Commit graph

6342 commits

Author SHA1 Message Date
Dave Rodgman
aaebc9be51
Merge pull request #8235 from daverodgman/misc-size 2023-09-21 18:42:37 +01:00
Dave Rodgman
d3450da98d Re-order mbedtls_ccm_context
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-21 10:34:45 +01:00
Gilles Peskine
67cf66b427 Add a note about the code size benefits
We don't normally make promises related to code size, but this one is vague
enough (just "to benefit"), and it's what a lot of users of this option
care about.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 23:19:46 +02:00
Gilles Peskine
3aa79691fc Add a note about p256m near the option to enable secp256r1
Only document it with the PSA configuration, not for
MBEDTLS_ECP_DP_SECP256R1_ENABLED, since p256m can't be used with the classic
API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:54:50 +02:00
Gilles Peskine
08b66cd7d7 Move MBEDTLS_PSA_P256M_DRIVER_ENABLED to keep alphabetical order
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:51:47 +02:00
Gilles Peskine
efaee9a299 Give a production-sounding name to the p256m option
Now that p256-m is officially a production feature and not just an example,
give it a more suitable name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-20 20:49:47 +02:00
Manuel Pégourié-Gonnard
5edb942708
Merge pull request #8041 from mpg/tfm-p256m
Test TF-M config with p256-m driver
2023-09-20 16:09:56 +00:00
Gilles Peskine
eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613
TLS: Clean up ECDSA dependencies
2023-09-20 12:47:55 +00:00
Gilles Peskine
452beb9076
Merge pull request #8203 from gilles-peskine-arm/p256-m-production
Declare p256-m as ready for production
2023-09-20 09:36:05 +00:00
Manuel Pégourié-Gonnard
97bb726e2d Add clarifying comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 11:28:32 +02:00
Gilles Peskine
67c86e626b
Merge pull request #7961 from gilles-peskine-arm/psa_crypto_config-in-full
Enable MBEDTLS_PSA_CRYPTO_CONFIG in the full config
2023-09-18 08:13:12 +00:00
Manuel Pégourié-Gonnard
4f119b8f21 Remove extra copies of a block of comment/define
Not sure how it happened, but this block was not just duplicated, but
triplicated. Keep only the first copy: the one before the code that uses
the macro being defined.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 09:57:04 +02:00
Manuel Pégourié-Gonnard
f7298cd397 Fix some issues in comments
Ranging from typos to outdated comment contradicting the code.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 09:55:24 +02:00
jnmeurisse
83f0a65d71
Fix issue #8215 : add missing requires documentation in mbedtls_config.h
Add missing requirements MBEDTLS_SSL_PROTO_TLS1_2 to option MBEDTLS_SSL_RENEGOTIATION documentation.

Signed-off-by: jnmeurisse <88129653+jnmeurisse@users.noreply.github.com>
2023-09-16 18:12:18 +02:00
Gilles Peskine
865730ec67
Merge pull request #8212 from tom-cosgrove-arm/mbedtls_ssl_max_early_data_size-default-value
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
2023-09-15 05:51:59 +00:00
Tom Cosgrove
a63775b168 Move MBEDTLS_SSL_MAX_EARLY_DATA_SIZE to the correct section
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-14 13:31:19 +01:00
Tom Cosgrove
3b4471ef87 MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
Numeric options should be commented out with their default values in the config
file, and a separate header file should set the default value if necessary.
This was done for most other options in #8161; do it here for
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-14 13:18:50 +01:00
Gilles Peskine
016db89107 Update p256-m to state that it's ready for production
Add some guidance as to whether and how to enable it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-13 14:34:40 +02:00
Gilles Peskine
3cea3efc25
Merge pull request #8025 from AgathiyanB/accept-numericoid-hexstring-x509
Accept numericoid hexstring x509
2023-09-13 08:54:33 +00:00
Gilles Peskine
f22999e99f
Merge pull request #8093 from yuhaoth/pr/add-target-architecture-macros
Add architecture detection macros
2023-09-13 08:53:47 +00:00
Gilles Peskine
2e38a0d603 More spelling corrections
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-12 19:19:31 +02:00
Gilles Peskine
e820c0abc8 Update spelling "mbed TLS" to "Mbed TLS"
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":

```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```

Justification for the omissions:

* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
  occurrences are significant names in certificates and such. Changing
  the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
  updates.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-12 19:18:17 +02:00
Ronald Cron
ad2f351c6b
Merge pull request #8171 from ronald-cron-arm/misc-minor-fixes
One minor fix
2023-09-12 06:00:48 +00:00
Dave Rodgman
7fda906a68
Merge pull request #8161 from gilles-peskine-arm/config-boolean-options-wrong-section-202309
Fix module configuration options in mbedtls_config.h
2023-09-11 15:08:56 +00:00
Agathiyan Bragadeesh
d34c4262da Move conditionals to keep doxygen with function
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-08 11:09:50 +01:00
Gilles Peskine
86733834bc Modernize documentation of MBEDTLS_PLATFORM_ZEROIZE_ALT
The documentation was not updated when we started detecting memset_s() and
such.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-07 17:29:15 +02:00
Ronald Cron
d3d566f1d8 PSA config: Add comment about HKDF
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-09-07 15:25:53 +02:00
Gilles Peskine
58590983c5
Merge pull request #8160 from daverodgman/warn-unreachable
Fix clang warnings about unreachable code
2023-09-06 09:47:03 +00:00
Dave Rodgman
85061b97b5 Improve sanity checking of MBEDTLS_HAVE_INTxx
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-09-06 08:41:05 +01:00
Gilles Peskine
f9e4caf388 Comment out default definition
This is not required (it's ok to define the default in mbedtls_config and
skip the definition in rsa.h), but comment it out for uniformity with all
the other options in this section.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 21:11:27 +02:00
Gilles Peskine
d65ea42262 Fix some TLS 1.3 settings that were required in mbedtls_config.h
Mbed TLS can be configured by writing a configuration file from scratch,
without copying mbedtls_config.h. As a consequence, all the macro
definitions in mbedtls_config.h must be optional. This was not the case for
some MBEDTLS_SSL_TLS1_3_xxx macros with numerical values related to session
tickets. Fix that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 21:10:35 +02:00
Gilles Peskine
da69eaa366 TLS 1.3 support is mostly complete
In particular, pre-shared keys are supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 20:54:17 +02:00
Gilles Peskine
a8861e086e Fix boolean options in the wrong section
Boolean options that modify the behavior of a module are supposed to be in
the "feature support" section, not in the "configuration options" support:
that section is documented to contain commented-out definitions with a
value, for which the comment contains the default version. In particular,
merely uncommenting a definition in the "configuration options" section is
not supposed to change anything.

Move the offending boolean options to the proper section.

This causes those options to be enabled by `config.py full` unless
explicitly excluded. For all the offending options, this is undesirable, so
make sure those options are indeed excluded.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 20:20:51 +02:00
Gilles Peskine
edc237938a Split build_info.h: create and populate mbedtls/config_adjust_ssl.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
dc720b0a70 Split build_info.h: create mbedtls/config_adjust_x509.h
There isn't anything to put in this file. Create it anyway for consistency
with crypto and TLS.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
9d6a63b4fb Split build_info.h: create and populate mbedtls/config_adjust_legacy_crypto.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:10 +02:00
Gilles Peskine
4fb1542354 Split config_psa.h: create and populate mbedtls/config_adjust_legacy_from_psa.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:03:08 +02:00
Gilles Peskine
10c6f07963 Split config_psa.h: create and populate mbedtls/config_adjust_psa_from_legacy.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 12:02:13 +02:00
Gilles Peskine
eca0178cfa Split config_psa.h: create and populate mbedtls/config_adjust_psa_superset_legacy.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Gilles Peskine
5823977981 Split config_psa.h: create and populate psa/crypto_adjust_auto_enabled.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Gilles Peskine
7b7d903cac Split config_psa.h: create and populate psa/crypto_adjust_config_synonyms.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 11:57:14 +02:00
Tom Cosgrove
8bd8a462d2
Merge pull request #8141 from tom-cosgrove-arm/define-psa-macros-to-1
Define all PSA_xxx macros to 1 rather than have them empty, for consistency
2023-09-04 21:27:01 +00:00
Agathiyan Bragadeesh
fca0861e8e Add asn1 get tag and len to x509 create config
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-04 15:45:37 +01:00
Agathiyan Bragadeesh
86dc08599b Add asn1 write tag and len to x509 use c config
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
2023-09-04 15:40:41 +01:00
Tom Cosgrove
d9572c0270 Move the description of MBEDTLS_TEST_DEFINES_ZEROIZE to before its use
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Tom Cosgrove
7eced7d1d2 Move zeroize-as-memset into a config file under tests/
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Tom Cosgrove
42b02a909c Add the ability to verify mbedtls_platform_zeroize() calls with -Wsizeof-pointer-memaccess
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-09-02 19:22:45 +01:00
Tom Cosgrove
c43c3aaf02 Define all PSA_xxx macros to 1 rather than have them empty, for consistency
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-08-31 17:06:58 +01:00
Dave Rodgman
a9a53a05f0 Merge remote-tracking branch 'origin/development' into misc-code-size 2023-08-31 11:53:46 +01:00
Gilles Peskine
03e9dea30b Merge remote-tracking branch 'development' into psa_crypto_config-in-full
Conflicts:
* `include/psa/crypto_sizes.h`: the addition of the `u` suffix in this branch
  conflicts with the rework of the calculation of `PSA_HASH_MAX_SIZE` and
  `PSA_HMAC_MAX_HASH_BLOCK_SIZE` in `development`. Use the new definitions
  from `development`, and add the `u` suffix to the relevant constants.
2023-08-30 18:32:57 +02:00