From 63bf66b3c8ce6dcc6581d9e754144bc8d34a0d29 Mon Sep 17 00:00:00 2001 From: Jaeden Amero Date: Fri, 14 May 2021 08:34:32 +0100 Subject: [PATCH] psa: Support RSA signature without MBEDTLS_GENPRIME On space-constrained platforms, it is a useful configuration to be able to import/export and perform RSA key pair operations, but to exclude RSA key generation, potentially saving flash space. It is not possible to express this with the PSA_WANT_ configuration system at the present time. However, in previous versions of Mbed TLS (v2.24.0 and earlier) it was possible to configure a software PSA implementation which was capable of making RSA signatures but not capable of generating RSA keys. To do this, one unset MBEDTLS_GENPRIME. Since the addition of MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR, this expressivity was lost. Expressing that you wanted to work with RSA key pairs forced you to include the ability to generate key pairs as well. Change psa_crypto_rsa.c to only call mbedtls_rsa_gen_key() if MBEDTLS_GENPRIME is also set. This restores the configuration behavior present in Mbed TLS v2.24.0 and earlier versions. It left as a future exercise to add the ability to PSA to be able to express a desire for a software or accelerator configuration that includes RSA key pair operations, like signature, but excludes key pair generation. Without this change, linker errors will occur when attempts to call, which doesn't exist when MBEDTLS_GENPRIME is unset. psa_crypto_rsa.c.obj: in function `rsa_generate_key': psa_crypto_rsa.c:320: undefined reference to `mbedtls_rsa_gen_key' Fixes #4512 Signed-off-by: Jaeden Amero --- ChangeLog.d/psa-without-genprime-fix.txt | 5 +++++ library/psa_crypto_rsa.c | 14 ++++++++++---- tests/scripts/all.sh | 9 +++++++++ 3 files changed, 24 insertions(+), 4 deletions(-) create mode 100644 ChangeLog.d/psa-without-genprime-fix.txt diff --git a/ChangeLog.d/psa-without-genprime-fix.txt b/ChangeLog.d/psa-without-genprime-fix.txt new file mode 100644 index 000000000000..8a7153a9cde5 --- /dev/null +++ b/ChangeLog.d/psa-without-genprime-fix.txt @@ -0,0 +1,5 @@ +Bugfix + * Restore the ability to configure PSA via Mbed TLS options to support RSA + key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME + is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key(). + Fixes #4512. diff --git a/library/psa_crypto_rsa.c b/library/psa_crypto_rsa.c index 686f07d33446..12584925b043 100644 --- a/library/psa_crypto_rsa.c +++ b/library/psa_crypto_rsa.c @@ -274,7 +274,10 @@ static psa_status_t rsa_export_public_key( #endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +/* XXX Does MBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR use these functions? Both + * of them or just rsa_generate_key? */ +#if defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) static psa_status_t psa_rsa_read_exponent( const uint8_t *domain_parameters, size_t domain_parameters_size, int *exponent ) @@ -332,7 +335,8 @@ static psa_status_t rsa_generate_key( return( status ); } -#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + * defined(MBEDTLS_GENPRIME) */ /****************************************************************/ /* Sign/verify hashes */ @@ -565,7 +569,8 @@ psa_status_t mbedtls_psa_rsa_export_public_key( #endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) || * defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_PUBLIC_KEY) */ -#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) +#if defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) && \ + defined(MBEDTLS_GENPRIME) psa_status_t mbedtls_psa_rsa_generate_key( const psa_key_attributes_t *attributes, uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length ) @@ -573,7 +578,8 @@ psa_status_t mbedtls_psa_rsa_generate_key( return( rsa_generate_key( attributes, key_buffer, key_buffer_size, key_buffer_length ) ); } -#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) */ +#endif /* defined(MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR) + * defined(MBEDTLS_GENPRIME) */ #if defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PKCS1V15_SIGN) || \ defined(MBEDTLS_PSA_BUILTIN_ALG_RSA_PSS) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 8b9d7d172d32..a012c0f8d02c 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -809,6 +809,15 @@ component_test_psa_crypto_client () { make test } +component_test_psa_crypto_rsa_no_genprime() { + msg "build: default config minus MBEDTLS_GENPRIME" + scripts/config.py unset MBEDTLS_GENPRIME + make + + msg "test: default config minus MBEDTLS_GENPRIME" + make test +} + component_test_ref_configs () { msg "test/build: ref-configs (ASan build)" # ~ 6 min 20s CC=gcc cmake -D CMAKE_BUILD_TYPE:String=Asan .