We need to fully check if the provided session ticket could be
used in the handshake, so that we wouldn't cause handshake
failure in some cases. Here we bring f8e50a9 back.
Example scenario:
A client proposes to a server, that supports only the psk_ephemeral
key exchange mode, two tickets, the first one is allowed only for
pure PSK key exchange mode and the second one is psk_ephemeral only.
We need to select the second tickets instead of the first one whose
ticket_flags forbid psk_ephemeral and thus cause a handshake
failure.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
These are used in tests to determine whether there is support for
one of those keys for CBC mode.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This way we build with 32-bit gcc/clang out of the box.
We also fallback to assembly for 64-bit clang-cl if needed cpu
flags are not provided, instead of throwing an error.
Signed-off-by: Beniamin Sandu <beniaminsandu@gmail.com>
This commit splits mbedtls_cipher_info_from_psa() in 2 parts:
- mbedtls_cipher_values_from_psa() that performs parameters' validation and
return cipher's values
- mbedtls_cipher_info_from_psa() which then use those values to return
the proper cipher_info pointer. Of course this depends on CIPHER_C.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- check if it is enabled
- check if it is psk mode
- check if it is resumption
- check if it is tls13 version
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
In a hypothetical build with no curves, or in the future when we add a
new curve type and possibly forget updating this function with a new
block for the new type, we write to `ret` at the beginning or the
function then immediately overwrite it with MPI_CHK(check_privkey),
which static analyzers understandably find questionable.
Use `ret` here and check the key only if it was actually set.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
I went for "may be" as I was thinking just checking the tag technically
does not guarantee that what follows is correct, but I was wrong:
according to ASN.1, when there are variants, the tag does distinguish
unambiguously between variants, so we can be more positive here.
(Whether the thing inside that variant is correct is a different
question.)
As a welcome side effect, this makes the name more standard hence more
readable.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Using return here is only correct if we know that group_load() is atomic
(either succeeds, or allocates no ressources). I'm not sure it is, and
even if it were, goto exit is more obviously correct, so let's use that.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The recent changes in pkparse made it so ECDSA (deterministic or not) is
set as the secondary alg and ECDH the first one. This broke the wrapper
in pk_wrap as it was only checking the first alg when deciding whether
to use deterministic or not. The wrapper should not have unnecessary
requirements on how algs are set up, so make the check more flexible.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
One of the calling site needs to distinguish between "the format is
potentially valid but not supported" vs "other errors", and it uses
MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE for that.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- Fix the logic around format: we were just assuming that if the format
was not compressed, it was uncompressed, but it could also have been
just invalid.
- Remove redundant length check: the fallback does its own checks.
- Remove set_algorithm() that's not needed and introduced a depencency
on ECDSA.
- Some style / naming / scope reduction.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Also new name, for consistency, and documentation.
The signature **p, *end is mostly for parsing functions that may not
consume everything, and need to update the "current" pointer to reflect
what has been consumed. This is not the case here.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- new semantic: sets the pubkey directly in the PK context
- new name to reflect that semantic and obey the naming scheme
- trivial case first
- documentation and better parameter names
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- avoid useless use of ret in PSA code, keep only status
- improve variable names
- keep declarations closer to use
- a few internal comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The general order is low-level first, top-level last, for the sake of
static function and avoiding forward declarations.
The obvious exception was functions that parse files that were at the
beginning; move them to the end.
Also start defining sections in the file; this is incomplete as I don't
have a clear view of the beginning of the file yet. Will continue in
further commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- new name starting with pk_ecc for consistency
- re-order params to match the PSA convention: buf, len, &size
- add comment about input consumption
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- centralizes decision making about which version to use when
- avoids nested #ifs in pk_ecc_set_key()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Just moving code around. The two blocks do morally the same thing: load
the key, and grouping them makes the #if #else structure clearer.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- add a comment explain potentially surprising parameters
- avoid nesting #if guards: I find the linear structure #if #elif #else
makes the three cases clearer.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
There were two places that were calling either pk_update_ecparams() or
mbedtls_ecp_group_load() depending on the same guard. Factor this into a
single function, that works in both configs, so that callers don't have
to worry about guards.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- we don't use any ECDSA function here
- we only need to include ecp.h when supporting ECC keys
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
It's also included later, guarded by support for ECC keys, and actually
that's the only case where we need it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This changes local variable name RCON to round_constants.
RCON being definition in xc32 compiler headers for some PIC32 register.
Without this change, mynewt project for PIC32 platform fails to build due to
macro redefinition.
This does not changes behavior of library in any way.
Signed-off-by: Jerzy Kasenberg <jerzy.kasenberg@codecoup.pl>
MinGW provides both kinds of implementations of `__cpuid`,
but since `cpuid.h` is provided by GNUC, so we should choose
the implementation by the compiler type instead of OS type.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Change the type of array that stores the cpuinfo
data to int[4] to match the signature of `__cpuinfo`
in `intrin.h` header file.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
`__cpuid` has two kinds of signatures in different
headers depending on the target OS. We make it
consistent between the usages ang the included header.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
In PSA headers include psa/build_info.h instead
of mbedtls/build_info.h. In Mbed TLS, both are
equivalent but not in TF-PSA-Crypto where
psa/build_info.h is the correct one.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>