Commit graph

12622 commits

Author SHA1 Message Date
Gilles Peskine
758d8c7631 mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_OPAQUE
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
ace7c7721e mbedtls_pk_get_psa_attributes: ECC support
Add code and unit tests for MBEDTLS_PK_ECxxx in
mbedtls_pk_get_psa_attributes().

This commit only supports built-in ECC (MBEDTLS_ECP_C). A subsequent commit
will handle driver-only ECC.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
6ea18361df mbedtls_pk_get_psa_attributes: RSA support
Add code and unit tests for MBEDTLS_PK_RSA in mbedtls_pk_get_psa_attributes().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
1f97e73114 mbedtls_pk_get_psa_attributes: force enrollment algorithm off
This avoids a possible gotcha when if the application code reuses an
existing attribute structure.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Gilles Peskine
0b17255da1 Introduce mbedtls_pk_get_psa_attributes
Follow the specification in https://github.com/Mbed-TLS/mbedtls/pull/8657
as of dd77343381, i.e.
dd77343381/docs/architecture/psa-migration/psa-legacy-bridges.md (api-to-create-a-psa-key-from-a-pk-context)

This commit introduces the function declaration, its documentation, the
definition without the interesting parts and a negative unit test function.
Subsequent commits will add RSA, ECC and PK_OPAQUE support.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-01-23 20:09:38 +01:00
Tom Cosgrove
bc5d9165ae
Merge pull request #8554 from yanrayw/issue/8221/fix-tls-suiteB-profile
TLS: remove RSA signature algorithms in `suite B` profile
2024-01-12 14:34:28 +00:00
Tom Cosgrove
f1ba1933cf
Merge pull request #8526 from yanrayw/issue/7011/send_record_size_limit_ext
TLS1.3: SRV/CLI: add support for sending Record Size Limit extension
2024-01-12 13:39:15 +00:00
Waleed Elmelegy
f0ccf46713 Add minor cosmetic changes to record size limit changelog and comments
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-12 10:52:45 +00:00
Ronald Cron
ae2213c307
Merge pull request #8414 from lpy4105/issue/uniform-ssl-check-function
Harmonise the names and return values of check functions in TLS code
2024-01-11 13:51:39 +00:00
Ronald Cron
7c14afcaaa
Merge pull request #8595 from yanrayw/issue/8593/srv-CH-fix-version-check
TLS1.3: SRV: check `min_tls_version` when parsing ClientHello
2024-01-11 13:34:09 +00:00
Paul Elliott
f149cd1a3a
Merge pull request #8688 from jwinzig-at-hilscher/development
Fix bug in mbedtls_x509_set_extension
2024-01-10 16:57:16 +00:00
Waleed Elmelegy
3ff472441a Fix warning in ssl_tls13_generic.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:28 +00:00
Waleed Elmelegy
f501790ff2 Improve comments across record size limit changes
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:28 +00:00
Waleed Elmelegy
fbe42743eb Fix issue in checking in writing extensions
Fix issue in checking if server received
record size limit extension.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Waleed Elmelegy
e1ac98d888 remove mbedtls_ssl_is_record_size_limit_valid function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Waleed Elmelegy
d2fc90e024 Stop sending record size limit extension if it's not sent from client
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Waleed Elmelegy
148dfb6457 Change record size limit writing function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Waleed Elmelegy
47d2946943 tls13: server: write Record Size Limit ext in EncryptedExtensions
- add the support in library
- update corresponding test cases.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Yanray Wang
42017cd4c9 tls13: cli: write Record Size Limit ext in ClientHello
- add the support in library
- update corresponding test case

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-01-10 16:17:27 +00:00
Yanray Wang
faf70bdf9d ssl_tls13_generic: check value of RecordSizeLimit in helper function
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-01-10 16:17:27 +00:00
Yanray Wang
a8b4291836 tls13: add generic function to write Record Size Limit ext
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-01-10 16:17:27 +00:00
Jonathan Winzig
5caf20ea80
Update fix to be more platform-independent
Co-authored-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Jonathan Winzig <jwinzig@hilscher.com>
2024-01-09 16:41:10 +01:00
Tom Cosgrove
3a6059beca
Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit
Comply with the received Record Size Limit extension
2024-01-09 15:22:17 +00:00
Jonathan Winzig
05c722bfd0 Fix Issue #8687
Signed-off-by: Jonathan Winzig <jwinzig@hilscher.com>
2024-01-09 15:20:03 +01:00
Manuel Pégourié-Gonnard
4aad0ff510
Merge pull request #8632 from valeriosetti/issue8598
[G5] Make block_cipher work with PSA
2024-01-08 08:07:53 +00:00
Waleed-Ziad Maamoun-Elmelegy
e2d3db5cfc
Update mbedtls_ssl_get_output_record_size_limit signature
Co-authored-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Waleed-Ziad Maamoun-Elmelegy <122474370+waleed-elmelegy-arm@users.noreply.github.com>
2024-01-05 14:19:16 +00:00
Dave Rodgman
a021d63bf7
Merge pull request #8642 from daverodgman/default-compiler-all
CI perf: Use clang by default in all.sh
2024-01-04 12:58:54 +00:00
Manuel Pégourié-Gonnard
5bad043c06
Merge pull request #8641 from valeriosetti/issue8358
G3-G4 wrap-up
2024-01-04 10:48:00 +00:00
Valerio Setti
c1c6858bfc cipher_wrap: fix guards for some CCM/GCM functions
Legacy CCM and GCM can work even when AES_C is not defined thanks
to the block_cipher module, so we can relax guards in
cipher_wrap.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-02 17:20:58 +01:00
Dave Rodgman
84125a167e Merge remote-tracking branch 'origin/development' into default-compiler-all
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2024-01-02 11:42:38 +00:00
Valerio Setti
e581e140cc oid/pkparse: add missing guards for PKCS[5/12] functions when !CIPHER_C
This commit also updates test_suite_pkparse.data file adding
MBEDTLS_CIPHER_C dependencies whenever PKCS[5/12] is used.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-29 16:35:58 +01:00
Waleed Elmelegy
6a971fd61a Refactor and improve Record size limit handling
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-28 17:48:16 +00:00
Valerio Setti
1fff4f2012 psa: add key_type as input parameter of psa_can_do_cipher()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-28 18:33:17 +01:00
Valerio Setti
1994e72e18 check_config/block_cipher: minor improvements
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-28 18:33:04 +01:00
Valerio Setti
a69e872001 pkcs[5/12]: add CIPHER_C for [en/de]crypting functions
This commit also updates corresponding test suites.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-21 16:39:04 +01:00
Dave Rodgman
3bc249959c
Merge branch 'development' into default-compiler-all
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-12-21 14:35:14 +00:00
Tom Cosgrove
c6088eceb4
Merge pull request #8384 from paul-elliott-arm/remove_ssl_null_tls12
Remove NULLing of ssl context in TLS1.2 transform population
2023-12-21 13:28:09 +00:00
Gilles Peskine
4bf4473ef0
Merge pull request #8633 from Wenxing-hou/clear_clienthello_comment
Make clienthello comment clear
2023-12-21 12:09:23 +00:00
Gilles Peskine
0e6fdc4f1d
Merge pull request #8342 from yanesca/threading_test_pc
Threading test proof of concept and plan
2023-12-21 12:08:41 +00:00
Waleed Elmelegy
65e3046e18 Fix code style in ssl_tls.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-20 17:55:10 +00:00
Waleed Elmelegy
049cd302ed Refactor record size limit extension handling
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-20 17:28:31 +00:00
Tomi Fontanilles
851d8df58d fix/work around dependency issues when !MBEDTLS_ECP_C
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
2023-12-20 13:09:27 +02:00
Tomi Fontanilles
9f41770313 pk_*: remove remaining references to MBEDTLS_PSA_CRYPTO_C
For real this time.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 13:05:55 +02:00
Tomi Fontanilles
bad170e159 pk: remove last references to MBEDTLS_PSA_CRYPTO_C
They are replaced by MBEDTLS_USE_PSA_CRYPTO.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Tomi Fontanilles
1941af087c pk_wrap: remove last references to MBEDTLS_PSA_CRYPTO_C
Deprecated functions are removed and #ifdefs are updated accordingly.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Tomi Fontanilles
573dc23141 rsa: introduce rsa_internal_rsassa_pss_sign_no_mode_check()
And use it in the non-PSA version of mbedtls_pk_sign_ext()
to bypass checks that didn't succeed when used by TLS 1.3.

That is because in the failing scenarios the padding of
the RSA context is not set to PKCS_V21.

See the discussion on PR #7930 for more details.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Tomi Fontanilles
8174662b64 pk: implement non-PSA mbedtls_pk_sign_ext()
This makes the function always available with its
its implementation depending on MBEDTLS_USE_PSA_CRYPTO.

Related dependencies and tests are updated as well.

Fixes #7583.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
2023-12-20 12:59:57 +02:00
Valerio Setti
689c0f71cb tests: use new CCM/GCM capability macros in tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-20 09:54:18 +01:00
Manuel Pégourié-Gonnard
a4b38f24fd
Merge pull request #8579 from valeriosetti/issue7995
PK: clean up pkwrite
2023-12-20 08:20:10 +00:00
Valerio Setti
50333977c6 cipher_wrap: fix guards for alloc/free functions of CCM/GCM
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-20 07:36:05 +01:00