Do not use the return values of
mbedtls_ssl_get_early_data_status()
(MBEDTLS_SSL_EARLY_DATA_STATUS_ macros)
for the state of the negotiation and
transfer of early data during the
handshake.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Fix errors in merge conflict resolution - change
psa_generate_random_internal() to return directly rather than jumping to
an exit label and restore the variable psa_status_t status.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Reads and writes of rng_state in psa_crypto_init() and psa_crypto_free()
were already covered by mutex.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Unfortunately this requires holding the mutex for the entire
psa_crypto_init() function, as calling psa_crypto_free() from another
thread should block until init has ended, then run.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Fix mbedtls_pk_copy_from_psa() and mbedtls_pk_copy_public_from_psa() to
still work when the algorithm in the key policy is not an RSA
algorithm (typically PSA_ALG_NONE). Add a dedicated test case and adjust the
test code. Fixes the test case "Copy from PSA: non-exportable -> public, RSA"
when MBEDTLS_PKCS1_V15 is disabled.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Document and implement mbedtls_pk_copy_public_from_psa() to export the
public key of a PSA key into PK.
Unit-test it alongside mbedtls_pk_copy_from_psa().
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If the output buffer is NULL, it either:
* Does not need wiping because it is zero-length.
* Has failed allocation of a copy.
* Has not yet been written to as a copy hasn't been allocated.
In any of these circumstances, we should not try to write the buffer,
so perform a NULL check before wiping it.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Add buffer protection to:
* psa_sign_hash_start(), which takes an input buffer for the hash.
* psa_sign_hash_complete(), which takes an output buffer for the
calculated signature.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This helps fixing a disparity between the legacy and the USE_PSA
case for rsa_sign_wrap() in pk_wrap.c.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This bugfix was due in PR #8826, but we didn't catch that.
This commit also add proper testing in test_suite_pk that was not implemented
in #8826.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is possible because after #8740 RSA_C no longer depends on
PK to parse and write private/public keys.
This commit also solves related issues that arose after this change
in "pk.c" and "test_suite_pk". In particular now we can use
rsa's module functions for parsing and writing keys without need
to rely on pk_parse and pk_write functions.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Use of volatile is more an internal implementation detail (ensuring
const-time) than part of the contract (the caller doesn't care about
volatile as such).
Signed-off-by: Janos Follath <janos.follath@arm.com>
We need the pointer, A, to be volatile, to ensure the reads happen. bits
does not need to be volatile.
Signed-off-by: Janos Follath <janos.follath@arm.com>
- These functions are used both in pkparse.c for key parsing
as well as pk.c for managing copy_from_psa(). As as consequence
they should belong to pk.c, but that would make that module
messier, so that's why a new separate module is added.
- Their guard can be changed from PKPARSE_C to PK_C.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Threads lose the mutex between locking the slot and changing the slot's state.
Make it so that threads check if another thread has completed a destruction during this period.
Also fix the issue with the incorrect status variable being used.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
The conversion back to signed short is an issue: the uint cast results
in (-1 + UINT_MAX), which is OK. But then that can't be cast back to a
signed value: "if the new type is signed and the value cannot be
represented in it; either the result is implementation-defined or an
implementation-defined signal is raised."
Signed-off-by: Janos Follath <janos.follath@arm.com>
This is the lifetime of the key used to decrypt
the ticket that should be used when parsing a
ticket, not the ticket module lifetime that
may have been changed since the key was
created.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
