From 45574797e7c66dcd99cfeb0e0be5feb291271d1a Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Mon, 13 Oct 2025 09:06:24 +0200 Subject: [PATCH 1/3] psa: crypto_extra: improve buffer size computation for static key slots Take also MAC's key types into account when computing the size of the buffer to store key material in static key slot configuration. Signed-off-by: Valerio Setti --- include/psa/crypto_extra.h | 36 +++++++++++++++++++++++++++++++----- 1 file changed, 31 insertions(+), 5 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index a710397a77..58322cddf4 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -33,13 +33,39 @@ extern "C" { #endif /* If the size of static key slots is not explicitly defined by the user, then - * set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE and - * PSA_CIPHER_MAX_KEY_LENGTH. + * set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE, + * PSA_CIPHER_MAX_KEY_LENGTH and PSA_MAC_MAX_SIZE. * See mbedtls_config.h for the definition. */ #if !defined(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE) -#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE \ - ((PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE > PSA_CIPHER_MAX_KEY_LENGTH) ? \ - PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE : PSA_CIPHER_MAX_KEY_LENGTH) + +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 1 + +#if PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE +#endif + +#if PSA_CIPHER_MAX_KEY_LENGTH > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_CIPHER_MAX_KEY_LENGTH +#endif + +/* For HMAC, it's typical but not mandatory to use a key size that is equal to + * the hash size. */ +#if PSA_WANT_ALG_HMAC +#if PSA_HASH_MAX_SIZE > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_HASH_MAX_SIZE +#endif +#endif /* PSA_WANT_ALG_HMAC */ + +#if PSA_WANT_ALG_CMAC +#if PSA_CIPHER_MAX_KEY_LENGTH > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE +#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_CIPHER_MAX_KEY_LENGTH +#endif +#endif /* PSA_WANT_ALG_CMAC */ + #endif /* !MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE*/ /** \addtogroup attributes From 5306324015b9db29969dff1ba592f6675a6dedf5 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 16 Oct 2025 16:36:50 +0200 Subject: [PATCH 2/3] psa: crypto_extra: update documentation of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE Signed-off-by: Valerio Setti --- include/psa/crypto_extra.h | 15 ++++----------- 1 file changed, 4 insertions(+), 11 deletions(-) diff --git a/include/psa/crypto_extra.h b/include/psa/crypto_extra.h index 58322cddf4..89a38a8054 100644 --- a/include/psa/crypto_extra.h +++ b/include/psa/crypto_extra.h @@ -33,9 +33,8 @@ extern "C" { #endif /* If the size of static key slots is not explicitly defined by the user, then - * set it to the maximum between PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE, - * PSA_CIPHER_MAX_KEY_LENGTH and PSA_MAC_MAX_SIZE. - * See mbedtls_config.h for the definition. */ + * try to guess it based on some of the most common the key types enabled in the build. + * See mbedtls_config.h for the definition of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE. */ #if !defined(MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE) #define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE 1 @@ -45,6 +44,7 @@ extern "C" { #define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_EXPORT_KEY_PAIR_OR_PUBLIC_MAX_SIZE #endif +/* This covers ciphers, AEADs and CMAC. */ #if PSA_CIPHER_MAX_KEY_LENGTH > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE #undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE #define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_CIPHER_MAX_KEY_LENGTH @@ -52,20 +52,13 @@ extern "C" { /* For HMAC, it's typical but not mandatory to use a key size that is equal to * the hash size. */ -#if PSA_WANT_ALG_HMAC +#if defined(PSA_WANT_ALG_HMAC) #if PSA_HASH_MAX_SIZE > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE #undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE #define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_HASH_MAX_SIZE #endif #endif /* PSA_WANT_ALG_HMAC */ -#if PSA_WANT_ALG_CMAC -#if PSA_CIPHER_MAX_KEY_LENGTH > MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE -#undef MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE -#define MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE PSA_CIPHER_MAX_KEY_LENGTH -#endif -#endif /* PSA_WANT_ALG_CMAC */ - #endif /* !MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE*/ /** \addtogroup attributes From a8ff9f76e9569ed2595259b9ee5cca2ee4be4ca1 Mon Sep 17 00:00:00 2001 From: Valerio Setti Date: Thu, 16 Oct 2025 16:47:01 +0200 Subject: [PATCH 3/3] changelog: add note about MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE improvements Signed-off-by: Valerio Setti --- ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt | 4 ++++ 1 file changed, 4 insertions(+) create mode 100644 ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt diff --git a/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt b/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt new file mode 100644 index 0000000000..bb04efcf2b --- /dev/null +++ b/ChangeLog.d/fix-static-key-slot-buffer-size-computation.txt @@ -0,0 +1,4 @@ +Features + * The automatic computation of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE has + been improved to take into account the following key types: + asymmetric keys, ciphers, AEADs, CMAC and HMAC.