Dave Rodgman
d3450da98d
Re-order mbedtls_ccm_context
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-21 10:34:45 +01:00
Gilles Peskine
67cf66b427
Add a note about the code size benefits
...
We don't normally make promises related to code size, but this one is vague
enough (just "to benefit"), and it's what a lot of users of this option
care about.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 23:19:46 +02:00
Gilles Peskine
3aa79691fc
Add a note about p256m near the option to enable secp256r1
...
Only document it with the PSA configuration, not for
MBEDTLS_ECP_DP_SECP256R1_ENABLED, since p256m can't be used with the classic
API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:54:50 +02:00
Gilles Peskine
08b66cd7d7
Move MBEDTLS_PSA_P256M_DRIVER_ENABLED to keep alphabetical order
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:51:47 +02:00
Gilles Peskine
efaee9a299
Give a production-sounding name to the p256m option
...
Now that p256-m is officially a production feature and not just an example,
give it a more suitable name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:49:47 +02:00
Waleed Elmelegy
5e48cad7f0
Fix codestyle issues in pkcs12.h & pkparse.c
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-09-20 19:29:02 +01:00
Waleed Elmelegy
d527896b7e
Switch pkparse to use new mbedtls_pkcs12_pbe_ext function
...
Switch pkparse to use new mbedtls_pkcs12_pbe_ext function
and deprecate mbedtls_pkcs12_pbe function.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-09-20 19:29:02 +01:00
Waleed Elmelegy
c9f4040f7f
Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function
...
Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function
and deprecate mbedtls_pkcs5_pbes2 function.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-09-20 19:28:28 +01:00
Manuel Pégourié-Gonnard
5edb942708
Merge pull request #8041 from mpg/tfm-p256m
...
Test TF-M config with p256-m driver
2023-09-20 16:09:56 +00:00
Gilles Peskine
eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613
...
TLS: Clean up ECDSA dependencies
2023-09-20 12:47:55 +00:00
Gilles Peskine
452beb9076
Merge pull request #8203 from gilles-peskine-arm/p256-m-production
...
Declare p256-m as ready for production
2023-09-20 09:36:05 +00:00
Manuel Pégourié-Gonnard
97bb726e2d
Add clarifying comment
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 11:28:32 +02:00
Gilles Peskine
67c86e626b
Merge pull request #7961 from gilles-peskine-arm/psa_crypto_config-in-full
...
Enable MBEDTLS_PSA_CRYPTO_CONFIG in the full config
2023-09-18 08:13:12 +00:00
Manuel Pégourié-Gonnard
4f119b8f21
Remove extra copies of a block of comment/define
...
Not sure how it happened, but this block was not just duplicated, but
triplicated. Keep only the first copy: the one before the code that uses
the macro being defined.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 09:57:04 +02:00
Manuel Pégourié-Gonnard
f7298cd397
Fix some issues in comments
...
Ranging from typos to outdated comment contradicting the code.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 09:55:24 +02:00
jnmeurisse
83f0a65d71
Fix issue #8215 : add missing requires documentation in mbedtls_config.h
...
Add missing requirements MBEDTLS_SSL_PROTO_TLS1_2 to option MBEDTLS_SSL_RENEGOTIATION documentation.
Signed-off-by: jnmeurisse <88129653+jnmeurisse@users.noreply.github.com>
2023-09-16 18:12:18 +02:00
Gilles Peskine
865730ec67
Merge pull request #8212 from tom-cosgrove-arm/mbedtls_ssl_max_early_data_size-default-value
...
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
2023-09-15 05:51:59 +00:00
Tom Cosgrove
a63775b168
Move MBEDTLS_SSL_MAX_EARLY_DATA_SIZE to the correct section
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-14 13:31:19 +01:00
Tom Cosgrove
3b4471ef87
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
...
Numeric options should be commented out with their default values in the config
file, and a separate header file should set the default value if necessary.
This was done for most other options in #8161 ; do it here for
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-14 13:18:50 +01:00
Gilles Peskine
016db89107
Update p256-m to state that it's ready for production
...
Add some guidance as to whether and how to enable it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-13 14:34:40 +02:00
Gilles Peskine
3cea3efc25
Merge pull request #8025 from AgathiyanB/accept-numericoid-hexstring-x509
...
Accept numericoid hexstring x509
2023-09-13 08:54:33 +00:00
Gilles Peskine
f22999e99f
Merge pull request #8093 from yuhaoth/pr/add-target-architecture-macros
...
Add architecture detection macros
2023-09-13 08:53:47 +00:00
Gilles Peskine
2e38a0d603
More spelling corrections
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-12 19:19:31 +02:00
Gilles Peskine
e820c0abc8
Update spelling "mbed TLS" to "Mbed TLS"
...
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":
```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```
Justification for the omissions:
* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
occurrences are significant names in certificates and such. Changing
the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
updates.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-12 19:18:17 +02:00
Ronald Cron
ad2f351c6b
Merge pull request #8171 from ronald-cron-arm/misc-minor-fixes
...
One minor fix
2023-09-12 06:00:48 +00:00
Dave Rodgman
7fda906a68
Merge pull request #8161 from gilles-peskine-arm/config-boolean-options-wrong-section-202309
...
Fix module configuration options in mbedtls_config.h
2023-09-11 15:08:56 +00:00
Yanray Wang
3caaf0c61e
Enable CIPHER_ENCRYPT_ONLY when DES is disabled
...
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-11 10:10:44 +08:00
Waleed Elmelegy
e1cb35b719
Add new mbedtls_pkcs12_pbe_ext function to replace old function
...
Add new mbedtls_pkcs12_pbe_ext function to replace
old mbedtls_pkcs12_pbe function that have security
issues.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-09-08 16:51:26 +01:00
Gilles Peskine
31d49cd57f
Merge pull request #1053 from waleed-elmelegy-arm/Improve-and-test-mbedtls_pkcs12_pbe
...
Improve & test legacy mbedtls_pkcs12_pbe
2023-09-08 13:08:05 +02:00
Agathiyan Bragadeesh
d34c4262da
Move conditionals to keep doxygen with function
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-08 11:09:50 +01:00
Gilles Peskine
86733834bc
Modernize documentation of MBEDTLS_PLATFORM_ZEROIZE_ALT
...
The documentation was not updated when we started detecting memset_s() and
such.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-07 17:29:15 +02:00
Ronald Cron
d3d566f1d8
PSA config: Add comment about HKDF
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-09-07 15:25:53 +02:00
Yanray Wang
56e27b9938
des: don't consider DES for CIPHER_ENCRYPT_ONLY
...
We only support ECB and CBC modes for DES. Those two modes require
both encrypt and decrypt directions, so we don't consider DES with
CIPHER_ENCRYPT_ONLY.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-07 18:00:35 +08:00
Yanray Wang
9b811658a8
Merge remote-tracking branch 'origin/development' into support_cipher_encrypt_only
2023-09-07 16:18:00 +08:00
Gilles Peskine
58590983c5
Merge pull request #8160 from daverodgman/warn-unreachable
...
Fix clang warnings about unreachable code
2023-09-06 09:47:03 +00:00
Dave Rodgman
85061b97b5
Improve sanity checking of MBEDTLS_HAVE_INTxx
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-06 08:41:05 +01:00
Gilles Peskine
f9e4caf388
Comment out default definition
...
This is not required (it's ok to define the default in mbedtls_config and
skip the definition in rsa.h), but comment it out for uniformity with all
the other options in this section.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 21:11:27 +02:00
Gilles Peskine
d65ea42262
Fix some TLS 1.3 settings that were required in mbedtls_config.h
...
Mbed TLS can be configured by writing a configuration file from scratch,
without copying mbedtls_config.h. As a consequence, all the macro
definitions in mbedtls_config.h must be optional. This was not the case for
some MBEDTLS_SSL_TLS1_3_xxx macros with numerical values related to session
tickets. Fix that.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 21:10:35 +02:00
Gilles Peskine
da69eaa366
TLS 1.3 support is mostly complete
...
In particular, pre-shared keys are supported.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 20:54:17 +02:00
Gilles Peskine
a8861e086e
Fix boolean options in the wrong section
...
Boolean options that modify the behavior of a module are supposed to be in
the "feature support" section, not in the "configuration options" support:
that section is documented to contain commented-out definitions with a
value, for which the comment contains the default version. In particular,
merely uncommenting a definition in the "configuration options" section is
not supposed to change anything.
Move the offending boolean options to the proper section.
This causes those options to be enabled by `config.py full` unless
explicitly excluded. For all the offending options, this is undesirable, so
make sure those options are indeed excluded.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 20:20:51 +02:00
Waleed Elmelegy
255db80910
Improve & test legacy mbedtls_pkcs12_pbe
...
* Prevent pkcs12_pbe encryption when PKCS7 padding has been
disabled since this not part of the specs.
* Allow decryption when PKCS7 padding is disabled for legacy
reasons, However, invalid padding is not checked.
* Document new behaviour, known limitations and possible
security concerns.
* Add tests to check these scenarios. Test data has been
generated by the below code using OpenSSL as a reference:
#include <openssl/pkcs12.h>
#include <openssl/evp.h>
#include <openssl/des.h>
#include <openssl/asn1.h>
#include "crypto/asn1.h"
#include <string.h>
int main()
{
char pass[] = "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB";
unsigned char salt[] = "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC";
unsigned char plaintext[] = "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA";
unsigned char *ciphertext = NULL;
int iter = 10;
X509_ALGOR *alg = X509_ALGOR_new();
int ciphertext_len = 0;
int alg_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
alg->parameter = ASN1_TYPE_new();
struct asn1_object_st * aobj;
PKCS5_pbe_set0_algor(alg, alg_nid, iter,
salt, sizeof(salt)-1);
aobj = alg->algorithm;
printf("\"30%.2X", 2 + aobj->length + alg->parameter->value.asn1_string->length);
printf("06%.2X", aobj->length);
for (int i = 0; i < aobj->length; i++) {
printf("%.2X", aobj->data[i]);
}
for (int i = 0; i < alg->parameter->value.asn1_string->length; i++) {
printf("%.2X", alg->parameter->value.asn1_string->data[i]);
}
printf("\":\"");
for (int i = 0; i < sizeof(pass)-1; i++) {
printf("%.2X", pass[i] & 0xFF);
}
printf("\":\"");
for (int i = 0; i < sizeof(plaintext)-1; i++) {
printf("%.2X", plaintext[i]);
}
printf("\":");
printf("0");
printf(":\"");
unsigned char * res = PKCS12_pbe_crypt(alg, pass, sizeof(pass)-1, plaintext, sizeof(plaintext)-1, &ciphertext, &ciphertext_len, 1);
if (res == NULL)
printf("Encryption failed!\n");
for (int i = 0; i < ciphertext_len; i++) {
printf("%.2X", res[i]);
}
printf("\"\n");
return 0;
}
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
#
2023-09-05 15:45:55 +01:00
Gilles Peskine
edc237938a
Split build_info.h: create and populate mbedtls/config_adjust_ssl.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
dc720b0a70
Split build_info.h: create mbedtls/config_adjust_x509.h
...
There isn't anything to put in this file. Create it anyway for consistency
with crypto and TLS.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
9d6a63b4fb
Split build_info.h: create and populate mbedtls/config_adjust_legacy_crypto.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
4fb1542354
Split config_psa.h: create and populate mbedtls/config_adjust_legacy_from_psa.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:08 +02:00
Gilles Peskine
10c6f07963
Split config_psa.h: create and populate mbedtls/config_adjust_psa_from_legacy.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:02:13 +02:00
Gilles Peskine
eca0178cfa
Split config_psa.h: create and populate mbedtls/config_adjust_psa_superset_legacy.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Gilles Peskine
5823977981
Split config_psa.h: create and populate psa/crypto_adjust_auto_enabled.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Gilles Peskine
7b7d903cac
Split config_psa.h: create and populate psa/crypto_adjust_config_synonyms.h
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Tom Cosgrove
8bd8a462d2
Merge pull request #8141 from tom-cosgrove-arm/define-psa-macros-to-1
...
Define all PSA_xxx macros to 1 rather than have them empty, for consistency
2023-09-04 21:27:01 +00:00
Agathiyan Bragadeesh
fca0861e8e
Add asn1 get tag and len to x509 create config
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-04 15:45:37 +01:00
Agathiyan Bragadeesh
86dc08599b
Add asn1 write tag and len to x509 use c config
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-04 15:40:41 +01:00
Gilles Peskine
1a7d387072
Merge pull request #1041 from waleed-elmelegy-arm/add-new-pkcs5-pbe2-ext-fun
...
Add new pkcs5 pbe2 ext fun
2023-09-04 15:33:42 +02:00
Tom Cosgrove
d9572c0270
Move the description of MBEDTLS_TEST_DEFINES_ZEROIZE to before its use
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Tom Cosgrove
7eced7d1d2
Move zeroize-as-memset into a config file under tests/
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Tom Cosgrove
42b02a909c
Add the ability to verify mbedtls_platform_zeroize() calls with -Wsizeof-pointer-memaccess
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Yanray Wang
72d7bb4bca
check_config.h: add checks for CIPHER_ENCRYPT_ONLY
...
MBEDTLS_CIPHER_ENCRYPT_ONLY is an internal configuration which is
automatically enabled via the PSA. Typically,
once MBEDTLS_CIPHER_ENCRYPT_ONLY is enabled,
MBEDTLS_PSA_CRYPTO_CONFIG must be enabled. This check is only used
to prevent user explicitly enabling MBEDTLS_CIPHER_ENCRYPT_ONLY.
In addition, we shouldn't enable MBEDTLS_CIPHER_ENCRYPT_ONLY if
either CIPHER_MODE_CBC, CIPHER_MODE_XTS or NIST_KW_C is enabled.
Since three of them always need AES-decrypt.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-01 17:35:58 +08:00
Yanray Wang
9141ad1223
aria/camellia/des: guard setkey_dec by CIPHER_ENCRYPT_ONLY
...
This is a pre-step to remove *setkey_dec_func in cipher_wrap ctx
when CIPHER_ENCRYPT_ONLY is enabled.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-01 17:06:38 +08:00
Yanray Wang
67208fdba8
PSA: auto-enable CIPHER_ENCRYPT_ONLY if cipher-decrypt is not needed
...
Some cipher modes use cipher-encrypt to encrypt and decrypt.
(E.g: ECB, CBC). This commit adds support to automatically
enable CIPHER_ENCRYPT_ONLY by PSA when requested cipher modes don't
need cipher_decrypt.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-01 16:40:11 +08:00
Yanray Wang
78ee0c9e4f
aes.c: add config option to support cipher_encrypt_only
...
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-09-01 16:35:33 +08:00
Tom Cosgrove
c43c3aaf02
Define all PSA_xxx macros to 1 rather than have them empty, for consistency
...
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-08-31 17:06:58 +01:00
Dave Rodgman
a9a53a05f0
Merge remote-tracking branch 'origin/development' into misc-code-size
2023-08-31 11:53:46 +01:00
Gilles Peskine
03e9dea30b
Merge remote-tracking branch 'development' into psa_crypto_config-in-full
...
Conflicts:
* `include/psa/crypto_sizes.h`: the addition of the `u` suffix in this branch
conflicts with the rework of the calculation of `PSA_HASH_MAX_SIZE` and
`PSA_HMAC_MAX_HASH_BLOCK_SIZE` in `development`. Use the new definitions
from `development`, and add the `u` suffix to the relevant constants.
2023-08-30 18:32:57 +02:00
Agathiyan Bragadeesh
52af0d08b4
Fix unsafe behaviour in MBEDTLS_ASN1_IS_STRING_TAG
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-30 16:24:15 +01:00
Dave Rodgman
730bbee226
Merge remote-tracking branch 'origin/development' into update-restricted-2023-08-30
2023-08-30 11:22:00 +01:00
Dave Rodgman
29bf911058
Merge pull request #7839 from daverodgman/psa-sha3
...
SHA-3 via PSA
2023-08-30 08:51:36 +00:00
Waleed Elmelegy
79b6e26b1b
Improve mbedtls_pkcs5_pbes2_ext function test data
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-08-29 14:55:03 +01:00
Jerry Yu
f65f71eef3
improve various issues
...
- duplicate definition
- wrong comments
- redundant include statement
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-28 10:58:24 +08:00
Jerry Yu
926221a26e
Add target platform detection macros
...
Now we have arm/x86 32/64 detection
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-23 17:15:34 +08:00
Agathiyan Bragadeesh
af3e548c77
Make MBEDTLS_ASN1_IS_STRING_TAG to take signed int
...
Since mbedtls_asn1_buf uses a signed int for tags.
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
bdf20a0d55
Alter MBEDTLS_ASN1_IS_STRING_TAG macro
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-08-22 10:39:56 +01:00
Tom Cosgrove
17d5081ffb
Merge pull request #8099 from gilles-peskine-arm/split-config_psa-prepare
...
Prepare to split config_psa.h
2023-08-22 07:30:46 +00:00
Gilles Peskine
d50562c33c
Merge pull request #7827 from davidhorstmann-arm/reword-net-free-description-2544
...
Reword the description of `mbedtls_net_free()`
2023-08-21 22:23:08 +00:00
Gilles Peskine
796bc2b8f9
Merge pull request #7486 from AndrzejKurek/calloc-also-zeroizes
...
Document mbedtls_calloc zeroization
2023-08-21 15:47:21 +00:00
Gilles Peskine
ea4fc97cd0
Restore a comment and fix it
...
aca31654e6
removed a sentence with copypasta
refering to PBKDF2 instead of XTS. Restore that comment but fix the
copypasta.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-21 16:16:24 +02:00
Gilles Peskine
7b7ecf5e0d
Fix condition to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE
...
Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
MBEDTLS_PSA_CRYPTO_CONFIG is disabled. This didn't make sense and was an
editorial mistake when adding it: it's meant as an addition to
MBEDTLS_PSA_CRYPTO_CONFIG_FILE, so it should be included under the same
conditions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-21 16:09:14 +02:00
Gilles Peskine
a458d48e7f
Move the inclusion of the PSA config file(s) into build_info.h
...
They belong here, next to the inclusion of the mbedtls config file. We only
put them in config_psa.h in Mbed TLS 2.x because there was no build_info.h
we could use.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-21 16:06:12 +02:00
Gilles Peskine
8cd1da4b73
Remove spurious extern "C"
...
This header only contains preprocessor definitions. They are not affected by
extern "C".
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-21 16:03:41 +02:00
Valerio Setti
568799fe22
ssl_ciphersuites: fix typo
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-21 07:36:54 +02:00
Dave Rodgman
1fdc884ed8
Merge pull request #7384 from yuhaoth/pr/add-aes-accelerator-only-mode
...
AES: Add accelerator only mode
2023-08-18 20:55:44 +00:00
Gilles Peskine
73936868b8
Merge remote-tracking branch 'development' into psa_crypto_config-in-full
...
Conflicts:
* tests/scripts/all.sh: component_test_crypto_full_no_cipher was removed
in the development branch.
2023-08-17 19:46:34 +02:00
Waleed Elmelegy
12dd040374
Improve mbedtls_pkcs5_pbes2_ext function signature comments
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-08-17 15:08:03 +01:00
Waleed Elmelegy
5d3f315478
Add new mbedtls_pkcs5_pbe2_ext function
...
Add new mbedtls_pkcs5_pbe2_ext function to replace old
function with possible security issues.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-08-17 14:20:58 +01:00
Gilles Peskine
294be94922
Merge pull request #7818 from silabs-Kusumit/PBKDF2_cmac_implementation
...
PBKDF2 CMAC implementation
2023-08-17 11:15:16 +00:00
Jerry Yu
6c6b9f602c
Change document to match real status
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-17 16:53:01 +08:00
Dave Rodgman
f4efd19dd0
Reduce code size in ccm
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-16 22:37:32 +01:00
Dave Rodgman
2aaf888e0b
Adjust struct layout for small size win
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-16 22:37:31 +01:00
Dave Rodgman
864f594acc
Adjust layout of some stucts
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-16 18:04:44 +01:00
Gilles Peskine
d370f93898
Merge pull request #7898 from AndrzejKurek/csr-rfc822-dn
...
OPC UA - add support for RFC822 and DirectoryName SubjectAltNames when generating CSR's
2023-08-16 09:19:46 +00:00
Kusumit Ghoderao
9928ca1875
Code styling
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-08-16 11:48:27 +05:30
Valerio Setti
d1fba7cdf0
pk: return PK_USE_PSA_EC_DATA to pk.h
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-11 08:33:27 +02:00
Manuel Pégourié-Gonnard
26b7c93d9d
Merge pull request #7992 from valeriosetti/issue7755
...
driver-only ECC: BN.x509 testing
2023-08-10 19:41:09 +00:00
Manuel Pégourié-Gonnard
54da1a69a2
Merge pull request #7578 from daverodgman/safer-ct5
...
Improve constant-time interface
2023-08-10 16:57:39 +00:00
Valerio Setti
efe848f430
pk: fix some comments
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-10 15:48:18 +02:00
Valerio Setti
c6aeb0dc1d
check_config: remove unnecessary BIGNUM_C requirements
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-10 14:50:03 +02:00
Manuel Pégourié-Gonnard
6beec7ca5e
Merge pull request #7989 from valeriosetti/issue7754
...
driver-only ECC: BN.PK testing
2023-08-10 09:43:56 +00:00
Manuel Pégourié-Gonnard
91c8372c01
Merge pull request #6999 from ivq/ecp_doc
...
Doc: Add note on special use of A in ecp group structure
2023-08-10 08:24:05 +00:00
Jerry Yu
13696bb07b
improve check config option for i386
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-10 13:36:32 +08:00
Valerio Setti
0f6d565d26
pk: return PK_USE_PSA_EC_DATA to pk.h
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-10 07:05:47 +02:00
Valerio Setti
7c494e7211
pk: move PK_HAVE_ECC_KEYS to build_info.h
...
This is usefuls to use PK_HAVE_ECC_KEYS in check_config.h instead
of redefining it twice in different ways.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-10 07:05:47 +02:00
Manuel Pégourié-Gonnard
7dccb66d49
test: disable RSA support on the test ecc_no_bignum component
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-10 06:43:23 +02:00
Gilles Peskine
935ff2300c
More unsigned literal in size macros
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-09 19:48:02 +02:00
Janos Follath
115784bd3f
Merge pull request #1040 from waleed-elmelegy-arm/development-restricted
...
Improve & test legacy mbedtls_pkcs5_pbe2
2023-08-09 09:43:23 +01:00
Chien Wong
aa9a15833e
Fix doc
...
Signed-off-by: Chien Wong <m@xv97.com>
2023-08-09 12:35:47 +08:00
Gilles Peskine
f11cfecb6b
Merge pull request #7998 from gilles-peskine-arm/MBEDTLS_PSA_CRYPTO_CONFIG-less_experimental
...
MBEDTLS_PSA_CRYPTO_CONFIG is ready for production
2023-08-08 09:04:57 +00:00
Gilles Peskine
a79256472c
Merge pull request #7788 from marekjansta/fix-x509-ec-algorithm-identifier
...
Fixed x509 certificate generation to conform to RFCs when using ECC key
2023-08-07 19:14:54 +00:00
Chien Wong
153ae464db
Improve doc on special use of A in ecp group structure
...
Signed-off-by: Chien Wong <m@xv97.com>
2023-08-07 23:02:31 +08:00
Dave Rodgman
c98f8d996a
Merge branch 'development' into safer-ct5
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-07 11:47:35 +01:00
Dave Rodgman
003a5e1ca7
Merge pull request #1046 from Mbed-TLS/merge_3.4.1
...
Merge 3.4.1
2023-08-03 18:23:37 +01:00
Dave Rodgman
a0fc9987da
Merge branch 'development' into merge_3.4.1
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-03 15:56:59 +01:00
Waleed Elmelegy
f50767d7ab
Improve mbedtls_pkcs5_pbes2 function signature comments
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-08-03 15:42:55 +01:00
Dave Rodgman
6f80ac4979
Merge pull request #7864 from waleed-elmelegy-arm/enforce-min-RSA-key-size
...
Enforce minimum key size when generating RSA key size
2023-08-03 12:57:52 +00:00
Dave Rodgman
9a3ded10b7
Merge remote-tracking branch 'gilles-peskine-arm/3.4.0-updated-certs' into mbedtls-3.4.1rc0-pr
2023-08-03 12:00:31 +01:00
Valerio Setti
c8ccc8f86d
tls: add new symbol for generic TLS 1.2 and 1.3 support
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-02 20:00:13 +02:00
David Horstmann
df28b8d2ea
Add space to appease doxygen bug
...
See doxygen/doxygen#8706
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-08-02 16:06:32 +02:00
Gilles Peskine
550d147078
Bump version to 3.4.1
...
```
./scripts/bump_version.sh --version 3.4.1
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-08-02 12:50:23 +02:00
Gilles Peskine
267bee9be8
Merge pull request #7903 from valeriosetti/issue7773
...
Define PSA_WANT_xxx_KEY_PAIR_yyy step 2/DH
2023-08-02 10:16:44 +00:00
Jerry Yu
1414029ff0
improve document about hardware only
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:44:03 +08:00
Jerry Yu
6943681820
Improve error message and documents
...
- fix grammar error
- Add more information for AES_USE_HARDWARE_ONLY
- Improve error message
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:44:03 +08:00
Jerry Yu
e77c4d95a7
Mention the crash risk without runtime detection
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:44:02 +08:00
Jerry Yu
3660623e59
Rename plain c option and update comments
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:44:01 +08:00
Jerry Yu
3fcf2b5053
Rename HAS_NO_PLAIN_C to DONT_USE_SOFTWARE_CRYPTO
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:44:00 +08:00
Jerry Yu
1b3ab36b55
Update comments
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:43:59 +08:00
Jerry Yu
315fd30201
Rename plain c disable option
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:43:59 +08:00
Jerry Yu
0d4f4e5b01
Add option to disable built-in aes implementation.
...
For time being, there are only two aes implementations for known
architectures. I define runtime detection function as const when
built-in was disabled. In this case, compiler will remove dead
built-in code.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-08-02 17:43:54 +08:00
Bence Szépkúti
895074e3f9
Merge pull request #8002 from valeriosetti/issue7904
...
PSA maximum size macro definitions should take support into account
2023-08-02 05:57:28 +00:00
Valerio Setti
2430a70fcf
ssl_ciphersuites: adding new internal helper symbols
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-01 19:02:38 +02:00
Dave Rodgman
56e5d6887f
Fix comment typo
...
Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-08-01 15:04:11 +01:00
Gilles Peskine
d55e451b3e
Merge pull request #7997 from yanesca/fix_new_bignum_tests
...
Fix new bignum tests
2023-08-01 12:09:39 +00:00
Janos Follath
e416f03c8f
Improve wording of MBEDTLS_ECP_WITH_MPI_UINT doc
...
Use the standard "experimental" word in the description and make the
wording more similar to other experimental warnings.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-08-01 08:44:40 +01:00
Manuel Pégourié-Gonnard
de8f56e936
Merge pull request #7884 from valeriosetti/issue7612
...
TLS: Clean up (EC)DH dependencies
2023-08-01 07:13:36 +00:00
Kusumit Ghoderao
baf350c6bd
Add PSA_HAVE_SOFT_PBKDF2 to crypto_driver_context_key_derivation
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-31 20:22:33 +05:30
Dave Rodgman
ad9e5b9abe
Improve docs for mbedtls_ct_memcmp
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-31 12:43:23 +01:00
Dave Rodgman
9ee0e1f6fe
Remove GCC redundant-decls workaround for mbedtls_ct_memcmp
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-31 12:43:23 +01:00
Janos Follath
2f04582d37
Move MBEDTLS_ECP_WITH_MPI_UINT to mbedtls_config.h
...
There is a precedent for having bigger and less mature options in
mbedtls_config.h (MBEDTLS_USE_PSA_CRYPTO) for an extended period.
Having this option in mbedtls_config.h is simpler and more robust.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2023-07-31 10:57:16 +01:00
Valerio Setti
43c5bf4f88
crypto_sizes: use PSA_WANT_ALG for MAX signatures and key agreement sizes
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-31 11:35:48 +02:00
Valerio Setti
8b27decc6a
Revert "crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE"
...
This reverts commit 478c236938
.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-31 11:35:42 +02:00
Valerio Setti
9cd8011978
tls: fix definition of symbol KEY_EXCHANGE_SOME_XXDH_PSA_ANY
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-28 16:46:55 +02:00
Valerio Setti
478c236938
crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-28 16:05:53 +02:00
Manuel Pégourié-Gonnard
43cef57e51
Merge pull request #7811 from mpg/md-info
...
Optimize strings in MD
2023-07-28 08:34:09 +00:00
Kusumit Ghoderao
c22affd9ec
Fix dependencies for pbkdf2 cmac
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-28 13:31:58 +05:30
Valerio Setti
c012a2de7c
crypto_sizes: change initial MAX_SIZE value to 1
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-28 09:34:44 +02:00
Valerio Setti
644e01d767
crypto_sizes: fix typo
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-28 09:31:51 +02:00
Valerio Setti
a83d9bf0db
crypto_sizes: size PSA max symbols according to actual support
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-27 18:15:20 +02:00
Kusumit Ghoderao
a12e2d53bd
Replace AES_CMAC_128_PRF_OUTPUT_SIZE with PSA_MAC_LENGTH()
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-27 21:18:30 +05:30
Kusumit Ghoderao
9ab03c3d72
Define PSA_ALG_IS_PBKDF2
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-27 21:14:05 +05:30
Kusumit Ghoderao
2addf35855
Replace MBEDTLS_PSA_BUILTIN_PBKDF2_XXX with PSA_HAVE_SOFT_PBKDF2
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-27 21:11:09 +05:30
Kusumit Ghoderao
105f772fe8
Add PSA_HAVE_SOFT_PBKDF2
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-27 21:03:06 +05:30
Kusumit Ghoderao
ce38db1c0b
Change config_psa.h PBKDF2_CMAC dependencies
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-27 21:01:03 +05:30
Waleed Elmelegy
d7bdbbeb0a
Improve naming of mimimum RSA key size generation configurations
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 14:50:09 +00:00
Dave Rodgman
f2e3eb8bd9
Add OID for HMAC-RIPEMD160
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 15:46:05 +01:00
Dave Rodgman
5cc67a3ee2
Add OIDs for HMAC-SHA3
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 14:44:35 +01:00
Dave Rodgman
2d626cc44f
Fix missing opening brace in comments
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-27 14:43:55 +01:00
Gilles Peskine
25b4e72d6e
MBEDTLS_PSA_CRYPTO_CONFIG is ready for production
...
It's ok if people use MBEDTLS_PSA_CRYPTO_CONFIG: it's not unstable or
unpredictable. But we still reserve the right to make minor changes
(e.g. https://github.com/Mbed-TLS/mbedtls/issues/7439 ).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-07-27 15:09:24 +02:00
Waleed Elmelegy
3d158f0c28
Adapt tests to work on all possible minimum RSA key sizes
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 11:03:35 +00:00
Waleed Elmelegy
ab5707185a
Add a minimum rsa key size config to psa config
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 11:00:03 +00:00
Waleed Elmelegy
76336c3e4d
Enforce minimum key size when generating RSA key size
...
Add configuration to enforce minimum size when
generating a RSA key, it's default value is 1024
bits since this the minimum secure value currently
but it can be any value greater than or equal 128
bits. Tests were modifed to accommodate for this
change.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-27 10:58:25 +00:00
Manuel Pégourié-Gonnard
0fda0d2e5c
Fix overly specific description in public doc
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-27 12:22:52 +02:00
Valerio Setti
9c5c2a4b71
crypto_legacy: fix initial comment
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-27 11:11:19 +02:00
Gilles Peskine
7ef14bf8a2
Merge pull request #7835 from gilles-peskine-arm/ssl_premaster_secret-empty-3.4
...
Fix empty union when TLS is disabled
2023-07-27 08:28:21 +00:00
Valerio Setti
a55f042636
psa: replace DH_KEY_PAIR_LEGACY with new symbols
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-27 09:15:34 +02:00
Paul Elliott
f1c032adba
Merge pull request #7902 from valeriosetti/issue7772
...
Define PSA_WANT_xxx_KEY_PAIR_yyy step 2/RSA
2023-07-25 17:13:43 +01:00
Valerio Setti
ea59c43499
tls: fix a comment a rename a variable/symbol
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-25 11:14:03 +02:00
Valerio Setti
d0371b0a08
debug: keep ECDH_C guard for debug printf accessing ecdh_context's items
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-25 10:57:01 +02:00
Dave Rodgman
cad28ae77a
Merge remote-tracking branch 'origin/development' into psa-sha3
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-24 15:51:13 +01:00
Gilles Peskine
3c861642c8
Make sure that size constants are unsigned
...
This fixes a warning from some compilers (e.g. MSVC) about comparisons
between signed and unsigned values in perfectly reasonable code. In
particular, there was one such warning in psa_pbkdf2_hmac_set_password.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-07-21 17:50:49 +02:00
Gilles Peskine
2387bdab0f
Merge pull request #1038 from Mbed-TLS/development
...
Merge development into development-restricted
2023-07-21 15:40:36 +02:00
Ronald Cron
87f62850f3
Merge pull request #7893 from ronald-cron-arm/misc-from-psa-crypto
...
Miscellaneous fixes resulting from the work on PSA-Crypto
2023-07-21 10:54:41 +02:00
Dave Rodgman
ed70fd0c39
Merge pull request #5549 from AndrzejKurek/doxygen-bad-param-names
...
Fix wrong doxygen parameter names and misused `\p` commands
2023-07-20 14:10:10 +01:00
Manuel Pégourié-Gonnard
c844c1a771
Merge pull request #7546 from mpg/align-psa-md-identifiers
...
Align psa md identifiers
2023-07-20 11:34:28 +02:00
Dave Rodgman
6dd40642e8
Merge pull request #7932 from AgathiyanB/add-mpi-uint-size-macro
...
Use compile-time determination of which __builtin_clz() to use, with new MBEDTLS_MPI_UINT_SIZE macro
2023-07-19 14:57:39 +01:00
Waleed Elmelegy
708d78f80b
Improve & test legacy mbedtls_pkcs5_pbe2
...
* Prevent pkcs5_pbe2 encryption when PKCS7 padding has been
disabled since this not part of the specs.
* Allow decryption when PKCS7 padding is disabled for legacy
reasons, However, invalid padding is not checked.
* Add tests to check these scenarios. Test data has been
reused but with changing padding data in last block to
check for valid/invalid padding.
* Document new behaviour, known limitations and possible
security concerns.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-07-19 14:01:35 +01:00
Agathiyan Bragadeesh
eed55c6c94
Use defined macros for MBEDTLS_MPI_UINT_MAX
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-07-19 11:08:02 +01:00
Dave Rodgman
5f65acb02b
Merge pull request #7859 from gilles-peskine-arm/mbedtls_mpi-smaller
...
Reduce the size of mbedtls_mpi
2023-07-18 16:48:37 +01:00
Gilles Peskine
24a305ec22
Explain why we check 65535 (not USHORT_MAX)
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-07-18 13:53:07 +02:00
Manuel Pégourié-Gonnard
828b3acd6b
Merge pull request #7848 from valeriosetti/issue7749
...
driver-only ECC: EPCf.TLS testing
2023-07-18 10:33:21 +02:00
Agathiyan Bragadeesh
197565062a
Make consistent suffix MBEDTLS_MPI_UINT_MAX
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-07-17 16:43:19 +01:00
Agathiyan Bragadeesh
900e20d3a2
Change MBEDTLS_MPI_UINT_MAX suffix
...
Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Agathiyan Bragadeesh <48658345+AgathiyanB@users.noreply.github.com>
2023-07-17 16:27:21 +01:00
Ronald Cron
170c199829
Align guards of Windows specific configuration checks
...
In check_config.h, align the guards of Windows
specific configuration checks with the ones used
in platform.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-07-17 11:53:20 +02:00
Ronald Cron
03ea8f8d0a
Add dependency of builtin CCM* on builtin cipher
...
Add missing dependency of the unauthenticated
cipher CCM* without tag builtin implementation
on builtin cipher.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-07-17 11:52:32 +02:00
Agathiyan Bragadeesh
09a455e21a
Add macros for mpi uint max sizes
...
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-07-14 14:07:18 +01:00
Dave Rodgman
a02b36886c
Fix gcc warnings when -Wredundant-decls set
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-14 13:43:39 +01:00
Andrzej Kurek
f14a5c3fcb
Improve the documentation of MBEDTLS_PLATFORM_MEMORY
...
Introduce requests from review comments.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-14 06:15:15 -04:00
Andrzej Kurek
377eb5f0c3
doxygen: \p commands misuse - review comments
...
Apply comments suggested in review.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Andrzej Kurek
00b54e6885
doxygen: fix parameter name typos and misused \p commands
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Andrzej Kurek
43dfd51ab4
doxygen: fix misused \p commands in rsa.h
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Andrzej Kurek
3bedb5b663
doxygen: fix parameter name typos and misused \p commands
...
\p is reserved for function parameters.
\c is used to describe other values and variables.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Andrzej Kurek
69ed8c41fa
Fix documentation - parameter name mistakes
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Andrzej Kurek
7d49a1c907
doxygen: remove unnecessary description
...
Due to the nature of CTR, there is no mode parameter.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-13 10:02:32 -04:00
Jerry Yu
8bfa24b021
Update compiler versions requirement
...
For time being, we haven't verified MSVC
for sha256 and 512. So we do not add msvc
information.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-07-13 10:40:29 +08:00
Jerry Yu
8e96e78dbe
update document and error message
...
Chang the spell of armclang
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-07-13 10:40:28 +08:00
Jerry Yu
c37e260dc5
Add armclang version requirement for sha512
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-07-13 10:40:28 +08:00
Dave Rodgman
98e632f210
Re-order mbedtls_mpi to save a few extra bytes with clang
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-11 16:02:50 +01:00
Valerio Setti
980383421a
config_psa: enable KEY_PAIR_GENERATE only when GENPRIME is defined
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 16:32:50 +02:00
Valerio Setti
0d5c5e5a38
config_psa: enable KEY_PAIR_[IMPORT/EXPORT] as soon as BASIC is enabled
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 14:06:00 +02:00
Valerio Setti
a9a3c5581e
config_psa: enable GENPRIME when BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 14:06:00 +02:00
Valerio Setti
b2bcedbf9a
library: replace MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 14:06:00 +02:00
Valerio Setti
f6d4dfb745
library: replace PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY symbols with proper ones
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-11 14:06:00 +02:00
Gilles Peskine
6aca2c9613
Merge pull request #7716 from mpg/psa-util-internal
...
Split psa_util.h between internal and public
2023-07-10 18:33:23 +02:00
Valerio Setti
6f0441d11e
tls: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-10 09:13:57 +02:00
Pengyu Lv
08daebb410
Make endpoint getter parameter a pointer to const
...
It would be convenient for users to query the endpoint
type directly from a ssl context:
```
mbedtls_ssl_conf_get_endpoint(
mbedtls_ssl_context_get_config(&ssl))
```
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-07-10 11:33:23 +08:00
Pengyu Lv
accd53ff6a
Add getter access to endpoint field in mbedtls_ssl_config
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-07-10 11:33:23 +08:00
Pengyu Lv
918ebf3975
Add getter access to hostname field in mbedtls_ssl_context
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-07-10 11:33:23 +08:00
Pengyu Lv
af724dd112
ssl_cache: Add getter access to timeout field
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-07-10 11:33:23 +08:00
Valerio Setti
aa7cbd619c
build_info: replace PK_CAN_ECDH with CAN_ECDH and fix comments
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 19:02:23 +02:00
Valerio Setti
3d237b5ff1
ssl_misc: fix guards for PSA data used in XXDH key exchanges
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 19:02:16 +02:00
Valerio Setti
0a0d0d5527
ssl: keep all helper definitions in ssl_ciphersuites.h
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:31:40 +02:00
Valerio Setti
ed365e66bb
ssl: improve/fix definitions for internal helpers
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:31:40 +02:00
Valerio Setti
a15078b784
pk: do not duplicate internal symbols for ECDH/ECDSA capabilities
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:31:40 +02:00
Valerio Setti
e87915b66f
ssl: update new symbols to include also FFDH
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Valerio Setti
b302efc8d9
debug: replace ECDH_C symbol with key exchange one
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Valerio Setti
c2232eadfb
tls: replace PK_CAN_ECDH guards with new helpers
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Valerio Setti
7aeec54094
tls: replace ECDH_C guards with new helpers
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Valerio Setti
00dc4063e2
ssl: add new helpers for TLS 1.2/1.3 ECDH(E) key exchanges
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-07-07 17:23:53 +02:00
Andrzej Kurek
c508dc29f6
Unify csr and crt san writing functions
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-07 09:05:30 -04:00
Manuel Pégourié-Gonnard
9967f11066
Merge pull request #7810 from valeriosetti/issue7771
...
Define PSA_WANT_xxx_KEY_PAIR_yyy step 2/ECC
2023-07-07 10:22:47 +02:00
Manuel Pégourié-Gonnard
999ce227fc
Make the PSA-mbedtls RNG API public
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:47:28 +02:00
Manuel Pégourié-Gonnard
abfe640864
Rationalize includes in psa_util
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:47:27 +02:00
Manuel Pégourié-Gonnard
b7e8939198
Move error functions to internal header
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:47:26 +02:00
Manuel Pégourié-Gonnard
a5a8f29d7e
Move ECC and FFDH macros to internal header
...
ECC macros used in the following files:
library/pk.c
library/pk_wrap.c
library/pkparse.c
library/pkwrite.c
library/ssl_misc.h
library/ssl_tls12_client.c
FFDH macro use only in library/ssl_misc.h so could possibly be moved
there, but it seems cleaner to keep it close to the ECC macros are they
are very similar in nature.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:45:54 +02:00
Manuel Pégourié-Gonnard
f9b012f313
Remove unused function from psa_util.h
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Manuel Pégourié-Gonnard
5c731b0afb
Use consistent guards for deprecated feature
...
Fixes an "unused static function" warning in builds with
DEPRECATED_REMOVED.
While at it, remove an include that's now useless.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Manuel Pégourié-Gonnard
efcc1f21c8
Make cipher functions static in cipher.c
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Manuel Pégourié-Gonnard
2be8c63af7
Create psa_util_internal.h
...
Most functions in psa_util.h are going to end up there (except those
that can be static in one file), but I wanted to have separate commits
for file creation and moving code around, so for now the new file's
pretty empty but that will change in the next few commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-07-06 12:42:33 +02:00
Tom Cosgrove
836aed7cf8
Merge pull request #6003 from gstrauss/x509_time
...
mbedtls_x509_time performance and reduce memory use
2023-07-06 09:28:14 +01:00
Dave Rodgman
852b6c30b7
Support MBEDTLS_MD_SHA3_xxx_VIA_PSA
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-05 19:47:08 +01:00
Dave Rodgman
527f48f14d
Add OID definitions for SHA3
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-05 18:57:30 +01:00
Dave Rodgman
3d0c8255aa
Merge pull request #7825 from daverodgman/cipher_wrap_size
...
Cipher wrap size improvement
2023-07-05 15:45:48 +01:00
Dave Rodgman
761d0dcfbf
Improve doxygen formatting
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-05 12:33:53 +01:00
Dave Rodgman
ff4c2db489
Improve comments
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-07-05 12:11:32 +01:00
Kusumit Ghoderao
3fde8feaa9
FIx name of macro
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-04 15:17:02 +05:30
Kusumit Ghoderao
b3042c39fe
Define PSA_ALG_WANT_PBKDF2_AES_CMAC_PRF_128 and fix config
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-04 15:17:02 +05:30
Kusumit Ghoderao
857cd4b3ee
Add AES_CMAC_PRF_128 output size macro
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-04 15:16:59 +05:30
Kusumit Ghoderao
dd45667a18
Define struct for pbkdf2_cmac
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-04 15:16:59 +05:30
Kusumit Ghoderao
3cb6e41dfa
Add define for builtin pbkdf2_cmac
...
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
2023-07-04 15:16:59 +05:30
Andrzej Kurek
2b3c06edb3
Enable certain documented defines only when generating doxygen
...
Avoid an "unrecognized define" error.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-07-03 10:42:15 -04:00
Manuel Pégourié-Gonnard
56b159a12a
Merge pull request #7627 from mprse/ffdh_tls13_v2
...
Make use of FFDH keys in TLS 1.3 v.2
2023-07-03 10:12:33 +02:00
Valerio Setti
06dfba7fd9
config_psa: enabled EC key derivation support when ECP_C is enabled
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 10:16:22 +02:00
Valerio Setti
27c501a10c
lib/test: replace BASIC_IMPORT_EXPORT internal symbol with BASIC,IMPORT,EXPORT
...
Also the python script for automatic test generation is fixed accordingly
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 10:16:22 +02:00
Valerio Setti
6a9d0ee373
library/test: replace LEGACY symbol with BASIC_IMPORT_EXPORT
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 10:16:21 +02:00
Valerio Setti
73fc082fcd
config_psa: introduce new internal KEY_PAIR symbol for BASIC+IMPORT+EXPORT
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-06-30 10:16:21 +02:00
Gilles Peskine
053022fe24
Reduce the size of mbedtls_mpi
...
Reduce the size of mbedtls_mpi from 3 words to 2 on most architectures.
This also reduces the code size significantly in bignum.o and ecp_curves.o,
with negligible variations in other modules.
This removes the ability to set MBEDTLS_MPI_MAX_LIMBS to a value >=65536,
but we don't support customizing this value anyway (it's always 10000).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-06-29 19:33:44 +02:00
Andrzej Kurek
aae3208c29
Add an mbedtls_calloc(SIZE_MAX/2, SIZE_MAX/2) test
...
It should return NULL and not a valid pointer.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
Andrzej Kurek
84356a16e9
Add a description of how mbedtls_calloc is determined
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
Andrzej Kurek
ecaf6fb8b2
Documentation and cosmetic fixes
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
Andrzej Kurek
2d981f092e
Extend mbedtls_calloc and mbedtls_free documentation
...
Co-authored-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
Andrzej Kurek
c08ccd00f3
Add a test for calloc zeroization
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
Andrzej Kurek
b9f8974c6c
Document mbedtls_calloc zeroization
...
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-06-27 09:26:08 -04:00
David Horstmann
4506e7de61
Move clarification to a separate note
...
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-27 12:20:32 +01:00
David Horstmann
5dbe17de36
Add PSA_JPAKE_FINISHED to EXPECTED_{IN,OUT}PUTS()
...
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2023-06-27 10:30:28 +01:00