Commit graph

8042 commits

Author SHA1 Message Date
Hanno Becker
ee618f7241 Merge branch 'iotssl-2574-pk-opaque-tls' into development-psa-proposed 2018-11-23 10:31:00 +00:00
Hanno Becker
9aa921f336 Merge branch 'iotssl-2580-pk-opaque-psa' into development-psa-proposed 2018-11-23 10:17:36 +00:00
Manuel Pégourié-Gonnard
cfdf8f4d8f Implement key_opaque option to ssl_client2 2018-11-22 14:35:11 +00:00
Manuel Pégourié-Gonnard
ef68be4553 Add option key_opaque to ssl_client2 (skeleton)
This is just the plumbing for the option itself, implementation of the option
will be the next commit.
2018-11-22 14:35:11 +00:00
Manuel Pégourié-Gonnard
23a1ccd23f Fix test that wasn't actually effective
psa_destroy_key() returns success even if the slot is empty.
2018-11-22 12:21:20 +01:00
Hanno Becker
e10f191543 Remove MBEDTLS_PSA_CRYPTO_SPM from config.pl
This configuration option has been removed by now.
2018-11-22 09:43:35 +00:00
Manuel Pégourié-Gonnard
fa9a1ca967 Improve description of a test 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
347a00e07e Add test utility function: wrap_as_opaque()
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
59eecb0e9e Guard against PSA generating invalid signature
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
9a5a77ba7c Use shared function for error translation 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
45013a1d54 Fix a compliance issue in signature encoding
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
509aff111f Improve documentation of an internal function 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d8454bc515 Get rid of large stack buffers in PSA sign wrapper 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
2f2b396b7a Add new macro to detemine ECDSA signature length
Revived from a previous PR by Gilles, see:
https://github.com/ARMmbed/mbedtls/pull/1293/files#diff-568ef321d275f2035b8b26a70ee9af0bR71

This will be useful in eliminating temporary stack buffers for transcoding the
signature: in order to do that in place we need to be able to make assumptions
about the size of the output buffer, which this macro will provide. (See next
commit.)
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
392dc045c9 Improve documentation of mbedtls_pk_setup_opaque() 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
69baf70984 Align names to use "opaque" only everywhere
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
3686771dfa Implement pk_sign() for opaque ECDSA keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d97390e97d Add tests for unsupported operations/functions 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
920c063bad Implement can_do for opaque ECC keypairs
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
0184b3c69b Add support for get_(bit)len on opaque keys 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
01a12c49aa Add key generation to opaque test function
While at it, clarify who's responsible for destroying the underlying key. That
can't be us because some keys cannot be destroyed and we wouldn't know. So
let's leave that up to the caller.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
7b5fe041f1 Implement alloc/free wrappers for pk_opaque_psa 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
eaeb7b23ff Clarify return value of pk_check_pair() 2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
20678b2ae2 Skeleton for PK_OPAQUE_PSA 2018-11-22 09:59:34 +01:00
Hanno Becker
6e02197e24 Refer to PSA through MBEDTLS_USE_PSA_CRYPTO, not USE_PSA, in all.sh 2018-11-21 21:08:43 +00:00
Hanno Becker
4d30776826 Remove double white space 2018-11-21 21:08:43 +00:00
Hanno Becker
186b65ac61 Use MBEDTLS_PSA_UTIL_H instead of MBEDTLS_PSA_COMPAT_H in psa_util.h
This is still an artifact from when psa_util.h was called psa_compat.h.
2018-11-21 21:08:43 +00:00
Hanno Becker
51560b62ed State explicitly that any API depending on PSA is unstable 2018-11-21 21:08:43 +00:00
Hanno Becker
f0cd6191ef Update VisualC files 2018-11-21 21:08:43 +00:00
Hanno Becker
f5f9ea26bb Improve documentation of mbedtls_psa_err_translate_pk() 2018-11-21 21:08:43 +00:00
Hanno Becker
010cf7eced Add AEAD tag length parameter to mbedtls_psa_translate_cipher_mode()
In case of AEAD ciphers, the cipher mode (and not even the entire content
of mbedtls_cipher_info_t) doesn't uniquely determine a psa_algorithm_t
because it doesn't specify the AEAD tag length, which however is included
in psa_algorithm_t identifiers.

This commit adds a tag length value to mbedtls_psa_translate_cipher_mode()
to account for that ambiguity.
2018-11-21 21:08:43 +00:00
Hanno Becker
000334f398 Add function to translate PSA errors to PK module errors 2018-11-21 21:08:43 +00:00
Hanno Becker
afebf5a153 Fix Doxygen annotation in psa_util.h 2018-11-21 21:08:43 +00:00
Hanno Becker
5a9942e7d2 Initialize PSA Crypto implementation in ssl_server2 2018-11-21 21:08:43 +00:00
Hanno Becker
b2b468ba45 Initialize PSA Crypto implementation in ssl_client2.c 2018-11-21 21:08:43 +00:00
Hanno Becker
1cfc5ddb11 Initialize PSA Crypto implementation at the start of each test suite 2018-11-21 21:08:43 +00:00
Hanno Becker
b26c1938d2 Make PSA utility functions static inline
Compilers warn about unused static functions.
2018-11-21 21:08:43 +00:00
Hanno Becker
5525126ed8 Add PSA-to-Mbed TLS translations for cipher module 2018-11-21 21:08:43 +00:00
Hanno Becker
87837b2ec6 Add internal header for PSA utility functions
This commit adds the header file mbedtls/psa_util.h which contains
static utility functions `mbedtls_psa_xxx()` used in the integration
of PSA Crypto into Mbed TLS.

Warning: These functions are internal only and may change at any time.
2018-11-21 21:08:42 +00:00
Manuel Pégourié-Gonnard
655c0a8d76 Add build using PSA to all.sh 2018-11-21 21:08:40 +00:00
Manuel Pégourié-Gonnard
aeefa49edd Add config option for X.509/TLS to use PSA 2018-11-21 21:03:14 +00:00
Simon Butcher
55517ae95f Merge remote-tracking branch 'public/pr/2146' into development-proposed 2018-11-21 16:27:47 +00:00
Gilles Peskine
bc554f66ef Document Mbed Crypto and the PSA API
Briefly explain that this is experimental, and document how to try it out.
2018-11-21 12:54:57 +00:00
Jaeden Amero
3f6470a517 psa: Add ChangeLog entry for adding Mbed Crypto 2018-11-21 12:54:57 +00:00
Jaeden Amero
acaabe796e crypto: Test without crypto as a submodule
Add a test to ensure that when the crypto submodule is not used, the crypto
library is not created and that libmbedcrypto.a does not contain symbols
from files contained within the crypto submodule.
2018-11-21 12:54:57 +00:00
Jaeden Amero
ed93bdc8aa crypto: Test with crypto as a submodule
- Check that libmbedcrypto was not built at the top level.
- Check that we've built libmbedcrypto with the correct files. Build
  libmbedcrypto with debug symbols and verify that files used are from the
  crypto submodule.
- Check that config.h is handled properly. Enable a feature at the top
  level that the crypto library submodule has disabled in its config.h, and
  check that the library symboles indicate that the feature is present in
  libmbedcrypto.
- Ensure basic functionality of the resulting build with a run of
  `make test` and `ssl-opt.sh`.
2018-11-21 12:54:57 +00:00
Jaeden Amero
ffeb1b8ab6 abi_check: Update submodules
When grabbing a fresh copy of a branch, it's required to also fetch the
submodule. Add fetching the submodule to abi_check.py.
2018-11-21 12:54:57 +00:00
Jaeden Amero
7acb0cf01e abi_check: Allow checking current checkout
Without a "--detach" option, git worktree will refuse to checkout a branch
that's already checked out. This makes the abi_check.py script not very
useful for checking the currently checked out branch, as git will error
that the branch is already checked out. Add the "--detach" option to check
out the new temporary worktree in detached head mode. This is acceptable
because we aren't planning on working on the branch and just want a
checkout to do ABI checking from.
2018-11-21 12:54:57 +00:00
Jaeden Amero
484ee33c35 psa: Add PSA Crypto configuration
Add an option that can enable the exposure of PSA Crypto APIs from
libmbedcrypto.
2018-11-21 12:54:57 +00:00
Jaeden Amero
30b340a760 crypto: Add mbedtls-psa as a submodule
mbedtls-psa contains an implementation of libmbedcrypto, including the PSA
Crypto API.
2018-11-21 12:54:57 +00:00