1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-30 22:43:08 +03:00
Commit Graph

31771 Commits

Author SHA1 Message Date
0b2bd071f8 Add overflow check for maximum key slot length
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-08-21 21:49:17 +02:00
68a4b7453f Tweak macro check to allow 3 extra key slices
We are technically allowed to use all possible values of key slice index
that will fit into the bit width we have allocated, so allow all values.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-08-21 21:49:16 +02:00
fdcc47c426 Fix incorrect comments on slice numbering
The persistent key cache slice is the last slice (not the first as
previously stated). Update the numbering-related comments accordingly.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-08-21 21:49:14 +02:00
f72a510590 Edit ChangeLog entry
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-21 11:12:34 +01:00
8b0908aaa7 Merge pull request #1270 from sezrab/memory_allocation_cleanup_psa_crypto_rsa-development
Fix: Memory allocation cleanup in internal crypto api functions
2024-08-19 15:50:37 +01:00
16f0e18e41 Update ChangeLog
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-19 12:12:34 +01:00
ddc080073c Merge pull request #9462 from waleed-elmelegy-arm/add-psa_key_agreement
Add psa_key_agreement() API
2024-08-19 08:05:15 +00:00
f48bfb00bd Add test cases for extKeyUsage
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-16 17:24:44 +01:00
6a04b168b2 Rationalize extKeyUsage tests
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-16 17:24:34 +01:00
aeda1fd0a8 Use P_CLI when O_CLI's status is not reliable
Generally speaking, in this group of test we use O_SRV when testing our
client's behaviour, and O_CLI when testing our server's behaviour. I
don't think that's essential, but why not.

Well, for these two tests there's a reason why not: O_CLI often exits 0,
seemingly not minding that the server aborted the handshake with a fatal
alert, but sometimes it exits 1. (I've observed 0 on my machine, on two
runs of OpenCI and Internal CI, and 1 in some test in one run of
Internal CI.)

So, use our client instead, which exits non-zero consistently.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:24:26 +01:00
19d6d3421c Rationalize keyUsage testing, round 2
- cli-auth 1.2 was missing a test with an irrelevant bit set in addition
to the relevant bit (which was added for 1.3 previously)
- use consistent naming for fail (hard/soft)

Note: currently there are no "fail (soft)" cases for 1.3 authentication
of server by client, as server auth is mandatory in 1.3 (this will
change in 3.6.1).

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:24:16 +01:00
92a391e0fe Always print detailed cert errors in test programs
Previously the client was only printing them on handshake success, and
the server was printing them on success and some but not all failures.

This makes ssl-opt.sh more consistent as we can always check for the
presence of the expected message in the output, regardless of whether
the failure is hard or soft.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:24:05 +01:00
4956e32538 Fix 1.3 failure to update flags for (ext)KeyUsage
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:23:47 +01:00
5a4c8f0ba0 Rationalize ssl-opt tests for keyUsage
- consistent naming with explicit version
- in each section, have a positive case with just the needed bit set,
and one with an irrelevant bit set in addition (cli 1.3 only had the
former, and cli-auth 1.3 only the later)
- when auth_mode optional is supported failing cases should come in
pairs: soft+hard, this wasn't the case for cli-auth 1.3. (Note: cli 1.3
currently does not support auth_mode optional.)
- failing cases should check that the correct flag is printed and the
expected alert is sent.

The last (two) points have uncovered a bug in 1.3 code:
- In fail (hard) cases the correct alert isn't send, but a more generic
one instead.
- In fail (soft) cases the issue with the certificate is not reported,
actually the certificate is reported as valid.

Both share the same root cause: the flags are not updated properly when
checking the keyUsage extension. This will be addressed in future
commits.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:23:40 +01:00
8e70c2bcd9 Test cert alert KEY_USAGE -> UNSUPPORTED_CERT
In terms of line coverage, this was covered, except we never checked the
behaviour was as intended.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:23:31 +01:00
2547cd3535 Free allocated memory where methods were returning
without freeing

Signed-off-by: Sam Berry <sam.berry@arm.com>
2024-08-16 16:38:34 +01:00
e25cb1bcda Fix formatting issue in psa_key_agreement() documentation
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:37:46 +01:00
d1562407c3 Fix possible issues in testing and implementation of psa_key_agreement()
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:37:46 +01:00
8faeee24ae Improve documentation of psa_key_agreement()
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:37:46 +01:00
cb0ed88df1 Add change log entry for adding psa_key_agreement() API
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:37:46 +01:00
bdf2c98a27 Add psa_key_agreement() API
Add psa_key_agreement() API and basic testing.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-08-16 14:36:47 +01:00
659f9e78fd Merge pull request #9441 from paul-elliott-arm/add_docs_iop_key_generation
Add documentation for interruptible ECC key generation
2024-08-16 08:34:24 +00:00
9e088847ae Clarify IOP key generation restriction
Public keys can't be generated.

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-15 13:51:05 +01:00
9f48917b88 Improve IOP documentation
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-15 13:51:05 +01:00
7311600fd5 Constrain interruptible key generation to key-pairs
Erroring on a symmetric-key type would actually be an extra line of
code.

In theory we could try to save that one line of code, but it is
premature optimisation at this point. Also, this is a predominantly
asymmetric crypto feature, it is less confusing/more user friendly if we
don't allow symmetric keys here.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-15 13:51:05 +01:00
211ebb51da Don't return success on a stub
We shouldn't return PSA_SUCCESS from a function that isn't implemented.
PSA_ERROR_NOT_SUPPORTED seems like the most appropriate return status
for a function that isn't implemented.

Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-15 13:51:05 +01:00
2dc5fa3a19 Add generated files for new iop key generation funcs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-08-15 13:51:05 +01:00
0c1aa4af38 Add psa_generate_key_iop_abort() documentation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-08-15 13:51:04 +01:00
08afb00a9b Add psa_generate_key_iop_complete() documentation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-08-15 13:51:04 +01:00
6044f3e444 Add psa_generate_key_iop_setup() documentation
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-08-15 13:51:04 +01:00
f712452a0e Add psa_generate_key_iop_get_num_ops() docs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-08-15 13:51:04 +01:00
9e143a73ea Add psa_generate_key_iop_t structs and docs
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
2024-08-15 13:50:52 +01:00
2bb83bd885 Merge pull request #9480 from gilles-peskine-arm/psa-keystore-static-release-update-development
Key store spec: update release target for the static key store
2024-08-15 11:09:54 +01:00
4ed0fded12 Fix Mbed-TLS build when WIN32_LEAN_AND_MEAN macro is defined globally
Signed-off-by: Sergey Markelov <sergey@solidstatenetworks.com>
2024-08-14 15:15:14 -07:00
59602d3929 The fully static key store will miss the 3.6.1 release
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-14 11:41:34 +02:00
3c1d287f8d Mention the option name for the dynamic key store
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-14 11:41:33 +02:00
8067879c1f Merge pull request #9313 from sezrab/psa_util_in_builds_without_psa-development
psa_util.c included in builds without PSA, which can break the build
2024-08-14 07:16:21 +00:00
a7b0e55efc Merge pull request #9474 from gilles-peskine-arm/framework-update-20240813-development
Update framework to the head of the main branch
2024-08-14 07:11:29 +00:00
d11025027b Merge pull request #9362 from eleuzi01/replace-key-camellia
Replace MBEDTLS_SSL_HAVE_CAMELLIA with PSA_WANT_KEY_TYPE_CAMELLIA
2024-08-13 13:55:34 +00:00
26769f190b Changelog entry
Signed-off-by: Sam Berry <sam.berry@arm.com>
2024-08-13 14:40:22 +01:00
1176e6f90e Merge pull request #9410 from paul-elliott-arm/add_docs_iop_key_agreement
Add IOP Key agreement Documentation
2024-08-13 13:25:22 +00:00
2ae2f451a9 Update framework to the head of the main branch
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-13 11:45:07 +02:00
da41b60cef Replace MBEDTLS_SSL_HAVE_CAMELLIA with PSA_WANT_KEY_TYPE_CAMELLIA
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-13 09:58:00 +01:00
b8457fff9f Merge pull request #9353 from eleuzi01/replace-ecp-have-secp384r1
Replace MBEDTLS_ECP_HAVE_SECP384R1 with PSA_WANT_ECC_SECP_R1_384
2024-08-12 14:37:10 +00:00
0858fdca38 Merge pull request #9189 from misch7/fix-v3.6-issues-9186-and-9188
Fix build of v3.6 (issues #9186 and #9188)
2024-08-12 09:34:17 +00:00
1782cc8b95 Merge pull request #1264 from Mbed-TLS/pre3.6.1_test_merge_upstream_dev
Merge development into -restricted
2024-08-12 11:24:35 +02:00
b77c419add Update the submodule to the head of PR in the framework repository
See Mbed-TLS/mbedtls-framework#23

Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 20:39:28 +02:00
88f3dd9f78 Merge pull request #9402 from tom-daubney-arm/remove_function_level_alt_interface
Remove function level alt interface
2024-08-09 17:59:51 +00:00
a52952dcb1 Update the submodule to the head of PR in the framework repository
See Mbed-TLS/mbedtls-framework#23

Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 14:58:54 +01:00
d339aefd91 Clarify some internal documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-09 15:41:11 +02:00