. + * \c PSA_ERROR_NOT_SUPPORTED is returned if the cipher algorithm is not + * supported. + */ + +psa_status_t mbedtls_cipher_values_from_psa(psa_algorithm_t alg, psa_key_type_t key_type, + size_t *key_bits, mbedtls_cipher_mode_t *mode, + mbedtls_cipher_id_t *cipher_id); + #if defined(MBEDTLS_CIPHER_C) /** Get Mbed TLS cipher information given the cipher algorithm PSA identifier * as well as the PSA type and size of the key to be used with the cipher From 7e710e8272d9803c4a8e3eded629c64723113e45 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 25 Aug 2023 09:14:15 +0200 Subject: [PATCH 153/175] all.sh: add components as full_no_cipher with CRYPTO_C and CRYPTO_CONFIG Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 87 +++++++++++++++++++++++++++++++++++++++++++- 1 file changed, 85 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b0b32fed50..db6bed835d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1488,7 +1488,7 @@ component_test_crypto_full_md_light_only () { } component_test_full_no_cipher () { - msg "build: full minus CIPHER" + msg "build: full - CIPHER - PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C # Don't pull in cipher via PSA mechanisms @@ -1518,10 +1518,93 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_LMS_PRIVATE make - msg "test: full minus CIPHER" + msg "test: full - CIPHER - PSA_CRYPTO_C" make test } +# This is a common configurator and test function that is used in: +# - component_test_full_no_cipher_with_crypto +# - component_test_full_no_cipher_with_crypto_config +# It accepts 2 input parameters: +# - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG +# - $2: a text string which describes the test component +common_test_full_no_cipher_with_crypto () { + USE_CRYPTO_CONFIG="$1" + COMPONENT_DESCRIPTION="$2" + + msg "build: $COMPONENT_DESCRIPTION" + + scripts/config.py full + scripts/config.py unset MBEDTLS_CIPHER_C + + if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then + # Direct dependencies from PSA config + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_AES + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_CAMELLIA + scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ARIA + else + # Don't pull in cipher via PSA mechanisms + scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + fi + # Direct dependencies + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_PKCS12_C + scripts/config.py unset MBEDTLS_PKCS5_C + scripts/config.py unset MBEDTLS_SSL_TLS_C + scripts/config.py unset MBEDTLS_SSL_TICKET_C + # Disable cipher modes/keys that make PSA depend on CIPHER_C. + # Keep CHACHA20 enabled since it does not depend on CIPHER_C. + scripts/config.py unset-all MBEDTLS_CIPHER_MODE + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + # Dependencies on AES_C + scripts/config.py unset MBEDTLS_CTR_DRBG_C + # Disable dependencies on the AEAD algs + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + # Indirect dependencies + scripts/config.py unset MBEDTLS_SSL_CLI_C + scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID + scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT + scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + scripts/config.py unset MBEDTLS_SSL_SRV_C + scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO + scripts/config.py unset MBEDTLS_LMS_C + scripts/config.py unset MBEDTLS_LMS_PRIVATE + make + + # Ensure that CIPHER_C was not re-enabled + not grep mbedtls_cipher_init library/cipher.o + + msg "test: $COMPONENT_DESCRIPTION" + make test +} + +component_test_full_no_cipher_with_crypto() { + common_test_full_no_cipher_with_crypto 0 "full - CIPHER - CRYPTO_CONFIG" +} + +component_test_full_no_cipher_with_crypto_config() { + common_test_full_no_cipher_with_crypto 1 "full - CIPHER" +} + component_test_full_no_bignum () { msg "build: full minus bignum" scripts/config.py full From 1e21f26d886bb9e86476c185bd761e20b5905329 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Fri, 20 Oct 2023 16:24:07 +0200 Subject: [PATCH 154/175] psa_crypto_cipher: add helper to validate PSA cipher values Signed-off-by: Valerio Setti --- library/psa_crypto_cipher.c | 54 ++++++++++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index 7e81dfee79..b195bb9fd5 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -31,6 +31,58 @@ #include +/* mbedtls_cipher_values_from_psa() below only checks if the proper build symbols + * are enabled, but it does not provide any compatibility check between them + * (i.e. if the specified key works with the specified algorithm). This helper + * function is meant to provide this support. + * mbedtls_cipher_info_from_psa() might be used for the same purpose, but it + * requires CIPHER_C to be enabled. + */ +static psa_status_t mbedtls_cipher_validate_values( + psa_algorithm_t alg, + psa_key_type_t key_type) +{ + switch (alg) { + case PSA_ALG_STREAM_CIPHER: + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CHACHA20_POLY1305, 0): + if (key_type != PSA_KEY_TYPE_CHACHA20) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, 0): + case PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_GCM, 0): + case PSA_ALG_CCM_STAR_NO_TAG: + if ((key_type != PSA_KEY_TYPE_AES) && + (key_type != PSA_KEY_TYPE_ARIA) && + (key_type != PSA_KEY_TYPE_CAMELLIA)) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + case PSA_ALG_CTR: + case PSA_ALG_CFB: + case PSA_ALG_OFB: + case PSA_ALG_XTS: + case PSA_ALG_ECB_NO_PADDING: + case PSA_ALG_CBC_NO_PADDING: + case PSA_ALG_CBC_PKCS7: + case PSA_ALG_CMAC: + if ((key_type != PSA_KEY_TYPE_AES) && + (key_type != PSA_KEY_TYPE_ARIA) && + (key_type != PSA_KEY_TYPE_DES) && + (key_type != PSA_KEY_TYPE_CAMELLIA)) { + return PSA_ERROR_NOT_SUPPORTED; + } + break; + + default: + return PSA_ERROR_NOT_SUPPORTED; + } + + return PSA_SUCCESS; +} + psa_status_t mbedtls_cipher_values_from_psa( psa_algorithm_t alg, psa_key_type_t key_type, @@ -156,7 +208,7 @@ psa_status_t mbedtls_cipher_values_from_psa( *cipher_id = cipher_id_tmp; } - return PSA_SUCCESS; + return mbedtls_cipher_validate_values(alg, key_type); } #if defined(MBEDTLS_CIPHER_C) From 36fe8b9f4b4b65432d84bbd26ebcad97e6d6e593 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:12:23 +0200 Subject: [PATCH 155/175] psa_crypto_cipher: add guard for unused variable Signed-off-by: Valerio Setti --- library/psa_crypto_cipher.c | 3 +++ 1 file changed, 3 insertions(+) diff --git a/library/psa_crypto_cipher.c b/library/psa_crypto_cipher.c index b195bb9fd5..38be84b0b7 100644 --- a/library/psa_crypto_cipher.c +++ b/library/psa_crypto_cipher.c @@ -91,7 +91,10 @@ psa_status_t mbedtls_cipher_values_from_psa( mbedtls_cipher_id_t *cipher_id) { mbedtls_cipher_id_t cipher_id_tmp; + /* Only DES modifies key_bits */ +#if !defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_DES) (void) key_bits; +#endif if (PSA_ALG_IS_AEAD(alg)) { alg = PSA_ALG_AEAD_WITH_SHORTENED_TAG(alg, 0); From df17a102e50e7a0db66c8ee9649d54485870d26a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:14:19 +0200 Subject: [PATCH 156/175] all.sh: replace minus sign in text messages with "no" Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index db6bed835d..8f52637592 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1488,7 +1488,7 @@ component_test_crypto_full_md_light_only () { } component_test_full_no_cipher () { - msg "build: full - CIPHER - PSA_CRYPTO_C" + msg "build: full no CIPHER no PSA_CRYPTO_C" scripts/config.py full scripts/config.py unset MBEDTLS_CIPHER_C # Don't pull in cipher via PSA mechanisms @@ -1518,7 +1518,7 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_LMS_PRIVATE make - msg "test: full - CIPHER - PSA_CRYPTO_C" + msg "test: full no CIPHER no PSA_CRYPTO_C" make test } @@ -1598,11 +1598,11 @@ common_test_full_no_cipher_with_crypto () { } component_test_full_no_cipher_with_crypto() { - common_test_full_no_cipher_with_crypto 0 "full - CIPHER - CRYPTO_CONFIG" + common_test_full_no_cipher_with_crypto 0 "full no CIPHER no CRYPTO_CONFIG" } component_test_full_no_cipher_with_crypto_config() { - common_test_full_no_cipher_with_crypto 1 "full - CIPHER" + common_test_full_no_cipher_with_crypto 1 "full no CIPHER" } component_test_full_no_bignum () { From c84d940704a4608e7085f2cf639100746900d89d Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:58:25 +0200 Subject: [PATCH 157/175] all.sh: fix comments in common_test_full_no_cipher_with_crypto() Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8f52637592..d0e0c60980 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1538,7 +1538,7 @@ common_test_full_no_cipher_with_crypto () { scripts/config.py unset MBEDTLS_CIPHER_C if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then - # Direct dependencies from PSA config + # The built-in implementation of these modes currently depends on CIPHER_C scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM @@ -1558,7 +1558,7 @@ common_test_full_no_cipher_with_crypto () { # Don't pull in cipher via PSA mechanisms scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG fi - # Direct dependencies + # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_GCM_C From fb0b0ffaa4b3d3745cb7d43d0932c6f2f37a3ad2 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 23 Oct 2023 14:58:55 +0200 Subject: [PATCH 158/175] all.sh: keep symbols that don't depend on CIPHER_C (directly or indirectly) Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 13 +------------ 1 file changed, 1 insertion(+), 12 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index d0e0c60980..c27923ce84 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1576,18 +1576,7 @@ common_test_full_no_cipher_with_crypto () { scripts/config.py unset MBEDTLS_CAMELLIA_C # Dependencies on AES_C scripts/config.py unset MBEDTLS_CTR_DRBG_C - # Disable dependencies on the AEAD algs - scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Indirect dependencies - scripts/config.py unset MBEDTLS_SSL_CLI_C - scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_SSL_SRV_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_LMS_C - scripts/config.py unset MBEDTLS_LMS_PRIVATE + make # Ensure that CIPHER_C was not re-enabled From 4529d65e30179d25e38dd09301c1f1350c109079 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 11:51:58 +0200 Subject: [PATCH 159/175] all.sh: improve test_full_no_cipher() - remove unnecessary disabled items (most of them were already disabled automatically once MBEDTLS_SSL_TLS_C was disabled) - improve dependencies' comments, especially the last one which list items depending on PSA_CRYPTO_C Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 10 ++-------- 1 file changed, 2 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index c27923ce84..0e4d0e22a5 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1494,7 +1494,7 @@ component_test_full_no_cipher () { # Don't pull in cipher via PSA mechanisms # (currently ignored anyway because we completely disable PSA) scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG - # Direct dependencies + # Disable features that depend on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_GCM_C @@ -1504,15 +1504,9 @@ component_test_full_no_cipher () { scripts/config.py unset MBEDTLS_PSA_CRYPTO_C scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Indirect dependencies - scripts/config.py unset MBEDTLS_SSL_CLI_C + # Disable features that depend on PSA_CRYPTO_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_SE_C scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C - scripts/config.py unset MBEDTLS_SSL_DTLS_ANTI_REPLAY - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID - scripts/config.py unset MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py unset MBEDTLS_SSL_SRV_C scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_LMS_C scripts/config.py unset MBEDTLS_LMS_PRIVATE From 5b4039f36dc27c65a442d941cb187bfa6081a730 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 13:41:44 +0200 Subject: [PATCH 160/175] all.sh: rename common config/test function Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 0e4d0e22a5..b33795176d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1522,7 +1522,7 @@ component_test_full_no_cipher () { # It accepts 2 input parameters: # - $1: boolean value which basically reflects status of MBEDTLS_PSA_CRYPTO_CONFIG # - $2: a text string which describes the test component -common_test_full_no_cipher_with_crypto () { +common_test_full_no_cipher_with_psa_crypto () { USE_CRYPTO_CONFIG="$1" COMPONENT_DESCRIPTION="$2" @@ -1581,11 +1581,11 @@ common_test_full_no_cipher_with_crypto () { } component_test_full_no_cipher_with_crypto() { - common_test_full_no_cipher_with_crypto 0 "full no CIPHER no CRYPTO_CONFIG" + common_test_full_no_cipher_with_psa_crypto 0 "full no CIPHER no CRYPTO_CONFIG" } component_test_full_no_cipher_with_crypto_config() { - common_test_full_no_cipher_with_crypto 1 "full no CIPHER" + common_test_full_no_cipher_with_psa_crypto 1 "full no CIPHER" } component_test_full_no_bignum () { From 862021a1189f50f6690f97b78af7897c7bce5574 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 13:52:06 +0200 Subject: [PATCH 161/175] all.sh: improve comments in common_test_full_no_cipher_with_psa_crypto Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b33795176d..eb12a89d74 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1532,7 +1532,10 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_CIPHER_C if [ "$USE_CRYPTO_CONFIG" -eq 1 ]; then - # The built-in implementation of these modes currently depends on CIPHER_C + # The built-in implementation of the following algs/key-types depends + # on CIPHER_C so we disable them. + # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 + # so we keep them enabled. scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM @@ -1562,7 +1565,7 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C # Disable cipher modes/keys that make PSA depend on CIPHER_C. - # Keep CHACHA20 enabled since it does not depend on CIPHER_C. + # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. scripts/config.py unset-all MBEDTLS_CIPHER_MODE scripts/config.py unset MBEDTLS_AES_C scripts/config.py unset MBEDTLS_DES_C From 287f6d1f5c1c967195054edd46ca66f0ff484fda Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Tue, 24 Oct 2023 14:12:59 +0200 Subject: [PATCH 162/175] all.sh: unset MBEDTLS symbols for modes/keys only when !PSA_CRYPTO_CONFIG Signed-off-by: Valerio Setti --- tests/scripts/all.sh | 18 +++++++++--------- 1 file changed, 9 insertions(+), 9 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index eb12a89d74..1eea025cb0 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1554,6 +1554,15 @@ common_test_full_no_cipher_with_psa_crypto () { else # Don't pull in cipher via PSA mechanisms scripts/config.py unset MBEDTLS_PSA_CRYPTO_CONFIG + # Disable cipher modes/keys that make PSA depend on CIPHER_C. + # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. + scripts/config.py unset-all MBEDTLS_CIPHER_MODE + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_DES_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + # Dependencies on AES_C + scripts/config.py unset MBEDTLS_CTR_DRBG_C fi # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_CCM_C @@ -1564,15 +1573,6 @@ common_test_full_no_cipher_with_psa_crypto () { scripts/config.py unset MBEDTLS_PKCS5_C scripts/config.py unset MBEDTLS_SSL_TLS_C scripts/config.py unset MBEDTLS_SSL_TICKET_C - # Disable cipher modes/keys that make PSA depend on CIPHER_C. - # Keep CHACHA20 and CHACHAPOLY enabled since they do not depend on CIPHER_C. - scripts/config.py unset-all MBEDTLS_CIPHER_MODE - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_DES_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - # Dependencies on AES_C - scripts/config.py unset MBEDTLS_CTR_DRBG_C make From 4da369f74136d975c8d01eaf68d7261638faecb7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 18 Oct 2023 09:40:32 +0200 Subject: [PATCH 163/175] analyze_outcomes: minor code cleanup MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 9 ++++++--- 1 file changed, 6 insertions(+), 3 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 706421f6c4..ae3450d39a 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -112,15 +112,18 @@ def analyze_driver_vs_reference(results: Results, outcomes, hits = outcomes[key].hits() if key in outcomes else 0 if hits == 0: continue - # Skip ignored test suites - full_test_suite = key.split(';')[0] # retrieve full test suite name - test_string = key.split(';')[1] # retrieve the text string of this test + + # key is like "test_suite_foo.bar;Description of test case" + (full_test_suite, test_string) = key.split(';') test_suite = full_test_suite.split('.')[0] # retrieve main part of test suite name + # Skip fully-ignored test suites if test_suite in ignored_suites or full_test_suite in ignored_suites: continue + # Skip ignored test cases inside test suites if ((full_test_suite in ignored_test) and (test_string in ignored_test[full_test_suite])): continue + # Search for tests that run in reference component and not in driver component driver_test_passed = False reference_test_passed = False From 881ce01db3ffc62989ff0641a1dd71b7581f5807 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 18 Oct 2023 10:22:07 +0200 Subject: [PATCH 164/175] analyze_outcomes: add regex match for ignored tests MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 38 +++++++++++++++---------------- 1 file changed, 19 insertions(+), 19 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index ae3450d39a..60717442f3 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -95,9 +95,22 @@ def analyze_coverage(results, outcomes, allow_list, full_coverage): else: results.warning('Allow listed test case was executed: {}', key) +def name_matches_pattern(name, str_or_re): + """Check if name matches a pattern, that may be a string or regex. + - If the pattern is a string, name must be equal to match. + - If the pattern is a regex, name must fully match. + """ + if isinstance(str_or_re, re.Pattern): + if str_or_re.fullmatch(name): + return True + else: + if str_or_re == name: + return True + return False + def analyze_driver_vs_reference(results: Results, outcomes, component_ref, component_driver, - ignored_suites, ignored_test=None): + ignored_suites, ignored_tests=None): """Check that all tests executed in the reference component are also executed in the corresponding driver component. Skip: @@ -120,9 +133,10 @@ def analyze_driver_vs_reference(results: Results, outcomes, if test_suite in ignored_suites or full_test_suite in ignored_suites: continue # Skip ignored test cases inside test suites - if ((full_test_suite in ignored_test) and - (test_string in ignored_test[full_test_suite])): - continue + if full_test_suite in ignored_tests: + for str_or_re in ignored_tests[full_test_suite]: + if name_matches_pattern(test_string, str_or_re): + continue # Search for tests that run in reference component and not in driver component driver_test_passed = False @@ -921,21 +935,7 @@ KNOWN_TASKS = { ], 'test_suite_asn1write': [ # Following tests depends on BIGNUM_C - 'ASN.1 Write mpi 0 (1 limb)', - 'ASN.1 Write mpi 0 (null)', - 'ASN.1 Write mpi 0x100', - 'ASN.1 Write mpi 0x7f', - 'ASN.1 Write mpi 0x7f with leading 0 limb', - 'ASN.1 Write mpi 0x80', - 'ASN.1 Write mpi 0x80 with leading 0 limb', - 'ASN.1 Write mpi 0xff', - 'ASN.1 Write mpi 1', - 'ASN.1 Write mpi, 127*8 bits', - 'ASN.1 Write mpi, 127*8+1 bits', - 'ASN.1 Write mpi, 127*8-1 bits', - 'ASN.1 Write mpi, 255*8 bits', - 'ASN.1 Write mpi, 255*8-1 bits', - 'ASN.1 Write mpi, 256*8-1 bits', + re.compile('ASN.1 Write mpi.*'), ], } } From 371165aec0cc4ea2570a77ec763b989ffc815c2f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 18 Oct 2023 12:44:54 +0200 Subject: [PATCH 165/175] analyze_outcomes: useless ignores are now errors MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Change from iterating on all available tests to iterating on tests with an outcome: initially we were iterating on available tests but immediately ignoring those that were always skipped. That last part played poorly with the new error (we want to know if the test ignored due to a pattern was skipped in the reference component), but when removing it, we were left with iterating on all available tests then skipping those that don't have outcomes entries: this is equivalent to iterating on tests with an outcome entry, which is more readable. Also, give an error if the outcome file contains no passing test from the reference component: probably means we're using the wrong outcome file. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 31 +++++++++++++++++++------------ 1 file changed, 19 insertions(+), 12 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 60717442f3..6611373fed 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -118,25 +118,24 @@ def analyze_driver_vs_reference(results: Results, outcomes, - only some specific test inside a test suite, for which the corresponding output string is provided """ - available = check_test_cases.collect_available_test_cases() - - for key in available: - # Continue if test was not executed by any component - hits = outcomes[key].hits() if key in outcomes else 0 - if hits == 0: - continue - + seen_reference_passing = False + for key in outcomes: # key is like "test_suite_foo.bar;Description of test case" (full_test_suite, test_string) = key.split(';') test_suite = full_test_suite.split('.')[0] # retrieve main part of test suite name - # Skip fully-ignored test suites + + # Immediately skip fully-ignored test suites if test_suite in ignored_suites or full_test_suite in ignored_suites: continue - # Skip ignored test cases inside test suites + + # For ignored test cases inside test suites, just remember and: + # don't issue an error if they're skipped with drivers, + # but issue an error if they're not (means we have a bad entry). + ignored = False if full_test_suite in ignored_tests: for str_or_re in ignored_tests[full_test_suite]: if name_matches_pattern(test_string, str_or_re): - continue + ignored = True # Search for tests that run in reference component and not in driver component driver_test_passed = False @@ -146,8 +145,16 @@ def analyze_driver_vs_reference(results: Results, outcomes, driver_test_passed = True if component_ref in entry: reference_test_passed = True + seen_reference_passing = True if(reference_test_passed and not driver_test_passed): - results.error("Did not pass with driver: {}", key) + if not ignored: + results.error("PASS -> SKIP/FAIL: {}", key) + else: + if ignored: + results.error("uselessly ignored: {}", key) + + if not seen_reference_passing: + results.error("no passing test in reference component: bad outcome file?") def analyze_outcomes(results: Results, outcomes, args): """Run all analyses on the given outcome collection.""" From b4558bd6e46af48eb83181e84f233d3dae745e96 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Wed, 18 Oct 2023 13:00:49 +0200 Subject: [PATCH 166/175] analyze_outcomes: remove useless ignore entries MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 99 ------------------------------- 1 file changed, 99 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 6611373fed..7c6b47d208 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -587,14 +587,6 @@ KNOWN_TASKS = { 'ECP test vectors secp384r1 rfc 5114', 'ECP test vectors secp521r1 rfc 5114', ], - 'test_suite_psa_crypto': [ - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1', - ], 'test_suite_ssl': [ 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', ], @@ -618,21 +610,6 @@ KNOWN_TASKS = { 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], - 'test_suite_psa_crypto': [ - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1', - 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)', - ], 'test_suite_pkparse': [ # When PK_PARSE_C and ECP_C are defined then PK_PARSE_EC_COMPRESSED # is automatically enabled in build_info.h (backward compatibility) @@ -686,21 +663,6 @@ KNOWN_TASKS = { 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], - 'test_suite_psa_crypto': [ - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1', - 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)', - ], 'test_suite_pkparse': [ # See the description provided above in the # analyze_driver_vs_reference_no_ecp_at_all component. @@ -783,21 +745,6 @@ KNOWN_TASKS = { 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], - 'test_suite_psa_crypto': [ - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp384r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #0', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp521r1 #1', - 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)', - ], 'test_suite_pkparse': [ # See the description provided above in the # analyze_driver_vs_reference_no_ecp_at_all component. @@ -887,55 +834,9 @@ KNOWN_TASKS = { 'ignored_tests': { # Ignore all tests that require DERIVE support which is disabled # in the driver version - 'test_suite_psa_crypto': [ - 'PSA key agreement setup: ECDH + HKDF-SHA-256: good', - ('PSA key agreement setup: ECDH + HKDF-SHA-256: good, key algorithm broader ' - 'than required'), - 'PSA key agreement setup: ECDH + HKDF-SHA-256: public key not on curve', - 'PSA key agreement setup: KDF instead of a key agreement algorithm', - 'PSA key agreement setup: bad key agreement algorithm', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: capacity=8160', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 0+32', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 1+31', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 31+1', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 32+0', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 32+32', - 'PSA key agreement: ECDH SECP256R1 (RFC 5903) + HKDF-SHA-256: read 64+0', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, info first', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, key output', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, missing info', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, omitted salt', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, raw output', - 'PSA key derivation: ECDH on P256 with HKDF-SHA256, salt after secret', - 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, good case', - 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, missing label', - 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, missing label and secret', - 'PSA key derivation: ECDH with TLS 1.2 PRF SHA-256, no inputs', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1 (1 redraw)', - 'PSA key derivation: HKDF-SHA-256 -> ECC secp256r1, exercise ECDSA', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 0+48, ka', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 24+24, ka', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, SHA-256, 48+0, ka', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #1, ka', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #3, ka', - 'PSA key derivation: TLS 1.2 Mix-PSK-to-MS, bad state #4, ka', - 'PSA key derivation: bits=7 invalid for ECC BRAINPOOL_P_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC MONTGOMERY (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECP_R2 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_K1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R1 (ECC enabled)', - 'PSA key derivation: bits=7 invalid for ECC SECT_R2 (ECC enabled)', - 'PSA raw key agreement: ECDH SECP256R1 (RFC 5903)', - ], 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], - 'test_suite_psa_crypto_pake': [ - 'PSA PAKE: ecjpake size macros', - ], 'test_suite_asn1parse': [ # This test depends on BIGNUM_C 'INTEGER too large for mpi', From 4fd5a6ac9ed8e7873cca7c5514b584378865516a Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 20 Oct 2023 10:21:09 +0200 Subject: [PATCH 167/175] analyze_outcomes: use regexes with ECC components MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 231 ++++++------------------------ 1 file changed, 45 insertions(+), 186 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 7c6b47d208..641d114c1f 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -541,11 +541,13 @@ KNOWN_TASKS = { 'component_ref': 'test_psa_crypto_config_reference_ecc_ecp_light_only', 'component_driver': 'test_psa_crypto_config_accel_ecc_ecp_light_only', 'ignored_suites': [ - 'ecdsa', - 'ecdh', - 'ecjpake', + # Modules replaced by drivers + 'ecdsa', 'ecdh', 'ecjpake', ], 'ignored_tests': { + # This test wants a legacy function that takes f_rng, p_rng + # arguments, and uses legacy ECDSA for that. The test is + # really about the wrapper around the PSA RNG, not ECDSA. 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], @@ -553,41 +555,14 @@ KNOWN_TASKS = { # so we must ignore disparities in the tests for which ECP_C # is required. 'test_suite_ecp': [ - 'ECP check public-private #1 (OK)', - 'ECP check public-private #2 (group none)', - 'ECP check public-private #3 (group mismatch)', - 'ECP check public-private #4 (Qx mismatch)', - 'ECP check public-private #5 (Qy mismatch)', - 'ECP check public-private #6 (wrong Qx)', - 'ECP check public-private #7 (wrong Qy)', - 'ECP gen keypair [#1]', - 'ECP gen keypair [#2]', - 'ECP gen keypair [#3]', - 'ECP gen keypair wrapper', - 'ECP point muladd secp256r1 #1', - 'ECP point muladd secp256r1 #2', - 'ECP point multiplication Curve25519 (element of order 2: origin) #3', - 'ECP point multiplication Curve25519 (element of order 4: 1) #4', - 'ECP point multiplication Curve25519 (element of order 8) #5', - 'ECP point multiplication Curve25519 (normalized) #1', - 'ECP point multiplication Curve25519 (not normalized) #2', - 'ECP point multiplication rng fail Curve25519', - 'ECP point multiplication rng fail secp256r1', - 'ECP test vectors Curve25519', - 'ECP test vectors Curve448 (RFC 7748 6.2, after decodeUCoordinate)', - 'ECP test vectors brainpoolP256r1 rfc 7027', - 'ECP test vectors brainpoolP384r1 rfc 7027', - 'ECP test vectors brainpoolP512r1 rfc 7027', - 'ECP test vectors secp192k1', - 'ECP test vectors secp192r1 rfc 5114', - 'ECP test vectors secp224k1', - 'ECP test vectors secp224r1 rfc 5114', - 'ECP test vectors secp256k1', - 'ECP test vectors secp256r1 rfc 5114', - 'ECP test vectors secp384r1 rfc 5114', - 'ECP test vectors secp521r1 rfc 5114', + re.compile(r'ECP check public-private .*'), + re.compile(r'ECP gen keypair .*'), + re.compile(r'ECP point muladd .*'), + re.compile(r'ECP point multiplication .*'), + re.compile(r'ECP test vectors .*'), ], 'test_suite_ssl': [ + # This deprecated function is only present when ECP_C is On. 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', ], } @@ -599,14 +574,11 @@ KNOWN_TASKS = { 'component_ref': 'test_psa_crypto_config_reference_ecc_no_ecp_at_all', 'component_driver': 'test_psa_crypto_config_accel_ecc_no_ecp_at_all', 'ignored_suites': [ - # Ignore test suites for the modules that are disabled in the - # accelerated test case. - 'ecp', - 'ecdsa', - 'ecdh', - 'ecjpake', + # Modules replaced by drivers + 'ecp', 'ecdsa', 'ecdh', 'ecjpake', ], 'ignored_tests': { + # See ecp_light_only 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], @@ -617,23 +589,10 @@ KNOWN_TASKS = { # consequence compressed points are supported in the reference # component but not in the accelerated one, so they should be skipped # while checking driver's coverage. - 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)', - 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)', - 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)', - 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)', - 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)', - 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)', - 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)', - 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)', - 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)', - 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)', - 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)', - 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)', - 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)', - 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)', - 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)', - 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)', + re.compile(r'Parse EC Key .*compressed\)'), + re.compile(r'Parse Public EC Key .*compressed\)'), ], + # See ecp_light_only 'test_suite_ssl': [ 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', ], @@ -646,75 +605,31 @@ KNOWN_TASKS = { 'component_ref': 'test_psa_crypto_config_reference_ecc_no_bignum', 'component_driver': 'test_psa_crypto_config_accel_ecc_no_bignum', 'ignored_suites': [ - # Ignore test suites for the modules that are disabled in the - # accelerated test case. - 'ecp', - 'ecdsa', - 'ecdh', - 'ecjpake', - 'bignum_core', - 'bignum_random', - 'bignum_mod', - 'bignum_mod_raw', - 'bignum.generated', - 'bignum.misc', + # Modules replaced by drivers + 'ecp', 'ecdsa', 'ecdh', 'ecjpake', + 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw', + 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + # See ecp_light_only 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], + # See no_ecp_at_all 'test_suite_pkparse': [ - # See the description provided above in the - # analyze_driver_vs_reference_no_ecp_at_all component. - 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)', - 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)', - 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)', - 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)', - 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)', - 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)', - 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)', - 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)', - 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)', - 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)', - 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)', - 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)', - 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)', - 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)', - 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)', - 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)', + re.compile(r'Parse EC Key .*compressed\)'), + re.compile(r'Parse Public EC Key .*compressed\)'), ], 'test_suite_asn1parse': [ - # This test depends on BIGNUM_C 'INTEGER too large for mpi', ], 'test_suite_asn1write': [ - # Following tests depends on BIGNUM_C - 'ASN.1 Write mpi 0 (1 limb)', - 'ASN.1 Write mpi 0 (null)', - 'ASN.1 Write mpi 0x100', - 'ASN.1 Write mpi 0x7f', - 'ASN.1 Write mpi 0x7f with leading 0 limb', - 'ASN.1 Write mpi 0x80', - 'ASN.1 Write mpi 0x80 with leading 0 limb', - 'ASN.1 Write mpi 0xff', - 'ASN.1 Write mpi 1', - 'ASN.1 Write mpi, 127*8 bits', - 'ASN.1 Write mpi, 127*8+1 bits', - 'ASN.1 Write mpi, 127*8-1 bits', - 'ASN.1 Write mpi, 255*8 bits', - 'ASN.1 Write mpi, 255*8-1 bits', - 'ASN.1 Write mpi, 256*8-1 bits', + re.compile(r'ASN.1 Write mpi.*'), ], 'test_suite_debug': [ - # Following tests depends on BIGNUM_C - 'Debug print mbedtls_mpi #2: 3 bits', - 'Debug print mbedtls_mpi: 0 (empty representation)', - 'Debug print mbedtls_mpi: 0 (non-empty representation)', - 'Debug print mbedtls_mpi: 49 bits', - 'Debug print mbedtls_mpi: 759 bits', - 'Debug print mbedtls_mpi: 764 bits #1', - 'Debug print mbedtls_mpi: 764 bits #2', + re.compile(r'Debug print mbedtls_mpi.*'), ], + # See ecp_light_only 'test_suite_ssl': [ 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', ], @@ -727,76 +642,31 @@ KNOWN_TASKS = { 'component_ref': 'test_psa_crypto_config_reference_ecc_ffdh_no_bignum', 'component_driver': 'test_psa_crypto_config_accel_ecc_ffdh_no_bignum', 'ignored_suites': [ - # Ignore test suites for the modules that are disabled in the - # accelerated test case. - 'ecp', - 'ecdsa', - 'ecdh', - 'ecjpake', - 'bignum_core', - 'bignum_random', - 'bignum_mod', - 'bignum_mod_raw', - 'bignum.generated', - 'bignum.misc', - 'dhm', + # Modules replaced by drivers + 'ecp', 'ecdsa', 'ecdh', 'ecjpake', 'dhm', + 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw', + 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { + # See ecp_light_only 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], + # See no_ecp_at_all 'test_suite_pkparse': [ - # See the description provided above in the - # analyze_driver_vs_reference_no_ecp_at_all component. - 'Parse EC Key #10a (SEC1 PEM, secp384r1, compressed)', - 'Parse EC Key #11a (SEC1 PEM, secp521r1, compressed)', - 'Parse EC Key #12a (SEC1 PEM, bp256r1, compressed)', - 'Parse EC Key #13a (SEC1 PEM, bp384r1, compressed)', - 'Parse EC Key #14a (SEC1 PEM, bp512r1, compressed)', - 'Parse EC Key #2a (SEC1 PEM, secp192r1, compressed)', - 'Parse EC Key #8a (SEC1 PEM, secp224r1, compressed)', - 'Parse EC Key #9a (SEC1 PEM, secp256r1, compressed)', - 'Parse Public EC Key #2a (RFC 5480, PEM, secp192r1, compressed)', - 'Parse Public EC Key #3a (RFC 5480, secp224r1, compressed)', - 'Parse Public EC Key #4a (RFC 5480, secp256r1, compressed)', - 'Parse Public EC Key #5a (RFC 5480, secp384r1, compressed)', - 'Parse Public EC Key #6a (RFC 5480, secp521r1, compressed)', - 'Parse Public EC Key #7a (RFC 5480, brainpoolP256r1, compressed)', - 'Parse Public EC Key #8a (RFC 5480, brainpoolP384r1, compressed)', - 'Parse Public EC Key #9a (RFC 5480, brainpoolP512r1, compressed)', + re.compile(r'Parse EC Key .*compressed\)'), + re.compile(r'Parse Public EC Key .*compressed\)'), ], 'test_suite_asn1parse': [ - # This test depends on BIGNUM_C 'INTEGER too large for mpi', ], 'test_suite_asn1write': [ - # Following tests depends on BIGNUM_C - 'ASN.1 Write mpi 0 (1 limb)', - 'ASN.1 Write mpi 0 (null)', - 'ASN.1 Write mpi 0x100', - 'ASN.1 Write mpi 0x7f', - 'ASN.1 Write mpi 0x7f with leading 0 limb', - 'ASN.1 Write mpi 0x80', - 'ASN.1 Write mpi 0x80 with leading 0 limb', - 'ASN.1 Write mpi 0xff', - 'ASN.1 Write mpi 1', - 'ASN.1 Write mpi, 127*8 bits', - 'ASN.1 Write mpi, 127*8+1 bits', - 'ASN.1 Write mpi, 127*8-1 bits', - 'ASN.1 Write mpi, 255*8 bits', - 'ASN.1 Write mpi, 255*8-1 bits', - 'ASN.1 Write mpi, 256*8-1 bits', + re.compile(r'ASN.1 Write mpi.*'), ], 'test_suite_debug': [ - # Following tests depends on BIGNUM_C - 'Debug print mbedtls_mpi #2: 3 bits', - 'Debug print mbedtls_mpi: 0 (empty representation)', - 'Debug print mbedtls_mpi: 0 (non-empty representation)', - 'Debug print mbedtls_mpi: 49 bits', - 'Debug print mbedtls_mpi: 759 bits', - 'Debug print mbedtls_mpi: 764 bits #1', - 'Debug print mbedtls_mpi: 764 bits #2', + re.compile(r'Debug print mbedtls_mpi.*'), ], + # See ecp_light_only 'test_suite_ssl': [ 'Test configuration of groups for DHE through mbedtls_ssl_conf_curves()', ], @@ -818,32 +688,21 @@ KNOWN_TASKS = { 'component_ref': 'test_tfm_config', 'component_driver': 'test_tfm_config_p256m_driver_accel_ec', 'ignored_suites': [ - # Ignore test suites for the modules that are disabled in the - # accelerated test case. - 'ecp', - 'ecdsa', - 'ecdh', - 'ecjpake', - 'bignum_core', - 'bignum_random', - 'bignum_mod', - 'bignum_mod_raw', - 'bignum.generated', - 'bignum.misc', + # Modules replaced by drivers + 'ecp', 'ecdsa', 'ecdh', 'ecjpake', + 'bignum_core', 'bignum_random', 'bignum_mod', 'bignum_mod_raw', + 'bignum.generated', 'bignum.misc', ], 'ignored_tests': { - # Ignore all tests that require DERIVE support which is disabled - # in the driver version + # See ecp_light_only 'test_suite_random': [ 'PSA classic wrapper: ECDSA signature (SECP256R1)', ], 'test_suite_asn1parse': [ - # This test depends on BIGNUM_C 'INTEGER too large for mpi', ], 'test_suite_asn1write': [ - # Following tests depends on BIGNUM_C - re.compile('ASN.1 Write mpi.*'), + re.compile(r'ASN.1 Write mpi.*'), ], } } From 62d6131e5e78f5dabee836264c77862cb1b1d745 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 20 Oct 2023 10:51:57 +0200 Subject: [PATCH 168/175] analyze_outcomes: minor output fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 641d114c1f..a5340bd62c 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -741,7 +741,7 @@ def main(): tasks_list = re.split(r'[, ]+', options.specified_tasks) for task in tasks_list: if task not in KNOWN_TASKS: - sys.stderr.write('invalid task: {}'.format(task)) + sys.stderr.write('invalid task: {}\n'.format(task)) sys.exit(2) KNOWN_TASKS['analyze_coverage']['args']['full_coverage'] = options.full_coverage From b26954375ff3026ef071caaac8ca023b9172f472 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 23 Oct 2023 09:30:40 +0200 Subject: [PATCH 169/175] analyze_outcome: work around old Python in CI MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index a5340bd62c..a0127be863 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -100,7 +100,9 @@ def name_matches_pattern(name, str_or_re): - If the pattern is a string, name must be equal to match. - If the pattern is a regex, name must fully match. """ - if isinstance(str_or_re, re.Pattern): + # The CI's python is too old for re.Pattern + #if isinstance(str_or_re, re.Pattern): + if not isinstance(str_or_re, str): if str_or_re.fullmatch(name): return True else: From 9d9c2344ea526312e6178fc379ec1906cf76d1cf Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 26 Oct 2023 09:37:40 +0200 Subject: [PATCH 170/175] analyze_outcome: Simplify some code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 7 ++----- 1 file changed, 2 insertions(+), 5 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index a0127be863..11a8cbf792 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -103,12 +103,9 @@ def name_matches_pattern(name, str_or_re): # The CI's python is too old for re.Pattern #if isinstance(str_or_re, re.Pattern): if not isinstance(str_or_re, str): - if str_or_re.fullmatch(name): - return True + return str_or_re.fullmatch(name) else: - if str_or_re == name: - return True - return False + return str_or_re == name def analyze_driver_vs_reference(results: Results, outcomes, component_ref, component_driver, From d36a37f0deecc7a309038855c1148807e9bf7fd5 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Thu, 26 Oct 2023 09:41:59 +0200 Subject: [PATCH 171/175] analyze_outcomes: ignore patterns apply to whole suite MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This may come in handy when ignoring patterns in test_suite_cipher for example which is split in several .data files where we'll want to ignore the same patterns. Currently none of the entries had a '.' in the test suite name, so this doesn't change anything for existing entries. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 11a8cbf792..8f45dae787 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -132,7 +132,7 @@ def analyze_driver_vs_reference(results: Results, outcomes, # but issue an error if they're not (means we have a bad entry). ignored = False if full_test_suite in ignored_tests: - for str_or_re in ignored_tests[full_test_suite]: + for str_or_re in ignored_tests[test_suite]: if name_matches_pattern(test_string, str_or_re): ignored = True From 800f2b7c020678a84abfa9688962b91c36e6693d Mon Sep 17 00:00:00 2001 From: Beniamin Sandu Date: Fri, 27 Oct 2023 16:58:00 +0100 Subject: [PATCH 172/175] AES-NI: use target attributes for x86 32-bit intrinsics This way we build with 32-bit gcc/clang out of the box. We also fallback to assembly for 64-bit clang-cl if needed cpu flags are not provided, instead of throwing an error. Signed-off-by: Beniamin Sandu --- library/aesni.c | 20 ++++++++++++++++++++ library/aesni.h | 8 +++++--- 2 files changed, 25 insertions(+), 3 deletions(-) diff --git a/library/aesni.c b/library/aesni.c index 57d6e090e7..864d0d6134 100644 --- a/library/aesni.c +++ b/library/aesni.c @@ -43,6 +43,17 @@ #include #endif +#if defined(MBEDTLS_ARCH_IS_X86) +#if defined(MBEDTLS_COMPILER_IS_GCC) +#pragma GCC push_options +#pragma GCC target ("pclmul,sse2,aes") +#define MBEDTLS_POP_TARGET_PRAGMA +#elif defined(__clang__) +#pragma clang attribute push (__attribute__((target("pclmul,sse2,aes"))), apply_to=function) +#define MBEDTLS_POP_TARGET_PRAGMA +#endif +#endif + #if !defined(MBEDTLS_AES_USE_HARDWARE_ONLY) /* * AES-NI support detection routine @@ -398,6 +409,15 @@ static void aesni_setkey_enc_256(unsigned char *rk_bytes, } #endif /* !MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */ +#if defined(MBEDTLS_POP_TARGET_PRAGMA) +#if defined(__clang__) +#pragma clang attribute pop +#elif defined(__GNUC__) +#pragma GCC pop_options +#endif +#undef MBEDTLS_POP_TARGET_PRAGMA +#endif + #else /* MBEDTLS_AESNI_HAVE_CODE == 1 */ #if defined(__has_feature) diff --git a/library/aesni.h b/library/aesni.h index 952e138508..f007735a62 100644 --- a/library/aesni.h +++ b/library/aesni.h @@ -50,6 +50,10 @@ #if (defined(__GNUC__) || defined(__clang__)) && defined(__AES__) && defined(__PCLMUL__) #define MBEDTLS_AESNI_HAVE_INTRINSICS #endif +/* For 32-bit, we only support intrinsics */ +#if defined(MBEDTLS_ARCH_IS_X86) && (defined(__GNUC__) || defined(__clang__)) +#define MBEDTLS_AESNI_HAVE_INTRINSICS +#endif /* Choose the implementation of AESNI, if one is available. * @@ -60,13 +64,11 @@ #if defined(MBEDTLS_AESNI_HAVE_INTRINSICS) #define MBEDTLS_AESNI_HAVE_CODE 2 // via intrinsics #elif defined(MBEDTLS_HAVE_ASM) && \ - defined(__GNUC__) && defined(MBEDTLS_ARCH_IS_X64) + (defined(__GNUC__) || defined(__clang__)) && defined(MBEDTLS_ARCH_IS_X64) /* Can we do AESNI with inline assembly? * (Only implemented with gas syntax, only for 64-bit.) */ #define MBEDTLS_AESNI_HAVE_CODE 1 // via assembly -#elif defined(__GNUC__) || defined(__clang__) -# error "Must use `-mpclmul -msse2 -maes` for MBEDTLS_AESNI_C" #else #error "MBEDTLS_AESNI_C defined, but neither intrinsics nor assembly available" #endif From 3bca7817e512cc39d06910f6ebd60a2655cc2033 Mon Sep 17 00:00:00 2001 From: Beniamin Sandu Date: Tue, 24 Oct 2023 18:55:36 +0100 Subject: [PATCH 173/175] tests/scripts/all.sh: add test for 32-bit AES-NI intrinsics with clang Signed-off-by: Beniamin Sandu --- tests/scripts/all.sh | 38 +++++++++++++++++++++++++++++++++----- 1 file changed, 33 insertions(+), 5 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index b0b32fed50..bdd6a3fe2e 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -4400,8 +4400,6 @@ component_test_aesni () { # ~ 60s not grep -q "AES note: built-in implementation." ./programs/test/selftest } - - support_test_aesni_m32() { support_test_m32_o0 && (lscpu | grep -qw aes) } @@ -4417,10 +4415,10 @@ component_test_aesni_m32 () { # ~ 60s scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY scripts/config.py set MBEDTLS_HAVE_ASM - # test the intrinsics implementation - msg "AES tests, test intrinsics" + # test the intrinsics implementation with gcc + msg "AES tests, test intrinsics (gcc)" make clean - make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra -mpclmul -msse2 -maes' LDFLAGS='-m32' + make CC=gcc CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' # check that we built intrinsics - this should be used by default when supported by the compiler ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" grep -q "AES note: using AESNI" ./programs/test/selftest @@ -4442,6 +4440,36 @@ component_test_aesni_m32 () { # ~ 60s not grep -q mbedtls_aesni_has_support ./programs/test/selftest } +support_test_aesni_m32_clang() { + support_test_aesni_m32 && if command -v clang > /dev/null ; then + # clang >= 4 is required to build with target attributes + clang_ver="$(clang --version|grep version|sed -E 's#.*version ([0-9]+).*#\1#')" + [[ "${clang_ver}" -ge 4 ]] + else + # clang not available + false + fi +} + +component_test_aesni_m32_clang() { + + scripts/config.py set MBEDTLS_AESNI_C + scripts/config.py set MBEDTLS_PADLOCK_C + scripts/config.py unset MBEDTLS_AES_USE_HARDWARE_ONLY + scripts/config.py set MBEDTLS_HAVE_ASM + + # test the intrinsics implementation with clang + msg "AES tests, test intrinsics (clang)" + make clean + make CC=clang CFLAGS='-m32 -Werror -Wall -Wextra' LDFLAGS='-m32' + # check that we built intrinsics - this should be used by default when supported by the compiler + ./programs/test/selftest aes | grep "AESNI code" | grep -q "intrinsics" + grep -q "AES note: using AESNI" ./programs/test/selftest + grep -q "AES note: built-in implementation." ./programs/test/selftest + grep -q "AES note: using VIA Padlock" ./programs/test/selftest + grep -q mbedtls_aesni_has_support ./programs/test/selftest +} + # For timebeing, no aarch64 gcc available in CI and no arm64 CI node. component_build_aes_aesce_armcc () { msg "Build: AESCE test on arm64 platform without plain C." From cd84a290a9f47e236d9ef2033d26c03075316cfa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Fri, 27 Oct 2023 09:24:44 +0200 Subject: [PATCH 174/175] analyze_outcomes: use regexes for cipher/aead MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 257 +----------------------------- 1 file changed, 6 insertions(+), 251 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 8f45dae787..81e3ca37fb 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -255,15 +255,7 @@ KNOWN_TASKS = { # PEM decryption is not supported so far. # The rest of PEM (write, unencrypted read) works though. 'test_suite_pem': [ - 'PEM read (AES-128-CBC + invalid iv)' - 'PEM read (DES-CBC + invalid iv)', - 'PEM read (DES-EDE3-CBC + invalid iv)', - 'PEM read (malformed PEM AES-128-CBC)', - 'PEM read (malformed PEM DES-CBC)', - 'PEM read (malformed PEM DES-EDE3-CBC)', - 'PEM read (unknown encryption algorithm)', - 'PEM read (AES-128-CBC + invalid iv)', - 'PEM read (DES-CBC + invalid iv)', + re.compile(r'PEM read .*(AES|DES|\bencrypt).*'), ], # Following tests depend on AES_C/DES_C but are not about # them really, just need to know some error code is there. @@ -278,258 +270,21 @@ KNOWN_TASKS = { # The en/decryption part of PKCS#12 is not supported so far. # The rest of PKCS#12 (key derivation) works though. 'test_suite_pkcs12': [ - 'PBE Decrypt, (Invalid padding & PKCS7 padding enabled)', - 'PBE Decrypt, pad = 7 (OK)', - 'PBE Decrypt, pad = 8 (Invalid output size)', - 'PBE Decrypt, pad = 8 (OK)', - 'PBE Encrypt, pad = 7 (OK)', - 'PBE Encrypt, pad = 8 (Invalid output size)', - 'PBE Encrypt, pad = 8 (OK)', + re.compile(r'PBE Encrypt, .*'), + re.compile(r'PBE Decrypt, .*'), ], # The en/decryption part of PKCS#5 is not supported so far. # The rest of PKCS#5 (PBKDF2) works though. 'test_suite_pkcs5': [ - 'PBES2 Decrypt (Invalid output size)', - 'PBES2 Decrypt (Invalid padding & PKCS7 padding enabled)', - 'PBES2 Decrypt (KDF != PBKDF2)', - 'PBES2 Decrypt (OK)', - 'PBES2 Decrypt (OK, PBKDF2 params explicit keylen)', - 'PBES2 Decrypt (OK, PBKDF2 params explicit prf_alg)', - 'PBES2 Decrypt (bad KDF AlgId: not a sequence)', - 'PBES2 Decrypt (bad KDF AlgId: overlong)', - 'PBES2 Decrypt (bad PBKDF2 params explicit keylen: overlong)', - 'PBES2 Decrypt (bad PBKDF2 params iter: not an int)', - 'PBES2 Decrypt (bad PBKDF2 params iter: overlong)', - 'PBES2 Decrypt (bad PBKDF2 params salt: not an octet string)', - 'PBES2 Decrypt (bad PBKDF2 params salt: overlong)', - 'PBES2 Decrypt (bad PBKDF2 params: not a sequence)', - 'PBES2 Decrypt (bad PBKDF2 params: overlong)', - 'PBES2 Decrypt (bad enc_scheme_alg params: len != iv_len)', - 'PBES2 Decrypt (bad enc_scheme_alg params: not an octet string)', - 'PBES2 Decrypt (bad enc_scheme_alg params: overlong)', - 'PBES2 Decrypt (bad enc_scheme_alg: not a sequence)', - 'PBES2 Decrypt (bad enc_scheme_alg: overlong)', - 'PBES2 Decrypt (bad enc_scheme_alg: unknown oid)', - 'PBES2 Decrypt (bad iter value)', - 'PBES2 Decrypt (bad params tag)', - 'PBES2 Decrypt (bad password)', - 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg != HMAC-SHA*)', - 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg not a sequence)', - 'PBES2 Decrypt (bad, PBKDF2 params explicit prf_alg overlong)', - 'PBES2 Decrypt (bad, PBKDF2 params extra data)', - 'PBES2 Encrypt, pad=6 (OK)', - 'PBES2 Encrypt, pad=8 (Invalid output size)', - 'PBES2 Encrypt, pad=8 (OK)', + re.compile(r'PBES2 Encrypt, .*'), + re.compile(r'PBES2 Decrypt .*'), ], # Encrypted keys are not supported so far. # pylint: disable=line-too-long 'test_suite_pkparse': [ 'Key ASN1 (Encrypted key PKCS12, trailing garbage data)', 'Key ASN1 (Encrypted key PKCS5, trailing garbage data)', - 'Parse RSA Key #20 (PKCS#8 encrypted SHA1-3DES)', - 'Parse RSA Key #20.1 (PKCS#8 encrypted SHA1-3DES, wrong PW)', - 'Parse RSA Key #20.2 (PKCS#8 encrypted SHA1-3DES, no PW)', - 'Parse RSA Key #21 (PKCS#8 encrypted SHA1-3DES, 2048-bit)', - 'Parse RSA Key #21.1 (PKCS#8 encrypted SHA1-3DES, 2048-bit, wrong PW)', - 'Parse RSA Key #21.2 (PKCS#8 encrypted SHA1-3DES, 2048-bit, no PW)', - 'Parse RSA Key #22 (PKCS#8 encrypted SHA1-3DES, 4096-bit)', - 'Parse RSA Key #22.1 (PKCS#8 encrypted SHA1-3DES, 4096-bit, wrong PW)', - 'Parse RSA Key #22.2 (PKCS#8 encrypted SHA1-3DES, 4096-bit, no PW)', - 'Parse RSA Key #23 (PKCS#8 encrypted SHA1-3DES DER)', - 'Parse RSA Key #24 (PKCS#8 encrypted SHA1-3DES DER, 2048-bit)', - 'Parse RSA Key #25 (PKCS#8 encrypted SHA1-3DES DER, 4096-bit)', - 'Parse RSA Key #26 (PKCS#8 encrypted SHA1-2DES)', - 'Parse RSA Key #26.1 (PKCS#8 encrypted SHA1-2DES, wrong PW)', - 'Parse RSA Key #26.2 (PKCS#8 encrypted SHA1-2DES, no PW)', - 'Parse RSA Key #27 (PKCS#8 encrypted SHA1-2DES, 2048-bit)', - 'Parse RSA Key #27.1 (PKCS#8 encrypted SHA1-2DES, 2048-bit, wrong PW)', - 'Parse RSA Key #27.2 (PKCS#8 encrypted SHA1-2DES, 2048-bit no PW)', - 'Parse RSA Key #28 (PKCS#8 encrypted SHA1-2DES, 4096-bit)', - 'Parse RSA Key #28.1 (PKCS#8 encrypted SHA1-2DES, 4096-bit, wrong PW)', - 'Parse RSA Key #28.2 (PKCS#8 encrypted SHA1-2DES, 4096-bit, no PW)', - 'Parse RSA Key #29 (PKCS#8 encrypted SHA1-2DES DER)', - 'Parse RSA Key #30 (PKCS#8 encrypted SHA1-2DES DER, 2048-bit)', - 'Parse RSA Key #31 (PKCS#8 encrypted SHA1-2DES DER, 4096-bit)', - 'Parse RSA Key #38 (PKCS#8 encrypted v2 PBKDF2 3DES)', - 'Parse RSA Key #38.1 (PKCS#8 encrypted v2 PBKDF2 3DES, wrong PW)', - 'Parse RSA Key #38.2 (PKCS#8 encrypted v2 PBKDF2 3DES, no PW)', - 'Parse RSA Key #39 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit)', - 'Parse RSA Key #39.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, wrong PW)', - 'Parse RSA Key #39.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 2048-bit, no PW)', - 'Parse RSA Key #40 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit)', - 'Parse RSA Key #40.1 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, wrong PW)', - 'Parse RSA Key #40.2 (PKCS#8 encrypted v2 PBKDF2 3DES, 4096-bit, no PW)', - 'Parse RSA Key #41 (PKCS#8 encrypted v2 PBKDF2 3DES DER)', - 'Parse RSA Key #41.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, wrong PW)', - 'Parse RSA Key #41.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, no PW)', - 'Parse RSA Key #42 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit)', - 'Parse RSA Key #42.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, wrong PW)', - 'Parse RSA Key #42.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 2048-bit, no PW)', - 'Parse RSA Key #43 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit)', - 'Parse RSA Key #43.1 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, wrong PW)', - 'Parse RSA Key #43.2 (PKCS#8 encrypted v2 PBKDF2 3DES DER, 4096-bit, no PW)', - 'Parse RSA Key #44 (PKCS#8 encrypted v2 PBKDF2 DES)', - 'Parse RSA Key #44.1 (PKCS#8 encrypted v2 PBKDF2 DES, wrong PW)', - 'Parse RSA Key #44.2 (PKCS#8 encrypted v2 PBKDF2 DES, no PW)', - 'Parse RSA Key #45 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit)', - 'Parse RSA Key #45.1 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, wrong PW)', - 'Parse RSA Key #45.2 (PKCS#8 encrypted v2 PBKDF2 DES, 2048-bit, no PW)', - 'Parse RSA Key #46 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit)', - 'Parse RSA Key #46.1 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, wrong PW)', - 'Parse RSA Key #46.2 (PKCS#8 encrypted v2 PBKDF2 DES, 4096-bit, no PW)', - 'Parse RSA Key #47 (PKCS#8 encrypted v2 PBKDF2 DES DER)', - 'Parse RSA Key #47.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, wrong PW)', - 'Parse RSA Key #47.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, no PW)', - 'Parse RSA Key #48 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit)', - 'Parse RSA Key #48.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, wrong PW)', - 'Parse RSA Key #48.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 2048-bit, no PW)', - 'Parse RSA Key #49 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit)', - 'Parse RSA Key #49.1 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, wrong PW)', - 'Parse RSA Key #49.2 (PKCS#8 encrypted v2 PBKDF2 DES DER, 4096-bit, no PW)', - 'Parse RSA Key #50 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224)', - 'Parse RSA Key #50.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, wrong PW)', - 'Parse RSA Key #50.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, no PW)', - 'Parse RSA Key #51 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit)', - 'Parse RSA Key #51.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, wrong PW)', - 'Parse RSA Key #51.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 2048-bit, no PW)', - 'Parse RSA Key #52 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit)', - 'Parse RSA Key #52.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, wrong PW)', - 'Parse RSA Key #52.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224, 4096-bit, no PW)', - 'Parse RSA Key #53 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER)', - 'Parse RSA Key #53.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, wrong PW)', - 'Parse RSA Key #53.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, no PW)', - 'Parse RSA Key #54 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit)', - 'Parse RSA Key #54.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #54.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 2048-bit, no PW)', - 'Parse RSA Key #55 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit)', - 'Parse RSA Key #55.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #55.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA224 DER, 4096-bit, no PW)', - 'Parse RSA Key #56 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224)', - 'Parse RSA Key #56.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, wrong PW)', - 'Parse RSA Key #56.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, no PW)', - 'Parse RSA Key #57 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit)', - 'Parse RSA Key #57.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, wrong PW)', - 'Parse RSA Key #57.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 2048-bit, no PW)', - 'Parse RSA Key #58 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit)', - 'Parse RSA Key #58.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, wrong PW)', - 'Parse RSA Key #58.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224, 4096-bit, no PW)', - 'Parse RSA Key #59 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER)', - 'Parse RSA Key #59.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, wrong PW)', - 'Parse RSA Key #59.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, no PW)', - 'Parse RSA Key #60 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit)', - 'Parse RSA Key #60.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #60.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 2048-bit, no PW)', - 'Parse RSA Key #61 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit)', - 'Parse RSA Key #61.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #61.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA224 DER, 4096-bit, no PW)', - 'Parse RSA Key #62 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256)', - 'Parse RSA Key #62.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, wrong PW)', - 'Parse RSA Key #62.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, no PW)', - 'Parse RSA Key #63 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit)', - 'Parse RSA Key #63.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, wrong PW)', - 'Parse RSA Key #63.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 2048-bit, no PW)', - 'Parse RSA Key #64 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit)', - 'Parse RSA Key #64.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, wrong PW)', - 'Parse RSA Key #64.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256, 4096-bit, no PW)', - 'Parse RSA Key #65 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER)', - 'Parse RSA Key #65.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, wrong PW)', - 'Parse RSA Key #65.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, no PW)', - 'Parse RSA Key #66 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit)', - 'Parse RSA Key #66.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #66.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 2048-bit, no PW)', - 'Parse RSA Key #67 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit)', - 'Parse RSA Key #68.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #68.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA256 DER, 4096-bit, no PW)', - 'Parse RSA Key #69 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256)', - 'Parse RSA Key #69.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, wrong PW)', - 'Parse RSA Key #69.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, no PW)', - 'Parse RSA Key #70 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit)', - 'Parse RSA Key #70.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, wrong PW)', - 'Parse RSA Key #70.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 2048-bit, no PW)', - 'Parse RSA Key #71 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit)', - 'Parse RSA Key #71.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, wrong PW)', - 'Parse RSA Key #71.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256, 4096-bit, no PW)', - 'Parse RSA Key #72 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER)', - 'Parse RSA Key #72.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, wrong PW)', - 'Parse RSA Key #72.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, no PW)', - 'Parse RSA Key #73 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit)', - 'Parse RSA Key #73.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #73.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 2048-bit, no PW)', - 'Parse RSA Key #74 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit)', - 'Parse RSA Key #74.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #74.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA256 DER, 4096-bit, no PW)', - 'Parse RSA Key #75 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384)', - 'Parse RSA Key #75.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, wrong PW)', - 'Parse RSA Key #75.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, no PW)', - 'Parse RSA Key #76 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit)', - 'Parse RSA Key #76.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, wrong PW)', - 'Parse RSA Key #76.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 2048-bit, no PW)', - 'Parse RSA Key #77 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit)', - 'Parse RSA Key #77.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, wrong PW)', - 'Parse RSA Key #77.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384, 4096-bit, no PW)', - 'Parse RSA Key #78 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER)', - 'Parse RSA Key #78.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, wrong PW)', - 'Parse RSA Key #78.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, no PW)', - 'Parse RSA Key #79 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit)', - 'Parse RSA Key #79.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #79.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 2048-bit, no PW)', - 'Parse RSA Key #80 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit)', - 'Parse RSA Key #80.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #80.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA384 DER, 4096-bit, no PW)', - 'Parse RSA Key #81 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384)', - 'Parse RSA Key #81.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, wrong PW)', - 'Parse RSA Key #81.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, no PW)', - 'Parse RSA Key #82 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit)', - 'Parse RSA Key #82.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, wrong PW)', - 'Parse RSA Key #82.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 2048-bit, no PW)', - 'Parse RSA Key #83 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit)', - 'Parse RSA Key #83.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, wrong PW)', - 'Parse RSA Key #83.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384, 4096-bit, no PW)', - 'Parse RSA Key #84 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER)', - 'Parse RSA Key #84.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, wrong PW)', - 'Parse RSA Key #85.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, no PW)', - 'Parse RSA Key #86 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit)', - 'Parse RSA Key #86.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #86.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 2048-bit, no PW)', - 'Parse RSA Key #87 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit)', - 'Parse RSA Key #87.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #87.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA384 DER, 4096-bit, no PW)', - 'Parse RSA Key #88 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512)', - 'Parse RSA Key #88.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, wrong PW)', - 'Parse RSA Key #88.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, no PW)', - 'Parse RSA Key #89 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit)', - 'Parse RSA Key #89.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, wrong PW)', - 'Parse RSA Key #89.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 2048-bit, no PW)', - 'Parse RSA Key #90 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit)', - 'Parse RSA Key #90.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, wrong PW)', - 'Parse RSA Key #90.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512, 4096-bit, no PW)', - 'Parse RSA Key #91 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER)', - 'Parse RSA Key #91.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, wrong PW)', - 'Parse RSA Key #91.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, no PW)', - 'Parse RSA Key #92 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit)', - 'Parse RSA Key #92.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #92.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 2048-bit, no PW)', - 'Parse RSA Key #93 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit)', - 'Parse RSA Key #93.1 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #93.2 (PKCS#8 encrypted v2 PBKDF2 3DES hmacWithSHA512 DER, 4096-bit, no PW)', - 'Parse RSA Key #94 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512)', - 'Parse RSA Key #94.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, wrong PW)', - 'Parse RSA Key #94.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, no PW)', - 'Parse RSA Key #95 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit)', - 'Parse RSA Key #95.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, wrong PW)', - 'Parse RSA Key #95.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 2048-bit, no PW)', - 'Parse RSA Key #96 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit)', - 'Parse RSA Key #96.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, wrong PW)', - 'Parse RSA Key #96.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512, 4096-bit, no PW)', - 'Parse RSA Key #97 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER)', - 'Parse RSA Key #97.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, wrong PW)', - 'Parse RSA Key #97.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, no PW)', - 'Parse RSA Key #98 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit)', - 'Parse RSA Key #98.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, wrong PW)', - 'Parse RSA Key #98.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 2048-bit, no PW)', - 'Parse RSA Key #99 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit)', - 'Parse RSA Key #99.1 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, wrong PW)', - 'Parse RSA Key #99.2 (PKCS#8 encrypted v2 PBKDF2 DES hmacWithSHA512 DER, 4096-bit, no PW)', + re.compile(r'Parse RSA Key .*\(PKCS#8 encrypted .*\)'), ], } } From c51c411cc1228a6916c2ba44ac1135cfdca37725 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 30 Oct 2023 10:21:22 +0100 Subject: [PATCH 175/175] analyze_outcome: only warn on ignored tests that pass MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The previous check also warned when on tests that were already skipped in the reference config, which are not really a problem. The purpose of this "uselessly ignored" check is to make sure that the ignore list (together with the config common to driver and reference in all.sh) always correct reflects what works or doesn't in driver-only builds. For this it's enough to warn when a test is ignored but passing. The previous, stricter check, was causing issues like: Error: uselessly ignored: test_suite_pkcs12;PBE Encrypt, pad = 8 (PKCS7 padding disabled) Error: uselessly ignored: test_suite_pkcs12;PBE Decrypt, (Invalid padding & PKCS7 padding disabled) Error: uselessly ignored: test_suite_pkcs5;PBES2 Decrypt (Invalid padding & PKCS7 padding disabled) These are skipped in the reference config because is has PKCS7 padding enabled, and that's OK. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/analyze_outcomes.py | 10 ++++------ 1 file changed, 4 insertions(+), 6 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 81e3ca37fb..80b6459cd7 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -145,12 +145,10 @@ def analyze_driver_vs_reference(results: Results, outcomes, if component_ref in entry: reference_test_passed = True seen_reference_passing = True - if(reference_test_passed and not driver_test_passed): - if not ignored: - results.error("PASS -> SKIP/FAIL: {}", key) - else: - if ignored: - results.error("uselessly ignored: {}", key) + if reference_test_passed and not driver_test_passed and not ignored: + results.error("PASS -> SKIP/FAIL: {}", key) + if ignored and driver_test_passed: + results.error("uselessly ignored: {}", key) if not seen_reference_passing: results.error("no passing test in reference component: bad outcome file?")