Explicitly document that when using TLS 1.3, you must initialize PSA crypto
before starting a handshake.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
There's no renegotiation in TLS 1.3, so this option should have no effect.
Insist on having it disabled, to avoid the risk of accidentally having
different behavior in TLS 1.3 if the option is enabled (as happened in
https://github.com/Mbed-TLS/mbedtls/issues/6200).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
As tested in https://github.com/Mbed-TLS/mbedtls/issues/6790,
after introducing side-channel counter-measures to bignum,
the performance of RSA decryption in correlation to the
MBEDTLS_ECP_WINDOW_SIZE has changed.
The default value of 2 has been chosen as it provides best
or close-to-best results for tests on Cortex-M4 and Intel i7.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
If MBEDTLS_PSA_CRYPTO_C is enabled, we always enable
MBEDTLS_PSA_CRYPTO_CLIENT, since the client-side functions are part of the
full PSA crypto feature set. Historically, we didn't have a good place for
configuration modification, so we did this early in the crypto.h include
tree. Since Mbed TLS 3.0, we have mbedtls/build_info.h for that.
Addresses https://github.com/Mbed-TLS/mbedtls/issues/7144 .
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Restore same PSK length enforcement in
conf_psk and set_hs_psk, whether the
negotiated protocol is TLS 1.2 or TLS 1.3.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Integrators of Mbed TLS may override the header files
"psa/crypto_platform.h" and "psa/crypto_struct.h" by overwriting the files
or by placing alternative versions earlier in the include file search path.
These two methods are sometimes inconvenient, so allow a third method which
doesn't require overwriting files or having a precise order for the include
path: integrators can now specify alternative names for the headers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This patch introduces the following changes:
* Documentation for `mbedtls_ecp_modulus_setup()`
moved to `ecp_invasive.h`.
* Added invalid modulus selector `MBEDTLS_ECP_MOD_NONE`.
* Adjusted negative tests to use invalid selectors.
* Reworded documentation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
This patch introduces a new static method, responsible
for automatically initialising an modulus structure,
based on the curve id and a modulus type selector.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
See docs/architecture/psa-migration/md-cipher-dispatch.md
Regarding testing, the no_md component was never very useful, as that's
not something people are likely to want to do: it was mostly useful as
executable documentation of what depends on MD. It's going to be even
less useful when more and more modules auto-enable MD_LIGHT or even
MD_C. So, recycle it to test the build with only MD_LIGHT, which is
something that might happen in practice, and is necessary to ensure that
the division is consistent.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
It was already marked as internal use only, and no longer used
internally. Also, it won't work when we dispatch to PSA.
Remove it before the MD_LIGHT split to avoid a corner case: it's
technically a hashing function, no HMAC or extra metadata, but we still
don't want it in MD_LIGHT really.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Make public the versions of ECSDA sign and verify which return raw signatures
rather than returning ASN.1 encoded signatures, in order to use them for the
internal implemention of psa_sign/verify_hash_interruptible.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
A CMS signature can have internal data, but mbedTLS does not support
verifying such signatures. Reject them during parsing.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
Since only one content type (signed data) is supported, storing the
content type just wastes memory.
Signed-off-by: Demi Marie Obenour <demiobenour@gmail.com>
The contentInfo field of PKCS7 Signed Data structures can
optionally contain the content of the signature. Per RFC 2315
it can also contain any of the PKCS7 data types. Add test and
comments making it clear that the current implementation
only supports the DATA content type and the data must be empty.
Return codes should be clear whether content was invalid or
unsupported.
Identification and fix provided by:
- Demi Marie Obenour <demiobenour@gmail.com>
- Dave Rodgman <dave.rodgman@arm.com>
Signed-off-by: Nick Child <nick.child@ibm.com>
This makes it possible to verify RSA PSS signatures with the pk module,
which was inadvertently broken since Mbed TLS 3.0. Fixes#7040.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Several PKCS7 invalid ASN1 Tests were failing due to extra
data bytes or incorrect content lengths going unnoticed. Make
the parser aware of possible malformed ASN1 data.
Signed-off-by: Nick Child <nick.child@ibm.com>
A parsed CSR struct (`mbedtls_x509_csr`) now includes some of the
X.509v3 extensions included in the CSR -- the key usage, Netscape
cert-type, and Subject Alternative Names.
Author: Jens Alfke <jens@couchbase.com>
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
Add PSA_WANT_KEY_TYPE_PASSWORD and PSA_WANT_KEY_TYPE_PASSWORD_HASH to
psa/crypto_config.h, since the types PSA_KEY_TYPE_PASSWORD and
PSA_KEY_TYPE_PASSWORD_HASH are used by ECJPAKE.
The two key types are always enabled, like PSA_KEY_TYPE_DERIVE.
Add the key types to the metadata test suite as well.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When ticket_flags used as parameter, use unsigned int,
instead of uint8_t or mbedtls_ssl_tls13_ticket_flags.Also
remove the definition of mbedtls_ssl_tls13_ticket_flags.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Return MBEDTLS_ERR_ERROR_GENERIC_ERROR when ticket_flags
are not compatible with advertised key exchange mode.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Move the kex mode check in ticket_flags to
ssl_tls13_offered_psks_check_identity_match_ticket and add new error
'MBEDTLS_ERR_SSL_TICKET_INVALID_KEX_MODE' to indicate the check
failure.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Using proper configuration options (i.e. MBEDTLS_SHA224_C and
MBEDTLS_SHA256_C) it is now possible to build SHA224 and SHA256
independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
Using proper configuration options (i.e. MBEDTLS_SHA384_C and
MBEDTLS_SHA512_C) it is now possible to build SHA384 and SHA512
independently from each other.
Signed-off-by: Valerio Setti <vsetti@baylibre.com>
This is not new, it had always been the case, just not documented.
Pointed out by depends.py pkalgs (again, now that restartable is part of
full).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
muladd() (restartable or not) is only available when at least one short
weirstrass curve is enabled.
Found by depends.py curves (now that restartable is part of full).
Also, document that restartable only work for short weierstrass curves
(actually unrelated, but this made me think of that).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is only the beginning:
- some test failures in test_suite_pk, test_suite_x509 and ssl-opt.sh
will be fixed in the next few commits;
- then the interactions between those options will be documented and
tested.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
It might not be obvious that this option goes beyond adding new
functions, but also automagically modifies the behaviour of TLS
in some circumstances. Moreover, the exact modifications and
circumstances were not documented anywhere outside the ChangeLog.
Fix that.
While at it, adjust the test that checks no restartable behaviour with
other key exchanges, to use a key exchange that allows cert-based client
authentication so that we can check that this is not restartable either.
We don't have any automated test checking that the server is never
affected. That would require adding an ec_max_ops command-line option to
ssl_server2 that never has any effect, just to check that it indeed
doesn't. I'm not sure that's worth it. I tested manually and could
confirm that the server never has restartable behaviour, even for the
parts that are shared between client and server such as cert chain
verification.
Note (from re-reading the code): all restartable behaviour is controlled
by the flag ssl->handshake->ecrs_enabled which is only client-side with
the ECDHE-ECDSA key exchange (TLS 1.2).
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- disable reuse of max_early_data_size.
- make conf_early_data available for server.
- various comment issues
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Warns about the removal of the legacy DTLS Connection ID feature in a future version of Mbed TLS.
Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Added deprecated keyword to MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT
Signed-off-by: Hannes Tschofenig <hannes.tschofenig@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Having multiple definitions was cumbersome, and meant we might forget the
definition when adding an inline definition to a file that didn't have one
before (as I did when I added an inline definition in common.h).
Resolves#6649.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
