yuzu-mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/yuzu-mirror/mbedtls.git synced 2025-12-06 07:12:32 +01:00
Code Issues Actions Packages Projects Releases Wiki Activity
29777 commits 89 branches 205 tags 114 MiB
Commit graph

6791 commits

Author SHA1 Message Date
Gilles Peskine 091a85a762 Promise mbedtls_ecp_read_key doesn't overwrite the public key 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-22 21:30:03 +01:00
Gilles Peskine ba5b5d67aa Support partial export from mbedtls_ecp_keypair 
Sometimes you don't need to have all the parts of a key pair object. Relax
the behavior of mbedtls_ecp_keypair so that you can extract just the parts
that you need.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-22 21:30:03 +01:00
Gilles Peskine e6886102ef New function mbedtls_ecp_keypair_get_group_id 
Add a simple function to get the group id from a key object.

This information is available via mbedtls_ecp_export, but that function
consumes a lot of memory, which is a waste if all you need is to identify
the curve.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-22 21:30:03 +01:00
Valerio Setti 6d3a68162c check_config: remove CIPHER_C requirement for PKCS[5/12] 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-21 16:40:03 +01:00
Valerio Setti a69e872001 pkcs[5/12]: add CIPHER_C for [en/de]crypting functions 
This commit also updates corresponding test suites.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-21 16:39:04 +01:00
Waleed Elmelegy 049cd302ed Refactor record size limit extension handling 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-12-20 17:28:31 +00:00
Tomi Fontanilles 851d8df58d fix/work around dependency issues when !MBEDTLS_ECP_C 
Signed-off-by: Tomi Fontanilles <tomi.fontanilles@nordicsemi.no>
 2023-12-20 13:09:27 +02:00
Tomi Fontanilles bad170e159 pk: remove last references to MBEDTLS_PSA_CRYPTO_C 
They are replaced by MBEDTLS_USE_PSA_CRYPTO.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
 2023-12-20 12:59:57 +02:00
Tomi Fontanilles 8174662b64 pk: implement non-PSA mbedtls_pk_sign_ext() 
This makes the function always available with its
its implementation depending on MBEDTLS_USE_PSA_CRYPTO.

Related dependencies and tests are updated as well.

Fixes #7583.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
 2023-12-20 12:59:57 +02:00
Tomi Fontanilles a70b3c24f6 rsa: minor comment/guard improvements 
This brings some improvements to comments/
function prototypes that relate to PKCS#1.

Signed-off-by: Tomi Fontanilles <129057597+tomi-font@users.noreply.github.com>
 2023-12-20 12:59:57 +02:00
Valerio Setti 689c0f71cb tests: use new CCM/GCM capability macros in tests 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-20 09:54:18 +01:00
Valerio Setti bfa675fe48 adjust_legacy_crypto: add macros for CCM/GCM capabilities with key types 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-20 09:52:08 +01:00
Gilles Peskine 1a9e05bf08 Note that domain parameters are not supported with drivers 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-19 12:23:22 +01:00
Gilles Peskine 5ad9539363 Remove DSA and DH domain parameters from the documentation 
Mbed TLS doesn't support DSA at all, and doesn't support domain parameters
for FFDH (only predefined groups).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-19 12:22:46 +01:00
Gilles Peskine 9deb54900e Document the domain_parameters_size==SIZE_MAX hack 
It was introduced in https://github.com/Mbed-TLS/mbedtls/pull/8616 but not
documented.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-12-18 21:01:18 +01:00
Bence Szépkúti a085fa8ccf
Merge pull request #8627 from tom-cosgrove-arm/ip_len 
Avoid use of `ip_len` as it clashes with a macro in AIX system headers
 2023-12-18 02:03:17 +00:00
Valerio Setti 4ff405cf80 block_cipher: remove psa_key_type from mbedtls_block_cipher_context_t 
This information was redundant with the already existing mbedtls_block_cipher_id_t.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-15 16:10:52 +01:00
Valerio Setti bd7528a592 ccm/gcm: use BLOCK_CIPHER whenever possible 
Prefer BLOCK_CIPHER instead of CIPHER_C whenever it's enabled.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 4a5d57d225 adjust_legacy_crypto: enable BLOCK_CIPHER also when a driver is available 
As a consequence BLOCK_CIPHER will be enabled when:
- CIPHER_C is not defined
- a proper driver is present for one of AES, ARIA and/or Camellia key types

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 2684e3f2e3 config_adjust_legacy_crypto: fix typo 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 291571b447 block_cipher: add MBEDTLS_PRIVATE to new PSA fields in mbedtls_block_cipher_context_t 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 849a1abfdd block_cipher: remove useless use of psa_cipher_operation_t 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 4bc7fac99a crypto_builtin_composites: add missing guards for includes 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti c0f9bbca2c check_config: use new helpers for legacy GCM_C/CCM_C 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti 8bba087fe1 adjust_legacy_crypto: add helpers for block ciphers capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Valerio Setti c1db99d3f5 block_cipher: add PSA dispatch if possible 
"if possible" means:
- PSA has been initialized
- requested key type is available in PSA

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-14 18:08:14 +01:00
Joakim Andersson b349108b99 library: Move mbedtls_ecc helper functions to psa_util 
Move the mbedtls_ecc helper functions from psa_core to psa_util.
These files are not implemented as part of the PSA API and should not
be part of the PSA crypto implementation.

Signed-off-by: Joakim Andersson <joakim.andersson@nordicsemi.no>
 2023-12-14 13:55:11 +01:00
Tom Cosgrove 656d4b3c74 Avoid use of ip_len as it clashes with a macro in AIX system headers 
Fixes #8624

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-12-08 21:51:15 +00:00
Gilles Peskine 57e401b39f
Merge pull request #8521 from valeriosetti/issue8441 
[G4] Make CTR-DRBG fall back on PSA when AES not built in
 2023-12-06 18:25:44 +00:00
Waleed Elmelegy 9aec1c71f2 Add record size checking during handshake 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-12-06 15:18:15 +00:00
Jan Bruckner f482dcc6c7 Comply with the received Record Size Limit extension 
Fixes #7010

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
 2023-12-06 15:18:08 +00:00
Ronald Cron 40f3f1c36f
Merge pull request #7058 from yuhaoth/pr/tls13-early-data-parsing-0-rtt-data 
TLS 1.3 EarlyData SRV: Parsing 0-RTT data
 2023-12-06 06:47:32 +00:00
Valerio Setti 83e0de8481 crypto_extra: revert changes to mbedtls_psa_random_free() 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-04 11:04:42 +01:00
Valerio Setti 7ab90723c4 mbedtls_config: update descriptions of MBEDTLS_CTR_DRBG_C and MBEDTLS_PSA_CRYPTO_C 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-04 11:04:42 +01:00
Valerio Setti 402cfba4dc psa: free RNG implementation before checking for remaining open key slots 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-04 11:04:41 +01:00
Valerio Setti 5f4b28defc ctr_drbg: add alternative PSA implementation when AES_C is not defined 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-04 11:04:41 +01:00
Valerio Setti fbefe04bf3 check_config: fix requirements for CTR_DRBG 
The module now depends on either:
- AES_C, which is the default and the preferred solution for
  backward compatibility
- CRYPTO_C + KEY_TYPE_AES + ALG_ECB_NO_PADDINTG, which is the
  new solution when AES_C is not defined

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-04 11:04:41 +01:00
Manuel Pégourié-Gonnard 3d12d65946
Merge pull request #8590 from valeriosetti/fix-pkcs5-pkcs12 
pkcs[5/12]: use cipher enums for encrypt and decrypt
 2023-12-04 10:03:02 +00:00
Valerio Setti 4577bda6d5 pkcs[5|12]: use cipher enums for encrypt and decrypt 
Instead of re-defining MBEDTLS_PKCS5_[EN/DE]CRYPT and
MBEDTLS_PKCS12_PBE_[EN/DE]CRYPT from scratch, since these values
are to be used with the mbedtls_cipher_setkey() function, ensure
that their value matches with enums in cipher.h.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-12-01 16:51:24 +01:00
Jerry Yu e32fac3d23 remove wait_flight2 state 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-12-01 16:25:16 +08:00
Dave Rodgman 59059ec503 Merge remote-tracking branch 'origin/development' into msft-aarch64 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-30 09:34:41 +00:00
Janos Follath c6f1637f8c
Merge pull request #8534 from paul-elliott-arm/fix_mutex_abstraction 
Make mutex abstraction and tests thread safe
 2023-11-29 13:26:23 +00:00
Manuel Pégourié-Gonnard 6b5cedf51f
Merge pull request #8547 from valeriosetti/issue8483 
[G2] Make PSA-AEAD work with cipher-light
 2023-11-29 08:53:42 +00:00
Valerio Setti 919e3fa729 check_config: fix guards for PSA builtin implementation of cipher/AEAD 
While the PSA builtin implementation of cipher still depends on
CIPHER_C, the same is no more true for AEADs. When CIPHER_C is not
defined, BLOCK_CIPHER_C is used instead, thus making it possible
to support AEADs without CIPHER_C.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-28 11:45:38 +01:00
Valerio Setti b1cf8aeda4 adjust_psa_from_legacy: add required CIPHER_C dependencies 
Some PSA_WANT symbols do not have a 1:1 matching with legacy ones.
For example, previous to this commit:

- CCM_C enabled both PSA_WANT_ALG_CCM and PSA_WANT_ALG_CCM_STAR_NO_TAG
  even thought the two are not equivalent (authenticated VS
  non-authenticated).
- there was no legacy equivalent for ECB_NO_PADDING

What it is common to both PSA_WANT_ALG_CCM_STAR_NO_TAG and
PSA_WANT_ALG_ECB_NO_PADDING is the fact that the builtin implementation
depends on CIPHER_C. Therefore this commits adds this guards to
select whether or not to enable the above mentioned PSA_WANT symbols.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-28 11:45:38 +01:00
Manuel Pégourié-Gonnard 11c3fd1f73
Merge pull request #8568 from yanrayw/issue/8356/block_cipher_no_decrypt_cleanup 
Driver-only: G1: clean up for BLOCK_CIPHER_NO_DECRYPT
 2023-11-28 08:49:48 +00:00
Manuel Pégourié-Gonnard 294f5d7ea9
Merge pull request #8540 from valeriosetti/issue8060 
[G2] Make CCM and GCM work with the new block_cipher module
 2023-11-28 08:18:45 +00:00
Dave Rodgman 9fbac381e6
Merge pull request #8326 from daverodgman/aesce-thumb2 
Support hw-accelerated AES on Thumb and Arm
 2023-11-27 09:58:58 +00:00
Yanray Wang 16b00f9522 mbedtls_config: improve documentation for BLOCK_CIPHER_NO_DECRYPT 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-27 15:52:28 +08:00
Yanray Wang 690ee81533 Merge remote-tracking branch 'origin/development' into support_cipher_encrypt_only 2023-11-23 10:31:26 +08:00
Dave Rodgman 2e342f6938
Merge pull request #8546 from BrianX7c/development 
[cipher.h]  Arithmetic overflow in binary left shift operation
 2023-11-22 19:36:25 +00:00
Jerry Yu 7d8c3fe12c Add wait flight2 state. 
The state is come from RFC8446 section A.2

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-22 16:48:39 +08:00
Yanray Wang 55933a3e9c tls13: fix a wrong RFC reference section 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-22 16:34:16 +08:00
Manuel Pégourié-Gonnard d4dc354185
Merge pull request #8541 from yanrayw/issue/ssl-fix-missing-guard 
ssl_tls: add missing macro guard
 2023-11-21 14:57:47 +00:00
Jerry Yu 04fceb782b Add freshness check information into document 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:59:24 +08:00
Jerry Yu cf9135100e fix various issues 
- fix CI failure due to wrong usage of ticket_lifetime
- Improve document and comments

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:19 +08:00
Jerry Yu 342a555eef rename ticket received 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:19 +08:00
Jerry Yu 25ba4d40ef rename ticket_creation to ticket_creation_time 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:19 +08:00
Jerry Yu 034a8b77d1 Update document of ticket age tolerance 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:19 +08:00
Jerry Yu 8cf44953b2 guards ticket creation field 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:18 +08:00
Jerry Yu 702fc590ed Add ticket_creation field 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:18 +08:00
Jerry Yu 03511b00aa Replace c99 fmt macro 
For c99 compatible compilers, we use PRI64d
and others use official fix.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:18 +08:00
Jerry Yu cebffc3446 change time unit of ticket to milliseconds 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-21 09:58:18 +08:00
Gilles Peskine 473ff34d59
Merge pull request #8489 from valeriosetti/issue8482 
Make CCM* and CCM independent
 2023-11-20 14:07:14 +00:00
Ronald Cron 97137f91b6
Merge pull request #7071 from yuhaoth/pr/tls13-ticket-add-max_early_data_size-field 
TLS 1.3 EarlyData: add `max_early_data_size` field for ticket
 2023-11-20 08:04:57 +00:00
BrianX7c 5c7ab6fe86
[cipher.h] Arithmetic overflow in binary left shift operation (MBEDTLS_KEY_BITLEN_SHIFT) 
Fixing arithmetic overflow warning (C6297), if compiled in Visual Studio

Signed-off-by: BrianX7c <151365853+BrianX7c@users.noreply.github.com>
 2023-11-18 11:07:37 +01:00
Paul Elliott 9e25936241 Rename mutex->is_valid to mutex->state 
Rename struct member to make it more representative of its current use.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-11-16 15:14:16 +00:00
Paul Elliott 3774637518 Make threading helpers tests thread safe 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-11-16 15:13:49 +00:00
Paul Elliott 5fa986c8cb Move handling of mutex->is_valid into threading_helpers.c 
This is now a field only used for testing.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2023-11-16 15:13:05 +00:00
Valerio Setti 9b7a8b2a0c ccm/gcm: reaplace CIPHER_C functions with BLOCK_CIPHER_C ones 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-16 11:48:00 +01:00
Valerio Setti 8db46e4ee1 check_config: remove dependency check of CCM_C/GCM_C on CIPHER_C 
CCM_C/GCM_C can now work with either (in order of preference) CIPHER_C
or BLOCK_CIPHER_C and the latter is auto-enabled in case the former
is not enabled. As a consequence there is no need to enforce the
dependency on CIPHER_C.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-16 10:58:27 +01:00
Valerio Setti dbfd6a9f62 adjust_legacy_crypto: auto-enable BLOCK_CIPHER_C when CIPHER_C is not defined 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-16 10:56:00 +01:00
Yanray Wang 4ed8691f6d ssl: move MBEDTLS_SSL_HAVE_XXX to config_adjust_legacy_crypto.h 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-16 15:20:57 +08:00
Manuel Pégourié-Gonnard dc848955d6
Merge pull request #8519 from mpg/block-cipher 
[G2] Add internal module block_cipher
 2023-11-15 11:53:22 +00:00
Manuel Pégourié-Gonnard 9e80a91f27
Merge pull request #8164 from yanrayw/adjust_tfm_configs 
Adjust how we handle TF-M config files
 2023-11-15 08:21:27 +00:00
Valerio Setti a56eb46ce6 adjust_legacy_from_psa: fix comment 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-15 09:18:14 +01:00
Valerio Setti c2d68f5611 adjust_legacy_from_psa: treat CCM and CCM* separately 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-15 09:16:37 +01:00
Valerio Setti cab5eff98c adjust_config_synonyms: make CCM and CCM* indipendent 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-15 09:16:37 +01:00
Jerry Yu fedaeb21b3 improve document 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-15 13:59:07 +08:00
Jerry Yu 6c485dad44 improve document 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-15 10:18:47 +08:00
Manuel Pégourié-Gonnard 752dd39a69
Merge pull request #8508 from valeriosetti/issue6323 
[G3] Driver-only cipher+aead: TLS: ssl-opt.sh
 2023-11-14 11:39:06 +00:00
Jerry Yu 1b23bce4a2 improve brief description of conf_sig_algs 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-13 13:45:14 +08:00
Tom Cosgrove 08ea9bfa1f
Merge pull request #8487 from yanrayw/issue/6909/rename_tls13_conf_early_data 
TLS 1.3: Rename early_data and max_early_data_size configuration function
 2023-11-10 19:35:46 +00:00
Manuel Pégourié-Gonnard 5f3361c0c6 Temporary hack to pacify check_names.py 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-11-10 12:24:11 +01:00
Manuel Pégourié-Gonnard 21718769d1 Start adding internal module block_cipher.c 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-11-10 11:21:17 +01:00
Valerio Setti 01c4fa3e88 ssl: move MBEDTLS_SSL_HAVE internal symbols to ssl.h 
This is useful to properly define MBEDTLS_PSK_MAX_LEN when
it is not defined explicitly in mbedtls_config.h

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-11-10 08:12:07 +01:00
Yanray Wang 111159b89c BLOCK_CIPHER_NO_DECRYPT: call encrypt direction unconditionally 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-10 15:03:23 +08:00
Matthias Schulz 5a39c4ecf2 Fixes https://github.com/Mbed-TLS/mbedtls/issues/6910 as proposed in https://github.com/Mbed-TLS/mbedtls/issues/6910#issuecomment-1573301661 
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
 2023-11-09 15:53:01 +01:00
Jerry Yu 53c4a0da07 Improve documents 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-11-09 10:38:17 +08:00
Gilles Peskine 4dec9ebdc2
Merge pull request #8378 from mschulz-at-hilscher/fixes/issue-8377 
Fixes "CSR parsing with critical fields fails"
 2023-11-08 18:07:04 +00:00
Dave Rodgman 9eb2abd1e0 Add docs re Everest license 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-08 11:40:17 +00:00
Dave Rodgman 28d40930ae Restore bump version 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-08 11:40:08 +00:00
Dave Rodgman edb8fec988 Add docs re Everest license 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-08 11:36:00 +00:00
Yanray Wang d137da5a93 check_config: make error message in BLOCK_CIPHER_NO_DECRYPT clearer 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-08 19:17:44 +08:00
Yanray Wang 30769696e7 Merge remote-tracking branch 'origin/development' into adjust_tfm_configs 2023-11-08 10:00:24 +08:00
Matthias Schulz c55b500343 Changed notes in x509_csr.h to better describe the behavior of mbedtls_x509_csr_parse_der and mbedtls_x509_csr_parse_der_with_ext_cb. 
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
 2023-11-07 16:47:37 +01:00
Yanray Wang 0751761b49 max_early_data_size: rename configuration function 
Rename mbedtls_ssl_tls13_conf_max_early_data_size as
mbedtls_ssl_conf_max_early_data_size since in the future
this may not be specific to TLS 1.3.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-07 11:49:34 +08:00
Yanray Wang d5ed36ff24 early data: rename configuration function 
Rename mbedtls_ssl_tls13_conf_early_data as
mbedtls_ssl_conf_early_data since in the future this may not be
specific to TLS 1.3.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-07 11:49:24 +08:00
Yanray Wang 0d76b6ef76 Return an error if asking for decrypt under BLOCK_CIPHER_NO_DECRYPT 
If MBEDTLS_BLOCK_CIPHER_NO_DECRYPT is enabled, but decryption is
still requested in some incompatible modes, we return an error of
FEATURE_UNAVAILABLE as additional indication.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-06 10:02:10 +08:00
Yanray Wang 956aa00202 check_config: add checks for MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with PSA 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-06 10:02:10 +08:00
Gilles Peskine 8b6b41f6cd
Merge pull request #8434 from valeriosetti/issue8407 
[G2] Make TLS work without Cipher
 2023-11-04 15:05:00 +00:00
Dave Rodgman bb5a18344a Bump version 
./scripts/bump_version.sh --version 3.5.1 --so-crypto 15 --so-x509 6 --so-tls 20

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-03 12:31:30 +00:00
Dave Rodgman e3c05853d6 Header updates 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-03 12:21:36 +00:00
Dave Rodgman 16799db69a update headers 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-11-02 19:47:20 +00:00
Yanray Wang b799eea123 check_config: add checks for MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-02 12:38:01 +08:00
Yanray Wang e367e47be0 mbedtls_config: add new config option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 
With the introduction of negative option
MBEDTLS_BLOCK_CIPHER_NO_DECRYPT, we don't need to implicitly enable
it through PSA.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-11-02 12:36:41 +08:00
Dave Rodgman b351d60e99 Merge remote-tracking branch 'origin/development' into msft-aarch64 2023-11-01 13:20:53 +00:00
Yanray Wang b67b47425e Rename MBEDTLS_CIPHER_ENCRYPT_ONLY as MBEDTLS_BLOCK_CIPHER_NO_DECRYPT 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-10-31 17:22:06 +08:00
Yanray Wang 5779096753 Merge remote-tracking branch 'origin/development' into adjust_tfm_configs 2023-10-31 13:39:07 +08:00
Valerio Setti d531dab4f6 check_config: let SSL_TLS depend on either CIPHER_C or USE_PSA_CRYPTO 
TLS code already implements proper dispatching to either
builtin or PSA implementations based on USE_PSA guards, so we can
improve the check_config guards to reflect this.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-30 11:36:32 +01:00
Jerry Yu 2c46ca3474 fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-30 17:32:20 +08:00
Jerry Yu 83536c23f3 Add translation ruler into document 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-30 16:18:21 +08:00
Jerry Yu 01c7356944 Add deprecated flag in document for sig_hashes 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-27 17:03:20 +08:00
Valerio Setti c5d9dd262b adjust_psa_from_legacy: enable ALG_STREAM_CIPHER on when CIPHER_C is defined 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-27 09:12:06 +02:00
Valerio Setti c1d50b6314 check_config: fix dependency of PSA_CRYPTO_C on CIPHER_C 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-27 09:12:06 +02:00
Ronald Cron 95b735530c
Merge pull request #6719 from yuhaoth/pr/tls13-early-data-add-early-data-of-client-hello 
TLS 1.3: EarlyData SRV: Add early data extension parser.
 2023-10-26 08:31:53 +00:00
Dave Rodgman 6e51abf11d Merge remote-tracking branch 'origin/development' into msft-aarch64 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-25 15:17:11 +01:00
Dave Rodgman 48b965d941 Update clang version requirements 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-25 09:06:24 +01:00
Dave Rodgman 4b8e8dc043 Improve compiler version checking + docs + testing for armclang 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-25 09:06:24 +01:00
Dave Rodgman 18838f6c1a Fix docs for MBEDTLS_AESCE_C 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-25 09:06:24 +01:00
Dave Rodgman d69d3cda34
Merge pull request #8298 from daverodgman/sha-armce-thumb2 
Support SHA256 acceleration on Armv8 thumb2 and arm
 2023-10-24 21:23:15 +00:00
Dave Rodgman 514590210b Merge remote-tracking branch 'origin/development' into sha-armce-thumb2 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-23 15:35:07 +01:00
Valerio Setti bd24d95c27 legacy_from_psa: fix support for PSA_ACCEL_ALG_[STREAM_CIPHER/ECB_NO_PADDING] 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-23 15:01:52 +02:00
Matthias Schulz edc32eaf1a Uncrustified 
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
 2023-10-19 16:09:08 +02:00
Yanray Wang 08e9423f14 Merge remote-tracking branch 'origin/development' into adjust_tfm_configs 2023-10-19 17:44:47 +08:00
Yanray Wang 893623fb28 PBKDF2-AES-CMAC: remove not needed preprocessor directive 
PBKDF2-AES-CMAC works if we provide the driver of AES-CMAC or
KEY-TYPE-AES or both. So if PBKDF2-AES-CMAC is requested via PSA,
we don't need to additionally enable builtin AES-CMAC or builtin
KEY-TYPE-AES.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-10-19 16:13:34 +08:00
Gilles Peskine 6407f8fc54
Merge pull request #8322 from valeriosetti/issue8257 
Improve location of MD_CAN macros
 2023-10-18 14:31:28 +00:00
Matthias Schulz ab4082290e Added parameters to add callback function to handle unsupported extensions. Similar to how the callback functions work when parsing certificates. Also added new test cases. 
Signed-off-by: Matthias Schulz <mschulz@hilscher.com>
 2023-10-18 13:20:59 +02:00
Manuel Pégourié-Gonnard c6d633ffbc
Merge pull request #8297 from valeriosetti/issue8064 
Change accel_aead component to full config
 2023-10-18 07:15:59 +00:00
Valerio Setti 2f00b7a5da cipher: reset MBEDTLS_CIPHER_HAVE_AEAD to MBEDTLS_CIPHER_MODE_AEAD 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-17 11:43:34 +02:00
Manuel Pégourié-Gonnard 6d42921633 Require at least on curve for ECP_LIGHT 
ECP_LIGHT is not usable without any curve, just the same as ECP_C.

We forgot to update this check when introducing the ECP_LIGHT subset.

Note: the message doesn't mention ECP_LIGHT as that's not a public
config knob, hence the message with "ECP_C or a subset" (that's how it's
referred to in user-facing documentation such as
docs/driver-only-builds.md).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-10-17 10:01:33 +02:00
Valerio Setti 9fc1f24331 md: restore md.h includes in source files directly using its elements 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-16 14:39:38 +02:00
Yanray Wang aa01ee303a Merge remote-tracking branch 'origin/development' into support_cipher_encrypt_only 2023-10-16 17:38:32 +08:00
Valerio Setti 596ef6c0b1 cipher: reset MBEDTLS_CIPHER_HAVE_AEAD_LEGACY to previous naming 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-16 11:26:08 +02:00
Dave Rodgman 3e52184923 Make macro definition more consistent with similar defns 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-16 09:25:59 +01:00
Dave Rodgman 0a48717b83 Simplify Windows-on-Arm macros 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-16 09:25:59 +01:00
Valerio Setti 5f5573fa90 cipher: reintroduce symbol for legacy AEAD support 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-13 17:29:27 +02:00
Dave Rodgman 7821df3e8b Adjust use of deprecated in Doxygen 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-13 09:39:11 +01:00
Dave Rodgman d85277c62e Doxygen fixes 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-13 09:22:54 +01:00
Valerio Setti 193e383686 check_config: fix typo causing build issues with only CCM enabled 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-13 09:37:24 +02:00
Maciej Zwoliński 720c638717 Add AES encrypted keys support for PKCS5 PBES2 
Signed-off-by: Maciej Zwoliński <mac.zwolinski@gmail.com>
 2023-10-12 12:00:01 +01:00
Valerio Setti db1ca8fc33 cipher: keep MBEDTLS_CIPHER_HAVE symbols private 
This commit also improve the usage of these new symbols in
cipher_wrap code

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-12 10:39:54 +02:00
Valerio Setti e570704f1f ssl: use MBEDTLS_SSL_HAVE_[CCM/GCM/CHACHAPOLY/AEAD] macros for ssl code 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-12 10:39:37 +02:00
Jerry Yu 7a799ccacd Share early_data_status between server and client 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-12 15:02:01 +08:00
Jerry Yu 02e3a074a3 Add max_early_data_size into ticket 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-10-12 15:00:26 +08:00
Bence Szépkúti 9b0c8164eb
Merge pull request #8330 from KloolK/extern-c 
Fix C++ build issue when MBEDTLS_ASN1_PARSE_C is not enabled
 2023-10-11 16:19:39 +00:00
Dave Rodgman b0d9830373
Merge branch 'development' into sha-armce-thumb2 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-11 13:53:41 +01:00
Valerio Setti 02a634decd md: remove unnecessary inclusions of mbedtls/md.h 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-11 13:15:58 +02:00
Valerio Setti 6bd3d9b166 cipher: fix missing spaces 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-11 13:10:34 +02:00
Valerio Setti d0411defa2 cipher: add internal symbols for AEAD capabilities 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-11 13:10:34 +02:00
Valerio Setti e7bac17b5d test: keep SSL_TICKET_C and SSL_CONTEXT_SERIALIZATION enabled 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-11 13:10:34 +02:00
Dave Rodgman be7915aa6c Revert renaming of SHA512 options 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-11 10:59:05 +01:00
Bence Szépkúti cffd7135c6
Merge pull request #8328 from yanrayw/sha256_context_guard 
sha256_context: guard is224 by MBEDTLS_SHA224_C
 2023-10-11 09:13:33 +00:00
Ronald Cron a89d2ba132
Merge pull request #8327 from ronald-cron-arm/adapt-psa-crypto-repo-name 
Adapt to new PSA Crypto repo name
 2023-10-11 06:45:30 +00:00
Dave Rodgman 5b89c55bb8 Rename MBEDTLS_SHAxxx_USE_ARMV8_yyy to MBEDTLS_SHAxxx_USE_ARMV8_A_yyy 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 15:14:57 +01:00
Dave Rodgman fe9fda81aa Rename MBEDTLS_ARCH_IS_ARMV8 to MBEDTLS_ARCH_IS_ARMV8_A 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 15:14:56 +01:00
Dave Rodgman f097bef6ea Refer to Armv8-A (not Armv8) in docs 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 15:14:30 +01:00
Dave Rodgman c5861d5bf2 Code style 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 14:01:54 +01:00
Dave Rodgman 6ab314f71d More config option renaming 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 14:00:17 +01:00
Dave Rodgman 94a634db96 Rename A64 config options 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-10 12:59:29 +01:00
Ronald Cron 7871cb14a7 Include psa/build_info.h instead of mbedtls/build_info.h 
In PSA headers include psa/build_info.h instead
of mbedtls/build_info.h. In Mbed TLS, both are
equivalent but not in TF-PSA-Crypto where
psa/build_info.h is the correct one.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-10-10 09:35:22 +02:00
Jan Bruckner 946720aac5 Fix C++ build issue when MBEDTLS_ASN1_PARSE_C is not enabled 
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
 2023-10-09 16:53:41 +02:00
Yanray Wang 29db8b061d sha256.h: add guard for is224 in sha256 context 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-10-09 18:09:47 +08:00
Ronald Cron 070e8652d5 Adapt to new PSA Crypto repo name 
Patterns I looked for:
grep -i "psa-crypto"
grep -i "psa.*crypto.*repo"
grep -i "psa.*crypto.*root"

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2023-10-09 10:26:18 +02:00
Thomas Daubney 540324cd21 Correct styling of Mbed TLS in documentation 
Several bits of documentation were incorrectly styling Mbed TLS
as MbedTLS.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
 2023-10-06 17:07:24 +01:00
Valerio Setti 85d2a98549 md: move definitions of MBEDTLS_MD_CAN to config_adjust_legacy_crypto.h 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-10-06 16:04:49 +02:00
Dave Rodgman 7ed619d3fa Enable run-time detection for Thumb and Arm 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-05 09:39:56 +01:00
Dave Rodgman bfe6021e85 Improve docs 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-05 08:31:22 +01:00
Dave Rodgman ca92f50e12 Update docs for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-05 08:24:55 +01:00
Dave Rodgman 8690859097 Improve docs 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-04 17:40:25 +01:00
Minos Galanakis 31ca313efa Bump version to 3.5.0 
```
./scripts/bump_version.sh --version 3.5.0
```

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-10-03 22:02:18 +01:00
Minos Galanakis 1a3ad265cc Merge branch 'development-restricted' into mbedtls-3.5.0rc0-pr 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2023-10-03 21:57:51 +01:00
Dave Rodgman cc5bf4946f Make SHA256 depend on Armv8, not aarch64 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-03 18:02:56 +01:00
Dave Rodgman 5ed7b2dec2 Introduce MBEDTLS_ARCH_IS_ARMV8 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-10-03 18:02:31 +01:00
Dave Rodgman b51f3da354
Merge pull request #8264 from mpg/follow-up-8075 
Follow up to 8075
 2023-09-28 17:32:12 +00:00
Manuel Pégourié-Gonnard 140c08e325 Minor clarifications. 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 11:02:37 +02:00
Manuel Pégourié-Gonnard 7f22f3478d Add check for unsupported partial curves acceleration 
Manual test: run test_psa_crypto_config_accel_ecc_non_weierstrass_curves
or test_psa_crypto_config_accel_ecc_weierstrass_curves as they are now,
observe it failing with the expected #error.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 10:19:18 +02:00
Manuel Pégourié-Gonnard 842d3552b6 Add check for unsupported partial key type acceleration 
Tested manually as follows: in
component_test_psa_crypto_config_accel_ecc_some_key_types, modify
loc_accel_list to remove one of the key types between
helper_libtestdriver1_make_drivers and helper_libtestdriver1_make_main,
and observe that the 2nd build fails with the expected #error.

Note: removing one of the key types before
helper_libtestdriver1_make_drivers causes the build of libtestdriver1 to
fail, which is quite acceptable, just not what we're trying to observe.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 10:19:16 +02:00
Manuel Pégourié-Gonnard 822870bd5d Adjust handling of special case for DERIVE 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 10:19:15 +02:00
Manuel Pégourié-Gonnard e662736f4c Rename macros for consistency 
It's spelled KEY_TYPE everywhere else.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 10:19:14 +02:00
Manuel Pégourié-Gonnard dfa42b34ab Improve documentation about driver-only p256-m. 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 08:53:05 +02:00
Manuel Pégourié-Gonnard eda7086bdd Auto-enable ACCEL macros for p256-m driver 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 08:53:05 +02:00
Manuel Pégourié-Gonnard f07ce3b8ff Don't extend support for deprecated functions 
Restore guards from the previous release, instead of the new, more
permissive guards.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-28 08:51:51 +02:00
Gilles Peskine 7f288566c3
Merge pull request #8260 from gilles-peskine-arm/crypto_spe-include-fix 
Fix include path to psa/crypto_spe.h
 2023-09-27 18:10:16 +00:00
Dave Rodgman 0fc86b2ddf
Merge pull request #8075 from valeriosetti/issue8016 
driver-only ECC: curve acceleration macros
 2023-09-27 14:39:02 +00:00
Gilles Peskine 7a6836b9f2 Document that MBEDTLS_PSA_CRYPTO_SPM needs crypto_spe.h 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-27 15:48:47 +02:00
Gilles Peskine 3529285308 Fix include path to psa/crypto_spe.h 
We can't have a public header or library file reference our test
environment (except possibly under test-only options, and even so, it would
be with great reluctance). This breaks the build for other people.
Fix #8259.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-27 15:45:16 +02:00
Manuel Pégourié-Gonnard 561bce6b16 Add build with some curves accelerated but not all 
I chose to divide along the lines of Weierstrass vs other curve shapes
(currently just Montgomery), mainly because it's the first thing that
came to mind.

It happened to reveal an issue in the logic for when (deterministic)
ECDSA and ECJPAKE are built-in, which this commit is also fixing.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-26 11:36:13 +02:00
Yanray Wang 145bb2946e check_config: add check of ASN1_[WRITE/PARSE]_C 
This commit adds dependency check when PK_CAN_ECDSA_SIGN or
PK_CAN_ECDSA_VERIFY is enabled but no corresponding ASN1_WRITE_C
or ASN1_PARSE_C is enabled under PSA.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2023-09-26 17:15:52 +08:00
Xiaokang Qian 845693c513 Change comments to psa_crypto_driver_wrappers.h 
Signed-off-by: Xiaokang Qian <xiaokang.qian@arm.com>
 2023-09-26 09:09:20 +00:00
Dave Rodgman 6da7872aa2
Merge pull request #1083 from gilles-peskine-arm/development-restricted-merge-20230925 
Merge development into development-restricted
 2023-09-25 18:16:01 +01:00
Manuel Pégourié-Gonnard 702b645dce Rename new header file 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 8e82654ec4 Be more subtle about key_type -> alg interaction 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 3bc4d26f20 Special-case KEYPAIR_DERIVE (no driver support yet) 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard c2b12b17a4 Fix dependencies of built-in ECC keypair types 
More key management operations only require ECP_LIGHT, except:
- generate (scalar multiplication)
- export (exporting public from private also needs scalar
multiplication).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard b4b13ccff4 Fix deterministic ECDSA built-in dependencies 
They're a superset of the dependencies for randomized ECDSA.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 3ccda15d8f Use consistent ordering for built-in activation 
The usual order is:
- MBEDTLS_PSA_BUILTIN_xxx macro
- MBEDTLS_xxx legacy macros

But curves had it the other way round for some reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 2d04d78561 Fix logic of ECC built-in activation again 
The previous fix was enabling more than needed in some circumstances,
for example:

- requested: (`PSA_WANT`): all ECC algs, all ECC key types, all curves;
- we have acceleration (`MBEDTLS_PSA_ACCEL`) for: ECDH, all ECC key types, all curves;
- as a consequence, we need built-in: all algs except ECDH, all ECC key types, all curves.

This is what's happening in test_psa_crypto_config_accel_ecdh which,
before this commit, was failing as built-in ECDH was enabled contrary to
the component's (rightful) expectations.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 1db44dd68d Remove useless instances of MBEDTLS_SOME_BUILTIN_EC 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 1a0a4d60d9 Implement new strategy for ECC accel/built-in 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 0d99271d14 Group all ECC-related things in legacy_from_psa.h 
Just moving things, no change.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard bfc6ef7a5c Improve PSA config adjustment relate to keypair types 
Centralize it in a new file psa/config_adjust_keypair_types.h. I think
this file indeed belongs in include/psa (as opposed to include/mbedtls)
because it only touches PSA_WANT symbols (no MBEDTLS_PSA symbols), and
implements things that are described in psa-conditional-inclusion.md.

The code is not new, just moved from config_psa.h and
config_adjust_legacy_from_psa.h where is was intermingled with handling
of ACCEL/BUILTIN symbols. (git's --color-moved option will hardly help
in checking that assertion, due to the way things were intermixed.)

Note: the parts about BUILTIN in config_psa.h were not moved, just
removed for now. They belong to
include/mbedtls/config_adjust_legacy_from_psa.h and will be
re-added there in a future commit which will completely re-organize the
handling or ACCEL/BUILTIN for ECC.

See comments inside the commit about placement of this file relative to
others.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Manuel Pégourié-Gonnard 7af9d07c05 Remove unnecessary block 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-25 17:39:41 +02:00
Valerio Setti bf206b8f41 adjust_legacy_from_psa: undef SOME_BUILTIN_EC when builtin curves are used 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti 19d92108c1 config_psa: resolve symbol redefinition issue 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti ea167c39d0 check_config: remove unnecessary check about builtin curve usage 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti db6b4db7a0 Renaming all MBEDTLS_HAVE for curves to MBEDTLS_ECP_HAVE 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti b2219f633d config_psa: moving PSA_WANT auto-enabling code 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti e6f65a951f config_psa: fix comment 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti 67d82e742b build_info: add helpers to signal some support for a specific curve 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:41 +02:00
Valerio Setti 4b75a764c7 check_config: include also ECJPAKE_C as usage for builtin curves 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti dca8492043 check_config: request at least 1 builtin EC alg if there is at least 1 builtin curve 
This slightly changes the previous requirement. Instead of enabling
ALL builtin EC algs when there is at least 1 built in curve, we ask
for at least one built alg if there is at least one builtin curve.

This relaxes the previous check while still keeping the base idea:
there must be a reason for which builtin curves are included into
the build.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 29837c7301 config_psa: include builtin algs if there is at least 1 builtin curve 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 9aed893fb0 config_psa: check curves' support before EC ALGs 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti d6b473adcd config_psa: add internal helper to signal that some curve is builtin 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 87076abbfb config_psa: ensure PSA_WANT_ECC is enabled for each MBEDTLS_ECP_DP 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 8ec212098e check_config: fix comment 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 8600de818c check_config: perform checks only when config_psa.h is evaluated 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti 3b69e3ed12 check_config: skip check on SECP224K1 because the PSA is never enabled 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Valerio Setti a7a18313a6 check_config: verify that each ECP_DP has the corresponding PSA_WANT_ECC 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2023-09-25 17:39:40 +02:00
Gilles Peskine ffe590d197
Merge pull request #1058 from waleed-elmelegy-arm/check-set_padding-is-called 
Check set_padding has been called in mbedtls_cipher_finish
 2023-09-25 17:12:36 +02:00
Gilles Peskine ca1e605b9c Merge remote-tracking branch 'upstream-public/development' into development-restricted-merge-20230925 
Conflicts:
* `include/mbedtls/build_info.h`: a new fragment to auto-enable
  `MBEDTLS_CIPHER_PADDING_PKCS7` was added in
  c9f4040f7f in `development-restricted`.
  In `development`, this section of the file has moved to
  `include/mbedtls/config_adjust_legacy_crypto.h`.
* `library/bignum.c`: function name change in `development-restricted` vs
  comment change in development. The comment change in `development` is not
  really relevant, so just take the line from `development-restricted`.
 2023-09-25 16:16:26 +02:00
Waleed Elmelegy a86b776f94 Remove invalid comment from mbedtls_cipher_set_padding_mode() 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-22 17:44:58 +01:00
Dave Rodgman aaebc9be51
Merge pull request #8235 from daverodgman/misc-size 2023-09-21 18:42:37 +01:00
Dave Rodgman d3450da98d Re-order mbedtls_ccm_context 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2023-09-21 10:34:45 +01:00
Gilles Peskine 67cf66b427 Add a note about the code size benefits 
We don't normally make promises related to code size, but this one is vague
enough (just "to benefit"), and it's what a lot of users of this option
care about.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-20 23:19:46 +02:00
Gilles Peskine 3aa79691fc Add a note about p256m near the option to enable secp256r1 
Only document it with the PSA configuration, not for
MBEDTLS_ECP_DP_SECP256R1_ENABLED, since p256m can't be used with the classic
API.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-20 20:54:50 +02:00
Gilles Peskine 08b66cd7d7 Move MBEDTLS_PSA_P256M_DRIVER_ENABLED to keep alphabetical order 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-20 20:51:47 +02:00
Gilles Peskine efaee9a299 Give a production-sounding name to the p256m option 
Now that p256-m is officially a production feature and not just an example,
give it a more suitable name.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-20 20:49:47 +02:00
Waleed Elmelegy 5e48cad7f0 Fix codestyle issues in pkcs12.h & pkparse.c 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-20 19:29:02 +01:00
Waleed Elmelegy d527896b7e Switch pkparse to use new mbedtls_pkcs12_pbe_ext function 
Switch pkparse to use new mbedtls_pkcs12_pbe_ext function
and deprecate mbedtls_pkcs12_pbe function.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-20 19:29:02 +01:00
Waleed Elmelegy c9f4040f7f Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function 
Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function
and deprecate mbedtls_pkcs5_pbes2 function.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-09-20 19:28:28 +01:00
Manuel Pégourié-Gonnard 5edb942708
Merge pull request #8041 from mpg/tfm-p256m 
Test TF-M config with p256-m driver
 2023-09-20 16:09:56 +00:00
Gilles Peskine eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613 
TLS: Clean up ECDSA dependencies
 2023-09-20 12:47:55 +00:00
Gilles Peskine 452beb9076
Merge pull request #8203 from gilles-peskine-arm/p256-m-production 
Declare p256-m as ready for production
 2023-09-20 09:36:05 +00:00
Manuel Pégourié-Gonnard 97bb726e2d Add clarifying comment 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 11:28:32 +02:00
Gilles Peskine 67c86e626b
Merge pull request #7961 from gilles-peskine-arm/psa_crypto_config-in-full 
Enable MBEDTLS_PSA_CRYPTO_CONFIG in the full config
 2023-09-18 08:13:12 +00:00
Manuel Pégourié-Gonnard 4f119b8f21 Remove extra copies of a block of comment/define 
Not sure how it happened, but this block was not just duplicated, but
triplicated. Keep only the first copy: the one before the code that uses
the macro being defined.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 09:57:04 +02:00
Manuel Pégourié-Gonnard f7298cd397 Fix some issues in comments 
Ranging from typos to outdated comment contradicting the code.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2023-09-18 09:55:24 +02:00
jnmeurisse 83f0a65d71
Fix issue #8215 : add missing requires documentation in mbedtls_config.h 
Add missing requirements MBEDTLS_SSL_PROTO_TLS1_2 to option MBEDTLS_SSL_RENEGOTIATION documentation.

Signed-off-by: jnmeurisse <88129653+jnmeurisse@users.noreply.github.com>
 2023-09-16 18:12:18 +02:00
Gilles Peskine 865730ec67
Merge pull request #8212 from tom-cosgrove-arm/mbedtls_ssl_max_early_data_size-default-value 
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config
 2023-09-15 05:51:59 +00:00
Tom Cosgrove a63775b168 Move MBEDTLS_SSL_MAX_EARLY_DATA_SIZE to the correct section 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-14 13:31:19 +01:00
Tom Cosgrove 3b4471ef87 MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config 
Numeric options should be commented out with their default values in the config
file, and a separate header file should set the default value if necessary.
This was done for most other options in #8161; do it here for
MBEDTLS_SSL_MAX_EARLY_DATA_SIZE.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2023-09-14 13:18:50 +01:00
Gilles Peskine 016db89107 Update p256-m to state that it's ready for production 
Add some guidance as to whether and how to enable it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-13 14:34:40 +02:00
Gilles Peskine 3cea3efc25
Merge pull request #8025 from AgathiyanB/accept-numericoid-hexstring-x509 
Accept numericoid hexstring x509
 2023-09-13 08:54:33 +00:00
Gilles Peskine f22999e99f
Merge pull request #8093 from yuhaoth/pr/add-target-architecture-macros 
Add architecture detection macros
 2023-09-13 08:53:47 +00:00
Gilles Peskine 2e38a0d603 More spelling corrections 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-12 19:19:31 +02:00
Gilles Peskine e820c0abc8 Update spelling "mbed TLS" to "Mbed TLS" 
The official spelling of the trade mark changed from all-lowercase "mbed"
to normal proper noun capitalization "Mbed" a few years ago. We've been
using the new spelling in new text but still have the old spelling in a
lot of text. This commit updates most occurrences of "mbed TLS":

```
sed -i -e 's/mbed TLS/Mbed TLS/g' $(git ls-files ':!ChangeLog' ':!tests/data_files/**' ':!tests/suites/*.data' ':!programs/x509/*' ':!configs/tfm*')
```

Justification for the omissions:

* `ChangeLog`: historical text.
* `test/data_files/**`, `tests/suites/*.data`, `programs/x509/*`: many
  occurrences are significant names in certificates and such. Changing
  the spelling would invalidate many signatures and tests.
* `configs/tfm*`: this is an imported file. We'll follow the upstream
  updates.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2023-09-12 19:18:17 +02:00
Ronald Cron ad2f351c6b
Merge pull request #8171 from ronald-cron-arm/misc-minor-fixes 
One minor fix
 2023-09-12 06:00:48 +00:00
Dave Rodgman 7fda906a68
Merge pull request #8161 from gilles-peskine-arm/config-boolean-options-wrong-section-202309 
Fix module configuration options in mbedtls_config.h
 2023-09-11 15:08:56 +00:00