sys/psa_crypto: add aead aes ccm

Update sys/include/psa_crypto/psa/crypto_sizes.h

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/include/psa_aead.h

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/include/psa_aead.h

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/psa_crypto.c

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/psa_crypto.c

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/psa_crypto_algorithm_dispatch.c

Co-authored-by: mguetschow <[email protected]>

Update sys/psa_crypto/psa_crypto_algorithm_dispatch.c

Co-authored-by: mguetschow <[email protected]>

Update sys/include/psa_crypto/psa/crypto_sizes.h

Author: Lukas-Luger

sys/include/psa_crypto/psa/crypto_sizes.h

@@ -62,13 +62,16 @@ extern "C" {
 #elif (IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P256R1) || \
        IS_USED(MODULE_PSA_ASYMMETRIC_ECC_ED25519) || \
        IS_USED(MODULE_PSA_CIPHER_AES_256_CBC) || \
+       IS_USED(MODULE_PSA_AEAD_AES_256_CCM) || \
        IS_USED(MODULE_PSA_SECURE_ELEMENT_ATECCX08A_ECC_P256) || \
        IS_USED(MODULE_PSA_CIPHER_CHACHA20))
 #define CONFIG_PSA_MAX_KEY_SIZE 32
 #elif (IS_USED(MODULE_PSA_CIPHER_AES_192_CBC) || \
+       IS_USED(MODULE_PSA_AEAD_AES_192_CCM) || \
        IS_USED(MODULE_PSA_ASYMMETRIC_ECC_P192R1))
 #define CONFIG_PSA_MAX_KEY_SIZE 24
 #elif (IS_USED(MODULE_PSA_CIPHER_AES_128_CBC)) || \
+      (IS_USED(MODULE_PSA_AEAD_AES_128_CCM)) || \
       (IS_USED(MODULE_PSA_CIPHER_AES_128_ECB))
 #define CONFIG_PSA_MAX_KEY_SIZE 16
 #else
@@ -124,6 +127,52 @@ extern "C" {
 #define PSA_AEAD_DECRYPT_OUTPUT_MAX_SIZE(ciphertext_length) \
 /* implementation-defined value */
 
+/**
+ * @brief   The length of a tag for an AEAD algorithm, in bytes.
+ *
+ * @details This is the size of the tag output from @ref psa_aead_finish().
+ *          If the size of the tag buffer is at least this large, it is guaranteed that
+ *          @ref psa_aead_finish() will not fail due to an insufficient tag buffer size.
+ *
+ *          See also @ref PSA_AEAD_TAG_MAX_SIZE.
+ *
+ * @param   key_type    The type of the AEAD key.
+ * @param   key_bits    The size of the AEAD key in bits.
+ * @param   alg         An AEAD algorithm: a value of type @ref psa_algorithm_t such that
+ *                      @ref PSA_ALG_IS_AEAD(@p alg) is true.
+ *
+ * @return  The tag length for the specified algorithm and key.
+ *          0 if the AEAD algorithm does not have an identified tag that can be distinguished from
+ *          the rest of the ciphertext.
+ *          0 if the AEAD algorithm is not recognized or not supported.
+ */
+#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg)     \
+    (PSA_ALG_IS_AEAD(alg) ?                              \
+    (((alg) & 0x003f0000) >> 16) :                       \
+    ((void) (key_type), (void) (key_bits), 0))
+
+/**
+ * @brief   A sufficient buffer size for storing the tag output by @ref psa_aead_finish(),
+ *          for any of the supported key types and AEAD algorithms.
+ *
+ * @details If the size of the tag buffer is at least this large, it is guaranteed that
+ *          @ref psa_aead_finish() will not fail due to an insufficient buffer size.
+ *
+ *          See also @ref PSA_AEAD_TAG_LENGTH().
+ */
+#define PSA_AEAD_TAG_MAX_SIZE (16)
+
+/**
+ * @brief   A sufficient buffer size for storing the tag output by @ref psa_aead_finish(),
+ *          for AES key types and CCM algorithms.
+ *
+ * @details If the size of the tag buffer is at least this large, it is guaranteed that
+ *          @ref psa_aead_finish() will not fail due to an insufficient buffer size.
+ *
+ *          See also @ref PSA_AEAD_TAG_LENGTH().
+ */
+#define PSA_AES_CCM_TAG_MAX_SIZE (16)
+
 /**
  * @brief   A sufficient plaintext buffer size for @ref psa_aead_decrypt(), in bytes.
  *
@@ -143,7 +192,9 @@ extern "C" {
  *          are incompatible.
  */
 #define PSA_AEAD_DECRYPT_OUTPUT_SIZE(key_type, alg, ciphertext_length) \
-/* implementation-defined value */
+        (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 &&                  \
+            ((ciphertext_length) > PSA_AEAD_TAG_LENGTH(key_type, 0, alg)) ?   \
+        (ciphertext_length) - PSA_AEAD_TAG_LENGTH(key_type, 0, alg) : 0)
 
 /**
  * @brief   A sufficient ciphertext buffer size for @ref psa_aead_encrypt(),
@@ -158,7 +209,7 @@ extern "C" {
  * @param   plaintext_length Size of the plaintext in bytes.
  */
 #define PSA_AEAD_ENCRYPT_OUTPUT_MAX_SIZE(plaintext_length) \
-/* implementation-defined value */
+        ((plaintext_length) + PSA_AEAD_TAG_MAX_SIZE)
 
 /**
  * @brief   A sufficient ciphertext buffer size for @ref psa_aead_encrypt(), in bytes.
@@ -179,7 +230,8 @@ extern "C" {
  *          are incompatible.
  */
 #define PSA_AEAD_ENCRYPT_OUTPUT_SIZE(key_type, alg, plaintext_length) \
-/* implementation-defined value */
+        (PSA_AEAD_NONCE_LENGTH(key_type, alg) != 0 ?                  \
+        (plaintext_length) + PSA_AEAD_TAG_LENGTH(key_type, 0, alg) : 0)
 
 /**
  * @brief   A sufficient ciphertext buffer size for @ref psa_aead_finish(),
@@ -232,7 +284,13 @@ extern "C" {
  *          0 if the key type or AEAD algorithm is not recognized, not supported or the parameters
  *          are incompatible.
  */
-#define PSA_AEAD_NONCE_LENGTH(key_type, alg) /* implementation-defined value */
+#define PSA_AEAD_NONCE_LENGTH(key_type, alg) \
+    ((PSA_BLOCK_CIPHER_BLOCK_LENGTH(key_type) == 16 && \
+        ((PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_CCM) || \
+        (PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_CCM))) || \
+        (key_type == PSA_KEY_TYPE_CHACHA20 && \
+        PSA_ALG_AEAD_WITH_DEFAULT_LENGTH_TAG(alg) == PSA_ALG_CHACHA20_POLY1305) ? \
+        12 : 0)
 
 /**
  * @brief   A sufficient buffer size for storing the nonce generated by
@@ -243,40 +301,7 @@ extern "C" {
  *
  *          See also @ref PSA_AEAD_NONCE_LENGTH().
  */
-#define PSA_AEAD_NONCE_MAX_SIZE /* implementation-defined value */
-
-/**
- * @brief   The length of a tag for an AEAD algorithm, in bytes.
- *
- * @details This is the size of the tag output from @ref psa_aead_finish().
- *          If the size of the tag buffer is at least this large, it is guaranteed that
- *          @ref psa_aead_finish() will not fail due to an insufficient tag buffer size.
- *
- *          See also @ref PSA_AEAD_TAG_MAX_SIZE.
- *
- * @param   key_type    The type of the AEAD key.
- * @param   key_bits    The size of the AEAD key in bits.
- * @param   alg         An AEAD algorithm: a value of type @ref psa_algorithm_t such that
- *                      @ref PSA_ALG_IS_AEAD(@p alg) is true.
- *
- * @return  The tag length for the specified algorithm and key.
- *          0 if the AEAD algorithm does not have an identified tag that can be distinguished from
- *          the rest of the ciphertext.
- *          0 if the AEAD algorithm is not recognized or not supported.
- */
-#define PSA_AEAD_TAG_LENGTH(key_type, key_bits, alg) \
-/* implementation-defined value */
-
-/**
- * @brief   A sufficient buffer size for storing the tag output by @ref psa_aead_finish(),
- *          for any of the supported key types and AEAD algorithms.
- *
- * @details If the size of the tag buffer is at least this large, it is guaranteed that
- *          @ref psa_aead_finish() will not fail due to an insufficient buffer size.
- *
- *          See also @ref PSA_AEAD_TAG_LENGTH().
- */
-#define PSA_AEAD_TAG_MAX_SIZE /* implementation-defined value */
+#define PSA_AEAD_NONCE_MAX_SIZE (13)
 
 /**
  * @brief   A sufficient output buffer size for @ref psa_aead_update(), for any of the supported key

sys/psa_crypto/Makefile.dep

@@ -143,6 +143,77 @@ ifneq (,$(filter psa_cipher_aes_192_cbc_backend_riot,$(USEMODULE)))
   USEMODULE += psa_riot_cipher_aes_192_cbc
 endif
 
+# AEAD
+ifneq (,$(filter psa_aead,$(USEMODULE)))
+  USEMODULE += psa_key_management
+endif
+
+## AES-128-CCM
+ifneq (,$(filter psa_aead_aes_128_ccm,$(USEMODULE)))
+  ifeq (,$(filter psa_aead_aes_128_ccm_custom_backend,$(USEMODULE)))
+    FEATURES_OPTIONAL += periph_aead_aes_128_ccm
+    include $(RIOTMAKE)/features_check.inc.mk
+    # HACK: Due to kconfig migration, may cause problems
+    ifneq (,$(filter periph_aead_aes_128_ccm,$(FEATURES_USED)))
+      USEMODULE += psa_aead_aes_128_ccm_backend_periph
+    else
+      ifeq (, $(filter psa_aead_aes_128_ccm_backend_tinycrypt,$(USEMODULE)))
+        USEMODULE += psa_aead_aes_128_ccm_backend_cifra
+      endif
+    endif
+  endif
+endif
+ifneq (,$(filter psa_aead_aes_128_ccm_backend_periph,$(USEMODULE)))
+  FEATURES_REQUIRED += periph_aead_aes_128_ccm
+endif
+ifneq (,$(filter psa_aead_aes_128_ccm_backend_tinycrypt,$(USEMODULE)))
+  USEPKG += tinycrypt
+  USEMODULE += psa_tinycrypt
+  USEMODULE += psa_tinycrypt_aes_ccm
+endif
+
+## AES-192-CCM
+ifneq (,$(filter psa_aead_aes_192_ccm,$(USEMODULE)))
+  ifeq (,$(filter psa_aead_aes_192_ccm_custom_backend,$(USEMODULE)))
+    FEATURES_OPTIONAL += periph_aead_aes_192_ccm
+    include $(RIOTMAKE)/features_check.inc.mk
+    # HACK: Due to kconfig migration, may cause problems
+    ifneq (,$(filter periph_aead_aes_192_ccm,$(FEATURES_USED)))
+      USEMODULE += psa_aead_aes_192_ccm_backend_periph
+    else
+      USEMODULE += psa_aead_aes_192_ccm_backend_cifra
+    endif
+  endif
+endif
+ifneq (,$(filter psa_aead_aes_192_ccm_backend_periph,$(USEMODULE)))
+  FEATURES_REQUIRED += periph_aead_aes_192_ccm
+endif
+
+## AES-256-CCM
+ifneq (,$(filter psa_aead_aes_256_ccm,$(USEMODULE)))
+  ifeq (,$(filter psa_aead_aes_256_ccm_custom_backend,$(USEMODULE)))
+    FEATURES_OPTIONAL += periph_aead_aes_256_ccm
+    include $(RIOTMAKE)/features_check.inc.mk
+    # HACK: Due to kconfig migration, may cause problems
+    ifneq (,$(filter periph_aead_aes_256_ccm,$(FEATURES_USED)))
+      USEMODULE += psa_aead_aes_256_ccm_backend_periph
+    else
+      USEMODULE += psa_aead_aes_256_ccm_backend_cifra
+    endif
+  endif
+endif
+ifneq (,$(filter psa_aead_aes_256_ccm_backend_periph,$(USEMODULE)))
+  FEATURES_REQUIRED += periph_aead_aes_256_ccm
+endif
+
+## Cifra supports all of them
+ifneq (,$(filter psa_aead_aes_%_ccm_backend_cifra,$(USEMODULE)))
+  USEPKG += cifra
+  USEMODULE += psa_cifra
+  USEMODULE += psa_cifra_aes_ccm
+endif
+
+
 ## ChaCha20
 ifneq (,$(filter psa_cipher_chacha20,$(USEMODULE)))
   ifeq (,$(filter psa_cipher_chacha20_custom_backend,$(USEMODULE)))

sys/psa_crypto/Makefile.include

@@ -97,6 +97,43 @@ ifneq (,$(filter psa_cipher_chacha20,$(USEMODULE)))
   endif
 endif
 
+## AEAD
+PSEUDOMODULES += psa_aead
+PSEUDOMODULES += psa_aead_aes_128_ccm
+PSEUDOMODULES += psa_aead_aes_128_ccm_backend_periph
+PSEUDOMODULES += psa_aead_aes_128_ccm_backend_cifra
+PSEUDOMODULES += psa_aead_aes_128_ccm_backend_tinycrypt
+PSEUDOMODULES += psa_aead_aes_128_ccm_custom_backend
+
+# check that one and only one backend has been selected
+ifneq (,$(filter psa_aead_aes_128_ccm,$(USEMODULE)))
+  ifneq (1,$(call backends,psa_aead_aes_128_ccm))
+    $(error "One (and only one) backend should be selected for psa_aead_aes_128_ccm")
+  endif
+endif
+
+PSEUDOMODULES += psa_aead_aes_192_ccm
+PSEUDOMODULES += psa_aead_aes_192_ccm_backend_cifra
+PSEUDOMODULES += psa_aead_aes_192_ccm_custom_backend
+
+# check that one and only one backend has been selected
+ifneq (,$(filter psa_aead_aes_192_ccm,$(USEMODULE)))
+  ifneq (1,$(call backends,psa_aead_aes_192_ccm))
+    $(error "One (and only one) backend should be selected for psa_aead_aes_192_ccm")
+  endif
+endif
+
+PSEUDOMODULES += psa_aead_aes_256_ccm
+PSEUDOMODULES += psa_aead_aes_256_ccm_backend_cifra
+PSEUDOMODULES += psa_aead_aes_256_ccm_custom_backend
+
+# check that one and only one backend has been selected
+ifneq (,$(filter psa_aead_aes_256_ccm,$(USEMODULE)))
+  ifneq (1,$(call backends,psa_aead_aes_256_ccm))
+    $(error "One (and only one) backend should be selected for psa_aead_aes_256_ccm")
+  endif
+endif
+
 ## Hash
 PSEUDOMODULES += psa_hash
 PSEUDOMODULES += psa_hash_md5

sys/psa_crypto/doc.md

@@ -269,6 +269,25 @@ names in uppercase and add the prefix `CONFIG_MODULE_` to all of them.
 - psa_asymmetric_ecc_ed25519_custom_backend
 - psa_asymmetric_ecc_ed25519_backend_c25519
 
+### AEAD
+- Base: psa_aead
+
+#### AES CCM
+- psa_aead_aes_128_ccm
+- psa_aead_aes_128_ccm_backend_periph
+- psa_aead_aes_128_ccm_backend_cifra
+- psa_aead_aes_128_ccm_backend_tinycrypt
+
+@note    Be aware that the tinycrypt only allows a nonce size of 13.
+
+- psa_aead_aes_128_ccm_custom_backend
+- psa_aead_aes_192_ccm
+- psa_aead_aes_192_ccm_backend_cifra
+- psa_aead_aes_192_ccm_custom_backend
+- psa_aead_aes_256_ccm
+- psa_aead_aes_256_ccm_backend_cifra
+- psa_aead_aes_256_ccm_custom_backend
+
 ### Ciphers
 - Base: psa_cipher