Add config.h option MBEDTLS_PK_SINGLE_HASH

No effect for now, just declaring it here, implemented in subsequent commits.

The option requires MBEDTLS_USE_TINYCRYPT and is incompatible with
MBEDTLS_PK_RSA_ALT_SUPPORT and MBEDTLS_RSA_C.

Currently users (including the X.509 and SSL libraries) assume that if both PK
and RSA are enabled, then RSA is available through PK. If we allowed RSA to be
enabled together with PK_SINGLE_TYPE, we'd break that assumption. Going
through the code to find all place that rely on that assumption and fix them
would be cumbersome, and people who want PK_SINGLE_TYPE are unlikely to care
about RSA anyway, so let's just make them incompatible.

This is also consistent with what's done in the MD module: MD_SINGLE_HASH
requires that exactly one hash be enabled.

configs/baremetal.h

@@ -52,7 +52,9 @@
 #define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_MD_ID MBEDTLS_MD_SHA256
 #define MBEDTLS_SSL_CONF_SINGLE_SIG_HASH_TLS_ID MBEDTLS_SSL_HASH_SHA256
 
+/* Harcoded options in abstraction layers */
 #define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
+#define MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
 
 /* Key exchanges */
 #define MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED

include/mbedtls/check_config.h

@@ -853,6 +853,18 @@
 #undef MBEDTLS_HASHES_ENABLED
 #endif /* MBEDTLS_MD_SINGLE_HASH */
 
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && !defined(MBEDTLS_USE_TINYCRYPT)
+#error "MBEDTLS_PK_SINGLE_TYPE can only be used with MBEDTLS_USE_TINYCRYPT"
+#endif
+
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_PK_RSA_ALT_SUPPORT)
+#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_PK_RSA_ALT_SUPPORT"
+#endif
+
+#if defined(MBEDTLS_PK_SINGLE_TYPE) && defined(MBEDTLS_RSA_C)
+#error "MBEDTLS_PK_SINGLE_TYPE is not compatible with MBEDTLS_RSA_C"
+#endif
+
 #if defined(MBEDTLS_THREADING_ALT)
 #if !defined(MBEDTLS_THREADING_C) || defined(MBEDTLS_THREADING_IMPL)
 #error "MBEDTLS_THREADING_ALT defined, but not all prerequisites"

include/mbedtls/config.h

@@ -3840,6 +3840,17 @@
  */
 //#define MBEDTLS_MD_SINGLE_HASH MBEDTLS_MD_INFO_SHA256
 
+/* Enable support for a single PK type in the PK layer.
+ *
+ * This is mainly intented to reduce code size on highly constrained system
+ * with large control over the set of algorithms they need to support. It will
+ * also reduce dynamic memory allocation.
+ *
+ * Currently this is only supported with EC keys in conjunction with the
+ * MBEDTLS_USE_TINYCRYPT option. Set this to MBEDTLS_PK_INFO_ECKEY to enable.
+ */
+//#define MBEDTLS_PK_SINGLE_TYPE    MBEDTLS_PK_INFO_ECKEY
+
 /* \} SECTION: Compile-time SSL configuration */
 
 /* Target and application specific configurations

include/mbedtls/pk_internal.h

@@ -33,6 +33,9 @@
 
 #include "pk.h"
 
+/* Dummy definition to keep check-names.sh happy - don't uncomment */
+//#define MBEDTLS_PK_INFO_ECKEY
+
 struct mbedtls_pk_info_t
 {
     /** Public key type */

programs/ssl/query_config.c

@@ -2922,6 +2922,14 @@ int query_config( const char *config )
     }
 #endif /* MBEDTLS_MD_SINGLE_HASH */
 
+#if defined(MBEDTLS_PK_SINGLE_TYPE)
+    if( strcmp( "MBEDTLS_PK_SINGLE_TYPE", config ) == 0 )
+    {
+        MACRO_EXPANSION_TO_STR( MBEDTLS_PK_SINGLE_TYPE );
+        return( 0 );
+    }
+#endif /* MBEDTLS_PK_SINGLE_TYPE */
+
     /* If the symbol is not found, return an error */
     return( 1 );
 }

tests/scripts/all.sh

@@ -1494,6 +1494,47 @@ component_test_default_tinycrypt_without_legacy_ecc () {
     if_build_succeeded tests/compat.sh -f 'ECDHE-ECDSA\|ECDHE-PSK\|ECDH-ECDSA'
 }
 
+component_test_hardcoded_pk_type () {
+    msg "build: default config + single PK type harcoded (tinycrypt)"
+    # need to enable tinycrypt first - copied from tinycrypt component
+    scripts/config.pl set MBEDTLS_USE_TINYCRYPT
+    scripts/config.pl set MBEDTLS_SSL_CONF_RNG rng_wrap
+    scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC
+    scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_EC_TLS_ID 23
+    scripts/config.pl set MBEDTLS_SSL_CONF_SINGLE_UECC_GRP_ID MBEDTLS_UECC_DP_SECP256R1
+    scripts/config.pl unset MBEDTLS_ECP_C
+    scripts/config.pl unset MBEDTLS_ECDH_C
+    scripts/config.pl unset MBEDTLS_ECDSA_C
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP192R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP224R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP256R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP384R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP521R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_BP256R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_BP384R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_BP512R1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP192K1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP224K1_ENABLED
+    scripts/config.pl unset MBEDTLS_ECP_DP_SECP256K1_ENABLED
+    # now single-PK specific configs
+    scripts/config.pl set MBEDTLS_PK_SINGLE_TYPE MBEDTLS_PK_INFO_ECKEY
+    scripts/config.pl unset MBEDTLS_PK_RSA_ALT_SUPPORT
+    scripts/config.pl unset MBEDTLS_RSA_C
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
+    scripts/config.pl unset MBEDTLS_KEY_EXCHANGE_RSA_ENABLED
+    scripts/config.pl unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
+    make CFLAGS='-Werror -O1'
+
+    msg "test: default config + single PK type harcoded (tinycrypt)"
+    make test
+    if_build_succeeded tests/ssl-opt.sh -f '^Default, DTLS$'
+}
+
 component_test_baremetal () {
     msg "build: lib+test+programs for baremetal.h + baremetal_test.h"
     record_status scripts/baremetal.sh --ram --build-only