Skip to content

Commit

Permalink
[nrf noup] Add MBEDTLS_PSA_CRYPTO_CLIENT support for TLS/DTLS and X.509
Browse files Browse the repository at this point in the history 
-Change from MBEDTLS_PSA_CRYPTO_C to MBEDTLS_PSA_CRYPTO_CLIENT for
 TLS/DTLS and X.509 use-cases as well as wrapper APIs that the
 aforementioned features uses:
  - pk.h/pk.c/pk_internal.h/pk_wrap. - Public Key interface
  - md.c
-Change from MBEDTLS_PSA_CRYPTO_C to MBEDTLS_PSA_CRYPTO_CLIENT to ensure
 psa_util_internal.h and psa_util.c is compiled in. This file contains
 functions relevant to changing from PSA error codes/ecc types etc.
 into legacy types e.g. in TLS/DTLS and X.509 use-cases. These files
 are used even in a core-less build
-Add a version to the non-standard mechanism to use key enrollment
 algorithm to wrap certain key-types. This functionality is not available
 in PSA crypto provided by TF-M, and hence it is wrapped with
 a check if MBEDTLS_PSA_CRYPTO_C is enabled (meaning local build of
 the PSA core)
-Note that this is a single commit to ensure bisectability

Note: This noup patch will be reverted/changed with Mbed TLS 3.6.0 but is
necessary right now to ensure core-less build of nrf_security for
nRF54H20 device support.

Signed-off-by: Frank Audun Kvamtrø <frank.kvamtro@nordicsemi.no>
  • Loading branch information
@frkv @nordicjm
frkv authored and nordicjm committed May 3, 2024
1 parent c99e53f commit 72868c6
Show file tree
Hide file tree
Showing 7 changed files with 30 additions and 18 deletions.
2 changes: 1 addition & 1 deletion include/library/psa_util_internal.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -16,7 +16,7 @@

#include "psa/crypto.h"

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)

/*************************************************************************
* FFDH
Expand Down
4 changes: 2 additions & 2 deletions include/mbedtls/pk.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -28,7 +28,7 @@
#include "mbedtls/ecdsa.h"
#endif

#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa/crypto.h"
#endif

Expand Down Expand Up @@ -245,7 +245,7 @@ typedef struct mbedtls_pk_context {
* MBEDTLS_PK_USE_PSA_EC_DATA (as the public counterpart below) because,
* when working with opaque keys, it can be used also in
* mbedtls_pk_sign_ext for RSA keys. */
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
#endif /* MBEDTLS_PSA_CRYPTO_C */
/* The following fields are meant for storing the public key in raw format
Expand Down
4 changes: 2 additions & 2 deletions library/md.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,7 +41,7 @@
#include "mbedtls/sha512.h"
#include "mbedtls/sha3.h"

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include <psa/crypto.h>
#include "md_psa.h"
#include "psa_util_internal.h"
Expand Down Expand Up @@ -761,7 +761,7 @@ mbedtls_md_type_t mbedtls_md_get_type(const mbedtls_md_info_t *md_info)
return md_info->type;
}

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
int mbedtls_md_error_from_psa(psa_status_t status)
{
return PSA_TO_MBEDTLS_ERR_LIST(status, psa_to_md_errors,
Expand Down
31 changes: 21 additions & 10 deletions library/pk.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -26,7 +26,7 @@
#include "mbedtls/ecdsa.h"
#endif

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa_util_internal.h"
#include "md_psa.h"
#endif
Expand Down Expand Up @@ -311,16 +311,22 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
}

psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t key_alg, key_alg2;
psa_status_t status;

status = psa_get_key_attributes(ctx->priv_id, &attributes);
if (status != PSA_SUCCESS) {
return 0;
}

key_alg = psa_get_key_algorithm(&attributes);
key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
psa_algorithm_t key_alg = psa_get_key_algorithm(&attributes);
/* Key's enrollment is available only when an Mbed TLS implementation of PSA
* Crypto is being used, i.e. when MBEDTLS_PSA_CRYPTO_C is defined.
* Even though we don't officially support using other implementations of PSA
* Crypto with TLS and X.509 (yet), we try to keep vendor's customizations
* separated. */
#if defined(MBEDTLS_PSA_CRYPTO_C)
psa_algorithm_t key_alg2 = psa_get_key_enrollment_algorithm(&attributes);
#endif /* MBEDTLS_PSA_CRYPTO_C */
key_usage = psa_get_key_usage_flags(&attributes);
psa_reset_key_attributes(&attributes);

Expand All @@ -329,34 +335,39 @@ int mbedtls_pk_can_do_ext(const mbedtls_pk_context *ctx, psa_algorithm_t alg,
}

/*
* Common case: the key alg or alg2 only allows alg.
* Common case: the key alg [or alg2] only allows alg.
* This will match PSA_ALG_RSA_PKCS1V15_CRYPT & PSA_ALG_IS_ECDH
* directly.
* This would also match ECDSA/RSA_PKCS1V15_SIGN/RSA_PSS with
* a fixed hash on key_alg/key_alg2.
* a fixed hash on key_alg [or key_alg2].
*/
if (alg == key_alg || alg == key_alg2) {
if (alg == key_alg) {
return 1;
}
#if defined(MBEDTLS_PSA_CRYPTO_C)
if (alg == key_alg2) {
return 1;
}
#endif /* MBEDTLS_PSA_CRYPTO_C */

/*
* If key_alg or key_alg2 is a hash-and-sign with a wildcard for the hash,
* If key_alg [or key_alg2] is a hash-and-sign with a wildcard for the hash,
* and alg is the same hash-and-sign family with any hash,
* then alg is compliant with this key alg
*/
if (PSA_ALG_IS_SIGN_HASH(alg)) {

if (PSA_ALG_IS_SIGN_HASH(key_alg) &&
PSA_ALG_SIGN_GET_HASH(key_alg) == PSA_ALG_ANY_HASH &&
(alg & ~PSA_ALG_HASH_MASK) == (key_alg & ~PSA_ALG_HASH_MASK)) {
return 1;
}

#if defined(MBEDTLS_PSA_CRYPTO_C)
if (PSA_ALG_IS_SIGN_HASH(key_alg2) &&
PSA_ALG_SIGN_GET_HASH(key_alg2) == PSA_ALG_ANY_HASH &&
(alg & ~PSA_ALG_HASH_MASK) == (key_alg2 & ~PSA_ALG_HASH_MASK)) {
return 1;
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
}

return 0;
Expand Down
3 changes: 2 additions & 1 deletion library/pk_internal.h
View file
Original file line number Diff line number Diff line change
Expand Up @@ -19,9 +19,10 @@

#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#include "psa/crypto_extra.h"
#endif

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa_util_internal.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
Expand Down
2 changes: 1 addition & 1 deletion library/pk_wrap.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -30,7 +30,7 @@
#include "pkwrite.h"
#endif

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)
#include "psa_util_internal.h"
#endif

Expand Down
2 changes: 1 addition & 1 deletion library/psa_util.c
View file
Original file line number Diff line number Diff line change
Expand Up @@ -8,7 +8,7 @@

#include "common.h"

#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_PSA_CRYPTO_CLIENT)

#include <psa/crypto.h>

Expand Down

0 comments on commit 72868c6

Please sign in to comment.