Commit graph

531 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
f88b1b5375 Introduce MBEDTLS_OR_PSA_WANT_xxx helper macros
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-15 12:08:14 +02:00
Manuel Pégourié-Gonnard
af8cf5c04e Add a partial plan towards G5
Strategy for dependencies inside libmbecrypto, in particular in the PSA
Crypto core, are outside the scope of the present study.

Note: PR 6065, referenced in a few places, is the one that also
introduces the present commit. It kicks of the work towards G5 in parts
of the code governed by MBEDTLS_USE_PSA_CRYPTO.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
c0d78e9e69 Remove outdated paragraphs about G5
- lack of support for PSA_CRYPTO_CONFIG is not really a reason not to
enable MBEDTLS_USE_PSA_CRYPTO by default - while it's true that
currently X.509/TLS do not behave as expected when PSA_CRYPTO_CONFIG and
MBEDTLS_USE_PSA_CRYPTO are both enabled, it's no worse than when
MBEDTLS_USE_PSA_CRYPTO is disabled.
- as a consequence of removing the paragraph mentioned above, the
sub-section about PSA_CRYPTO_CONFIG no longer belongs in the
"compile-time option" section. Also, it's superseded by the study work
that happened in the meantime (of which this PR is part). So let's
remove it, and the new commit will add something more up-to-date
instead.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
481846c82f General update of PSA strategy documentation
Not related to the changes in this PR, except in the next commit I'll
update the strategy document for changes in this PR and to outline
likely follow-ups, and while looking at the document I noticed a few
things that needed updated, so here there are in their own commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
b5b27c1114 Misc clean-ups in docs/use-psa-crypto.md
Note: limitations of opaque PSKs changed from "TLS 1.2 only" to "none"
since TLS 1.3 does not support PSK at all so far, and it is expected to
support opaque PSKs as soon as it gains PSK support, it will be just a
matter of selecting between psa_key_derivation_input_bytes() and
psa_key_derivation_input_key() - and testing obviously.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:44:37 +02:00
Manuel Pégourié-Gonnard
0dba51cfad Fix list of what's common to TLS 1.2 and 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:44:37 +02:00
Manuel Pégourié-Gonnard
9bf9b9e269 Link to restartable ECC EPIC
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:44:37 +02:00
Manuel Pégourié-Gonnard
f3f79a00fc Now compatible with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
Also make a few general clarifications/improvements while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:44:37 +02:00
Manuel Pégourié-Gonnard
3e83098e01 Clarify the TLS 1.3 situation
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:44:32 +02:00
Manuel Pégourié-Gonnard
103b9929d1 Remove HKDF-Extract/Expand
Being resolved in https://github.com/Mbed-TLS/mbedtls/issues/5784

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
b2bd34ecdc Update docs/use-psa-crypto.md
The scope of the option has been expanded, now it makes more sense to
describe it as "everything except ...".

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
ff43ff6e78 Remove stability waiver from USE_PSA
It was initially motivated by the fact that the PSA Crypto APIs
themselves were not stable. In the meantime, PSA Crypto has reached
1.0.0 so this no longer applies.

If we want user to be able to fully benefit from PSA in order to
isolate long-term secrets, they need to be able to use the new APIs with
confidence. There is no reason to think those APIs are any more likely
to change than any of our other APIs, and if they do, we'll follow the
normal process (deprecated in favour of a new variant).

For reference, the APIs in question are:

mbedtls_pk_setup_opaque() // to use PSA-held ECDSA/RSA keys in TLS

mbedtls_ssl_conf_psk_opaque()   // for PSA-held PSKs in TLS
mbedtls_ssl_set_hs_psk_opaque() // for PSA-held PSKs in TLS

mbedtls_cipher_setup_psa() (deprecated in 3.2)
mbedtls_pk_wrap_as_opaque() (documented internal, to be removed in 3.2)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
97ec0b7bfa Clarify effect of USE_PSA on TLS 1.3
The previous wording was wrong, there are parts that are affected.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
2a47d23927 Update strategy.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
83c538869e Update psa-limitations
- misc updates about on-going/recent work
- removal of the section about mixed-PSK: being done in #5762
- clarifications in some places
- some typo fixes

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
b8a6c2320e Update testing.md
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
2ffb93a83b Rm tasks-g2.md
That document was always temporary (said so at the top). Now superseded
by https://github.com/orgs/Mbed-TLS/projects/1#column-18338322

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-04 12:38:43 +02:00
Paul Elliott
7c6b0e4464
Merge pull request #5972 from wernerlewis/migration_guide_removals
Add guidance for deprecated functions and macros to migration guide
2022-07-01 17:40:21 +01:00
Ronald Cron
3cb707dc6d Fix and improve logs and documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-07-01 14:36:52 +02:00
Ronald Cron
2ba0d23c65 Update TLS 1.3 support documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-07-01 11:25:49 +02:00
Manuel Pégourié-Gonnard
11ccb35987
Merge pull request #5994 from gilles-peskine-arm/storage-format-doc-2.25-development
Update storage format specification for Mbed TLS 2.25.0+
2022-07-01 09:25:35 +02:00
Gilles Peskine
0b7ee23fe0 Historical update: the layout on stdio changed in Mbed Crypto 1.1.0
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 12:16:50 +02:00
Gilles Peskine
38989612d6 Typos
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 12:16:32 +02:00
Gilles Peskine
219a34839c Repeat the seed file documentation in 2.25.0
This way the 2.25.0 section is now fully self-contained.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 12:15:53 +02:00
Gilles Peskine
3d65a19ee3 Fix wrong type in C snippet
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 12:15:35 +02:00
Tom Cosgrove
d7adb3c7d9 Add comments about MBEDTLS_PSA_CRYPTO_C also being required by MBEDTLS_SSL_PROTO_TLS1_3
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-06-30 09:48:40 +01:00
Gilles Peskine
25e39f24b9 Add section for Mbed TLS 2.25.0+
We hadn't updated the storage specification in a while. There have been no
changes to the storage layout, but the details of the contents of some
fields have changed.

Since this is now a de facto stable format (unchanged between 2.25 and 3.2),
describe it fully, avoiding references to previous versions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-30 09:16:53 +02:00
Tom Cosgrove
afb2fe1acf Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3
Also have check_config.h enforce this. And MBEDTLS_SSL_EXPORT_KEYS has been removed,
so no longer mention it.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-06-29 16:36:12 +01:00
Werner Lewis
05d5f81c20 Fix spelling and formatting consistency
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-29 09:19:29 +01:00
Ronald Cron
6b14c69277 Improve documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
139d0aa9d3 Fix typo in documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
44b23b10e1 tls13: Document TLS 1.3 handshake implementation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Werner Lewis
4abd7c2545 Minor phrasing changes
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:42:34 +01:00
Werner Lewis
129d6adc0e Use mbedtls-2.28 branch for documentation link
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:42:34 +01:00
Werner Lewis
4b8aaa4e60 Add clarification on 2.x branch choice
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:41:54 +01:00
Werner Lewis
f5b86f3b16 Add clarification for 2.x section
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:20:01 +01:00
Werner Lewis
f8a478795c Add guidance for generating deprecated list
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-24 11:10:48 +01:00
Werner Lewis
016cec17e8 Add deprecated macros to migration guide
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-23 16:55:52 +01:00
Werner Lewis
745fcde406 Add reference to 2.x docs to migration guide
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-23 16:51:45 +01:00
bootstrap-prime
6dbbf44d78
Fix typos in documentation and constants with typo finding tool
Signed-off-by: bootstrap-prime <bootstrap.prime@gmail.com>
2022-05-18 14:15:33 -04:00
Dave Rodgman
65a141a7b0 Fix minor grammatical error
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:54 +01:00
Andrzej Kurek
5c65c5781f Fix additional misspellings found by codespell
Remaining hits seem to be hex data, certificates,
and other miscellaneous exceptions.
List generated by running codespell -w -L 
keypair,Keypair,KeyPair,keyPair,ciph,nd

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-05-11 21:25:54 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Dave Rodgman
017a19997a Update references to old Github organisation
Replace references to ARMmbed organisation with the new
org, Mbed-TLS, following project migration.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-03-31 14:43:16 +01:00
Ronald Cron
8f6d39a81d Make some handshake TLS 1.3 utility routines available for TLS 1.2
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 14:42:17 +02:00
Gilles Peskine
fdfc10b250
Merge pull request #4408 from gilles-peskine-arm/storage-format-check-mononicity
Check storage format tests for regressions
2022-03-07 17:02:34 +01:00
Gilles Peskine
e356f075f5
Merge pull request #5512 from gilles-peskine-arm/psa-driver-interface-tweaks-202201
PSA driver description spec: minor tweaks to the JSON format
2022-03-01 20:46:14 +01:00
Gilles Peskine
790f7428d2 Storage format test regressions are now checked mechanically
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-22 19:16:42 +01:00
Jerry Yu
bd19287a8e fix docs issue
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00
Jerry Yu
adb1869f8d fix document about tls13
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00