Fix usage with sed:
s/MBEDTLS_OR_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_LOWLEVEL_OR_PSA/
s/MBEDTLS_USE_PSA_WANT_\([A-Z_0-9]*\)/MBEDTLS_HAS_\1_VIA_MD_OR_PSA_BASED_ON_USE_PSA/
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
If there is a PSK involved in the key exchange
and thus no certificate we do not go through the
MBEDTLS_SSL_CERTIFICATE_REQUEST state thus there
is no reason to check that in the coordination
function of that state.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ECDHE operations have to be done in
ephemeral and PSK-ephemeral key exchange
mode, not just ephemeral key exhange mode.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
lstat is not available on some platforms (e.g. Ubuntu 16.04). In this
particular case stat is sufficient.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
On non-windows environments, when loading certificates from a given
path through mbedtls_x509_crt_parse_path() function, if a symbolic
link is found and is broken (meaning the target file don't exists),
the function is returning MBEDTLS_ERR_X509_FILE_IO_ERROR which is
not honoring the default behavior of just skip the bad certificate file
and increase the counter of wrong files.
The problem have been raised many times in our open source project
called Fluent Bit which depends on MbedTLS:
https://github.com/fluent/fluent-bit/issues/843#issuecomment-486388209
The expected behavior is that if a simple certificate cannot be processed,
it should just be skipped.
This patch implements a workaround with lstat(2) and stat(2) to determinate
first if the entry found in the directory is a symbolic link or not, if is
a simbolic link, do a proper stat(2) for the target file, otherwise process
normally. Upon find a broken symbolic link it will increase the counter of
not processed certificates.
Signed-off-by: Eduardo Silva <eduardo@treaure-data.com>
Again, the guards are slightly different, let's see in the CI if this
causes any trouble.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
There is a small difference: the global function only works for hashes
that are included in the build, while the old one worked for all hashes
regardless of whether they were enabled or not.
We'll see in the CI is this causes any issues.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is mostly:
sed -i 's/mbedtls_psa_translate_md/mbedtls_hash_info_psa_from_md/' \
library/*.c tests/suites/*.function
This should be good for code size as the old inline function was used
from 10 translation units inside the library, so we have 10 copies at
least.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Using static inline functions is bad for code size; the function from
md_internal.h was already used from 3 different C files, so already was
copied at least 3 times in the library, and this would only get worse
over time.
Use actual functions, and also share the actual data between them.
Provide a consistent set of operations. Conversion to/from
human-readable string was omitted for now but could be added later if
needed.
In the future, this can be used to replace other similar (inline)
functions that are currently scattered, including (but perhaps not
limited to):
- mbedtls_psa_translate_md() from psa_util.h
- mbedtls_md_info_from_psa() (indirectly) from psa_crypto_hash.h
- get_md_alg_from_psa() from psa_crypto_rsa.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Fixes#1910
With ebx added to the MULADDC_STOP clobber list to fix#1550, the inline
assembly fails to build with GCC < 5 in PIC mode with the following error:
include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’
This is because older GCC versions treated the x86 ebx register (which is
used for the GOT) as a fixed reserved register when building as PIC.
This is fixed by an improved register allocator in GCC 5+. From the release
notes:
Register allocation improvements: Reuse of the PIC hard register, instead of
using a fixed register, was implemented on x86/x86-64 targets. This
improves generated PIC code performance as more hard registers can be used.
https://www.gnu.org/software/gcc/gcc-5/changes.html
As a workaround, detect this situation and disable the inline assembly,
similar to the MULADDC_CANNOT_USE_R7 logic.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It was only used in test_suite_pk which was fixed to no longer compute
hashes in a temporary buffer.
Also, it's not entirely clear is this macro was really a good idea:
perhaps it's better for each user to have an explicit #if
defined(MBEDTSL_USE_PSA_CRYPTO) and use either MBEDTLS_MD_MAX_SIZE or
PSA_HASH_MAX_SIZE in each branch of that #if.
So, removing it for the time being.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Within the M-profile of the Arm architecture, some instructions
admit both a 16-bit and a 32-bit encoding. For those instructions,
some assemblers support the use of the .n (narrow) and .w (wide)
suffixes to force a choice of instruction encoding width.
Forcing the size of encodings may be useful to ensure alignment
of code, which can have a significant performance impact on some
microarchitectures.
It is for this reason that a previous commit introduced explicit
.w suffixes into what was believed to be M-profile only assembly
in library/bn_mul.h.
This change, however, introduced two issues:
- First, the assembly block in question is used also for Armv7-A
systems, on which the .n/.w distinction is not meaningful
(all instructions are 32-bit).
- Second, compiler support for .n/.w suffixes appears patchy,
leading to compilation failures even when building for M-profile
targets.
This commit removes the .w annotations in order to restore working
code, deferring controlled re-introduction for the sake of performance.
Fixes#6089.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
