Replace MBEDTLS_PSA_COPY_CALLER_BUFFERS with inverse:
!MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. This ensures that buffer
protection is enabled by default without any change to the Mbed TLS
config file.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz
from ssl.h(public) to ssl_misc.h(private) even if
that means we cannot use the enum type for
early_data_state in ssl.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Do not use the return values of
mbedtls_ssl_get_early_data_status()
(MBEDTLS_SSL_EARLY_DATA_STATUS_ macros)
for the state of the negotiation and
transfer of early data during the
handshake.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Document and implement mbedtls_pk_copy_public_from_psa() to export the
public key of a PSA key into PK.
Unit-test it alongside mbedtls_pk_copy_from_psa().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Since the merge of #8574 it is not the case
anymore that the lifetime of keys is twice
the lifetime of tickets.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit also:
- updates changelog
- add a stub function to be used in component_test_psa_crypto_client()
test
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Having a non-const `key` parameter was anotherf defect of
mbedtls_ecp_write_key(). Take this opportunity to fix it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Same as mbedtls_ecp_write_key(), but doesn't require the caller to figure out
the length of the output and possibly distinguish between Weierstrass and
Montgomery curves.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The `flags` field in `psa_key_attributes_t` was a general mechanism that
only ever got used for a single flag: to indicate that the `slot_number`
field has been set. We have switched to a dedicated indicator for that, so
we can now remove `flags`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `psa_key_attributes_t`, keep track of whether `slot_number` has been set
through a dedicated field, rather than using a flag.
This paves the way to removing `flags`, which is not used for anything else.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The `psa_core_key_attributes_t` structure is no longer used. Remove it.
Switch `psa_key_attributes_t` back to a simple struct, now containing
the fields that were formerly inside its `psa_core_key_attributes_t core`
member. This repairs the build with non-C11 compilers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Access the fields of `psa_key_attributes_t` directly rather than through the
`core` field. This makes the `core` field obsolete.
This commit is fully automated:
```
git ls-files '*.h' '*.c' '*.function' '*.jinja' | xargs perl -l -i -pe '$core = qr/\b(core\b|MBEDTLS_PRIVATE\(core\))/; s/->$core\./->/g; s/&(\w+)\.$core\./&$1./g; s/(\w+)\.$core/$1/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Switch `psa_key_slot_t` to the full `psa_key_attributes_t`, now that this
structure only has psa_core_key_attributes_t`.
To minimize the diff without breaking the build much, temporarily make
`psa_key_attributes_t` contain either the `core` field or all the fields.
This allows both things like `slot->attr.core.type` and `slot->attr.type`
to exist. The build breaks with compilers that don't support anonymous
unions and structs, which are only standard C since C11.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Move the `slot_number` field of `psa_key_attributes_t` to
`psa_core_key_attributes_t`. This makes ``psa_core_key_attributes_t` core`
the sole field of `psa_key_attributes_t`. This paves the way to unifying
the two structures.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Re-restore mbedtls_x509_string_to_names() to public as our example
programs use it, and it is the reverse of mbedtls_x509_dn_gets().
Add a docstring, so that it is a properly documented public function.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
It means that mbedtls_psa_get_random() goes through the PSA interface
all the times. Fallbacks to CTR_DRBG or HMAC_DRBG are still possible,
but that depends on how the crypto provider is built.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This function should be internal, being exposed only via functions like
mbedtls_x509write_crt_set_subject_name().
Signed-off-by: David Horstmann <david.horstmann@arm.com>
"Key generation method" was misleading since it also applies to key
derivation. Change "key generation" to "key production", which we aren't
using yet and has roughly the right intuition. Change "method" to
"parameters" which there seems to be a slight preference for. Discussion
thread: https://github.com/Mbed-TLS/mbedtls/pull/8815#discussion_r1486524295
Identifiers renamed:
psa_key_generation_method_t → psa_key_production_parameters_t
psa_key_generation_method_s → psa_key_production_parameters_s
PSA_KEY_GENERATION_METHOD_INIT → PSA_KEY_PRODUCTION_PARAMETERS_INIT
method → params
method_data_length → params_data_length
default_method → default_production_parameters
psa_key_generation_method_is_default → psa_key_production_parameters_are_default
setup_key_generation_method → setup_key_production_parameters
key_generation_method_init → key_production_parameters_init
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Assigning the return value of a function that returns a struct with a
flexible array member does not fill the flexible array member, which leaves
a gap in the initialization that could be surprising to programmers. Also,
this is a borderline case in ABI design which could cause interoperability
problems. So remove this function.
This gets rid of an annoying note from GCC about ABI compatibility on
(at least) x86_64.
```
In file included from include/psa/crypto.h:4820,
from <stdin>:1:
include/psa/crypto_struct.h: In function ‘psa_key_generation_method_init’:
include/psa/crypto_struct.h:244:1: note: the ABI of passing struct with a flexible array member has changed in GCC 4.4
244 | {
| ^
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Document and test the current behavior, even if it is weird:
* For Weierstrass keys, the error is MBEDTLS_ERR_MPI_BUFFER_TOO_SMALL,
not MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL.
* For Weierstrass keys, a smaller output buffer is ok if the output fits.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When exporting a key, MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE should not happen.
This error indicates that the curve is not supported, but that would prevent
the creation of the key.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that we have padding verification after decryption and since
this can be used to validate the password as well there is no
need to parse ASN1 content any more, so we can simplify/remove
that dependency.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Remove exception warnings about PKCS1v1.5, since now both padding
formats are treated properly no matter if USE_PSA_CRYPTO is
defined or not.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Instead of passing the size of the whole structure, just pass the data
length and let the implementation worry about adding the size of the
structure. The intent with passing the structure size was to allow
the client code in a client-server implementation to know nothing
about the structure and just copy the bytes to the server. But that was not
really a useful consideration since the application has to know the
structure layout, so it has to be available in the client implementation's
headers. Passing the method data length makes life simpler for everyone by
not having to worry about possible padding at the end of the structure, and
removes a potential error condition
(method_length < sizeof(psa_key_generation_method_t)).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The default window size as default is set to the value that believed to
give the best performance. Since the algorithm changed, the fastest
window size has changed as well.
Signed-off-by: Janos Follath <janos.follath@arm.com>
Document proposed additions to the PSA API: psa_generate_key_ext(),
psa_key_derivation_output_key_ext(). For psa_generate_key_ext(), document
the one use case we intend to implement immediately, which is generating an
RSA key with a custom public exponent.
Subsequent commits will implement the documented functionality.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
MBEDTLS_PK_WRITE_C requires MBEDTLS_ASN1_WRITE_C, but there is no
corresponding check in check_config.h. In addition, corresponding
documentation for `Requires` is updated in mbedtls_config.h.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
- check_config.h: combine separate check for MBEDTLS_PK_PARSE_C
- mbedtls_config.h: update documentation for `Requires`
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
In pk.h, MBEDTLS_PK_HAVE_ECC_KEYS is enabled if ECP_C is defined or
USE_PSA_CRYPTO && PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY are defined.
But this logic is duplicate with its definition in
config_adjust_legacy_crypto.h.
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
When PK_HAVE_ECC_KEYS is set with PK_[PARSE/WRITE]_C, it needs OID_C
to be enabled. This commit adds proper checks in check_config.h
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
ctx->buflen now returns the amount of valid data in ctx->buf.
Unencrypted buffers were already ok, but encrypted ones were
used to return the length of the encrypted buffer, not the
unencrypted one.
This commit fix this behavior for encrypted buffers.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
ECJPAKE_C only needs MD_LIGHT and it allready auto-enables it in
config_adjust_legacy_crypto.h, so nothing to check here.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
We're already making sure of that in
include/mbedtls/config_adjust_psa_superset_legacy.h - no need to
double-check here.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
After this change, check_config.h does not have any #defined except:
- the standard header double-inclusion guard
- short-lived helpers that are #undef-ed in the same paragraph
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Those were only used for KEY_EXCHANGE_ECJPAKE, but had a much larger
scope than needed. We actually don't need those macros if we distinguish
between cases when expressing dependencies for this key exchange.
The remaining helper macros are all short lived.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
It always uses MD now. (The "fall back" to PSA Crypto was only in the
1st iteration of driver-only hash support, before we changed the
architecture to make everything go through MD.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
None of the TLS code is calling low-level hash functions directly. So
the correct dependencies here are MD_CAN.
(I checked and this was the only occurrence.)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Simplify: let's take advantage of the MD_CAN macros instead of doing it
again ourselves.
Fix: SHA-3 was forgotten.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Similarly to check_config.h, also build_info.h should consider
MBEDTLS_PSA_CRYPTO_CLIENT as the define which signals that PSA
Crypto APIs feature are being required in the build (possibly
due to the client/service architecture). It is automatically
enabled if CRYPTO_C is enabled, but only at config_adjust_legacy_crypto.h
which happens after the inclusion of the config_psa.h is needed
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
When check_config needs to evaluate the availability of a feature
through a PSA API, it should look for MBEDTLS_PSA_CRYPTO_CLIENT
instead of MBEDTLS_PSA_CRYPTO_C, to be able to cover the case
where the API is provided through a client/service interface.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
The main purpose of the change is to
know from the status, at any point in
the handshake, if early data can be
sent or not and why.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The only real contraint on the raw buffer is that it is large
enough to contain 2 coordinates. Larger buffers are therefore
allowed and the extra data will simply be ignored.
Note = trying to impose a strict sizing on the raw buffer causes
several failures in test suites. This suggests that it is
quite common to use larger buffer to store raw signatures.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Allow the function to support DER buffers than what it is nominally
required by the provided coordinates. In other words let's ignore
padding zeros in the raw number.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Add discard_early_data_record in SSL context for
the record layer to know if it has to discard
some potential early data record and how.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Add a client view layout (and update related initializers)
for PSA sign/verify hash interruptible operation struct and
PAKE operation struct
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
Make sure the layout of psa_key_attributes_s is commented
enough so that it does not accidentally get reorganized
by mistake in the future.
Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
The test code to construct test keys and the implementation had matching
errors: both assumed that there was a PSA public key object. Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the MBEDTLS_PK_OPAQUE, have mbedtls_pk_get_psa_attributes() require the
specified usage to be enabled for the specified key. Otherwise the following
call to mbedtls_pk_import_into_psa() is unlikely to result in a key with a
useful policy, so the call to mbedtls_pk_get_psa_attributes() was probably
an error.
Adjust the existing test cases accordingly and add a few negative test
cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Due to the scope reduction for
mbedtls_ssl_read_early_data(), on
server as early data state variable
we now only need a flag in the
handshake context indicating if
the server has accepted early data
or not.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This reverts commit 0883b8b625.
Due to the scope reduction of mbedtls_ssl_read_early_data()
it is not necessary anymore to refine the usage
of early_data_status/state rather the opposite.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Do not progress the handshake in the API, just
read early data if some has been detected by
a previous call to mbedtls_ssl_handshake(),
mbedtls_ssl_handshake_step(),
mbedtls_ssl_read() or mbedtls_ssl_write().
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Introduce early_data_state SSL context field to
distinguish better this internal state from
the status values defined for the
mbedtls_ssl_get_early_data_status() API.
Distinguish also between the client and
server states. Note that the client state
are going to be documented and reworked
as part of the implementation of
mbedtls_ssl_write_early_data().
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
MBEDTLS_SSL_EARLY_DATA implies
MBEDTLS_SSL_PROTO_TLS1_3 thus
MBEDTLS_SSL_PROTO_TLS1_3 && MBEDTLS_SSL_EARLY_DATA
is equivalent to MBEDTLS_SSL_EARLY_DATA.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This function, and mbedtls_psa_crypto_free, are not thread safe as they wipe slots
regardless of state. They are not part of the PSA Crypto API, untrusted applications
cannot call these functions in a crypto service.
In a service intergration, mbedtls_psa_crypto_free on the client cuts the communication
with the crypto service.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
