We are technically allowed to use all possible values of key slice index
that will fit into the bit width we have allocated, so allow all values.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The persistent key cache slice is the last slice (not the first as
previously stated). Update the numbering-related comments accordingly.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Actually moved the function rather than trying to edit guards around it,
because the relevant guards are not nearby, the function was part of
larger blocks, so it seemed risky.
Also, that seems logically correct: the function is no longer part of
the "TLS 1.2 handshake functions common to server and client" section,
it's part of the "helper functions common to 1.2 and 1.3 server and
client" block. Ideally in the future perhaps the file structure should
reflect that (`ssl_generic.c` vs `ssl_tls12_generic.c`?) but that's out
of scope here.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Rename as there was a name collision with a static function in another
file: ssl_parse_certificate_verify in ssl_tls12_server.c is the function
that parses the CertificateVerify message, which seems appropriate. Here
it meant "the 'verify' step after parsing the Certificate message".
Use a name that focuses on what it does: verify, not parse.
Also, take ciphersuite_info as an argument: when TLS 1.3 calls this
function, it can pass NULL as the ciphersuite has no influence there.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
In particular, make sure pointer variables are initialized right after
being declared.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.
In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The comments were about the time we were using mbedtls_pk_ec(), which
can return NULL, which we don't want to propagate to other functions.
Now we're using mbedtls_pk_get_ec_group_id() with is a safer interface
(and works even when EC is provided by drivers).
The check for GROUP_NONE was an heritage from the previous NULL check.
However it's actually useless: if NONE were returned (which can't happen
or parsing of the certificate would have failed and we wouldn't be
here), then mbedtls_ssl_check_curve() would work and just say that the
curve wasn't valid, which is OK.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
The new test hooks allow to check whether there was an unsafe call of an
optionally safe function in the codepath. For the sake of simplicity the
MBEDTLS_MPI_IS_* macros are reused for signalling safe/unsafe codepaths
here too.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The allocated size can be significantly larger than the actual size. In
the unsafe case we can use the actual size and gain some performance.
Signed-off-by: Janos Follath <janos.follath@arm.com>
It is easier to read if the parameter controlling constant timeness with
respect to a parameter is next to that parameter.
Signed-off-by: Janos Follath <janos.follath@arm.com>
In Thumb instructions, constant can be:
- any constant that can be produced by shifting an 8-bit value left by any
number of bits within a 32-bit word
- any constant of the form 0x00XY00XY
- any constant of the form 0xXY00XY00
- any constant of the form 0xXYXYXYXY.
Signed-off-by: Janos Follath <janos.follath@arm.com>
These macros are not part of any public or internal API, ideally they
would be defined in the source files. The reason to put them in
bignum_core.h to avoid duplication as macros for this purpose are
needed in both bignum.c and bignum_core.c.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The complexity of having functions whose security properties depend on a
runtime argument can be dangerous. Limit risk by isolating such code in
small functions with limited scope.
Signed-off-by: Janos Follath <janos.follath@arm.com>
The complexity of having functions whose security properties depend on a
runtime argument can be dangerous. Limit misuse by making any such
functions local.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Reassure both humans and compilers that the places where we assign an
integer to a smaller type are safe.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a practical way to fill the dynamic key store by artificially limiting
the slice length through a test hook.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is enabled, key slots are now organized in
multiple slices. The slices are allocated on demand, which allows the key
store to grow. The size of slices grows exponentially, which allows reaching
a large number of slots with a small (static) number of slices without too
much overhead.
Maintain a linked list of free slots in each slice. This way, allocating a
slot takes O(1) time unless a slice needs to be allocated.
In this commit, slices are only ever freed when deinitializing the key
store. This should be improved in the future to free empty slices.
To avoid growing the persistent key cache without control, the persistent
key cache has a fixed size (reusing MBEDTLS_PSA_KEY_SLOT_COUNT to avoid
creating yet another option).
When MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled. no semantic change and
minimal changes to the code.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Place some fields of psa_key_slot_t in a union, to prepare for a new field
in free slots that should not require extra memory.
For occupied slots, place only the registered_readers field in the union,
not other fields, to minimize textual changes. All fields could move to the
union except state (also needed in free slots) and attr (which must stay
first to reduce the code size, because it is accessed at many call sites).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add some abstractions around code that traverses the key store, in
preparation for adding support for MBEDTLS_PSA_KEY_STORE_DYNAMIC.
No intended behavior change. The generated machine code should be
almost the same with an optimizing compiler (in principle, it could be the
same with sufficient constant folding and inlining, but in practice it will
likely be a few byes larger),
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* public/mbedtls-3.6: (251 commits)
Call in_mbedtls_repo
Move some proj detection code inside pre_check_environment
Match spacing in pointer types in documentation with the code style
Rename one more deprecated identifier
Documentation improvements
Rename internal function psa_key_production_parameters_are_default
key_custom: update analyze_outcomes.py
Test cpp_dummy_build in pedantic mode
Changelog entry for the move from key_ext to key_custom functions
Remove some tests of psa_generate_key_ext
Document the key_ext functions as deprecated
Documentation: point to key_custom instead of key_ext
Update PSA wrappers
Implement psa_generate_key_custom
all.sh/components: Removed components.sh
all.sh/components: Moved build_aes_via_padlock to platform component.
all.sh/components: Moved driver components to configuration crypto.
all.sh/components: Moved more components to configuration crypto.
all.sh/components: Fixed a typo in configuration-tls.
all.sh/components: Moved more components to configuration tls.
...
