Commit graph

1821 commits

Author SHA1 Message Date
Andrzej Kurek
8a045ce5e6 Unify PSA to Mbed TLS error translation
Move all error translation utilities to psa_util.c.
Introduce macros and functions to avoid having
a local copy of the error translating function in
each place.
Identify overlapping errors and introduce a
generic function.
Provide a single macro for all error translations
(unless one file needs a couple of different ones).
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-03-03 05:23:44 -05:00
Manuel Pégourié-Gonnard
8e176f747c Fix wrong return statement
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
626aaed213 Fix unused variable warnings in some builds
Found by depends.py MBEDTLS_SHA512_C

In principle, the case where neither SHA-256 nor SHA-384 are available
should never occur, as both TLS 1.2 and TLS 1.3 depend on one of those
being defined. However for now dependencies for TLS 1.2 are not as tight
as they should be; this will be fixed later and is tracked as #6441.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
43cc127d3a Fix code style
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
e1a4caa934 Handle hash errors in calc_finished
That's the last family of functions. All calls to mbedtls_sha* and
psa_hash_* in library/ssl_tls.c are now checked for errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b9b564e64b Handle hash errors in calc_verify
On top on some calls not being checked, the PSA path was missing a call
to abort() on errors.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
df94901566 Handle hash errors in update_checksum
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b72ff498c9 Handle hash errors in reset_checksum
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
b8b07aa24a Handle errors from functions that now return int
A few functions were changed from returning void to returning int three
commits ago. Make sure their callers check the return values.

This commits was basically a matter of declaring newly-int-returning
functions MBEDTLS_CHECK_RETURN_CRITICAL and then fixing the resulting
warnings. A few functions had to be made int in the process; they were
applied the same process as well.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
537f231fd9 Split hash start out of handshake_params_init
This part can fail, so it shouldn't be intermixed with the part that
can't fail and is there to ensure all structures are in a clean state,
should any error happen.

Fortunately, the part that should be split out already had a function
doing it: reset_checksum. Also, handshake_params_init had only one
calling site to update.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Manuel Pégourié-Gonnard
226aa15702 Make handshake hashing functions return int
There are three family of functions: update_checksum, calc_verify,
calc_finished, that perform hashing operations and were returning void
so far. This is not correct, as hashing functions can return errors (for
example, on hardware failure when accelerated). Change them to return
int.

This commit just changes the types: for now the functions always return
0, and their return value is not checked; this will be fixed in the
next few commits.

There is a related function in TLS 1.3,
mbedtls_ssl_reset_transcript_for_hrr, which also handles hashes, and
already returns int but does not correctly check for errors from hashing
functions so far, it will also be handled in the next few commits.

There's a special case with handshake_params_init: _init functions
should return void, so we'll need to split out the part that can return
errors, see the next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-02-21 15:39:12 +01:00
Pengyu Lv
4938a566bf refine ticket_flags printing helper
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:28:49 +08:00
Pengyu Lv
acecf9c95b make ticket_flags param types consistent
When ticket_flags used as parameter, use unsigned int,
instead of uint8_t or mbedtls_ssl_tls13_ticket_flags.Also
remove the definition of mbedtls_ssl_tls13_ticket_flags.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:23:24 +08:00
Pengyu Lv
ee455c01ce move ticket_flags debug helpers
The debug helpers printing ticket_flags status are
moved to ssl_tls.c and ssl_debug_helpers.h.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-13 11:06:01 +08:00
Gilles Peskine
449bd8303e Switch to the new code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-11 14:50:10 +01:00
Manuel Pégourié-Gonnard
28d4d43416
Merge pull request #6863 from valeriosetti/issue6830
Remove uses of mbedtls_ecp_curve_info in TLS (with USE_PSA)
2023-01-10 10:01:17 +01:00
Gilles Peskine
cd0a565644
Merge pull request #6703 from yuhaoth/pr/tls13-misc-from-prototype
TLS 1.3: Upstream misc fix from prototype
2023-01-05 14:35:54 +01:00
Valerio Setti
67419f0e11 tls: fix + save code size when DEBUG_C is not enabled
Some PSA curves' symbols (PSA_WANT_) were not matching the corresponding
MBEDTLS_ECP_DP_. This was fixed together with the removal of extra code
when DEBUG_C is not enabled.

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-04 17:36:00 +01:00
Valerio Setti
18c9fed857 tls: remove dependency from mbedtls_ecp_curve functions
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2023-01-03 13:03:34 +01:00
Manuel Pégourié-Gonnard
c98624af3c
Merge pull request #6680 from valeriosetti/issue6599
Allow isolation of EC J-PAKE password when used in TLS
2022-12-14 11:04:33 +01:00
Valerio Setti
016f682796 tls: pake: small code refactoring for password setting functions
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-09 14:17:50 +01:00
Jerry Yu
0c2a738c23 fix various issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Jerry Yu
ddda050604 tls13: Upstream various fix in prototype
- Adjust max input_max_frag_len
- Guard transform_negotiate
- Adjust function position
- update comments
- fix wrong requirements

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Jerry Yu
2e19981e17 tls13: guards transform negotiate
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-09 09:51:20 +08:00
Valerio Setti
eb3f788b03 tls: pake: do not destroy password key in TLS
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-08 18:42:58 +01:00
Valerio Setti
ae7fe7ee53 tls: pake: avoid useless psa_pake_abort in setting opaque password
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 17:36:59 +01:00
Valerio Setti
70d1fa538a tls: pake: fix missing return values check
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 16:20:27 +01:00
Valerio Setti
c689ed8633 tls: pake: minor adjustments
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-07 14:40:38 +01:00
Dave Rodgman
90af1a10ab
Merge pull request #6734 from daverodgman/fix_test_dep_spelling
Fix spelling of test dependency
2022-12-07 09:06:29 +00:00
Dave Rodgman
556e8a3219 Fix additional mis-spelling
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-12-06 16:31:25 +00:00
Jerry Yu
6ee56aa18f Add default values for conf->*early_data*
- early_data default to disable
- max_early_data_size default to built-in value

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 18:00:47 +08:00
Jerry Yu
39da9857df remove limitation of max_early_data_size
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 16:58:36 +08:00
Jerry Yu
12c46bd14f fix various issues
- disable reuse of max_early_data_size.
- make conf_early_data available for server.
- various comment issues

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-06 11:02:51 +08:00
Valerio Setti
757f359474 tls: pake: do not destroy key on errors while setting opaque password
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-02 11:07:11 +01:00
Jerry Yu
cc4e007ff6 Add max_early_data_size to mbedtls_ssl_config
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-12-01 23:11:48 +08:00
Valerio Setti
0944329036 tls: pake: add check for empty passwords in mbedtls_ssl_set_hs_ecjpake_password()
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-12-01 15:06:09 +01:00
Valerio Setti
a9a97dca63 psa_pake: add support for opaque password
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-28 18:26:16 +01:00
Jerry Yu
3d9b590f02 guards transform_earlydata
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-28 17:34:06 +08:00
Manuel Pégourié-Gonnard
ef25a99f20
Merge pull request #6533 from valeriosetti/issue5847
Use PSA EC-JPAKE in TLS (1.2) - Part 2
2022-11-23 13:27:30 +01:00
Valerio Setti
99d88c1ab4 tls: psa_pake: fix missing casting in mbedtls_psa_ecjpake_write_round
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 16:03:43 +01:00
Valerio Setti
d4a9b1ab8d tls: psa_pake: remove useless defines and fix a comment
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-22 11:11:10 +01:00
Valerio Setti
79f6b6bb1b tls: psa_pake: fixing mbedtls_psa_ecjpake_write_round()
It might happen that the psa_pake_output() function returns
elements which are not exactly 32 or 65 bytes as expected, but
1 bytes less.
As a consequence, insted of hardcoding the expected value for
the length in the output buffer, we write the correct one as
obtained from psa_pake_output()

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-21 14:17:03 +01:00
Jerry Yu
1fb3299ad7 Replace internal usage of is_handshake_over.
NEW_SESSION_TICKETS* are processed in handshake_step.
Change the stop condition from `mbedtls_ssl_is_handshake_over`
to directly check.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
5ed73ff6de Add NEW_SESSION_TICKET* into handshake over states
All state list after HANDSHAKE_OVER as is_handshakeover

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
6848a61922 Revert "Replace internal usage of mbedtls_ssl_is_handshake_over"
This reverts commit 1d3ed2975e7ef0d84050a3aece02eec1f890dec3.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Jerry Yu
e219c11b4e Replace internal usage of mbedtls_ssl_is_handshake_over
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-11-19 20:12:34 +08:00
Valerio Setti
61ea17d30a tls: psa_pake: fix return values in parse functions
Ensure they all belong to the MBEDTLS_ERR_SSL_* group

Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-18 12:11:00 +01:00
Valerio Setti
aca21b717c tls: psa_pake: enforce not empty passwords
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 18:20:50 +01:00
Valerio Setti
819de86895 tls: removed extra white spaces and other minor fix
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 18:05:19 +01:00
Valerio Setti
6b3dab03b5 tls: psa_pake: use a single function for round one and two in key exchange read/write
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
2022-11-17 17:14:54 +01:00