Finish working out the RSA-PSS example in terms of what it implies about the
interface. The key takeaway is that a mixed-domain module must support
algorithms if they are available through either interface, and that's all
there is to it. The details of how dispatch is done don't matter, what
matters is only the availability, and it's just the disjunction of
availabilities.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add TLS 1.3 specific configuration options
to enable/disable the support for TLS 1.3
key exchange modes.
These configurations are introduced to
move away from the aforementioned
enablement/disablement based on
MBEDTLS_KEY_EXCHANGE_xxx_ENABLED options
that relate to group of TLS 1.2
ciphersuites.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Instead of having a list of test suites of interest, have a list of
suites to ignore and look at all the others.
In order for this to only yield interesting results, we need to tune the
reference configuration a bit, in order to exclude STREAM and ECB to
more closely match the driver-based configuration.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Quite unrelated to the other commits in this branch, but I happened to
spot it, so I fixed it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- Some things that were indicated as in the near future are now done.
- Clarify when these macros are needed and when they're not.
- Prepare to make the header public.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Strategy for dependencies inside libmbecrypto, in particular in the PSA
Crypto core, are outside the scope of the present study.
Note: PR 6065, referenced in a few places, is the one that also
introduces the present commit. It kicks of the work towards G5 in parts
of the code governed by MBEDTLS_USE_PSA_CRYPTO.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- lack of support for PSA_CRYPTO_CONFIG is not really a reason not to
enable MBEDTLS_USE_PSA_CRYPTO by default - while it's true that
currently X.509/TLS do not behave as expected when PSA_CRYPTO_CONFIG and
MBEDTLS_USE_PSA_CRYPTO are both enabled, it's no worse than when
MBEDTLS_USE_PSA_CRYPTO is disabled.
- as a consequence of removing the paragraph mentioned above, the
sub-section about PSA_CRYPTO_CONFIG no longer belongs in the
"compile-time option" section. Also, it's superseded by the study work
that happened in the meantime (of which this PR is part). So let's
remove it, and the new commit will add something more up-to-date
instead.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Not related to the changes in this PR, except in the next commit I'll
update the strategy document for changes in this PR and to outline
likely follow-ups, and while looking at the document I noticed a few
things that needed updated, so here there are in their own commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- misc updates about on-going/recent work
- removal of the section about mixed-PSK: being done in #5762
- clarifications in some places
- some typo fixes
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We hadn't updated the storage specification in a while. There have been no
changes to the storage layout, but the details of the contents of some
fields have changed.
Since this is now a de facto stable format (unchanged between 2.25 and 3.2),
describe it fully, avoiding references to previous versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Also have check_config.h enforce this. And MBEDTLS_SSL_EXPORT_KEYS has been removed,
so no longer mention it.
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
Add a check list with what typically needs to be done when adding a new
algorithm, key type or operation. There are a few explanations but this is
primarily intended as a list of places to look and not as a detailed
explanation of exactly what to do.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Remaining hits seem to be hex data, certificates,
and other miscellaneous exceptions.
List generated by running codespell -w -L
keypair,Keypair,KeyPair,keyPair,ciph,nd
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
The dependencies-xxx.md documents where merely a support for study,
now distilled to strategy.md, psa-limitation.md, and tasks-xx.md
and/or github issues.
The tasks-g1.md document has now been fully converted to a list of
github issues.
These documents would quickly become out-of-date and there's little
point in updating them, so it's better to remove them. They're still in
the github history if anyone wants to have a look.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Replace descriptions with links just to double-check nothing has been
forgotten.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- fix inaccuracy about PSA hash implementation
- add note about context-less operations
- provide summary
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Data gathered with:
for c in server9*.crt; do echo $c; openssl x509 -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
for c in crl-rsa-pss-*; do echo $c; openssl crl -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
for c in server9.req.*; do echo $c; openssl req -noout -text -in $c |
grep '^ Signature Algorithm: rsassaPss' -A3 | sed '1d'; done
Unfortunately there is no record of how these files have been generated.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Work in progress, some tasks have very explicit definitions and details
on how to execute, others much less so; some may need splitting.
These documents are temporary anyway, to give a rough idea of the work
remaining to reach those goals (both of which we started, but only for
some use case so far). Ultimately the result will be actionable and
estimated tasks on github.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Note: removed `mbedtls_x509write_crt_set_subject_key()` from the list of
things that should be tested, as it's taking public key rather than a
keypair.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is an updated version of the study that was done a few years ago.
The script `syms` was used to list symbols form libmbedtls.a /
libmbedx509.a that are defined externally. It was run with config.py
full minus MBEDTLS_USE_PSA_CRYPTO minus
MBEDTLS_SSL_PROTO_TLS1_3_EXPERIMENTAL.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>