MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER has been compatible with
MBEDTLS_USE_PSA_CRYPTO since https://github.com/Mbed-TLS/mbedtls/pull/5380.
We still don't want to enable it in the full config because it's a behavior
change, even an interface change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix PSA_CRYPTO_CONFIG_H being treated as a configuration setting in
include/psa/crypto_config.h.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that p256-m is officially a production feature and not just an example,
give it a more suitable name.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Boolean options that modify the behavior of a module are supposed to be in
the "feature support" section, not in the "configuration options" support:
that section is documented to contain commented-out definitions with a
value, for which the comment contains the default version. In particular,
merely uncommenting a definition in the "configuration options" section is
not supposed to change anything.
Move the offending boolean options to the proper section.
This causes those options to be enabled by `config.py full` unless
explicitly excluded. For all the offending options, this is undesirable, so
make sure those options are indeed excluded.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The EXCLUDE_FROM_FULL list in config.py should be, and used to be, but
no longer is, in alphabetical order, and with a comma on the last
element.
Signed-off-by: Janos Follath <janos.follath@arm.com>
By default, the full configuration enables all options. But we
specifically don't want to enable MBEDTLS_ECP_WITH_MPI_UINT except where
it's done explicitly, because it disables the old ecp. So it needs to be
added to the exceptions in config.py (EXCLUDE_FROM_FULL).
Signed-off-by: Janos Follath <janos.follath@arm.com>
Back when we introduced MBEDTLS_PSA_CRYPTO_CONFIG and it was still
experimental, it made sense that we tested it separately. Nowadays, the
feature is fully implemented, and the full config without
MBEDTLS_PSA_CRYPTO_CONFIG keeps cryptographic mechanisms that only have a
PSA implementation and aren't in the default build disabled (currently:
PBKDF2). So enable MBEDTLS_PSA_CRYPTO_CONFIG in the full config.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit adds configuration check in check_config.h if
MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled.
Furthermore, MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH is disabled
by default in scripts/config.py for full configuration.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
The build option MBEDTLS_PSA_INJECT_ENTROPY requires some extra platform
functions, for historical reasons. To enable us to test this option, provide
a version of these functions for testing.
(These versions would actually work in production, but providing them in the
library in a way that doesn't break existing users might be slightly tricky,
so it's out of scope of this commit.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
(Reapplying changes as one commit on top of development post codestyle change instead of rewriting old branch)
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
We provide windows and posix implementation for it.
With MBEDTLS_PLATFORM_MS_TIME_ALT, user can provide
their own implementation.
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
This is only the beginning:
- some test failures in test_suite_pk, test_suite_x509 and ssl-opt.sh
will be fixed in the next few commits;
- then the interactions between those options will be documented and
tested.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
PKCS7 signing format is used by OpenPOWER Key Management, which is
using mbedtls as its crypto library.
This patch adds the limited support of pkcs7 parser and verification
to the mbedtls. The limitations are:
* Only signed data is supported.
* CRLs are not currently handled.
* Single signer is supported.
Signed-off-by: Daniel Axtens <dja@axtens.net>
Signed-off-by: Eric Richter <erichte@linux.ibm.com>
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
