If there is a PSK involved in the key exchange
and thus no certificate we do not go through the
MBEDTLS_SSL_CERTIFICATE_REQUEST state thus there
is no reason to check that in the coordination
function of that state.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ECDHE operations have to be done in
ephemeral and PSK-ephemeral key exchange
mode, not just ephemeral key exhange mode.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
lstat is not available on some platforms (e.g. Ubuntu 16.04). In this
particular case stat is sufficient.
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
On non-windows environments, when loading certificates from a given
path through mbedtls_x509_crt_parse_path() function, if a symbolic
link is found and is broken (meaning the target file don't exists),
the function is returning MBEDTLS_ERR_X509_FILE_IO_ERROR which is
not honoring the default behavior of just skip the bad certificate file
and increase the counter of wrong files.
The problem have been raised many times in our open source project
called Fluent Bit which depends on MbedTLS:
https://github.com/fluent/fluent-bit/issues/843#issuecomment-486388209
The expected behavior is that if a simple certificate cannot be processed,
it should just be skipped.
This patch implements a workaround with lstat(2) and stat(2) to determinate
first if the entry found in the directory is a symbolic link or not, if is
a simbolic link, do a proper stat(2) for the target file, otherwise process
normally. Upon find a broken symbolic link it will increase the counter of
not processed certificates.
Signed-off-by: Eduardo Silva <eduardo@treaure-data.com>
Again, the guards are slightly different, let's see in the CI if this
causes any trouble.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
There is a small difference: the global function only works for hashes
that are included in the build, while the old one worked for all hashes
regardless of whether they were enabled or not.
We'll see in the CI is this causes any issues.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This is mostly:
sed -i 's/mbedtls_psa_translate_md/mbedtls_hash_info_psa_from_md/' \
library/*.c tests/suites/*.function
This should be good for code size as the old inline function was used
from 10 translation units inside the library, so we have 10 copies at
least.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Using static inline functions is bad for code size; the function from
md_internal.h was already used from 3 different C files, so already was
copied at least 3 times in the library, and this would only get worse
over time.
Use actual functions, and also share the actual data between them.
Provide a consistent set of operations. Conversion to/from
human-readable string was omitted for now but could be added later if
needed.
In the future, this can be used to replace other similar (inline)
functions that are currently scattered, including (but perhaps not
limited to):
- mbedtls_psa_translate_md() from psa_util.h
- mbedtls_md_info_from_psa() (indirectly) from psa_crypto_hash.h
- get_md_alg_from_psa() from psa_crypto_rsa.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Fixes#1910
With ebx added to the MULADDC_STOP clobber list to fix#1550, the inline
assembly fails to build with GCC < 5 in PIC mode with the following error:
include/mbedtls/bn_mul.h:46:13: error: PIC register clobbered by ‘ebx’ in ‘asm’
This is because older GCC versions treated the x86 ebx register (which is
used for the GOT) as a fixed reserved register when building as PIC.
This is fixed by an improved register allocator in GCC 5+. From the release
notes:
Register allocation improvements: Reuse of the PIC hard register, instead of
using a fixed register, was implemented on x86/x86-64 targets. This
improves generated PIC code performance as more hard registers can be used.
https://www.gnu.org/software/gcc/gcc-5/changes.html
As a workaround, detect this situation and disable the inline assembly,
similar to the MULADDC_CANNOT_USE_R7 logic.
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
It was only used in test_suite_pk which was fixed to no longer compute
hashes in a temporary buffer.
Also, it's not entirely clear is this macro was really a good idea:
perhaps it's better for each user to have an explicit #if
defined(MBEDTSL_USE_PSA_CRYPTO) and use either MBEDTLS_MD_MAX_SIZE or
PSA_HASH_MAX_SIZE in each branch of that #if.
So, removing it for the time being.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Currently just replacing existing uses, but the real point of having
these conditions as a single macro is that we'll be able to use them in
tests case dependencies, see next commit.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
While at it, also fix buffer size for functions that already depend on
USE_PSA: it should be PSA_HASH_MAX_SIZE for functions that always use
PSA, and the new macro MBEDTLS_USE_PSA_MD_MAX_SIZE for functions that
use it or not depending on USE_PSA.
The only case where MBEDTLS_MD_MAX_SIZE is OK is when the function
always uses MD - currently this is the case with
pk_sign_verify_restart() as it is incompatible with USE_PSA anyway.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
For now in an internal header as it's the safest option and that way we
can change whenever we want.
Later on if we think the macros can be useful to applications as well then we
can move them to a public location.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
