Commit graph

5022 commits

Author SHA1 Message Date
Gabor Mezei
2a02051286
Use PSA in TLS ticket handling
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-10 17:09:59 +01:00
Jerry Yu
e0a6412d8d tls13_only: check_config pass
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Manuel Pégourié-Gonnard
e14b644f4d
Merge pull request #5456 from mpg/cleanup-ecdh-psa
Cleanup PSA-based ECDHE in TLS 1.2
2022-02-15 09:09:07 +01:00
Gilles Peskine
bebeae9428
Merge pull request #5504 from gstrauss/mbedtls_pem_get_der
Add accessor to get der from mbedtls_pem_context
2022-02-10 23:56:57 +01:00
Glenn Strauss
a941b62985 Create public macros for ssl_ticket key,name sizes
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-09 15:28:28 -05:00
Glenn Strauss
a950938ff0 Add mbedtls_ssl_ticket_rotate for ticket rotation.
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-09 14:33:15 -05:00
Manuel Pégourié-Gonnard
62b49cd06a
Merge pull request #5472 from yuhaoth/pr/move-client-auth
Move client_auth to handshake
2022-02-09 10:57:00 +01:00
Glenn Strauss
72bd4e4d6a Add accessor to get buf from mbedtls_pem_context
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-08 14:53:46 -05:00
Jerry Yu
0ff8ac89f5 fix comments issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-08 10:10:48 +08:00
Manuel Pégourié-Gonnard
4a0ac1f160 Remove mbedtls_psa_tls_ecpoint_to_psa_ec()
Same reasons as for the previous commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:15 +01:00
Manuel Pégourié-Gonnard
58d2383ef4 Remove mbedtls_psa_tls_psa_ec_to_ecpoint()
Initially this function was doing something because the output format of
psa_export_public() didn't match the ECPoint format that TLS wants.

Then it became a no-op then the output format of psa_export_public()
changed, but it made sense to still keep the function in case the format
changed again. Now that the PSA Crypto API has reached 1.0 status, this
is unlikely to happen, so the no-op function is no longer useful.

Removing it de-clutters the code a bit; while at it we can remove a
temporary stack buffer (that was up to 133 bytes).

It's OK to remove this function even if it was declared in a public
header, as there's a warning at the top of the file saying it's not part
of the public API.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:14 +01:00
Manuel Pégourié-Gonnard
59753768f0 Simplify the definition of a macro
Relying on a PSA_VENDOR macro is not ideal, since the standard doesn't
guarantee this macro exists, but OTOH relying on
MBEDTLS_ECP_DP_xxx_ENABLED was even less ideal, so I believe this is
still an improvement.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:14 +01:00
Manuel Pégourié-Gonnard
bc4069596b Group related functions together
We had ECC then PK then ECC, move PK to the end, now all ECC things are
together. (The comments suggest that was the intention all along.)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-02-03 11:08:13 +01:00
Manuel Pégourié-Gonnard
1ab2d6966c
Merge pull request #5385 from AndrzejKurek/use-psa-crypto-reduced-configs
Resolve problems with reduced configs using USE_PSA_CRYPTO
2022-02-02 10:20:26 +01:00
Jerry Yu
fb28b88e26 move client_auth to handshake
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-28 11:05:58 +08:00
Jerry Yu
7ce0f2aa6b Wrap client_auth.
The variable is used for client side only

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-27 18:26:06 +08:00
XiaokangQian
647719a172 Add hello retry request in client side
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-01-26 10:50:06 +00:00
Ronald Cron
f51b79c297
Merge pull request #5355 from yuhaoth/pr/remove-duplicate-sig-alg-ext
Remove duplicate write signature algorithms extension
The failure of ABI-API-checking is expected.
2022-01-26 10:05:26 +01:00
Gilles Peskine
cfb151889f
Merge pull request #5457 from AndrzejKurek/key-id-encodes-owner-psa-fixes-follow-up
Remove incorrect incompatibility information about `MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER` from mbedtls_config.h
2022-01-25 17:02:35 +01:00
Andrzej Kurek
cfc920a960 Remove incorrect incompatibility information from mbedtls_config.h
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-25 06:33:08 -05:00
Jerry Yu
7ddc38cedb fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
713013fa80 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
6106fdc085 fix build fail without TLS13
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-01-25 12:46:17 +08:00
Jerry Yu
f017ee4203 merge write sig_alg of tls12 and tls13
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>

# Conflicts:
#	library/ssl_misc.h
2022-01-25 12:46:17 +08:00
Gilles Peskine
a5c1bf0b8d
Merge pull request #5367 from AndrzejKurek/doxygen-closure-fixes
doxygen: add missing asterisk to group closures
2022-01-24 21:40:39 +01:00
Andrzej Kurek
cead70dbe5 doxygen: fix missing asterisk in ecp.h
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-24 10:48:10 -05:00
Manuel Pégourié-Gonnard
fcca7cfa97
Merge pull request #5428 from gstrauss/mbedtls_ssl_ciphersuite
Add accessors for ciphersuite info
2022-01-24 11:13:31 +01:00
Gilles Peskine
6249603e7c
Merge pull request #5438 from SebastianBoe/check_config
Add missing config check for PKCS5.
2022-01-22 00:52:07 +01:00
Andrzej Kurek
8d2864d6bc Force usage of MBEDTLS_PK_WRITE_C when PK_C and USE_PSA_CRYPTO is used
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-19 12:34:30 -05:00
Sebastian Bøe
24e88018d2 Add missing config check for PKCS5.
PKCS5 depends on MD, but is missing a config check resulting in
obscure errors on invalid configurations.

Signed-off-by: Sebastian Bøe <sebastian.boe@nordicsemi.no>
2022-01-19 12:04:35 +01:00
Glenn Strauss
8f52690956 Add accessors for ciphersuite info
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-01-13 00:05:48 -05:00
Andrzej Kurek
03e01461ad Make KEY_ID_ENCODES_OWNER compatible with USE_PSA_CRYPTO
Fix library references, tests and programs.
Testing is performed in the already present all.sh test.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-01-03 12:53:24 +01:00
Andrzej Kurek
01404dfaa2 doxygen: remove empty platform_time configuration section
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-30 12:34:00 +01:00
Andrzej Kurek
a0defed667 doxygen: move addtogroup closures to include more elements
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-30 12:33:31 +01:00
Andrzej Kurek
38d4fddcd8 Add missing asterisk to doxygen closures
Clarify section names next to closing braces
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2021-12-28 16:22:52 +01:00
Ronald Cron
17b1e2f6c3 Bump version to 3.1.0
Executed ./scripts/bump_version.sh --version 3.1.0 --so-crypto 11 --so-tls 17
+ fix of build_info.h

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-15 09:02:53 +01:00
Gilles Peskine
a5c18512b9
Merge pull request #5155 from paul-elliott-arm/pcks12_fix
Fixes for pkcs12 with NULL and/or zero length password
2021-12-13 14:52:36 +01:00
Dave Rodgman
050ad4bb50
Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac
Check HMAC return values
2021-12-13 10:51:27 +00:00
Gilles Peskine
ecf6bebb9c Catch failures of md_hmac operations
Declare mbedtls_md functions as MBEDTLS_CHECK_RETURN_TYPICAL, meaning that
their return values should be checked.

Do check the return values in our code. We were already doing that
everywhere for hash calculations, but not for HMAC calculations.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-11 15:00:57 +01:00
Ronald Cron
bb27b43013 build: Fix TLS 1.3 prerequisites
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 14:22:52 +01:00
Ronald Cron
6f135e1148 Rename MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL to MBEDTLS_SSL_PROTO_TLS1_3
As we have now a minimal viable implementation of TLS 1.3,
let's remove EXPERIMENTAL from the config option enabling
it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:47:55 +01:00
Ronald Cron
0abf07ca2c Make PSA crypto mandatory for TLS 1.3
As we want to move to PSA for cryptographic operations
let's mandate PSA crypto from the start.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-10 13:22:21 +01:00
Ronald Cron
6b07916e40
Merge pull request #5230 from ronald-cron-arm/tls13_ccs_client
Add initial support for "Middlebox Compatibility Mode"
2021-12-10 11:58:05 +01:00
Gilles Peskine
d31da1c673
Merge pull request #5270 from davidhorstmann-arm/improve-cmac-docs
Reword documentation of CMAC operations
2021-12-09 23:28:36 +01:00
Ronald Cron
49ad6197ca Add injection of dummy's ChangeCipherSpec for middlebox compatibility
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Ronald Cron
ab65c52944 Add MBEDTLS_SSL_TLS1_3_COMPATIBILITY_MODE config option
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-09 13:40:22 +01:00
Manuel Pégourié-Gonnard
c38c1f2411
Merge pull request #5268 from gilles-peskine-arm/struct_reordering_3.0
Reorder structure fields to maximize usage of immediate offset access
2021-12-09 12:54:09 +01:00
Gilles Peskine
b3ec69dba5 mbedtls_ssl_config: better document former bit-fields
Ensure that the documentation of fields affected by
"mbedtls_ssl_config: Replace bit-fields by separate bytes"
conveys information that may have been lost by removing the exact size of
the type. Extend the preexisting pattern "do this?" for formerly 1-bit
boolean fields. Indicate the possible values for non-boolean fields.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-08 18:32:12 +01:00
Gilles Peskine
392113434a
Merge pull request #5263 from ronald-cron-arm/psa-test-driver_3.x
Forward port to 3.x: Introduce PSA test driver library to test PSA configuration
2021-12-07 12:52:20 +01:00
David Horstmann
3d5dfa598b Reword documentation of CMAC operations
Change the wording of the documentation for some CMAC functions,
as the existing wording, while technically correct, can be
easy to misunderstand. The reworded docs explain the flow of
a CMAC computation a little more fully.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-06 18:58:02 +00:00