mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-18 05:42:35 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Add ECDSA support to PSA crypto configuration

Browse Source 
Initial changes to PSA crypto core to support configuration
of ECDSA algorithm using PSA crypto configuration mechanism.
Guards using MBEDTLS_ECDSA_C and MBEDTLS_ECDSA_DETERMINISTIC have
been changed to be based off PSA_WANT_ALG_ECDSA and
PSA_WANT_ALG_ECDSA_DETERMINISTIC. Added new tests to all.sh to
confirm new settings are working properly. Current code does not
pass the tests since built in signature verification is not in place.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
This commit is contained in:
John Durkop 2020-09-20 23:09:17 -07:00
parent 7758c858ae
commit d8959390c5
3 changed files with 61 additions and 10 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

17
include/mbedtls/config_psa.h
View File

@ -32,6 +32,23 @@
extern "C" { extern "C" {
#endif #endif
//#define PSA_WANT_ALG_ECDSA
//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA
//#define PSA_WANT_ALG_ECDSA_DETERMINISTIC
//#define MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC
#if defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)
#define MBEDTLS_PSA_BUILTIN_ALG_ECDSA
#else /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
#define MBEDTLS_ECDSA_C
#endif /* defined(PSA_WANT_ALG_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA)*/
#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC)
#define MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA
#else /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
#define MBEDTLS_ECDSA_DETERMINISTIC
#endif /* defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA) && !defined(MBEDTLS_PSA_ACCEL_ALG_ECDSA_DETERMINISTIC) */
#ifdef __cplusplus #ifdef __cplusplus
} }
#endif #endif

20
library/psa_crypto.c
View File

@ -2256,7 +2256,7 @@ exit:
/* Message digests */ /* Message digests */
/****************************************************************/ /****************************************************************/
#if defined(MBEDTLS_RSA_C) || defined(MBEDTLS_ECDSA_DETERMINISTIC) #if defined(MBEDTLS_RSA_C) || defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg ) static const mbedtls_md_info_t *mbedtls_md_info_from_psa( psa_algorithm_t alg )
{ {
switch( alg ) switch( alg )
@ -3530,7 +3530,7 @@ static psa_status_t psa_rsa_verify( mbedtls_rsa_context *rsa,
} }
#endif /* MBEDTLS_RSA_C */ #endif /* MBEDTLS_RSA_C */
#if defined(MBEDTLS_ECDSA_C) #if defined(PSA_WANT_ALG_ECDSA)
/* `ecp` cannot be const because `ecp->grp` needs to be non-const /* `ecp` cannot be const because `ecp->grp` needs to be non-const
* for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det() * for mbedtls_ecdsa_sign() and mbedtls_ecdsa_sign_det()
* (even though these functions don't modify it). */ * (even though these functions don't modify it). */
@ -3554,7 +3554,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
goto cleanup; goto cleanup;
} }
#if defined(MBEDTLS_ECDSA_DETERMINISTIC) #if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) ) if( PSA_ALG_DSA_IS_DETERMINISTIC( alg ) )
{ {
psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg ); psa_algorithm_t hash_alg = PSA_ALG_SIGN_GET_HASH( alg );
@ -3567,7 +3567,7 @@ static psa_status_t psa_ecdsa_sign( mbedtls_ecp_keypair *ecp,
&global_data.ctr_drbg ) ); &global_data.ctr_drbg ) );
} }
else else
#endif /* MBEDTLS_ECDSA_DETERMINISTIC */ #endif /* PSA_WANT_ALG_ECDSA_DETERMINISTIC */
{ {
(void) alg; (void) alg;
MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d, MBEDTLS_MPI_CHK( mbedtls_ecdsa_sign( &ecp->grp, &r, &s, &ecp->d,
@ -3629,7 +3629,7 @@ cleanup:
mbedtls_mpi_free( &s ); mbedtls_mpi_free( &s );
return( mbedtls_to_psa_error( ret ) ); return( mbedtls_to_psa_error( ret ) );
} }
#endif /* MBEDTLS_ECDSA_C */ #endif /* PSA_WANT_ALG_ECDSA */
psa_status_t psa_sign_hash( psa_key_handle_t handle, psa_status_t psa_sign_hash( psa_key_handle_t handle,
psa_algorithm_t alg, psa_algorithm_t alg,
@ -3698,9 +3698,9 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{ {
#if defined(MBEDTLS_ECDSA_C) #if defined(PSA_WANT_ALG_ECDSA)
if( if(
#if defined(MBEDTLS_ECDSA_DETERMINISTIC) #if defined(PSA_WANT_ALG_ECDSA_DETERMINISTIC)
PSA_ALG_IS_ECDSA( alg ) PSA_ALG_IS_ECDSA( alg )
#else #else
PSA_ALG_IS_RANDOMIZED_ECDSA( alg ) PSA_ALG_IS_RANDOMIZED_ECDSA( alg )
@ -3723,7 +3723,7 @@ psa_status_t psa_sign_hash( psa_key_handle_t handle,
mbedtls_free( ecp ); mbedtls_free( ecp );
} }
else else
#endif /* defined(MBEDTLS_ECDSA_C) */ #endif /* defined(PSA_WANT_ALG_ECDSA) */
{ {
status = PSA_ERROR_INVALID_ARGUMENT; status = PSA_ERROR_INVALID_ARGUMENT;
} }
@ -3799,7 +3799,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
#if defined(MBEDTLS_ECP_C) #if defined(MBEDTLS_ECP_C)
if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) ) if( PSA_KEY_TYPE_IS_ECC( slot->attr.type ) )
{ {
#if defined(MBEDTLS_ECDSA_C) #if defined(PSA_WANT_ALG_ECDSA)
if( PSA_ALG_IS_ECDSA( alg ) ) if( PSA_ALG_IS_ECDSA( alg ) )
{ {
mbedtls_ecp_keypair *ecp = NULL; mbedtls_ecp_keypair *ecp = NULL;
@ -3817,7 +3817,7 @@ psa_status_t psa_verify_hash( psa_key_handle_t handle,
return( status ); return( status );
} }
else else
#endif /* defined(MBEDTLS_ECDSA_C) */ #endif /* defined(PSA_WANT_ALG_ECDSA) */
{ {
return( PSA_ERROR_INVALID_ARGUMENT ); return( PSA_ERROR_INVALID_ARGUMENT );
} }

34
tests/scripts/all.sh
View File

@ -1290,6 +1290,40 @@ component_test_no_use_psa_crypto_full_cmake_asan() {
if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA' if_build_succeeded env OPENSSL_CMD="$OPENSSL_NEXT" tests/compat.sh -e '^$' -f 'ARIA\|CHACHA'
} }
component_test_psa_crypto_config_basic() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
# and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG MBEDTLS_PSA_CRYPTO_DRIVERS"
msg "build: minus MBEDTLS_USE_PSA_CRYPTO"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
msg "test: psa crypto config basic"
make test
}
component_test_psa_crypto_config_want_ecdsa() {
# full plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,
# and PSA_CRYPTO_DRIVER_TEST minus MBEDTLS_USE_PSA_CRYPTO
msg "build: full config plus MBEDTLS_PSA_CRYPTO_CONFIG, MBEDTLS_PSA_CRYPTO_DRIVERS,"
msg "build: PSA_CRYPTO_DRIVER_TEST, MBEDTLS_PSA_ACCEL_ALG_ECDSA,"
msg "build: PSA_WANT_ALG_ECDSA minus MBEDTLS_USE_PSA_CRYPTO"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_CONFIG
scripts/config.py set MBEDTLS_PSA_CRYPTO_DRIVERS
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_ECDSA_C
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=gcc CFLAGS="$ASAN_CFLAGS -DMBEDTLS_PSA_ACCEL_ALG_ECDSA -DPSA_WANT_ALG_ECDSA -DPSA_CRYPTO_DRIVER_TEST -I../tests/include -O2" LDFLAGS="$ASAN_CFLAGS"
msg "test: psa crypto config want ECDSA"
make test
}
component_test_check_params_functionality () { component_test_check_params_functionality () {
msg "build+test: MBEDTLS_CHECK_PARAMS functionality" msg "build+test: MBEDTLS_CHECK_PARAMS functionality"
scripts/config.py full # includes CHECK_PARAMS scripts/config.py full # includes CHECK_PARAMS