From c7708ffb599ca916f798abfd4a57ad593b290b9f Mon Sep 17 00:00:00 2001 From: makejian Date: Thu, 15 Jan 2026 16:29:55 +0800 Subject: [PATCH 1/2] crypto/mbedtls: add AES key ID support in AES-ALT Add support for AES encryption key setup using key identifiers in the mbedtls alternative implementation, including functions for 128/192/256-bit key sizes in both encryption and decryption modes. Signed-off-by: makejian --- crypto/mbedtls/include/aes_alt.h | 25 ++++++++++++++ crypto/mbedtls/source/aes_alt.c | 56 +++++++++++++++++++++++++++++++- 2 files changed, 80 insertions(+), 1 deletion(-) diff --git a/crypto/mbedtls/include/aes_alt.h b/crypto/mbedtls/include/aes_alt.h index 0ba13cc419d..c632c97a0e8 100644 --- a/crypto/mbedtls/include/aes_alt.h +++ b/crypto/mbedtls/include/aes_alt.h @@ -37,10 +37,35 @@ typedef struct mbedtls_aes_context { cryptodev_context_t dev; + int mode; unsigned char key[MAX_KEY_SIZE]; } mbedtls_aes_context; #define mbedtls_aes_xts_context mbedtls_aes_context +int mbedtls_aes_set128key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + +int mbedtls_aes_set192key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + +int mbedtls_aes_set256key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + +int mbedtls_aes_set128key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + +int mbedtls_aes_set192key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + +int mbedtls_aes_set256key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits); + #endif /* __APPS_CRYPTO_MBEDTLS_INCLUDE_AES_ALT_H */ diff --git a/crypto/mbedtls/source/aes_alt.c b/crypto/mbedtls/source/aes_alt.c index 23baa195970..b69cae410b8 100644 --- a/crypto/mbedtls/source/aes_alt.c +++ b/crypto/mbedtls/source/aes_alt.c @@ -78,6 +78,60 @@ int mbedtls_aes_setkey_dec(FAR mbedtls_aes_context *ctx, return mbedtls_aes_setkey_enc(ctx, key, keybits); } +int mbedtls_aes_set128key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + memcpy(ctx->key, key, keybits / 8); + ctx->dev.session.key = (caddr_t)ctx->key; + ctx->dev.session.keylen = keybits / 8; + ctx->mode = CRYPTO_AES_CBC; + return 0; +} + +int mbedtls_aes_set192key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + memcpy(ctx->key, key, keybits / 8); + ctx->dev.session.key = (caddr_t)ctx->key; + ctx->dev.session.keylen = keybits / 8; + ctx->mode = CRYPTO_AES_192_CBC; + return 0; +} + +int mbedtls_aes_set256key_enc_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + memcpy(ctx->key, key, keybits / 8); + ctx->dev.session.key = (caddr_t)ctx->key; + ctx->dev.session.keylen = keybits / 8; + ctx->mode = CRYPTO_AES_256_CBC; + return 0; +} + +int mbedtls_aes_set128key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + return mbedtls_aes_set128key_enc_keyid(ctx, key, keybits); +} + +int mbedtls_aes_set192key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + return mbedtls_aes_set192key_enc_keyid(ctx, key, keybits); +} + +int mbedtls_aes_set256key_dec_keyid(FAR mbedtls_aes_context *ctx, + FAR const unsigned char *key, + unsigned int keybits) +{ + return mbedtls_aes_set256key_enc_keyid(ctx, key, keybits); +} + /* AES-ECB block encryption/decryption */ int mbedtls_aes_crypt_ecb(FAR mbedtls_aes_context *ctx, @@ -93,7 +147,7 @@ int mbedtls_aes_crypt_ecb(FAR mbedtls_aes_context *ctx, return MBEDTLS_ERR_AES_BAD_INPUT_DATA; } - ctx->dev.session.cipher = CRYPTO_AES_CBC; + ctx->dev.session.cipher = ctx->mode ? ctx->mode : CRYPTO_AES_CBC; ret = cryptodev_get_session(&ctx->dev); if (ret != 0) { From ecd5fc568b838eca8bc2284557f480a36d67b2a6 Mon Sep 17 00:00:00 2001 From: makejian Date: Thu, 15 Jan 2026 16:30:01 +0800 Subject: [PATCH 2/2] crypto/mbedtls: add patch for mbedtls cipher-wrap with key ID support Add patch file and build system integration (CMakeLists.txt and Makefile) to support AES cipher wrapping with key ID functionality in the mbedtls third-party library. Signed-off-by: makejian --- ...s-cipher-wrap-support-aes-with-keyid.patch | 268 ++++++++++++++++++ crypto/mbedtls/CMakeLists.txt | 2 + crypto/mbedtls/Makefile | 1 + 3 files changed, 271 insertions(+) create mode 100644 crypto/mbedtls/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch diff --git a/crypto/mbedtls/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch b/crypto/mbedtls/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch new file mode 100644 index 00000000000..4eb5e2ab37f --- /dev/null +++ b/crypto/mbedtls/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch @@ -0,0 +1,268 @@ +diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h +index 970a343802..6002668ac0 100644 +--- a/include/mbedtls/cipher.h ++++ b/include/mbedtls/cipher.h +@@ -101,9 +101,19 @@ typedef enum { + MBEDTLS_CIPHER_AES_128_ECB, /**< AES cipher with 128-bit ECB mode. */ + MBEDTLS_CIPHER_AES_192_ECB, /**< AES cipher with 192-bit ECB mode. */ + MBEDTLS_CIPHER_AES_256_ECB, /**< AES cipher with 256-bit ECB mode. */ ++#if defined(MBEDTLS_AES_ALT) ++ MBEDTLS_CIPHER_AES_128_ECB_KEYID, /**< AES cipher with 128-bit ECB mode in keyid type. */ ++ MBEDTLS_CIPHER_AES_192_ECB_KEYID, /**< AES cipher with 192-bit ECB mode in keyid type. */ ++ MBEDTLS_CIPHER_AES_256_ECB_KEYID, /**< AES cipher with 256-bit ECB mode in keyid type. */ ++#endif + MBEDTLS_CIPHER_AES_128_CBC, /**< AES cipher with 128-bit CBC mode. */ + MBEDTLS_CIPHER_AES_192_CBC, /**< AES cipher with 192-bit CBC mode. */ + MBEDTLS_CIPHER_AES_256_CBC, /**< AES cipher with 256-bit CBC mode. */ ++#if defined(MBEDTLS_AES_ALT) ++ MBEDTLS_CIPHER_AES_128_CBC_KEYID, /**< AES cipher with 128-bit CBC mode in keyid type. */ ++ MBEDTLS_CIPHER_AES_192_CBC_KEYID, /**< AES cipher with 192-bit CBC mode in keyid type. */ ++ MBEDTLS_CIPHER_AES_256_CBC_KEYID, /**< AES cipher with 256-bit CBC mode in keyid type. */ ++#endif + MBEDTLS_CIPHER_AES_128_CFB128, /**< AES cipher with 128-bit CFB128 mode. */ + MBEDTLS_CIPHER_AES_192_CFB128, /**< AES cipher with 192-bit CFB128 mode. */ + MBEDTLS_CIPHER_AES_256_CFB128, /**< AES cipher with 256-bit CFB128 mode. */ +diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c +index a05c66e9ec..5c8738501a 100644 +--- a/library/cipher_wrap.c ++++ b/library/cipher_wrap.c +@@ -202,6 +202,44 @@ static int aes_setkey_enc_wrap(void *ctx, const unsigned char *key, + return mbedtls_aes_setkey_enc((mbedtls_aes_context *) ctx, key, key_bitlen); + } + ++#if defined(MBEDTLS_AES_ALT) ++static int aes_set128key_dec_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set128key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++ ++static int aes_set192key_dec_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set192key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++ ++static int aes_set256key_dec_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set256key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++ ++static int aes_set128key_enc_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set128key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++ ++static int aes_set192key_enc_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set256key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++ ++static int aes_set256key_enc_keyid_wrap(void *ctx, const unsigned char *key, ++ unsigned int key_bitlen) ++{ ++ return mbedtls_aes_set256key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen); ++} ++#endif ++ + static void *aes_ctx_alloc(void) + { + mbedtls_aes_context *aes = mbedtls_calloc(1, sizeof(mbedtls_aes_context)); +@@ -248,6 +286,89 @@ static const mbedtls_cipher_base_t aes_info = { + aes_ctx_free + }; + ++#if defined(MBEDTLS_AES_ALT) ++static const mbedtls_cipher_base_t aes_128keyid_info = { ++ MBEDTLS_CIPHER_ID_AES, ++ aes_crypt_ecb_wrap, ++#if defined(MBEDTLS_CIPHER_MODE_CBC) ++ aes_crypt_cbc_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CFB) ++ aes_crypt_cfb128_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_OFB) ++ aes_crypt_ofb_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CTR) ++ aes_crypt_ctr_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_XTS) ++ NULL, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_STREAM) ++ NULL, ++#endif ++ aes_set128key_enc_keyid_wrap, ++ aes_set128key_dec_keyid_wrap, ++ aes_ctx_alloc, ++ aes_ctx_free ++}; ++ ++static const mbedtls_cipher_base_t aes_192keyid_info = { ++ MBEDTLS_CIPHER_ID_AES, ++ aes_crypt_ecb_wrap, ++#if defined(MBEDTLS_CIPHER_MODE_CBC) ++ aes_crypt_cbc_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CFB) ++ aes_crypt_cfb128_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_OFB) ++ aes_crypt_ofb_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CTR) ++ aes_crypt_ctr_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_XTS) ++ NULL, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_STREAM) ++ NULL, ++#endif ++ aes_set192key_enc_keyid_wrap, ++ aes_set192key_dec_keyid_wrap, ++ aes_ctx_alloc, ++ aes_ctx_free ++}; ++ ++static const mbedtls_cipher_base_t aes_256keyid_info = { ++ MBEDTLS_CIPHER_ID_AES, ++ aes_crypt_ecb_wrap, ++#if defined(MBEDTLS_CIPHER_MODE_CBC) ++ aes_crypt_cbc_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CFB) ++ aes_crypt_cfb128_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_OFB) ++ aes_crypt_ofb_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_CTR) ++ aes_crypt_ctr_wrap, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_XTS) ++ NULL, ++#endif ++#if defined(MBEDTLS_CIPHER_MODE_STREAM) ++ NULL, ++#endif ++ aes_set256key_enc_keyid_wrap, ++ aes_set256key_dec_keyid_wrap, ++ aes_ctx_alloc, ++ aes_ctx_free ++}; ++#endif ++ + static const mbedtls_cipher_info_t aes_128_ecb_info = { + MBEDTLS_CIPHER_AES_128_ECB, + MBEDTLS_MODE_ECB, +@@ -281,6 +402,41 @@ static const mbedtls_cipher_info_t aes_256_ecb_info = { + &aes_info + }; + ++#if defined(MBEDTLS_AES_ALT) ++static const mbedtls_cipher_info_t aes_128_ecb_keyid_info = { ++ MBEDTLS_CIPHER_AES_128_ECB, ++ MBEDTLS_MODE_ECB, ++ 32, ++ "AES-128-ECB-KEYID", ++ 0, ++ 0, ++ 16, ++ &aes_128keyid_info ++}; ++ ++static const mbedtls_cipher_info_t aes_192_ecb_keyid_info = { ++ MBEDTLS_CIPHER_AES_192_ECB, ++ MBEDTLS_MODE_ECB, ++ 32, ++ "AES-192-ECB-KEYID", ++ 0, ++ 0, ++ 16, ++ &aes_192keyid_info ++}; ++ ++static const mbedtls_cipher_info_t aes_256_ecb_keyid_info = { ++ MBEDTLS_CIPHER_AES_256_ECB, ++ MBEDTLS_MODE_ECB, ++ 32, ++ "AES-256-ECB-KEYID", ++ 0, ++ 0, ++ 16, ++ &aes_256keyid_info ++}; ++#endif ++ + #if defined(MBEDTLS_CIPHER_MODE_CBC) + static const mbedtls_cipher_info_t aes_128_cbc_info = { + MBEDTLS_CIPHER_AES_128_CBC, +@@ -314,6 +470,41 @@ static const mbedtls_cipher_info_t aes_256_cbc_info = { + 16, + &aes_info + }; ++ ++#if defined(MBEDTLS_AES_ALT) ++static const mbedtls_cipher_info_t aes_128_cbc_keyid_info = { ++ MBEDTLS_CIPHER_AES_128_CBC_KEYID, ++ MBEDTLS_MODE_CBC, ++ 32, ++ "AES-128-CBC-KEYID", ++ 16, ++ 0, ++ 16, ++ &aes_128keyid_info ++}; ++ ++static const mbedtls_cipher_info_t aes_192_cbc_keyid_info = { ++ MBEDTLS_CIPHER_AES_192_CBC_KEYID, ++ MBEDTLS_MODE_CBC, ++ 32, ++ "AES-192-CBC-KEYID", ++ 16, ++ 0, ++ 16, ++ &aes_192keyid_info ++}; ++ ++static const mbedtls_cipher_info_t aes_256_cbc_keyid_info = { ++ MBEDTLS_CIPHER_AES_256_CBC_KEYID, ++ MBEDTLS_MODE_CBC, ++ 32, ++ "AES-256-CBC-KEYID", ++ 16, ++ 0, ++ 16, ++ &aes_256keyid_info ++}; ++#endif + #endif /* MBEDTLS_CIPHER_MODE_CBC */ + + #if defined(MBEDTLS_CIPHER_MODE_CFB) +@@ -2358,10 +2549,20 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] = + { MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info }, + { MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info }, + { MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info }, ++#if defined(MBEDTLS_AES_ALT) ++ { MBEDTLS_CIPHER_AES_128_ECB_KEYID, &aes_128_ecb_keyid_info }, ++ { MBEDTLS_CIPHER_AES_192_ECB_KEYID, &aes_192_ecb_keyid_info }, ++ { MBEDTLS_CIPHER_AES_256_ECB_KEYID, &aes_256_ecb_keyid_info }, ++#endif + #if defined(MBEDTLS_CIPHER_MODE_CBC) + { MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info }, + { MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info }, + { MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info }, ++#if defined(MBEDTLS_AES_ALT) ++ { MBEDTLS_CIPHER_AES_128_CBC_KEYID, &aes_128_cbc_keyid_info }, ++ { MBEDTLS_CIPHER_AES_192_CBC_KEYID, &aes_192_cbc_keyid_info }, ++ { MBEDTLS_CIPHER_AES_256_CBC_KEYID, &aes_256_cbc_keyid_info }, ++#endif + #endif + #if defined(MBEDTLS_CIPHER_MODE_CFB) + { MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info }, diff --git a/crypto/mbedtls/CMakeLists.txt b/crypto/mbedtls/CMakeLists.txt index 9a80ffab92c..09b16574e02 100644 --- a/crypto/mbedtls/CMakeLists.txt +++ b/crypto/mbedtls/CMakeLists.txt @@ -42,6 +42,8 @@ if(CONFIG_CRYPTO_MBEDTLS) ${CMAKE_CURRENT_LIST_DIR}/0002-mbedtls-add-mbedtls-x509-crt-pool.patch && patch -p1 -d ${MBEDTLS_DIR} < ${CMAKE_CURRENT_LIST_DIR}/0003-Fix-MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT-warning.patch + && patch -p1 -d ${MBEDTLS_DIR} < + ${CMAKE_CURRENT_LIST_DIR}/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch DOWNLOAD_NO_PROGRESS true TIMEOUT 30) diff --git a/crypto/mbedtls/Makefile b/crypto/mbedtls/Makefile index 33038411132..5f81f9edcc4 100644 --- a/crypto/mbedtls/Makefile +++ b/crypto/mbedtls/Makefile @@ -82,6 +82,7 @@ $(MBEDTLS_UNPACKNAME): $(MBEDTLS_ZIP) $(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0001-mbedtls-entropy_poll-use-getrandom-to-get-the-system.patch $(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0002-mbedtls-add-mbedtls-x509-crt-pool.patch $(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0003-Fix-MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT-warning.patch + $(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch $(Q) touch $(MBEDTLS_UNPACKNAME) $(MBEDTLS_FRAMEWORK_UNPACKNAME): $(MBEDTLS_FRAMEWORK_ZIP)