Skip to content

Mbedtls aes keyid alt #3335

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
ThePassionate wants to merge 2 commits into
base: master
Choose a base branch
from
Open

Mbedtls aes keyid alt #3335

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
c7708ff
crypto/mbedtls: add AES key ID support in AES-ALT
ThePassionate Jan 15, 2026
ecd5fc5
crypto/mbedtls: add patch for mbedtls cipher-wrap with key ID support
ThePassionate Jan 15, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
268 changes: 268 additions & 0 deletions crypto/mbedtls/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch
View file
Open in desktop
Original file line number Diff line number Diff line change
@@ -0,0 +1,268 @@
diff --git a/include/mbedtls/cipher.h b/include/mbedtls/cipher.h
index 970a343802..6002668ac0 100644
--- a/include/mbedtls/cipher.h
+++ b/include/mbedtls/cipher.h
@@ -101,9 +101,19 @@ typedef enum {
MBEDTLS_CIPHER_AES_128_ECB, /**< AES cipher with 128-bit ECB mode. */
MBEDTLS_CIPHER_AES_192_ECB, /**< AES cipher with 192-bit ECB mode. */
MBEDTLS_CIPHER_AES_256_ECB, /**< AES cipher with 256-bit ECB mode. */
+#if defined(MBEDTLS_AES_ALT)
+ MBEDTLS_CIPHER_AES_128_ECB_KEYID, /**< AES cipher with 128-bit ECB mode in keyid type. */
+ MBEDTLS_CIPHER_AES_192_ECB_KEYID, /**< AES cipher with 192-bit ECB mode in keyid type. */
+ MBEDTLS_CIPHER_AES_256_ECB_KEYID, /**< AES cipher with 256-bit ECB mode in keyid type. */
+#endif
MBEDTLS_CIPHER_AES_128_CBC, /**< AES cipher with 128-bit CBC mode. */
MBEDTLS_CIPHER_AES_192_CBC, /**< AES cipher with 192-bit CBC mode. */
MBEDTLS_CIPHER_AES_256_CBC, /**< AES cipher with 256-bit CBC mode. */
+#if defined(MBEDTLS_AES_ALT)
+ MBEDTLS_CIPHER_AES_128_CBC_KEYID, /**< AES cipher with 128-bit CBC mode in keyid type. */
+ MBEDTLS_CIPHER_AES_192_CBC_KEYID, /**< AES cipher with 192-bit CBC mode in keyid type. */
+ MBEDTLS_CIPHER_AES_256_CBC_KEYID, /**< AES cipher with 256-bit CBC mode in keyid type. */
+#endif
MBEDTLS_CIPHER_AES_128_CFB128, /**< AES cipher with 128-bit CFB128 mode. */
MBEDTLS_CIPHER_AES_192_CFB128, /**< AES cipher with 192-bit CFB128 mode. */
MBEDTLS_CIPHER_AES_256_CFB128, /**< AES cipher with 256-bit CFB128 mode. */
diff --git a/library/cipher_wrap.c b/library/cipher_wrap.c
index a05c66e9ec..5c8738501a 100644
--- a/library/cipher_wrap.c
+++ b/library/cipher_wrap.c
@@ -202,6 +202,44 @@ static int aes_setkey_enc_wrap(void *ctx, const unsigned char *key,
return mbedtls_aes_setkey_enc((mbedtls_aes_context *) ctx, key, key_bitlen);
}

+#if defined(MBEDTLS_AES_ALT)
+static int aes_set128key_dec_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set128key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static int aes_set192key_dec_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set192key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static int aes_set256key_dec_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set256key_dec_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static int aes_set128key_enc_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set128key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static int aes_set192key_enc_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set256key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+
+static int aes_set256key_enc_keyid_wrap(void *ctx, const unsigned char *key,
+ unsigned int key_bitlen)
+{
+ return mbedtls_aes_set256key_enc_keyid((mbedtls_aes_context *) ctx, key, key_bitlen);
+}
+#endif
+
static void *aes_ctx_alloc(void)
{
mbedtls_aes_context *aes = mbedtls_calloc(1, sizeof(mbedtls_aes_context));
@@ -248,6 +286,89 @@ static const mbedtls_cipher_base_t aes_info = {
aes_ctx_free
};

+#if defined(MBEDTLS_AES_ALT)
+static const mbedtls_cipher_base_t aes_128keyid_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aes_set128key_enc_keyid_wrap,
+ aes_set128key_dec_keyid_wrap,
+ aes_ctx_alloc,
+ aes_ctx_free
+};
+
+static const mbedtls_cipher_base_t aes_192keyid_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aes_set192key_enc_keyid_wrap,
+ aes_set192key_dec_keyid_wrap,
+ aes_ctx_alloc,
+ aes_ctx_free
+};
+
+static const mbedtls_cipher_base_t aes_256keyid_info = {
+ MBEDTLS_CIPHER_ID_AES,
+ aes_crypt_ecb_wrap,
+#if defined(MBEDTLS_CIPHER_MODE_CBC)
+ aes_crypt_cbc_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CFB)
+ aes_crypt_cfb128_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_OFB)
+ aes_crypt_ofb_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_CTR)
+ aes_crypt_ctr_wrap,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_XTS)
+ NULL,
+#endif
+#if defined(MBEDTLS_CIPHER_MODE_STREAM)
+ NULL,
+#endif
+ aes_set256key_enc_keyid_wrap,
+ aes_set256key_dec_keyid_wrap,
+ aes_ctx_alloc,
+ aes_ctx_free
+};
+#endif
+
static const mbedtls_cipher_info_t aes_128_ecb_info = {
MBEDTLS_CIPHER_AES_128_ECB,
MBEDTLS_MODE_ECB,
@@ -281,6 +402,41 @@ static const mbedtls_cipher_info_t aes_256_ecb_info = {
&aes_info
};

+#if defined(MBEDTLS_AES_ALT)
+static const mbedtls_cipher_info_t aes_128_ecb_keyid_info = {
+ MBEDTLS_CIPHER_AES_128_ECB,
+ MBEDTLS_MODE_ECB,
+ 32,
+ "AES-128-ECB-KEYID",
+ 0,
+ 0,
+ 16,
+ &aes_128keyid_info
+};
+
+static const mbedtls_cipher_info_t aes_192_ecb_keyid_info = {
+ MBEDTLS_CIPHER_AES_192_ECB,
+ MBEDTLS_MODE_ECB,
+ 32,
+ "AES-192-ECB-KEYID",
+ 0,
+ 0,
+ 16,
+ &aes_192keyid_info
+};
+
+static const mbedtls_cipher_info_t aes_256_ecb_keyid_info = {
+ MBEDTLS_CIPHER_AES_256_ECB,
+ MBEDTLS_MODE_ECB,
+ 32,
+ "AES-256-ECB-KEYID",
+ 0,
+ 0,
+ 16,
+ &aes_256keyid_info
+};
+#endif
+
#if defined(MBEDTLS_CIPHER_MODE_CBC)
static const mbedtls_cipher_info_t aes_128_cbc_info = {
MBEDTLS_CIPHER_AES_128_CBC,
@@ -314,6 +470,41 @@ static const mbedtls_cipher_info_t aes_256_cbc_info = {
16,
&aes_info
};
+
+#if defined(MBEDTLS_AES_ALT)
+static const mbedtls_cipher_info_t aes_128_cbc_keyid_info = {
+ MBEDTLS_CIPHER_AES_128_CBC_KEYID,
+ MBEDTLS_MODE_CBC,
+ 32,
+ "AES-128-CBC-KEYID",
+ 16,
+ 0,
+ 16,
+ &aes_128keyid_info
+};
+
+static const mbedtls_cipher_info_t aes_192_cbc_keyid_info = {
+ MBEDTLS_CIPHER_AES_192_CBC_KEYID,
+ MBEDTLS_MODE_CBC,
+ 32,
+ "AES-192-CBC-KEYID",
+ 16,
+ 0,
+ 16,
+ &aes_192keyid_info
+};
+
+static const mbedtls_cipher_info_t aes_256_cbc_keyid_info = {
+ MBEDTLS_CIPHER_AES_256_CBC_KEYID,
+ MBEDTLS_MODE_CBC,
+ 32,
+ "AES-256-CBC-KEYID",
+ 16,
+ 0,
+ 16,
+ &aes_256keyid_info
+};
+#endif
#endif /* MBEDTLS_CIPHER_MODE_CBC */

#if defined(MBEDTLS_CIPHER_MODE_CFB)
@@ -2358,10 +2549,20 @@ const mbedtls_cipher_definition_t mbedtls_cipher_definitions[] =
{ MBEDTLS_CIPHER_AES_128_ECB, &aes_128_ecb_info },
{ MBEDTLS_CIPHER_AES_192_ECB, &aes_192_ecb_info },
{ MBEDTLS_CIPHER_AES_256_ECB, &aes_256_ecb_info },
+#if defined(MBEDTLS_AES_ALT)
+ { MBEDTLS_CIPHER_AES_128_ECB_KEYID, &aes_128_ecb_keyid_info },
+ { MBEDTLS_CIPHER_AES_192_ECB_KEYID, &aes_192_ecb_keyid_info },
+ { MBEDTLS_CIPHER_AES_256_ECB_KEYID, &aes_256_ecb_keyid_info },
+#endif
#if defined(MBEDTLS_CIPHER_MODE_CBC)
{ MBEDTLS_CIPHER_AES_128_CBC, &aes_128_cbc_info },
{ MBEDTLS_CIPHER_AES_192_CBC, &aes_192_cbc_info },
{ MBEDTLS_CIPHER_AES_256_CBC, &aes_256_cbc_info },
+#if defined(MBEDTLS_AES_ALT)
+ { MBEDTLS_CIPHER_AES_128_CBC_KEYID, &aes_128_cbc_keyid_info },
+ { MBEDTLS_CIPHER_AES_192_CBC_KEYID, &aes_192_cbc_keyid_info },
+ { MBEDTLS_CIPHER_AES_256_CBC_KEYID, &aes_256_cbc_keyid_info },
+#endif
#endif
#if defined(MBEDTLS_CIPHER_MODE_CFB)
{ MBEDTLS_CIPHER_AES_128_CFB128, &aes_128_cfb128_info },
2 changes: 2 additions & 0 deletions crypto/mbedtls/CMakeLists.txt
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,8 @@ if(CONFIG_CRYPTO_MBEDTLS)
${CMAKE_CURRENT_LIST_DIR}/0002-mbedtls-add-mbedtls-x509-crt-pool.patch
&& patch -p1 -d ${MBEDTLS_DIR} <
${CMAKE_CURRENT_LIST_DIR}/0003-Fix-MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT-warning.patch
&& patch -p1 -d ${MBEDTLS_DIR} <
${CMAKE_CURRENT_LIST_DIR}/0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch
DOWNLOAD_NO_PROGRESS true
TIMEOUT 30)

Expand Down
1 change: 1 addition & 0 deletions crypto/mbedtls/Makefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -82,6 +82,7 @@ $(MBEDTLS_UNPACKNAME): $(MBEDTLS_ZIP)
$(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0001-mbedtls-entropy_poll-use-getrandom-to-get-the-system.patch
$(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0002-mbedtls-add-mbedtls-x509-crt-pool.patch
$(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0003-Fix-MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT-warning.patch
$(Q) patch -p1 -d $(MBEDTLS_UNPACKNAME) < 0004-mbedtls-cipher-wrap-support-aes-with-keyid.patch
$(Q) touch $(MBEDTLS_UNPACKNAME)

$(MBEDTLS_FRAMEWORK_UNPACKNAME): $(MBEDTLS_FRAMEWORK_ZIP)
Expand Down
25 changes: 25 additions & 0 deletions crypto/mbedtls/include/aes_alt.h
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -37,10 +37,35 @@
typedef struct mbedtls_aes_context
{
cryptodev_context_t dev;
int mode;
unsigned char key[MAX_KEY_SIZE];
}
mbedtls_aes_context;

#define mbedtls_aes_xts_context mbedtls_aes_context

int mbedtls_aes_set128key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

int mbedtls_aes_set192key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

int mbedtls_aes_set256key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

int mbedtls_aes_set128key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

int mbedtls_aes_set192key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

int mbedtls_aes_set256key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits);

#endif /* __APPS_CRYPTO_MBEDTLS_INCLUDE_AES_ALT_H */
56 changes: 55 additions & 1 deletion crypto/mbedtls/source/aes_alt.c
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -78,6 +78,60 @@ int mbedtls_aes_setkey_dec(FAR mbedtls_aes_context *ctx,
return mbedtls_aes_setkey_enc(ctx, key, keybits);
}

int mbedtls_aes_set128key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
memcpy(ctx->key, key, keybits / 8);
ctx->dev.session.key = (caddr_t)ctx->key;
ctx->dev.session.keylen = keybits / 8;
ctx->mode = CRYPTO_AES_CBC;
return 0;
}

int mbedtls_aes_set192key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
memcpy(ctx->key, key, keybits / 8);
ctx->dev.session.key = (caddr_t)ctx->key;
ctx->dev.session.keylen = keybits / 8;
ctx->mode = CRYPTO_AES_192_CBC;
return 0;
}

int mbedtls_aes_set256key_enc_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
memcpy(ctx->key, key, keybits / 8);
ctx->dev.session.key = (caddr_t)ctx->key;
ctx->dev.session.keylen = keybits / 8;
ctx->mode = CRYPTO_AES_256_CBC;
return 0;
}

int mbedtls_aes_set128key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
return mbedtls_aes_set128key_enc_keyid(ctx, key, keybits);
}

int mbedtls_aes_set192key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
return mbedtls_aes_set192key_enc_keyid(ctx, key, keybits);
}

int mbedtls_aes_set256key_dec_keyid(FAR mbedtls_aes_context *ctx,
FAR const unsigned char *key,
unsigned int keybits)
{
return mbedtls_aes_set256key_enc_keyid(ctx, key, keybits);
}

/* AES-ECB block encryption/decryption */

int mbedtls_aes_crypt_ecb(FAR mbedtls_aes_context *ctx,
Expand All @@ -93,7 +147,7 @@ int mbedtls_aes_crypt_ecb(FAR mbedtls_aes_context *ctx,
return MBEDTLS_ERR_AES_BAD_INPUT_DATA;
}

ctx->dev.session.cipher = CRYPTO_AES_CBC;
ctx->dev.session.cipher = ctx->mode ? ctx->mode : CRYPTO_AES_CBC;
ret = cryptodev_get_session(&ctx->dev);
if (ret != 0)
{
Expand Down
Loading