Release 1.3.0

Author: cpfister

CHANGELOG.md

@@ -1,5 +1,34 @@
 # Oberon PSA Crypto change log
 
+## Oberon PSA Crypto 1.3.0
+<https://github.com/oberon-microsystems/oberon-psa-crypto-nrf/releases/tag/v1.3.0>
+8-May-2024 (c18f101)
+
+Oberon crypto software drivers require _ocrypto_ version 3.5.x
+
+### New Features
+- Align with Mbed TLS 3.6.0.
+- Unify `crypto.h` for API usage with or without isolation boundary
+  (adopted from Mbed TLS 3.6).
+- Add optional thread safety to Oberon PSA core by reusing Mbed TLS mutex
+  abstraction (software drivers are already thread-safe). Multi-threading
+  support can be enabled via define `MBEDTLS_THREADING_C`
+  (adopted from Mbed TLS 3.6).
+- Add CMake option to run tests on host with multi-threading option.
+
+### Improvements
+- Cleanup PSA key attributes
+  (adopted from Mbed TLS 3.6).
+- Add new Mbed TLS PSA tests and align with Mbed TLS test updates
+  (adopted from Mbed TLS 3.6).
+- Align Mbed TLS error return codes in drivers
+  (adopted from Mbed TLS 3.6).
+- Limit key derivation capacity for 64-bit ISA.
+- Adjust test support for TLS/SSL protocol test suite.
+- Improve key import parameter checks.
+
+--------------------------------------------------------------------------------
+
 ## Oberon PSA Crypto 1.2.3
 <https://github.com/oberon-microsystems/oberon-psa-crypto-nrf/releases/tag/v1.2.3>
 26-Mar-2024 (79d5e26)

CMakeLists.txt

@@ -7,6 +7,7 @@ set(PLATFORM demo CACHE STRING "Default generic 'demo' platform.")
 
 option(CONFIG_PSA_API_TESTS "Build PSA Certified APIs Architecture Test Suite" ON)
 option(CONFIG_MBEDTLS_PSA_TESTS "Build Mbed TLS tests" ON)
+option(CONFIG_MBEDTLS_THREADING "Build for multi-threading" ON)
 
 if(MSVC)
     set(CONFIG_PSA_API_TESTS OFF)
@@ -61,6 +62,7 @@ set(MBED_SOURCES
         ${CMAKE_SOURCE_DIR}/library/psa_crypto_storage.h
         ${CMAKE_SOURCE_DIR}/library/psa_crypto_storage.c
         ${CMAKE_SOURCE_DIR}/library/psa_its_file.c
+        ${CMAKE_SOURCE_DIR}/library/threading.c
 )
 
 # common sources and includes
@@ -89,6 +91,7 @@ message(STATUS "Options:")
 if(EXISTS ${CMAKE_SOURCE_DIR}/oberon/platforms/${PLATFORM}/CMakeLists.txt)
     message(STATUS " - CONFIG_MBEDTLS_PSA_TESTS: ${CONFIG_MBEDTLS_PSA_TESTS}")
     message(STATUS " - CONFIG_PSA_API_TESTS:     ${CONFIG_PSA_API_TESTS}")
+    message(STATUS " - CONFIG_MBEDTLS_THREADING: ${CONFIG_MBEDTLS_THREADING}")
 else()
     set(CONFIG_MBEDTLS_PSA_TESTS OFF)
     message(STATUS " - CONFIG_MBEDTLS_PSA_TESTS: SKIPPED, not available for ${PLATFORM}")
@@ -112,6 +115,7 @@ if (CONFIG_MBEDTLS_PSA_TESTS OR CONFIG_PSA_API_TESTS)
                 test_suite_psa_crypto_generate_key.generated
                 test_suite_psa_crypto_hash
                 # test_suite_psa_crypto_init # n.a. - tests Mbed TLS entropy initialization only /* !!OM */
+                test_suite_psa_crypto_memory
                 test_suite_psa_crypto_metadata
                 test_suite_psa_crypto_not_supported.generated
                 test_suite_psa_crypto_not_supported.misc
@@ -125,6 +129,7 @@ if (CONFIG_MBEDTLS_PSA_TESTS OR CONFIG_PSA_API_TESTS)
                 test_suite_psa_crypto_storage_format.current
                 test_suite_psa_crypto_storage_format.misc
                 test_suite_psa_crypto_storage_format.v0
+                # test_suite_psa_crypto_util                # n.a. - tests Mbed TLS specific funtions
                 test_suite_psa_its
         )
 
@@ -141,7 +146,7 @@ if (CONFIG_MBEDTLS_PSA_TESTS OR CONFIG_PSA_API_TESTS)
                 ${CMAKE_SOURCE_DIR}/tests/src/asn1write_min.c       # forked from asn1write.c
                 ${CMAKE_SOURCE_DIR}/tests/src/psa_crypto_helpers.c
                 ${CMAKE_SOURCE_DIR}/tests/src/psa_exercise_key.c
-                ${CMAKE_SOURCE_DIR}/tests/src/helpers_min.c
+                ${CMAKE_SOURCE_DIR}/tests/src/helpers.c
         )
     endif()
 
@@ -177,6 +182,12 @@ if (CONFIG_PSA_API_TESTS AND "${PLATFORM}" STREQUAL "demo")
     add_subdirectory(api-tests)
     add_executable(${PROJECT_NAME} api-tests/platform/targets/${PROJECT_NAME}/nspe/main.c)
 
+    if(CONFIG_MBEDTLS_THREADING)
+        target_compile_definitions(${PROJECT_NAME} PRIVATE MBEDTLS_THREADING_C)
+        target_compile_definitions(${PROJECT_NAME} PRIVATE MBEDTLS_THREADING_PTHREAD)
+        target_sources(${PROJECT_NAME} PRIVATE "${CMAKE_SOURCE_DIR}/library/threading.c")
+    endif()
+
     target_link_libraries(${PROJECT_NAME} PUBLIC ocrypto)
 
     add_subdirectory(oberon/drivers oberon/drivers/${TARGET})

LICENSING.md

@@ -25,7 +25,7 @@ This specification is licensed under _CC SA-BY 4.0_.
 ### PSA Crypto Driver API
 
 _PSA Crypto Driver API_ (Arm proposal):
-<https://github.com/Mbed-TLS/mbedtls/blob/v3.5.1/docs/proposed/psa-driver-interface.md>
+<https://github.com/Mbed-TLS/mbedtls/blob/v3.6.0/docs/proposed/psa-driver-interface.md>
 
 This specification has been published as part of _Mbed TLS_ and the same licenses
 apply, see below.

README.md

@@ -12,8 +12,8 @@ hardware crypto accelerators.
 
 The library is compatible with the _PSA Certified Crypto API_ version as
 specified in
-[PSA Certified Crypto API 1.1.2 and PAKE extension 1.1 Beta 1](https://arm-software.github.io/psa-api/crypto/),
-and to Arm's _Mbed TLS_ 3.5.0.
+[PSA Certified Crypto API 1.2.1 and PAKE extension 1.2 Final 1](https://arm-software.github.io/psa-api/crypto/),
+and to Arm's _Mbed TLS_ 3.6.0.
 
 The supported crypto feature set is documented in
 [Appendix A: Supported Crypto Features](oberon/docs/Appendix_A_Supported_Crypto_Features.md).
@@ -121,6 +121,22 @@ Supported platforms with demonstration drivers, configurations, and includes
 are located in path `oberon/platforms` and can be provided to CMake via
 `-DPLATFORM=folder_name`.
 
+Multi-threading support can be enabled with define `MBEDTLS_THREADING_C` in
+`mbedtls_config.h`.
+
+### Build with Tests
+By default, _Oberon PSA Crypto_ is build for a set of configurations, with 
+PSA-related _Mbed TLS_ tests, a _PSA Certified APIs Architecture Test Suite_, 
+and in variants with and without multi-threading support based on the POSIX 
+mutex reference implemenentation.
+
+To select for which tests Oberon PSA Crypto is built, the following CMAKE 
+options are provided:
+
+- PSA-related _Mbed TLS_ tests: `-DCONFIG_MBEDTLS_PSA_TESTS=ON/OFF`
+- _PSA Certified APIs Architecture Test Suite_: `DCONFIG_PSA_API_TESTS=ON/OFF`
+- Multi-threading support: `-DCONFIG_MBEDTLS_THREADING=ON/OFF`
+
 ### Run Tests
 
 Run all tests from the same `build` directory:

VERSION

@@ -1 +1 @@
-1.2.3 26-Mar-2024 79d5e26
+1.3.0 8-May-2024 c18f101

include/mbedtls/aes.h

@@ -22,19 +22,7 @@
 
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 
 #ifndef MBEDTLS_AES_H
@@ -167,6 +155,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
                            unsigned int keybits);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief          This function sets the decryption key.
  *
@@ -185,6 +174,7 @@ int mbedtls_aes_setkey_enc(mbedtls_aes_context *ctx, const unsigned char *key,
 MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_aes_setkey_dec(mbedtls_aes_context *ctx, const unsigned char *key,
                            unsigned int keybits);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 #if defined(MBEDTLS_CIPHER_MODE_XTS)
 /**
@@ -604,6 +594,7 @@ int mbedtls_internal_aes_encrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]);
 
+#if !defined(MBEDTLS_BLOCK_CIPHER_NO_DECRYPT)
 /**
  * \brief           Internal AES block decryption function. This is only
  *                  exposed to allow overriding it using see
@@ -619,6 +610,7 @@ MBEDTLS_CHECK_RETURN_TYPICAL
 int mbedtls_internal_aes_decrypt(mbedtls_aes_context *ctx,
                                  const unsigned char input[16],
                                  unsigned char output[16]);
+#endif /* !MBEDTLS_BLOCK_CIPHER_NO_DECRYPT */
 
 #if defined(MBEDTLS_SELF_TEST)
 /**

include/mbedtls/asn1.h

@@ -5,19 +5,7 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 #ifndef MBEDTLS_ASN1_H
 #define MBEDTLS_ASN1_H
@@ -209,7 +197,8 @@ typedef struct mbedtls_asn1_named_data {
 }
 mbedtls_asn1_named_data;
 
-#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C)
+#if defined(MBEDTLS_ASN1_PARSE_C) || defined(MBEDTLS_X509_CREATE_C) || \
+    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
 /**
  * \brief       Get the length of an ASN.1 element.
  *              Updates the pointer to immediately behind the length.
@@ -256,7 +245,7 @@ int mbedtls_asn1_get_len(unsigned char **p,
 int mbedtls_asn1_get_tag(unsigned char **p,
                          const unsigned char *end,
                          size_t *len, int tag);
-#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C */
+#endif /* MBEDTLS_ASN1_PARSE_C || MBEDTLS_X509_CREATE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA */
 
 #if defined(MBEDTLS_ASN1_PARSE_C)
 /**
@@ -644,10 +633,10 @@ void mbedtls_asn1_free_named_data_list_shallow(mbedtls_asn1_named_data *name);
 /** \} name Functions to parse ASN.1 data structures */
 /** \} addtogroup asn1_module */
 
+#endif /* MBEDTLS_ASN1_PARSE_C */
+
 #ifdef __cplusplus
 }
 #endif
 
-#endif /* MBEDTLS_ASN1_PARSE_C */
-
 #endif /* asn1.h */

include/mbedtls/asn1write.h

@@ -5,19 +5,7 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 #ifndef MBEDTLS_ASN1_WRITE_H
 #define MBEDTLS_ASN1_WRITE_H
@@ -48,7 +36,8 @@
 extern "C" {
 #endif
 
-#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C)
+#if defined(MBEDTLS_ASN1_WRITE_C) || defined(MBEDTLS_X509_USE_C) || \
+    defined(MBEDTLS_PSA_UTIL_HAVE_ECDSA)
 /**
  * \brief           Write a length field in ASN.1 format.
  *
@@ -77,7 +66,7 @@ int mbedtls_asn1_write_len(unsigned char **p, const unsigned char *start,
  */
 int mbedtls_asn1_write_tag(unsigned char **p, const unsigned char *start,
                            unsigned char tag);
-#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C */
+#endif /* MBEDTLS_ASN1_WRITE_C || MBEDTLS_X509_USE_C || MBEDTLS_PSA_UTIL_HAVE_ECDSA*/
 
 #if defined(MBEDTLS_ASN1_WRITE_C)
 /**

include/mbedtls/bignum.h

@@ -5,19 +5,7 @@
  */
 /*
  *  Copyright The Mbed TLS Contributors
- *  SPDX-License-Identifier: Apache-2.0
- *
- *  Licensed under the Apache License, Version 2.0 (the "License"); you may
- *  not use this file except in compliance with the License.
- *  You may obtain a copy of the License at
- *
- *  http://www.apache.org/licenses/LICENSE-2.0
- *
- *  Unless required by applicable law or agreed to in writing, software
- *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
- *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
- *  See the License for the specific language governing permissions and
- *  limitations under the License.
+ *  SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
  */
 #ifndef MBEDTLS_BIGNUM_H
 #define MBEDTLS_BIGNUM_H
@@ -63,15 +51,15 @@
 
 #if !defined(MBEDTLS_MPI_WINDOW_SIZE)
 /*
- * Maximum window size used for modular exponentiation. Default: 2
+ * Maximum window size used for modular exponentiation. Default: 3
  * Minimum value: 1. Maximum value: 6.
  *
  * Result is an array of ( 2 ** MBEDTLS_MPI_WINDOW_SIZE ) MPIs used
- * for the sliding window calculation. (So 64 by default)
+ * for the sliding window calculation. (So 8 by default)
  *
  * Reduction in size, reduces speed.
  */
-#define MBEDTLS_MPI_WINDOW_SIZE                           2        /**< Maximum window size used. */
+#define MBEDTLS_MPI_WINDOW_SIZE                           3        /**< Maximum window size used. */
 #endif /* !MBEDTLS_MPI_WINDOW_SIZE */
 
 #if !defined(MBEDTLS_MPI_MAX_SIZE)