Commit graph

8506 commits

Author SHA1 Message Date
Ronald Cron
e44d8e7eea
Merge pull request #5369 from xkqian/add_2nd_client_hello
Add 2nd client hello
2022-03-28 12:18:41 +02:00
Przemek Stekiel
ab5274bb19 Remove parameters validation using ECP_VALIDATE_RET
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-28 07:23:08 +02:00
Gabor Mezei
ed6d6589b3
Use hash algoritm for parameter instead of HMAC
To be compatible with the other functions `mbedtls_psa_hkdf_extract` and
`mbedtls_psa_hkdf_expand` use hash algorithm for parameter.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-26 17:28:06 +01:00
Gabor Mezei
07732f7015
Translate from mbedtls_md_type_t to psa_algorithm_t
Do the translation as early as possible from mbedtls_md_type_t to psa_algorithm_t.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-26 17:04:19 +01:00
Gabor Mezei
5d9a1fe9e9
PSA code depends on MBEDTLS_SSL_PROTO_TLS1_3
With TLS 1.3 support MBEDTLS_PSA_CRYPTO_C is enabled so PSA support
is always enabled.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-26 15:47:15 +01:00
Ronald Cron
fb39f15fa1 ssl_tls.c: Use ETM status only in CBC mode case
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-25 16:50:18 +01:00
Ronald Cron
862902dd57 ssl_srv.c: Mark ETM as disabled if cipher is not CBC
Encrypt-Then-Mac (ETM) is supported in Mbed TLS TLS
1.2 server only for the CBC cipher mode thus make it
clear in the SSL context.

The previous code was ok as long as the check of
the ETM status was done only in the case of the CBC
cipher mode but fragile as #5573 revealed.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-25 16:50:18 +01:00
Manuel Pégourié-Gonnard
cefa904759
Merge pull request #5622 from paul-elliott-arm/timing_delay_accessor
Accessor for mbedtls_timing_delay_context final delay
2022-03-25 09:14:41 +01:00
XiaokangQian
20438976f9 Change comments and styles base on review
Change-Id: Idde76114aba0a47b61355677dd33ea9de7deee9d
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 08:09:29 +00:00
XiaokangQian
c02768a399 Replace ssl->handshake with handshake in write_cookie_ext()
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
9b93c0dd8d Change cookie parameters for dtls and tls 1.3
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
25c9c9023c Refine cookie len to fix compile issues
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
9deb90f74e Change parameter names and code style
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
5e3c947841 Fix right-shift data loss issue with MBEDTLS_PUT_UINT16_BE in cookie
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
233397ef88 Update code base on comments
Remove state MBEDTLS_SSL_CLIENT_CCS_AFTER_CLIENT_HELLO cause no early data
Change code styles and comments
Fix cookie write issues

Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
XiaokangQian
0b64eedba8 Add cookies write in client hello
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-03-25 07:50:56 +00:00
Ronald Cron
90045241e7
Merge pull request #5659 from yuhaoth/pr/fix-wrong-check-certificate-verify
TLS1.3: Fix incorrect check for certificate verify
2022-03-25 08:35:41 +01:00
Jerry Yu
6c6f10265d fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-25 11:09:50 +08:00
Paul Elliott
27b0d94e25 Use mbedtls_ssl_is_handshake_over()
Switch over to using the new function both internally and in tests.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-24 14:43:52 +00:00
Jerry Yu
bd1b3278b1 Remove useless code
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-24 13:07:28 +08:00
Tom Cosgrove
b7f5b97650 Minor changes to sha256.c to bring it in line with sha512.c
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-03-23 21:40:56 +00:00
Tom Cosgrove
87fbfb5d82 SECLIB-667: Accelerate SHA-512 with A64 crypto extensions
Provide an additional pair of #defines, MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
and MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY. At most one of them may be
specified. If used, it is necessary to compile with -march=armv8.2-a+sha3.

The MBEDTLS_SHA512_PROCESS_ALT and MBEDTLS_SHA512_ALT mechanisms
continue to work, and are mutually exclusive with SHA512_USE_A64_CRYPTO.

There should be minimal code size impact if no A64_CRYPTO option is set.

The SHA-512 implementation was originally written by Simon Tatham for PuTTY,
under the MIT licence; dual-licensed as Apache 2 with his kind permission.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-03-23 21:40:53 +00:00
Jerry Yu
e26acee896 Refactor guards for sig algs
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 21:01:33 +08:00
Jerry Yu
f8aa9a44aa fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 20:54:38 +08:00
Manuel Pégourié-Gonnard
5e4bf95d09
Merge pull request #5602 from superna9999/5174-md-hmac-dtls-cookies
MD: HMAC in DTLS cookies
2022-03-23 13:05:24 +01:00
Jerry Yu
8c3388620d create sig_alg decode function
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 13:34:04 +08:00
Jerry Yu
0c23fc39c3 fix various guards issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 12:20:01 +08:00
Jerry Yu
7533982f68 guard pk_error_from_psa_ecdsa with USE_PSA_CRYPTO
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 12:06:31 +08:00
Jerry Yu
e010de4be3 Rename ctx to rsa_ctx
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 11:45:55 +08:00
Jerry Yu
fb0621d841 fix pk_sign_ext issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-23 11:42:06 +08:00
Jerry Yu
cef3f33012 Guard rsa sig algs with rsa_c and pkcs1_v{15,21}
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 23:16:42 +08:00
Jerry Yu
e91a51a539 Refactor get_sig_alg_from pk
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 21:42:50 +08:00
Jerry Yu
bf455e7516 rename pk_psa_rsa_sign_ext param
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 21:39:41 +08:00
Jerry Yu
3616533d26 tls13:remove ec check from validate certification
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 19:46:05 +08:00
Neil Armstrong
488a40eecb Rename psa_hmac to psa_hmac_key in mbedtls_ssl_cookie_ctx
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-22 10:41:38 +01:00
Jerry Yu
dddf5a0e18 Refactor get_sig_alg_from_pk
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:47:19 +08:00
Jerry Yu
89107d1bc2 fix ci fail without RSA_C
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:14:53 +08:00
Jerry Yu
406cf27cb5 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:14:53 +08:00
Jerry Yu
848ecce990 fix wrong typo in function name
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:14:52 +08:00
Jerry Yu
07869e804c fix psa crypto test fail
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:35 +08:00
Jerry Yu
b02ee18e64 replace use_psa_crypto with psa_crypto_c
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:35 +08:00
Jerry Yu
b6875bc17a change rsa_pss salt type
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:35 +08:00
Jerry Yu
704cfd2a86 fix comments and style issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:35 +08:00
Jerry Yu
718a9b4a3f fix doxgen fail
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
1d172a3483 Add pk_psa_sign_ext
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
8beb9e173d Change prototype of pk_sign_ext
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
67eced0132 replace pk_sign with pk_sign_ext
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
d69439aa61 add mbedtls_pk_sign_ext
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
3a58b462b6 add pss_rsae_sha{384,512}
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:34 +08:00
Jerry Yu
bfcfe74b4e add signature algorithm debug helper
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:33 +08:00
Jerry Yu
919130c035 Add rsa_pss_rsae_sha256 support
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-03-22 15:13:33 +08:00
Gabor Mezei
1e64f7a643
Use MBEDTLS_USE_PSA_CRYPTO macro guard for testing instead of MBEDTLS_PSA_CRYPTO_C
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:54 +01:00
Gabor Mezei
1bf075fffd
Use SSL error codes
The `psa_ssl_status_to_mbedtls` function is not only used for
cipher operations so transalte to TLS error codes.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:53 +01:00
Gabor Mezei
adfeadc6e5
Extend PSA error translation
Add new error codes to the PSA to mbedtls error translation.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:53 +01:00
Gabor Mezei
58db65354b
Use the PSA-based HKDF functions
Use the `mbedtls_psa_hkdf_extract` and `mbedtls_psa_hkdf_expand`
functions in the HKDF handling.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:53 +01:00
Paul Elliott
b9af2db4cf Add accessor for timing final delay
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-21 15:26:19 +00:00
Neil Armstrong
79daea25db Handle and return translated PSA errors in ssl_cookie.c
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-21 12:05:51 +01:00
Neil Armstrong
2d5e343c75 Use inline PSA code instead of using ssl_cookie_hmac in mbedtls_ssl_cookie_write()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-21 11:39:52 +01:00
Manuel Pégourié-Gonnard
f4042f076b
Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac
TLS record HMAC
2022-03-21 11:36:44 +01:00
Manuel Pégourié-Gonnard
706f6bae27
Merge pull request #5518 from superna9999/5274-ecdsa-signing
PK: ECDSA signing
2022-03-21 09:57:57 +01:00
Manuel Pégourié-Gonnard
472044f21e
Merge pull request #5525 from superna9999/5161-pk-rsa-encryption
PK: RSA encryption
2022-03-21 09:57:38 +01:00
Ronald Cron
8d7afc642c
Merge pull request #5523 from ronald-cron-arm/one-flush-output-development
TLS 1.3: One flush output
2022-03-21 08:44:04 +01:00
Neil Armstrong
62e6ea2c22 Avoid spurious write to *olen in PSA version of rsa_encrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 15:39:49 +01:00
Neil Armstrong
17a0655c8d Add documentation to find_ecdsa_private_key()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 15:27:38 +01:00
Neil Armstrong
05132ed490 md_alg is used in ecdsa_sign_wrap(), cleanup code
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 15:14:57 +01:00
Neil Armstrong
cb753a6945 Use mbedtls_eckey_info directly in ecdsa_sign_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 15:14:48 +01:00
Przemek Stekiel
711d0f5e29 Add implemetation of ECP keypair export function
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-18 13:52:26 +01:00
Manuel Pégourié-Gonnard
e5b53193e0
Merge pull request #5636 from mprse/tls_ecdh_2b
TLS ECDH 2b: client-side static ECDH (1.2)
2022-03-18 11:36:53 +01:00
Neil Armstrong
29c0c040fc Only make PSA HMAC key exportable when NULL or CBC & not EtM in ssl_tls12_populate_transform()
This requires moving the HMAC init after CIPHER init.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:10:09 +01:00
Neil Armstrong
9ebb9ff60c Reduce HMAC buffer usage in PSA version of mbedtls_ct_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:09:58 +01:00
Neil Armstrong
72c2f76c43 Assume MAC key length is always exactly the output size in PSA version of mbedtls_ct_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:09:36 +01:00
Neil Armstrong
36cc13b340 Use PSA defines for buffers in PSA version of mbedtls_ct_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:09:20 +01:00
Neil Armstrong
ae57cfd3e7 Use psa_ssl_status_to_mbedtls in PSA version of mbedtls_ct_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 10:00:10 +01:00
Neil Armstrong
28d9c631b8 Fix comments in PSA version of mbedtls_ct_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 10:00:10 +01:00
Manuel Pégourié-Gonnard
8d4bc5eeb9
Merge pull request #5481 from gabor-mezei-arm/5401_implement_hkdf_extract_based_on_psa_hmac
HKDF 1a: Implement Extract in TLS 1.3 based on PSA HMAC
2022-03-17 11:55:48 +01:00
Manuel Pégourié-Gonnard
15c0e39fff
Merge pull request #5519 from superna9999/5150-pk-rsa-decryption
PK: RSA decryption
2022-03-17 11:02:13 +01:00
Manuel Pégourié-Gonnard
7c92fe966a
Merge pull request #5614 from gabor-mezei-arm/5203_tls_cipher_tickets_use_psa_for_protection
TLS Cipher 2a: tickets: use PSA for protection
2022-03-17 09:50:09 +01:00
Manuel Pégourié-Gonnard
560ef5975c
Merge pull request #5613 from mprse/tls_ecdh_2a
TLS ECDH 2a: server-side ECDHE-ECDSA and ECDHE-RSA (1.2)
2022-03-17 09:29:41 +01:00
Przemek Stekiel
068a6b4013 ssl_check_server_ecdh_params():Adapt build flags
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-17 07:54:09 +01:00
Neil Armstrong
da1d80db19 Use mbedtls_rsa_info directly in rsa_encrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-16 15:36:32 +01:00
Neil Armstrong
7b1dc85919 Simplify padding check and get rid of psa_sig_md in rsa_encrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-16 15:36:06 +01:00
Neil Armstrong
6b03a3de5c Use mbedtls_rsa_info directly in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-16 15:31:07 +01:00
Neil Armstrong
8e80504b46 Simplify padding check and get rid of psa_sig_md in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-16 15:30:31 +01:00
Gabor Mezei
103e08aab9
Fix return value handling
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-16 13:45:41 +01:00
Przemek Stekiel
561a42392a ssl_parse_signature_algorithm(): refactor PSA CRYPTO code
- use mbedtls_ecp_point_write_binary() instead mbedtls_mpi_write_binary().
- add check for ECDH curve type in server's certificate

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 13:16:24 +01:00
Gabor Mezei
5b8b890a61
Check PSA functions' return value before converting
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-16 12:56:58 +01:00
Gabor Mezei
36c9f51ef2
Use size_t instead of int to silence compiler warnings
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-16 12:55:32 +01:00
Gabor Mezei
4f4bac7e22
Remove blank lines
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-16 12:54:27 +01:00
Przemek Stekiel
dd482bfd6a Modify own_pubkey_max_len calculation
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 11:43:22 +01:00
Przemek Stekiel
a4e15cc0d5 Fix comment: add fields size
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 11:32:42 +01:00
Przemek Stekiel
855938e17d Move mbedtls_ecdh_setup() to no-psa path
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 11:29:29 +01:00
Przemek Stekiel
338b61d6e4 Fix code style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 11:24:09 +01:00
Przemek Stekiel
d905d33488 ssl_write_client_key_exchange(): enable psa support for ECDH-ECDSA and ECDH-RSA key exchange
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 09:50:56 +01:00
Przemek Stekiel
ea4000f897 ssl_parse_signature_algorithm(): populate psa handshake fields when psa crypto is enabled
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-16 09:49:33 +01:00
Dave Rodgman
2cecd8aaad
Merge pull request #3624 from daxtens/timeless
RFC: Fix builds with MBEDTLS_HAVE_TIME disabled and test
2022-03-15 16:43:19 +00:00
Przemek Stekiel
ce1d792315 Remove duplicated code
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 16:16:25 +01:00
Neil Armstrong
169e61add6 Zeroise stack buffer containing private key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-14 14:26:49 +01:00
Neil Armstrong
3aca61fdfc Zeroise stack buffer containing private key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-14 14:24:48 +01:00
Dave Rodgman
868d38f50f
Merge pull request #5547 from tom-cosgrove-arm/seclib-667-sha256-acceleration-mbedtls-internal
SECLIB-667: Accelerate SHA-256 with A64 crypto extensions
2022-03-14 12:57:37 +00:00
Przemek Stekiel
fc91a1f030 Use PSA for private key generation and public key export only for ECDHE keys
This should be cleaned when server-side static ECDH (1.2) support is added (#5320).

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 12:05:27 +01:00
Przemek Stekiel
a21af3da00 Use mbedtls_psa_parse_tls_ecc_group() instead PSA_KEY_TYPE_ECC_KEY_PAIR( mbedtls_ecc_group_to_psa() )
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 10:09:13 +01:00
Przemek Stekiel
0a60c129de Add intermediate variables to increase code readability
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 09:54:51 +01:00
Przemek Stekiel
e9f00445bc Destroy ecdh_psa_privkey on failure
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 09:42:32 +01:00
Przemek Stekiel
130c4b5567 Use PSA version of key agreement only for ECDHE keys
This should be cleaned when server-side static ECDH (1.2) support is added (#5320).

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-14 09:18:24 +01:00
Manuel Pégourié-Gonnard
c11bffe989
Merge pull request #5139 from mprse/key_der_ecc
PSA: implement key derivation for ECC keys
2022-03-14 09:17:13 +01:00
Gilles Peskine
81d903f5aa
Merge pull request #5510 from SiliconLabs/feature/PSEC-3269-MD-X.509-hashing
feat: MD: X.509 hashing
2022-03-10 20:16:43 +01:00
Gilles Peskine
afb482897b
Merge pull request #5292 from mprse/asym_encrypt
Driver dispatch for PSA asymmetric encryption + RSA tests
2022-03-10 20:07:38 +01:00
Gabor Mezei
49c8eb3a5a
Enable chachcapoly cipher for SSL tickets
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-10 17:09:59 +01:00
Gabor Mezei
2a02051286
Use PSA in TLS ticket handling
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-10 17:09:59 +01:00
Gabor Mezei
e6d867f476
Typo
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-10 15:04:58 +01:00
Ronald Cron
a8b38879e1 Move state change from CLIENT_CERTIFICATE_VERIFY to its main handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-10 13:58:17 +01:00
Ronald Cron
7a94aca81a Move state change from CLIENT_CERTIFICATE to its main handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-10 13:58:04 +01:00
Manuel Pégourié-Gonnard
10e5cdbbbf
Merge pull request #5454 from gstrauss/cert_cb-user_data
server certificate selection callback
2022-03-10 11:51:42 +01:00
Przemek Stekiel
fd32e9609b ssl_parse_client_key_exchange(): read the curve identifier and the peer's public key and compute the shared secret using PSA
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-09 16:01:59 +01:00
Przemek Stekiel
b6ce0b6cd8 ssl_prepare_server_key_exchange(): generate a private/public key and write out the curve identifier and public key using PSA
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-09 16:01:50 +01:00
Ronald Cron
5bb8fc830a Call Certificate writing generic handler only if necessary
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
3f20b77517 Improve comment
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
00d012f2be Fix type of force_flush parameter
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
9f55f6316e Move state change from CSS states to their main handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
3addfa4964 Move state change from WRITE_CLIENT_HELLO to its main handler
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
66dbf9118e TLS 1.3: Do not send handshake data in handshake step handlers
Send data (call to mbedtls_ssl_flush_output()) only from
the loop over the handshake steps. That way, we do not
have to take care of the partial writings (MBEDTLS_ERR_SSL_WANT_WRITE
error code) on the network in handshake step handlers.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:51:52 +01:00
Ronald Cron
9df7c80c78 TLS 1.3: Always go through the CLIENT_CERTIFICATE state
Even if certificate authentication is disabled at build
time, go through the MBEDTLS_SSL_CLIENT_CERTIFICATE state.
It simplifies overall the code for a small code size
cost when certificate authentication is disabled at build
time. Furthermore that way we have only one point in the
code where we switch to the handshake keys for record
encryption.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-09 07:50:08 +01:00
Paul Elliott
17f452aec4
Merge pull request #5448 from lhuang04/tls13_alpn
Port ALPN support for tls13 client from tls13-prototype
2022-03-08 17:53:38 +00:00
Manuel Pégourié-Gonnard
d815114f93
Merge pull request #5524 from mprse/tls_ecdh_2c
TLS ECDH 2c: ECHDE in TLS 1.3 (client-side)
2022-03-08 11:43:45 +01:00
Przemek Stekiel
c85f0912c4 psa_crypto.c, test_suite_psa_crypto.function: fix style
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-08 11:37:54 +01:00
Gilles Peskine
44311f5c98
Merge pull request #5571 from superna9999/5162-pk-rsa-signing
PK: RSA signing
2022-03-07 17:09:14 +01:00
Gilles Peskine
15364ffb03
Merge pull request #5579 from SiliconLabs/erase_secret_before_free
Erase secrets in allocated memory before freeing said memory
2022-03-07 17:04:04 +01:00
Neil Armstrong
6d5baf5f1e Use PSA MAC verify API in mbedtls_ssl_cookie_check()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-07 14:33:21 +01:00
Neil Armstrong
be52f500c8 Use PSA_ALG_TRUNCATED_MAC() to limit to COOKIE_HMAC_LEN in mbedtls_ssl_cookie_setup()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-07 14:33:21 +01:00
Neil Armstrong
7cd0270d6c Drop mutex in mbedtls_ssl_cookie_ctx when PSA is used
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-07 14:33:21 +01:00
Neil Armstrong
2217d6f825 Generate cookie MAC key with psa_generate_key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-07 14:33:21 +01:00
pespacek
b9ca22dead Improving readability of x509_crt and x509write_crt for PR
Signed-off-by: pespacek <peter.spacek@silabs.com>
2022-03-07 13:59:44 +01:00
pespacek
d924e55944 Improving readability of x509_crt and x509write_crt
Signed-off-by: pespacek <peter.spacek@silabs.com>
2022-03-07 13:31:54 +01:00
Przemek Stekiel
7fc0751f78 Restore build options for mbedtls_ecc_group_of_psa() and related functions
Additional issue created to simplifiy usage of BUILTIN_KEY_TYPE_xxx && BUILTIN_ALG_yy macros https://github.com/ARMmbed/mbedtls/issues/5596

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-03-06 20:43:46 +01:00
Neil Armstrong
77b69ab971 Remove non-PSA MAC key in mbedtls_ssl_cookie_ctx
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-04 14:45:45 +01:00
Neil Armstrong
23d34ce372 Use PSA HMAC API in ssl_cookie_hmac()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-04 14:45:45 +01:00
Neil Armstrong
d633201279 Import PSA HMAC key in mbedtls_ssl_cookie_setup()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-04 14:45:18 +01:00
Andrzej Kurek
09e803ce0d Provide a dummy implementation of timing.c
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-03-04 05:07:45 -05:00
Andrzej Kurek
108bf520e0 Add a missing guard for time.h in net_sockets.c
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-03-04 05:07:45 -05:00
Daniel Axtens
f071024bf8 Do not include time.h without MBEDTLS_HAVE_TIME
MBEDTLS_HAVE_TIME is documented as: "System has time.h and time()."

If that is not defined, do not attempt to include time.h.

A particular problem is platform-time.h, which should only be included if
MBEDTLS_HAVE_TIME is defined, which makes everything messier. Maybe it
should be refactored to have the check inside the header.

Signed-off-by: Daniel Axtens <dja@axtens.net>
2022-03-04 05:07:45 -05:00
Neil Armstrong
bca99ee0ac Add PSA key in mbedtls_ssl_cookie_ctx
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-04 10:20:20 +01:00
Neil Armstrong
e87804920a Use new PSA to mbedtls PK error mapping functions in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:54:16 +01:00
Neil Armstrong
b556a42656 Use now shared RSA_PRV_DER_MAX_BYTES define in pk_wrap.c
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:52:47 +01:00
Neil Armstrong
f47135756c Map INVALID_PADDING from PSA to MbedTLS error in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:52:47 +01:00
Neil Armstrong
0d46786034 Fix style issue in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:52:47 +01:00
Neil Armstrong
f1b564bb8d Check psa_destroy_key() return in rsa_decrypt_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:52:47 +01:00
Neil Armstrong
18f43c7304 PK: RSA decrypt PSA wrap implementation
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:52:47 +01:00
Neil Armstrong
e4edcf761d Use new PSA to mbedtls PK error mapping functions in ecdsa_sign_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:46:41 +01:00
Neil Armstrong
ff70f0bf77 Check psa_destroy_key() return in rsa_sign_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:44:06 +01:00
Neil Armstrong
edcc73c992 Fix 80 characters indentation in ecdsa_sign_wrap()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-03 16:44:06 +01:00