The current definition of PSA_ALG_IS_HASH_AND_SIGN includes
PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY, which don't strictly
follow the hash-and-sign paradigm: the algorithm does not encode a hash
algorithm that is applied prior to the signature step. The definition in
fact encompasses what can be used with psa_sign_hash/psa_verify_hash, so
it's the correct definition for PSA_ALG_IS_SIGN_HASH. Therefore this commit
moves definition of PSA_ALG_IS_HASH_AND_SIGN to PSA_ALG_IS_SIGN_HASH, and
replace the definition of PSA_ALG_IS_HASH_AND_SIGN by a correct one (based
on PSA_ALG_IS_SIGN_HASH, excluding the algorithms where the pre-signature
step isn't to apply the hash encoded in the algorithm).
In the definition of PSA_ALG_SIGN_GET_HASH, keep the condition for a nonzero
output to be PSA_ALG_IS_HASH_AND_SIGN.
Everywhere else in the code base (definition of PSA_ALG_IS_SIGN_MESSAGE, and
every use of PSA_ALG_IS_HASH_AND_SIGN outside of crypto_values.h), we meant
PSA_ALG_IS_SIGN_HASH where we wrote PSA_ALG_IS_HASH_AND_SIGN, so do a
global replacement.
```
git grep -l IS_HASH_AND_SIGN ':!include/psa/crypto_values.h' | xargs perl -i -pe 's/ALG_IS_HASH_AND_SIGN/ALG_IS_SIGN_HASH/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_ssl_conf_groups allows supported groups for key
sharing to be configured via their IANA NamedGroup ID.
This is added in anticipation of PQC and Hybrid key
sharing algorithms being integrated into Mbed TLS.
mbedtls_ssl_conf_curves is deprecated in favor of
mbedtls_ssl_conf_groups. handshake_init has been
modified to translate and copy curves configured
via conf_curves into a heap allocatied array of
NamedGroup IDs. This allows the refactoring of code
interacting with conf_curve related variables (such
as curve_list) to use NamedGroup IDs while retaining
the deprecated API.
Signed-off-by: Brett Warren <brett.warren@arm.com>
Since there are no longer any alternative
MBEDTLS_DEPRECATED definitions in the codebase,
MBEDTLS_DEPRECATED can now be exported without breaking
anything.
Signed-off-by: Brett Warren <brett.warren@arm.com>
TLS 1.3: ServerHello: add utils functions used by ServerHello
Regarding the merge job, there was only one of the failure we currently encounter on almost all PR (Session resume using tickets, DTLS: openssl client test case see #5012) thus we can consider that this PR passed CI.
This is a variant of PSA_ALG_RSA_PSS which currently has exactly the same
behavior, but is intended to have a different behavior when verifying
signatures.
In a subsequent commit, PSA_ALG_RSA_PSS will change to requiring the salt
length to be what it would produce when signing, as is currently documented,
whereas PSA_ALG_RSA_PSS_ANY_SALT will retain the current behavior of
allowing any salt length (including 0).
Changes in this commit:
* New algorithm constructor PSA_ALG_RSA_PSS_ANY_SALT.
* New predicates PSA_ALG_IS_RSA_PSS_STANDARD_SALT (corresponding to
PSA_ALG_RSA_PSS) and PSA_ALG_IS_RSA_PSS_ANY_SALT (corresponding to
PSA_ALG_RSA_PSS_ANY_SALT).
* Support for the new predicates in macro_collector.py (needed for
generate_psa_constant_names).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The requirement of minimum 15 bytes for output buffer in
psa_aead_finish() and psa_aead_verify() does not apply
to the built-in implementation of the GCM.
Alternative implementations are expected to verify the
length of the provided output buffers and to return
the MBEDTLS_ERR_GCM_BUFFER_TOO_SMALL in case the
buffer length is too small.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
The previous implementation was misparsed in constructs like
`if (condition) MBEDTLS_IGNORE_RETURN(...); else ...;`.
Implement it as an expression, tested with GCC, Clang and MSVC.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This macro is not used inside the library yet, but may be used in deprecated
functions in the future, if a function returning void has to change to
returning an error. It may also be useful in user code, so it is in a public
header.
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This option only gated an ability to set a callback,
but was deemed unnecessary as it was yet another define to
remember when writing tests, or test configurations. Fixes#4653.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
MBEDTLS_CHECK_RETURN_TYPICAL defaults off, but is enabled if
MBEDTLS_CHECK_RETURN_WARNING is enabled at compile time.
(MBEDTLS_CHECK_RETURN_CRITICAL is always enabled.)
The default is off so that a plausible program that builds with one version
of Mbed TLS in the default configuration will still build under the next
version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is normally equivalent, but works even if some other header defines a
macro called warn_unused_result.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
An empty expansion is possible, but as documented its effect is to disable
the feature, so that isn't a good example. Instead, use the GCC
implementation as the default: it's plausible that it could work even on
compilers that don't advertise themselves as sufficiently GCC-like to define
__GNUC__, and if not it gives users a concrete idea of what the macro is
supposed to do.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For all of these functions, the only possible failures are a hardware
accelerator (not possible unless using an ALT implementation), an internal
error or runtime corruption.
Exception: the self-tests, which serve little purpose if their status isn't
tested.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
