We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The comments were about the time we were using mbedtls_pk_ec(), which
can return NULL, which we don't want to propagate to other functions.
Now we're using mbedtls_pk_get_ec_group_id() with is a safer interface
(and works even when EC is provided by drivers).
The check for GROUP_NONE was an heritage from the previous NULL check.
However it's actually useless: if NONE were returned (which can't happen
or parsing of the certificate would have failed and we wouldn't be
here), then mbedtls_ssl_check_curve() would work and just say that the
curve wasn't valid, which is OK.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
* public/mbedtls-3.6: (251 commits)
Call in_mbedtls_repo
Move some proj detection code inside pre_check_environment
Match spacing in pointer types in documentation with the code style
Rename one more deprecated identifier
Documentation improvements
Rename internal function psa_key_production_parameters_are_default
key_custom: update analyze_outcomes.py
Test cpp_dummy_build in pedantic mode
Changelog entry for the move from key_ext to key_custom functions
Remove some tests of psa_generate_key_ext
Document the key_ext functions as deprecated
Documentation: point to key_custom instead of key_ext
Update PSA wrappers
Implement psa_generate_key_custom
all.sh/components: Removed components.sh
all.sh/components: Moved build_aes_via_padlock to platform component.
all.sh/components: Moved driver components to configuration crypto.
all.sh/components: Moved more components to configuration crypto.
all.sh/components: Fixed a typo in configuration-tls.
all.sh/components: Moved more components to configuration tls.
...
Implement `psa_generate_key_custom()` and
`psa_key_derivation_output_key_custom()`. These functions replace
`psa_generate_key_ext()` and `psa_key_derivation_output_key_ext()`.
They have the same functionality, but a slightly different interface:
the `ext` functions use a structure with a flexible array member to pass
variable-length data, while the `custom` functions use a separate parameter.
Keep the `ext` functions for backward compatibility with Mbed TLS 3.6.0.
But make them a thin wrapper around the new `custom` functions.
Duplicate the test code and data. The test cases have to be duplicated
anyway, and the test functions are individually more readable this way.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If MBEDTLS_CTR_DRBG_C is enabled, force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE to be
disabled. This resolves the former inconsistency in builds where
MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is explicitly defined but MBEDTLS_CTR_DRBG_C
remains enabled, where PSA called the CTR_DRBG functions but other parts of
the code based assumed that HMAC was in use, in particular error code
conversions (leading to a test failure in test_suite_psa_crypto_init).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Unfortunately this compiler complains about a variable potentially being
used un-initialized. Silence the warning by initializing it to a sane
default.
Signed-off-by: Patrick Wildt <pwildt@google.com>
Issue #9179 (MBEDTLS_SSL_CID_OUT_LEN_MAX changed to
MBEDTLS_SSL_CID_IN_LEN_MAX in library\ssl.h and library\ssl_tls.c)
Signed-off-by: Sam Berry <sam.berry@arm.com>
This is ok in practice since we don't support 16-bit platforms, but it makes
`arm-none-eabi-gcc-10 -mthumb -Wformat` complain.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
A large block of code is only reachable if MBEDTLS_PK_USE_PSA_EC_DATA is
enabled, i.e. if MBEDTLS_USE_PSA_CRYPTO is enabled with driver-only ECC.
Compilers are likely to figure it out, but still, for clarity and
robustness, do guard that block of code with the appropriate conditional
compilation guard.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It isn't detected on the CI because we only test this with an ancient Clang
that doesn't warn. Old GCC, modern GCC and modern Clang do
warn (-Wunused-but-set-variable).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When trying to decrypt data with an invalid key, we found that `mbedtls`
returned `0x6200` (`-25088`), which means "_CIPHER - Input data contains
invalid padding and is rejected_" from `mbedtls_cipher_finish`, but it also
set the output len as `18446744073709551516`.
In case we detect an error with padding, we leave the output len zero'ed
and return `MBEDTLS_ERR_CIPHER_INVALID_PADDING`.
Here's a reference for the way `openssl` checks the padding length:
- 1848c561ec/crypto/evp/evp_enc.c (L1023)
- b554eef43b
So add a check ensuring output is set to the least-harmful value in the
error cases.
With the robustness fix:
`PASSED (125 suites, 26644 tests run)`
Without the robustness fix:
`FAILED (125 suites, 26644 tests run)`
Signed-off-by: Andre Goddard Rosa <andre.goddard@gmail.com>
Signed-off-by: Andre Goddard Rosa <agoddardrosa@roku.com>
This should be CRYPTO_CLIENT and not CRYPTO_C as this function
can be used even when CRYPTO_C is not defined.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
A bug existed previously where this guarantee was not met,
causing some issues in multi-threaded code.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
If psa_get_and_lock_key_slot fails, the slot must be wiped.
This fixes a bug where a pointer to some valid key slot can
be incorrectly returned
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
With multipart AEAD, if we attempt to add zero length additional data,
then with the buffer sharing fixes this can now lead to undefined
behaviour when using gcm. Fix this by returning early, as there is
nothing to do if the input length is zero.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
