Hanno Becker
485529952f
Merge branch 'opaque_psk_implementation' into development-psa-proposed
2018-11-23 11:12:38 +00:00
Andrzej Kurek
b7f3ac6504
pkwrite: add an explicit cast to size_t
2018-11-22 12:05:08 -05:00
Andrzej Kurek
158c3d10d0
pkwrite: add a safety check before calculating the buffer size
2018-11-22 12:05:08 -05:00
Andrzej Kurek
4b11407258
Cosmetic changes
...
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:05:08 -05:00
Andrzej Kurek
5fec0860f9
pkwrite: add opaque key handling for public key exporting
...
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:05:08 -05:00
Manuel Pégourié-Gonnard
347a00e07e
Add test utility function: wrap_as_opaque()
...
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
59eecb0e9e
Guard against PSA generating invalid signature
...
The goal is not to double-check everything PSA does, but to ensure that if
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
9a5a77ba7c
Use shared function for error translation
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
45013a1d54
Fix a compliance issue in signature encoding
...
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
509aff111f
Improve documentation of an internal function
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
d8454bc515
Get rid of large stack buffers in PSA sign wrapper
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
69baf70984
Align names to use "opaque" only everywhere
...
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
functions doing the same "what" in different ways in the foreseeable future.
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
3686771dfa
Implement pk_sign() for opaque ECDSA keys
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
920c063bad
Implement can_do for opaque ECC keypairs
...
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
0184b3c69b
Add support for get_(bit)len on opaque keys
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
7b5fe041f1
Implement alloc/free wrappers for pk_opaque_psa
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
eaeb7b23ff
Clarify return value of pk_check_pair()
2018-11-22 09:59:34 +01:00
Manuel Pégourié-Gonnard
20678b2ae2
Skeleton for PK_OPAQUE_PSA
2018-11-22 09:59:34 +01:00
Hanno Becker
7390c71609
Share code for PSK identity configuration
...
This commit shares the code for setting the PSK identity hint between
the functions mbedtls_ssl_conf_psk() and mbedtls_ssl_conf_psk_opaque().
2018-11-21 21:12:58 +00:00
Hanno Becker
a63ac3f149
Safe-guard ssl_conf_remove_psk()
for simultaneous raw-opaque PSKs
...
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
2018-11-21 21:12:58 +00:00
Hanno Becker
f9ed7d5f76
Don't use 48 as a magic number in ssl_derive_keys()
...
In multiple places, it occurs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact that some
further occurrences of '48' are semantically different.
2018-11-21 21:12:58 +00:00
Hanno Becker
c1385c104f
Don't use idiom if( func() )
but always add explicit value check
2018-11-21 21:12:58 +00:00
Hanno Becker
845b946d92
Add server-support for opaque PSKs
2018-11-21 21:12:58 +00:00
Hanno Becker
520224e577
Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
...
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into account the PSK callback.
2018-11-21 21:12:58 +00:00
Hanno Becker
afd311ee12
Skip PMS generation on client if opaque PSK is used
...
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-21 21:12:58 +00:00
Hanno Becker
7d0a569d38
Implement PSA-based PSK-to-MS derivation in mbedtls_ssl_derive_keys
2018-11-21 21:12:58 +00:00
Hanno Becker
35b23c7484
Simplify master secret derivation in mbedtls_ssl_derive_keys()
2018-11-21 21:12:58 +00:00
Hanno Becker
dfab8e221a
Allow opaque PSKs in pure-PSK ciphersuites only
...
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-21 21:12:58 +00:00
Hanno Becker
2e4f616708
Don't suggest the use of a PSK suite if no PSK configured on client
2018-11-21 21:12:58 +00:00
Hanno Becker
d20a8ca733
Implement API for configuration of opaque PSKs
...
This commit adds implementations of the two new API functions
mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque().
2018-11-21 21:12:58 +00:00
Manuel Pégourié-Gonnard
aeefa49edd
Add config option for X.509/TLS to use PSA
2018-11-21 21:03:14 +00:00
Jaeden Amero
484ee33c35
psa: Add PSA Crypto configuration
...
Add an option that can enable the exposure of PSA Crypto APIs from
libmbedcrypto.
2018-11-21 12:54:57 +00:00
Jaeden Amero
30b340a760
crypto: Add mbedtls-psa as a submodule
...
mbedtls-psa contains an implementation of libmbedcrypto, including the PSA
Crypto API.
2018-11-21 12:54:57 +00:00
Jaeden Amero
4cb814e3a7
cmake: Use finer grained include directory
...
Using finer grained control over include directories will allow different
targets to use different include files. This will be useful when the
`crypto` subcomponent wants to use its own include files instead of or in
addition to the top level ones.
2018-11-20 18:46:43 +00:00
Simon Butcher
c1b9892177
Update library version number to 2.14.0
2018-11-19 18:31:40 +00:00
Simon Butcher
de13963d66
Merge remote-tracking branch 'restricted/pr/520' into development-restricted-proposed
2018-11-12 14:30:16 +00:00
Simon Butcher
cdd1a6c872
Merge remote-tracking branch 'restricted/pr/510' into development-restricted-proposed
2018-11-12 14:29:14 +00:00
Simon Butcher
e51d4b336b
Merge remote-tracking branch 'public/pr/2054' into development-proposed
2018-11-09 19:57:53 +00:00
Ron Eldor
9924bdc792
Deprecate hardware acceleration errors
...
Deprecate the module-specific XXX_HW_ACCEL_FAILED and
XXX_FEATURE_UNAVAILABLE errors, as alternative implementations should now
return `MBEDTLS_ERR_PLATFORM_HW_FAILED` and
`MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED`.
2018-11-09 15:01:07 +00:00
Ron Eldor
bcca58c6cd
Add common feature unavailable error
...
Add a common error for the feature unavailable, in the
platform module.
2018-11-09 13:57:37 +00:00
Simon Butcher
d83448b736
Merge remote-tracking branch 'public/pr/2052' into development-restricted-proposed
2018-11-07 12:59:14 +00:00
Simon Butcher
53b45ec881
Merge remote-tracking branch 'public/pr/2079' into development-restricted-proposed
2018-11-07 12:58:44 +00:00
Simon Butcher
bbc31b4827
Merge remote-tracking branch 'public/pr/2085' into development-restricted-proposed
2018-11-07 12:57:38 +00:00
Simon Butcher
93a9b497e0
Merge remote-tracking branch 'public/pr/2077' into development-restricted-proposed
2018-11-07 12:57:24 +00:00
Simon Butcher
241823aab8
Merge remote-tracking branch 'public/pr/1641' into development-restricted-proposed
2018-11-07 12:55:47 +00:00
Simon Butcher
42ab4ae033
Merge remote-tracking branch 'public/pr/2167' into development-restricted-proposed
2018-11-07 12:54:45 +00:00
Simon Butcher
51b6abbbf2
Merge remote-tracking branch 'public/pr/2165' into development-proposed
2018-11-06 22:55:14 +00:00
Ron Eldor
2981d8f161
Change to positive flow for all cases
...
Use the `rs_ctx` only when `MBEDTLS_ECP_RESTARTABLE` is defined.
2018-11-05 18:08:46 +02:00
Ron Eldor
93ace0199b
Revert positive flow check
...
Revert changes for checking whether `MBEDTLS_ECP_RESTARTABLE`
is defined, since it broke the CI. The context is used whether the
restartable feature is defined or not.
2018-11-05 17:50:07 +02:00
Ron Eldor
b430d9f262
Change to positive checks
...
1. Change to check for `MBEDTLS_ECP_RESTARTABLE` for all definitions
of `rs_ctx`.
2. Remove checks for `_ALT` when using `rs_ctx` as they cannot coexist
with the Restartable configuration.
2018-11-05 17:18:29 +02:00