yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
27827 commits 1 branch 0 tags 94 MiB
Commit graph

6454 commits

Author SHA1 Message Date
Waleed Elmelegy
d527896b7e Switch pkparse to use new mbedtls_pkcs12_pbe_ext function 
Switch pkparse to use new mbedtls_pkcs12_pbe_ext function
and deprecate mbedtls_pkcs12_pbe function.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-20 19:29:02 +01:00
Waleed Elmelegy
c9f4040f7f Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function 
Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function
and deprecate mbedtls_pkcs5_pbes2 function.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-20 19:28:28 +01:00
Manuel Pégourié-Gonnard
5edb942708
Merge pull request #8041 from mpg/tfm-p256m 
Test TF-M config with p256-m driver
 2023-09-20 16:09:56 +00:00
Gilles Peskine
eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613 
TLS: Clean up ECDSA dependencies
 2023-09-20 12:47:55 +00:00
Gilles Peskine
452beb9076
Merge pull request #8203 from gilles-peskine-arm/p256-m-production 
Declare p256-m as ready for production
 2023-09-20 09:36:05 +00:00
Manuel Pégourié-Gonnard
97bb726e2d Add clarifying comment 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 11:28:32 +02:00
Gilles Peskine
67c86e626b
Merge pull request #7961 from gilles-peskine-arm/psa_crypto_config-in-full 
Enable MBEDTLS_PSA_CRYPTO_CONFIG in the full config
 2023-09-18 08:13:12 +00:00
Manuel Pégourié-Gonnard
4f119b8f21 Remove extra copies of a block of comment/define 
Not sure how it happened, but this block was not just duplicated, but
triplicated. Keep only the first copy: the one before the code that uses
the macro being defined.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 09:57:04 +02:00
Manuel Pégourié-Gonnard
f7298cd397 Fix some issues in comments 
Ranging from typos to outdated comment contradicting the code.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 09:55:24 +02:00
jnmeurisse
83f0a65d71
Fix issue #8215 : add missing requires documentation in mbedtls_config.h 
Add missing requirements MBEDTLS_SSL_PROTO_TLS1_2 to option MBEDTLS_SSL_RENEGOTIATION documentation.

Signed-off-by: jnmeurisse <88129653+jnmeurisse@users.noreply.github.com>
 2023-09-16 18:12:18 +02:00
Gilles Peskine
865730ec67
Merge pull request #8212 from tom-cosgrove-arm/mbedtls_ssl_max_early_data_size-default-value 
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
 2023-09-15 05:51:59 +00:00
Tom Cosgrove
a63775b168 Move MBEDTLS_SSL_MAX_EARLY_DATA_SIZE to the correct section 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-14 13:31:19 +01:00
Tom Cosgrove
3b4471ef87 MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config 
Numeric options should be commented out with their default values in the config
file, and a separate header file should set the default value if necessary.
This was done for most other options in #8161; do it here for
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-14 13:18:50 +01:00
Gilles Peskine
016db89107 Update p256-m to state that it's ready for production 
Add some guidance as to whether and how to enable it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-13 14:34:40 +02:00
Gilles Peskine
3cea3efc25
Merge pull request #8025 from AgathiyanB/accept-numericoid-hexstring-x509 
Accept numericoid hexstring x509
 2023-09-13 08:54:33 +00:00
Gilles Peskine
f22999e99f
Merge pull request #8093 from yuhaoth/pr/add-target-architecture-macros 
Add architecture detection macros
 2023-09-13 08:53:47 +00:00
Gilles Peskine
2e38a0d603 More spelling corrections 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-12 19:19:31 +02:00
Gilles Peskine
e820c0abc8 Update spelling "mbed TLS" to "Mbed TLS" 
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":

```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```

Justification for the omissions:

* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
  occurrences are significant names in certificates and such. Changing
  the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
  updates.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-12 19:18:17 +02:00
Ronald Cron
ad2f351c6b
Merge pull request #8171 from ronald-cron-arm/misc-minor-fixes 
One minor fix
 2023-09-12 06:00:48 +00:00
Dave Rodgman
7fda906a68
Merge pull request #8161 from gilles-peskine-arm/config-boolean-options-wrong-section-202309 
Fix module configuration options in mbedtls_config.h
 2023-09-11 15:08:56 +00:00
Waleed Elmelegy
e1cb35b719 Add new mbedtls_pkcs12_pbe_ext function to replace old function 
Add new mbedtls_pkcs12_pbe_ext function to replace
old mbedtls_pkcs12_pbe function that have security
issues.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-08 16:51:26 +01:00
Gilles Peskine
31d49cd57f
Merge pull request #1053 from waleed-elmelegy-arm/Improve-and-test-mbedtls_pkcs12_pbe 
Improve & test legacy mbedtls_pkcs12_pbe
 2023-09-08 13:08:05 +02:00
Agathiyan Bragadeesh
d34c4262da Move conditionals to keep doxygen with function 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-09-08 11:09:50 +01:00
Gilles Peskine
86733834bc Modernize documentation of MBEDTLS_PLATFORM_ZEROIZE_ALT 
The documentation was not updated when we started detecting memset_s() and
such.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-07 17:29:15 +02:00
Ronald Cron
d3d566f1d8 PSA config: Add comment about HKDF 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-09-07 15:25:53 +02:00
Gilles Peskine
58590983c5
Merge pull request #8160 from daverodgman/warn-unreachable 
Fix clang warnings about unreachable code
 2023-09-06 09:47:03 +00:00
Dave Rodgman
85061b97b5 Improve sanity checking of MBEDTLS_HAVE_INTxx 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-09-06 08:41:05 +01:00
Gilles Peskine
f9e4caf388 Comment out default definition 
This is not required (it's ok to define the default in mbedtls_config and
skip the definition in rsa.h), but comment it out for uniformity with all
the other options in this section.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 21:11:27 +02:00
Gilles Peskine
d65ea42262 Fix some TLS 1.3 settings that were required in mbedtls_config.h 
Mbed TLS can be configured by writing a configuration file from scratch,
without copying mbedtls_config.h. As a consequence, all the macro
definitions in mbedtls_config.h must be optional. This was not the case for
some MBEDTLS_SSL_TLS1_3_xxx macros with numerical values related to session
tickets. Fix that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 21:10:35 +02:00
Gilles Peskine
da69eaa366 TLS 1.3 support is mostly complete 
In particular, pre-shared keys are supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 20:54:17 +02:00
Gilles Peskine
a8861e086e Fix boolean options in the wrong section 
Boolean options that modify the behavior of a module are supposed to be in
the "feature support" section, not in the "configuration options" support:
that section is documented to contain commented-out definitions with a
value, for which the comment contains the default version. In particular,
merely uncommenting a definition in the "configuration options" section is
not supposed to change anything.

Move the offending boolean options to the proper section.

This causes those options to be enabled by `config.py full` unless
explicitly excluded. For all the offending options, this is undesirable, so
make sure those options are indeed excluded.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 20:20:51 +02:00
Waleed Elmelegy
255db80910 Improve & test legacy mbedtls_pkcs12_pbe 
* Prevent pkcs12_pbe encryption when PKCS7 padding has been
  disabled since this not part of the specs.
* Allow decryption when PKCS7 padding is disabled for legacy
  reasons, However, invalid padding is not checked.
* Document new behaviour, known limitations and possible
  security concerns.
* Add tests to check these scenarios. Test data has been
  generated by the below code using OpenSSL as a reference:

#include <openssl/pkcs12.h>
#include <openssl/evp.h>
#include <openssl/des.h>
#include <openssl/asn1.h>
#include "crypto/asn1.h"
#include <string.h>

int main()
{
    char pass[] = "\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB\xBB";
    unsigned char salt[] = "\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC\xCC";
    unsigned char plaintext[] = "\xAA\xAA\xAA\xAA\xAA\xAA\xAA\xAA";
    unsigned char *ciphertext = NULL;
    int iter = 10;
    X509_ALGOR *alg =  X509_ALGOR_new();
    int ciphertext_len = 0;
    int alg_nid = NID_pbe_WithSHA1And3_Key_TripleDES_CBC;
    alg->parameter = ASN1_TYPE_new();
    struct asn1_object_st * aobj;
    PKCS5_pbe_set0_algor(alg, alg_nid, iter,
                         salt, sizeof(salt)-1);

    aobj = alg->algorithm;
    printf("\"30%.2X", 2 + aobj->length + alg->parameter->value.asn1_string->length);
    printf("06%.2X", aobj->length);
    for (int i = 0; i < aobj->length; i++) {
        printf("%.2X", aobj->data[i]);
    }

    for (int i = 0; i < alg->parameter->value.asn1_string->length; i++) {
        printf("%.2X", alg->parameter->value.asn1_string->data[i]);
    }
    printf("\":\"");

    for (int i = 0; i < sizeof(pass)-1; i++) {
        printf("%.2X", pass[i] & 0xFF);
    }
    printf("\":\"");
    for (int i = 0; i < sizeof(plaintext)-1; i++) {
        printf("%.2X", plaintext[i]);
    }
    printf("\":");
    printf("0");
    printf(":\"");

    unsigned char * res = PKCS12_pbe_crypt(alg, pass, sizeof(pass)-1, plaintext, sizeof(plaintext)-1, &ciphertext, &ciphertext_len, 1);

    if (res == NULL)
        printf("Encryption failed!\n");
    for (int i = 0; i < ciphertext_len; i++) {
        printf("%.2X", res[i]);
    }
    printf("\"\n");

    return 0;
}

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
#
 2023-09-05 15:45:55 +01:00
Gilles Peskine
edc237938a Split build_info.h: create and populate mbedtls/config_adjust_ssl.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 12:03:10 +02:00
Gilles Peskine
dc720b0a70 Split build_info.h: create mbedtls/config_adjust_x509.h 
There isn't anything to put in this file. Create it anyway for consistency
with crypto and TLS.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 12:03:10 +02:00
Gilles Peskine
9d6a63b4fb Split build_info.h: create and populate mbedtls/config_adjust_legacy_crypto.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 12:03:10 +02:00
Gilles Peskine
4fb1542354 Split config_psa.h: create and populate mbedtls/config_adjust_legacy_from_psa.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 12:03:08 +02:00
Gilles Peskine
10c6f07963 Split config_psa.h: create and populate mbedtls/config_adjust_psa_from_legacy.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 12:02:13 +02:00
Gilles Peskine
eca0178cfa Split config_psa.h: create and populate mbedtls/config_adjust_psa_superset_legacy.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 11:57:14 +02:00
Gilles Peskine
5823977981 Split config_psa.h: create and populate psa/crypto_adjust_auto_enabled.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 11:57:14 +02:00
Gilles Peskine
7b7d903cac Split config_psa.h: create and populate psa/crypto_adjust_config_synonyms.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-05 11:57:14 +02:00
Tom Cosgrove
8bd8a462d2
Merge pull request #8141 from tom-cosgrove-arm/define-psa-macros-to-1 
Define all PSA_xxx macros to 1 rather than have them empty, for consistency
 2023-09-04 21:27:01 +00:00
Agathiyan Bragadeesh
fca0861e8e Add asn1 get tag and len to x509 create config 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-09-04 15:45:37 +01:00
Agathiyan Bragadeesh
86dc08599b Add asn1 write tag and len to x509 use c config 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-09-04 15:40:41 +01:00
Gilles Peskine
1a7d387072
Merge pull request #1041 from waleed-elmelegy-arm/add-new-pkcs5-pbe2-ext-fun 
Add new pkcs5 pbe2 ext fun
 2023-09-04 15:33:42 +02:00
Tom Cosgrove
d9572c0270 Move the description of MBEDTLS_TEST_DEFINES_ZEROIZE to before its use 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-02 19:22:45 +01:00
Tom Cosgrove
7eced7d1d2 Move zeroize-as-memset into a config file under tests/ 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-02 19:22:45 +01:00
Tom Cosgrove
42b02a909c Add the ability to verify mbedtls_platform_zeroize() calls with -Wsizeof-pointer-memaccess 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-02 19:22:45 +01:00
Tom Cosgrove
c43c3aaf02 Define all PSA_xxx macros to 1 rather than have them empty, for consistency 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-08-31 17:06:58 +01:00
Dave Rodgman
a9a53a05f0 Merge remote-tracking branch 'origin/development' into misc-code-size 2023-08-31 11:53:46 +01:00
Gilles Peskine
03e9dea30b Merge remote-tracking branch 'development' into psa_crypto_config-in-full 
Conflicts:
* `include/psa/crypto_sizes.h`: the addition of the `u` suffix in this branch
  conflicts with the rework of the calculation of `PSA_HASH_MAX_SIZE` and
  `PSA_HMAC_MAX_HASH_BLOCK_SIZE` in `development`. Use the new definitions
  from `development`, and add the `u` suffix to the relevant constants.
 2023-08-30 18:32:57 +02:00
Agathiyan Bragadeesh
52af0d08b4 Fix unsafe behaviour in MBEDTLS_ASN1_IS_STRING_TAG 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-08-30 16:24:15 +01:00
Dave Rodgman
730bbee226 Merge remote-tracking branch 'origin/development' into update-restricted-2023-08-30 2023-08-30 11:22:00 +01:00
Dave Rodgman
29bf911058
Merge pull request #7839 from daverodgman/psa-sha3 
SHA-3 via PSA
 2023-08-30 08:51:36 +00:00
Waleed Elmelegy
79b6e26b1b Improve mbedtls_pkcs5_pbes2_ext function test data 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-08-29 14:55:03 +01:00
Jerry Yu
f65f71eef3 improve various issues 
- duplicate definition
- wrong comments
- redundant include statement

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-28 10:58:24 +08:00
Jerry Yu
926221a26e Add target platform detection macros 
Now we have arm/x86 32/64 detection

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-23 17:15:34 +08:00
Agathiyan Bragadeesh
af3e548c77 Make MBEDTLS_ASN1_IS_STRING_TAG to take signed int 
Since mbedtls_asn1_buf uses a signed int for tags.

Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-08-22 10:39:56 +01:00
Agathiyan Bragadeesh
bdf20a0d55 Alter MBEDTLS_ASN1_IS_STRING_TAG macro 
Signed-off-by: Agathiyan Bragadeesh <agathiyan.bragadeesh2@arm.com>
 2023-08-22 10:39:56 +01:00
Tom Cosgrove
17d5081ffb
Merge pull request #8099 from gilles-peskine-arm/split-config_psa-prepare 
Prepare to split config_psa.h
 2023-08-22 07:30:46 +00:00
Gilles Peskine
d50562c33c
Merge pull request #7827 from davidhorstmann-arm/reword-net-free-description-2544 
Reword the description of `mbedtls_net_free()`
 2023-08-21 22:23:08 +00:00
Gilles Peskine
796bc2b8f9
Merge pull request #7486 from AndrzejKurek/calloc-also-zeroizes 
Document mbedtls_calloc zeroization
 2023-08-21 15:47:21 +00:00
Gilles Peskine
ea4fc97cd0 Restore a comment and fix it 
aca31654e6 removed a sentence with copypasta
refering to PBKDF2 instead of XTS. Restore that comment but fix the
copypasta.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-21 16:16:24 +02:00
Gilles Peskine
7b7ecf5e0d Fix condition to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE 
Don't try to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE when
MBEDTLS_PSA_CRYPTO_CONFIG is disabled. This didn't make sense and was an
editorial mistake when adding it: it's meant as an addition to
MBEDTLS_PSA_CRYPTO_CONFIG_FILE, so it should be included under the same
conditions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-21 16:09:14 +02:00
Gilles Peskine
a458d48e7f Move the inclusion of the PSA config file(s) into build_info.h 
They belong here, next to the inclusion of the mbedtls config file. We only
put them in config_psa.h in Mbed TLS 2.x because there was no build_info.h
we could use.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-21 16:06:12 +02:00
Gilles Peskine
8cd1da4b73 Remove spurious extern "C" 
This header only contains preprocessor definitions. They are not affected by
extern "C".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-21 16:03:41 +02:00
Valerio Setti
568799fe22 ssl_ciphersuites: fix typo 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-21 07:36:54 +02:00
Dave Rodgman
1fdc884ed8
Merge pull request #7384 from yuhaoth/pr/add-aes-accelerator-only-mode 
AES: Add accelerator only mode
 2023-08-18 20:55:44 +00:00
Gilles Peskine
73936868b8 Merge remote-tracking branch 'development' into psa_crypto_config-in-full 
Conflicts:
* tests/scripts/all.sh: component_test_crypto_full_no_cipher was removed
  in the development branch.
 2023-08-17 19:46:34 +02:00
Waleed Elmelegy
12dd040374 Improve mbedtls_pkcs5_pbes2_ext function signature comments 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-08-17 15:08:03 +01:00
Waleed Elmelegy
5d3f315478 Add new mbedtls_pkcs5_pbe2_ext function 
Add new mbedtls_pkcs5_pbe2_ext function to replace old
function with possible security issues.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-08-17 14:20:58 +01:00
Gilles Peskine
294be94922
Merge pull request #7818 from silabs-Kusumit/PBKDF2_cmac_implementation 
PBKDF2 CMAC implementation
 2023-08-17 11:15:16 +00:00
Jerry Yu
6c6b9f602c Change document to match real status 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-17 16:53:01 +08:00
Dave Rodgman
f4efd19dd0 Reduce code size in ccm 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-16 22:37:32 +01:00
Dave Rodgman
2aaf888e0b Adjust struct layout for small size win 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-16 22:37:31 +01:00
Dave Rodgman
864f594acc Adjust layout of some stucts 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-16 18:04:44 +01:00
Gilles Peskine
d370f93898
Merge pull request #7898 from AndrzejKurek/csr-rfc822-dn 
OPC UA - add support for RFC822 and DirectoryName SubjectAltNames when generating CSR's
 2023-08-16 09:19:46 +00:00
Kusumit Ghoderao
9928ca1875 Code styling 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-08-16 11:48:27 +05:30
Valerio Setti
d1fba7cdf0 pk: return PK_USE_PSA_EC_DATA to pk.h 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-11 08:33:27 +02:00
Manuel Pégourié-Gonnard
26b7c93d9d
Merge pull request #7992 from valeriosetti/issue7755 
driver-only ECC: BN.x509 testing
 2023-08-10 19:41:09 +00:00
Manuel Pégourié-Gonnard
54da1a69a2
Merge pull request #7578 from daverodgman/safer-ct5 
Improve constant-time interface
 2023-08-10 16:57:39 +00:00
Valerio Setti
efe848f430 pk: fix some comments 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-10 15:48:18 +02:00
Valerio Setti
c6aeb0dc1d check_config: remove unnecessary BIGNUM_C requirements 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-10 14:50:03 +02:00
Manuel Pégourié-Gonnard
6beec7ca5e
Merge pull request #7989 from valeriosetti/issue7754 
driver-only ECC: BN.PK testing
 2023-08-10 09:43:56 +00:00
Manuel Pégourié-Gonnard
91c8372c01
Merge pull request #6999 from ivq/ecp_doc 
Doc: Add note on special use of A in ecp group structure
 2023-08-10 08:24:05 +00:00
Jerry Yu
13696bb07b improve check config option for i386 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-10 13:36:32 +08:00
Valerio Setti
0f6d565d26 pk: return PK_USE_PSA_EC_DATA to pk.h 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-10 07:05:47 +02:00
Valerio Setti
7c494e7211 pk: move PK_HAVE_ECC_KEYS to build_info.h 
This is usefuls to use PK_HAVE_ECC_KEYS in check_config.h instead
of redefining it twice in different ways.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-10 07:05:47 +02:00
Manuel Pégourié-Gonnard
7dccb66d49 test: disable RSA support on the test ecc_no_bignum component 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-10 06:43:23 +02:00
Gilles Peskine
935ff2300c More unsigned literal in size macros 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-09 19:48:02 +02:00
Janos Follath
115784bd3f
Merge pull request #1040 from waleed-elmelegy-arm/development-restricted 
Improve & test legacy mbedtls_pkcs5_pbe2
 2023-08-09 09:43:23 +01:00
Chien Wong
aa9a15833e
Fix doc 
Signed-off-by: Chien Wong <m@xv97.com>
 2023-08-09 12:35:47 +08:00
Gilles Peskine
f11cfecb6b
Merge pull request #7998 from gilles-peskine-arm/MBEDTLS_PSA_CRYPTO_CONFIG-less_experimental 
MBEDTLS_PSA_CRYPTO_CONFIG is ready for production
 2023-08-08 09:04:57 +00:00
Gilles Peskine
a79256472c
Merge pull request #7788 from marekjansta/fix-x509-ec-algorithm-identifier 
Fixed x509 certificate generation to conform to RFCs when using ECC key
 2023-08-07 19:14:54 +00:00
Chien Wong
153ae464db
Improve doc on special use of A in ecp group structure 
Signed-off-by: Chien Wong <m@xv97.com>
 2023-08-07 23:02:31 +08:00
Dave Rodgman
c98f8d996a
Merge branch 'development' into safer-ct5 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-07 11:47:35 +01:00
Dave Rodgman
003a5e1ca7
Merge pull request #1046 from Mbed-TLS/merge_3.4.1 
Merge 3.4.1
 2023-08-03 18:23:37 +01:00
Dave Rodgman
a0fc9987da Merge branch 'development' into merge_3.4.1 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-03 15:56:59 +01:00
Waleed Elmelegy
f50767d7ab Improve mbedtls_pkcs5_pbes2 function signature comments 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-08-03 15:42:55 +01:00
Dave Rodgman
6f80ac4979
Merge pull request #7864 from waleed-elmelegy-arm/enforce-min-RSA-key-size 
Enforce minimum key size when generating RSA key size
 2023-08-03 12:57:52 +00:00
Dave Rodgman
9a3ded10b7 Merge remote-tracking branch 'gilles-peskine-arm/3.4.0-updated-certs' into mbedtls-3.4.1rc0-pr 2023-08-03 12:00:31 +01:00
Valerio Setti
c8ccc8f86d tls: add new symbol for generic TLS 1.2 and 1.3 support 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-02 20:00:13 +02:00
David Horstmann
df28b8d2ea Add space to appease doxygen bug 
See doxygen/doxygen#8706

Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2023-08-02 16:06:32 +02:00
Gilles Peskine
550d147078 Bump version to 3.4.1 
```
./scripts/bump_version.sh --version 3.4.1
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-08-02 12:50:23 +02:00
Gilles Peskine
267bee9be8
Merge pull request #7903 from valeriosetti/issue7773 
Define PSA_WANT_xxx_KEY_PAIR_yyy step 2/DH
 2023-08-02 10:16:44 +00:00
Jerry Yu
1414029ff0 improve document about hardware only 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:44:03 +08:00
Jerry Yu
6943681820 Improve error message and documents 
- fix grammar error
- Add more information for AES_USE_HARDWARE_ONLY
- Improve error message

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:44:03 +08:00
Jerry Yu
e77c4d95a7 Mention the crash risk without runtime detection 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:44:02 +08:00
Jerry Yu
3660623e59 Rename plain c option and update comments 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:44:01 +08:00
Jerry Yu
3fcf2b5053 Rename HAS_NO_PLAIN_C to DONT_USE_SOFTWARE_CRYPTO 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:44:00 +08:00
Jerry Yu
1b3ab36b55 Update comments 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:43:59 +08:00
Jerry Yu
315fd30201 Rename plain c disable option 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:43:59 +08:00
Jerry Yu
0d4f4e5b01 Add option to disable built-in aes implementation. 
For time being, there are only two aes implementations for known
architectures. I define runtime detection function as const when
built-in was disabled. In this case, compiler will remove dead
built-in code.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-08-02 17:43:54 +08:00
Bence Szépkúti
895074e3f9
Merge pull request #8002 from valeriosetti/issue7904 
PSA maximum size macro definitions should take support into account
 2023-08-02 05:57:28 +00:00
Valerio Setti
2430a70fcf ssl_ciphersuites: adding new internal helper symbols 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-08-01 19:02:38 +02:00
Dave Rodgman
56e5d6887f
Fix comment typo 
Co-authored-by: Tom Cosgrove <tom.cosgrove@arm.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-08-01 15:04:11 +01:00
Gilles Peskine
d55e451b3e
Merge pull request #7997 from yanesca/fix_new_bignum_tests 
Fix new bignum tests
 2023-08-01 12:09:39 +00:00
Janos Follath
e416f03c8f Improve wording of MBEDTLS_ECP_WITH_MPI_UINT doc 
Use the standard "experimental" word in the description and make the
wording more similar to other experimental warnings.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2023-08-01 08:44:40 +01:00
Manuel Pégourié-Gonnard
de8f56e936
Merge pull request #7884 from valeriosetti/issue7612 
TLS: Clean up (EC)DH dependencies
 2023-08-01 07:13:36 +00:00
Kusumit Ghoderao
baf350c6bd Add PSA_HAVE_SOFT_PBKDF2 to crypto_driver_context_key_derivation 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-31 20:22:33 +05:30
Dave Rodgman
ad9e5b9abe Improve docs for mbedtls_ct_memcmp 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-07-31 12:43:23 +01:00
Dave Rodgman
9ee0e1f6fe Remove GCC redundant-decls workaround for mbedtls_ct_memcmp 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-07-31 12:43:23 +01:00
Janos Follath
2f04582d37 Move MBEDTLS_ECP_WITH_MPI_UINT to mbedtls_config.h 
There is a precedent for having bigger and less mature options in
mbedtls_config.h (MBEDTLS_USE_PSA_CRYPTO) for an extended period.
Having this option in mbedtls_config.h is simpler and more robust.

Signed-off-by: Janos Follath <janos.follath@arm.com>
 2023-07-31 10:57:16 +01:00
Valerio Setti
43c5bf4f88 crypto_sizes: use PSA_WANT_ALG for MAX signatures and key agreement sizes 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-31 11:35:48 +02:00
Valerio Setti
8b27decc6a Revert "crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE" 
This reverts commit 478c236938.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-31 11:35:42 +02:00
Valerio Setti
9cd8011978 tls: fix definition of symbol KEY_EXCHANGE_SOME_XXDH_PSA_ANY 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-28 16:46:55 +02:00
Valerio Setti
478c236938 crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-28 16:05:53 +02:00
Manuel Pégourié-Gonnard
43cef57e51
Merge pull request #7811 from mpg/md-info 
Optimize strings in MD
 2023-07-28 08:34:09 +00:00
Kusumit Ghoderao
c22affd9ec Fix dependencies for pbkdf2 cmac 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-28 13:31:58 +05:30
Valerio Setti
c012a2de7c crypto_sizes: change initial MAX_SIZE value to 1 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-28 09:34:44 +02:00
Valerio Setti
644e01d767 crypto_sizes: fix typo 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-28 09:31:51 +02:00
Valerio Setti
a83d9bf0db crypto_sizes: size PSA max symbols according to actual support 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-27 18:15:20 +02:00
Kusumit Ghoderao
a12e2d53bd Replace AES_CMAC_128_PRF_OUTPUT_SIZE with PSA_MAC_LENGTH() 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-27 21:18:30 +05:30
Kusumit Ghoderao
9ab03c3d72 Define PSA_ALG_IS_PBKDF2 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-27 21:14:05 +05:30
Kusumit Ghoderao
2addf35855 Replace MBEDTLS_PSA_BUILTIN_PBKDF2_XXX with PSA_HAVE_SOFT_PBKDF2 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-27 21:11:09 +05:30
Kusumit Ghoderao
105f772fe8 Add PSA_HAVE_SOFT_PBKDF2 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-27 21:03:06 +05:30
Kusumit Ghoderao
ce38db1c0b Change config_psa.h PBKDF2_CMAC dependencies 
Signed-off-by: Kusumit Ghoderao <Kusumit.Ghoderao@silabs.com>
 2023-07-27 21:01:03 +05:30
Waleed Elmelegy
d7bdbbeb0a Improve naming of mimimum RSA key size generation configurations 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-07-27 14:50:09 +00:00
Dave Rodgman
f2e3eb8bd9 Add OID for HMAC-RIPEMD160 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-07-27 15:46:05 +01:00
Dave Rodgman
5cc67a3ee2 Add OIDs for HMAC-SHA3 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-07-27 14:44:35 +01:00
Dave Rodgman
2d626cc44f Fix missing opening brace in comments 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-07-27 14:43:55 +01:00
Gilles Peskine
25b4e72d6e MBEDTLS_PSA_CRYPTO_CONFIG is ready for production 
It's ok if people use MBEDTLS_PSA_CRYPTO_CONFIG: it's not unstable or
unpredictable. But we still reserve the right to make minor changes
(e.g. https://github.com/Mbed-TLS/mbedtls/issues/7439).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-07-27 15:09:24 +02:00
Waleed Elmelegy
3d158f0c28 Adapt tests to work on all possible minimum RSA key sizes 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-07-27 11:03:35 +00:00
Waleed Elmelegy
ab5707185a Add a minimum rsa key size config to psa config 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-07-27 11:00:03 +00:00
Waleed Elmelegy
76336c3e4d Enforce minimum key size when generating RSA key size 
Add configuration to enforce minimum size when
generating a RSA key, it's default value is 1024
bits since this the minimum secure value currently
but it can be any value greater than or equal 128
bits. Tests were modifed to accommodate for this
change.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-07-27 10:58:25 +00:00
Manuel Pégourié-Gonnard
0fda0d2e5c Fix overly specific description in public doc 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-07-27 12:22:52 +02:00
Valerio Setti
9c5c2a4b71 crypto_legacy: fix initial comment 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-27 11:11:19 +02:00
Gilles Peskine
7ef14bf8a2
Merge pull request #7835 from gilles-peskine-arm/ssl_premaster_secret-empty-3.4 
Fix empty union when TLS is disabled
 2023-07-27 08:28:21 +00:00
Valerio Setti
a55f042636 psa: replace DH_KEY_PAIR_LEGACY with new symbols 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-27 09:15:34 +02:00
Paul Elliott
f1c032adba
Merge pull request #7902 from valeriosetti/issue7772 
Define PSA_WANT_xxx_KEY_PAIR_yyy step 2/RSA
 2023-07-25 17:13:43 +01:00
Valerio Setti
ea59c43499 tls: fix a comment a rename a variable/symbol 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-07-25 11:14:03 +02:00