Removed 3DES from PSA config

Author: danielinux

docs/DICE.md

@@ -65,6 +65,8 @@ families must implement the appropriate subset based on hardware support.
   - Test-only fallback: when `WOLFBOOT_UDS_UID_FALLBACK_FORTEST=1`, targets
     may derive UDS from the device UID for demo purposes. This should not be
     used in production builds.
+  - HKDF hash selection follows the configured measurement hash; for
+    `WOLFBOOT_HASH_SHA3_384`, HKDF uses SHA3-384 as well.
 - `hal_attestation_get_ueid(uint8_t *buf, size_t *len)`
   - Returns a stable UEID. If unavailable, the UEID is derived from UDS.
 - `hal_attestation_get_implementation_id(uint8_t *buf, size_t *len)`

include/user_settings.h

@@ -378,8 +378,12 @@ extern int tolower(int c);
 #   define HAVE_AES_ECB
 #   define WOLFSSL_AES_CFB
 #   define WOLFSSL_AES_OFB
-#   define WOLFSSL_DES3
-#   define WOLFSSL_DES_ECB
+#   ifndef NO_DES3
+#       define NO_DES3
+#   endif
+#   ifndef NO_DES3_TLS_SUITES
+#       define NO_DES3_TLS_SUITES
+#   endif
 #   define HAVE_CHACHA
 #   define HAVE_POLY1305
 #   define WOLFSSL_CMAC
@@ -510,7 +514,9 @@ extern int tolower(int c);
 #define NO_CERT
 #define NO_SESSION_CACHE
 #define NO_HC128
+#ifndef NO_DES3
 #define NO_DES3
+#endif
 #define NO_WRITEV
 #ifndef WOLFBOOT_PARTITION_FILENAME
 #define NO_FILESYSTEM
@@ -532,7 +538,6 @@ extern int tolower(int c);
 
 #if defined(WOLFCRYPT_TZ_PSA)
 #undef NO_CMAC
-#undef NO_DES3
 #undef NO_KDF
 #endif
 

options.mk

@@ -769,6 +769,7 @@ ifeq ($(WOLFCRYPT_TZ_PSA),1)
   CFLAGS+=-DWOLFCRYPT_TZ_PSA
   CFLAGS+=-DWOLFSSL_PSA_ENGINE
   CFLAGS+=-DWOLFPSA_CUSTOM_STORE
+  CFLAGS+=-DNO_DES3 -DNO_DES3_TLS_SUITES
   WOLFPSA_CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA)
   WOLFPSA_CFLAGS+=-I$(WOLFBOOT_LIB_WOLFPSA)/wolfpsa
   LDFLAGS+=--specs=nano.specs
@@ -779,7 +780,6 @@ ifeq ($(WOLFCRYPT_TZ_PSA),1)
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/hmac.o
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/dh.o
   WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/chacha.o
-  WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/des3.o
   ifeq ($(findstring random.o,$(WOLFCRYPT_OBJS)),)
     WOLFCRYPT_OBJS+=$(WOLFBOOT_LIB_WOLFSSL)/wolfcrypt/src/random.o
   endif

src/dice/dice.c

@@ -93,7 +93,7 @@
 #define WOLFBOOT_DICE_KDF_HASH_SIZE SHA384_DIGEST_SIZE
 #define WOLFBOOT_MEASUREMENT_HASH_NAME "sha-384"
 #elif defined(WOLFBOOT_HASH_SHA3_384)
-#define WOLFBOOT_DICE_KDF_HASH_TYPE WC_HASH_TYPE_SHA384
+#define WOLFBOOT_DICE_KDF_HASH_TYPE WC_HASH_TYPE_SHA3_384
 #define WOLFBOOT_DICE_KDF_HASH_SIZE 48
 #define WOLFBOOT_MEASUREMENT_HASH_NAME "sha3-384"
 #else
@@ -661,9 +661,6 @@ static int wolfboot_attest_get_private_key(ecc_key *key,
         uint8_t priv[WOLFBOOT_DICE_KEY_LEN];
         size_t priv_len = sizeof(priv);
 
-        if (hal_attestation_get_iak_private_key == NULL) {
-            return -1;
-        }
         if (hal_attestation_get_iak_private_key(priv, &priv_len) != 0) {
             return -1;
         }

test-app/wcs/user_settings.h

@@ -132,7 +132,9 @@ extern int tolower(int c);
 #define NO_CERT
 #define NO_SESSION_CACHE
 #define NO_HC128
+#ifndef NO_DES3
 #define NO_DES3
+#endif
 #define NO_WRITEV
 #define NO_DEV_RANDOM
 #define NO_FILESYSTEM