Gilles Peskine
e2f62ba9ec
Fix unused variable in builds without storage
2019-05-16 00:31:48 +02:00
Gilles Peskine
c9d910bed6
EC key pair import: check the buffer size
...
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine
6c9514427b
New macro to get the bit size of an elliptic curve
2019-05-16 00:16:46 +02:00
Gilles Peskine
049c7535af
Split long lines after psa_import_key refactoring
2019-05-15 23:16:07 +02:00
Gilles Peskine
73676cbc50
Put handle parameter last: psa_import_key
...
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
806051f17e
Update an obsolete use of psa_import_key in documentation
...
psa_import_key now takes an attribute structure, not a type.
2019-05-15 23:15:49 +02:00
Gilles Peskine
98dd779eb5
Put handle parameter last: psa_generate_derived_key
...
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
dd835cbea6
Add a few tests for persistent attributes
...
psa_set_key_lifetime and psa_set_key_id aren't pure setters: they also
set the other attribute in some conditions. Add dedicated tests for
this behavior.
2019-05-15 19:14:05 +02:00
Gilles Peskine
9de5eb0a2f
Remove psa_make_key_persistent
2019-05-15 19:14:05 +02:00
Gilles Peskine
c87af66325
Replace psa_make_key_persistent by id/lifetime setters in tests
...
Remove all internal uses of psa_make_key_persistent.
2019-05-15 19:14:05 +02:00
Gilles Peskine
dc8219a10d
Replace psa_make_key_persistent by id/lifetime setters
...
Use individual setters for the id and lifetime fields of an attribute
structure, like the other attributes.
This commit updates the specification and adds an implementation of
the new setters.
2019-05-15 19:14:05 +02:00
Gilles Peskine
80b39ae753
Remove obsolete use of key policy structure in API text
2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66
Declare key id 0 as invalid
...
In keeping with other integral types, declare 0 to be an invalid key
identifier.
Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Ron Eldor
51c4507b9c
Remove unneeded whitespaces
...
Delete extra whitespace in Changelog and in paramter alignment.
2019-05-15 17:49:54 +03:00
Ron Eldor
801faf0fa1
Fix mingw CI failures
...
Change `%z` formatting of `size_t` to `%u` and casting to unsigned.
2019-05-15 17:45:24 +03:00
Ron Eldor
6b9b1b88fb
Initialize psa_crypto in ssl test
...
Call `psa_crypto_init()` in `tls_prf` ssl test in case
`MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto.
2019-05-15 17:04:33 +03:00
Ron Eldor
dbbd96652c
Check that SAN is not malformed when parsing
...
Add a call to `mbedtls_x509_parse_subject_alt_name()` during
certificate parsing, to verify the certificate is not malformed.
2019-05-15 15:46:03 +03:00
Ron Eldor
c8b5f3f520
Documentation fixes
...
Rephrase documentation of the SAN to make it clearer.
2019-05-15 15:15:55 +03:00
Ron Eldor
2e06a9fb24
Fix ChangeLog entry
...
Move the ChangeLog entries to correct location, and
mention sppecifically the support for hardware module name othername.
2019-05-15 15:14:46 +03:00
Ron Eldor
d2f25f7ea8
Fix missing tls version test failures
...
Add checks for tls_prf tests with the relevant tls version configuration.
2019-05-15 14:54:22 +03:00
Ron Eldor
0810f0babd
Fix typo
...
Fix typo `returnn` -> `return`
2019-05-15 13:58:13 +03:00
Ron Eldor
aa947f1cef
Fix ChangeLog entry location
...
Move the ChangeLog entries to correct section, as it was in an
already released section, due to rebase error.
2019-05-15 13:58:13 +03:00
Ron Eldor
780d8158f7
Add changeLog entry
...
Add changeLog entry describing the new `mbedtls_ssl_tls_prf()` API.
2019-05-15 13:57:39 +03:00
Ron Eldor
f75e252909
Add test for export keys functionality
...
Add test in `ssl-opts.sh` that the export keys callback
is actually called.
2019-05-15 13:57:39 +03:00
Ron Eldor
cf28009839
Add function to retrieve the tls_prf type
...
Add `tls_prf_get_type()` static function that returns the
`mbedtls_tls_prf_types` according to the used `tls_prf` function.
2019-05-15 13:57:39 +03:00
Ron Eldor
824ad7b351
Add tests for the public tls_prf API
...
Add tests for `mbedtls_ssl_tls_prf` wiht and without
the function types dependencies.
2019-05-15 13:57:39 +03:00
Ron Eldor
51d3ab544f
Add public API for tls_prf
...
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
b7fd64ce2b
Add eap-tls key derivation in the examples.
...
Add support for eap-tls key derivation functionality,
in `ssl_client2` and `ssl_server2` reference applications.
2019-05-15 13:41:42 +03:00
Ron Eldor
c4d3ef4721
Add ChangeLog entry
...
Add ChangeLog entry describing the new key export feature.
2019-05-15 13:38:39 +03:00
Ron Eldor
f5cc10d93b
Add an extra key export function
...
Add an additional function `mbedtls_ssl_export_keys_ext_t()`
for exporting key, that adds additional information such as
the used `tls_prf` and the random bytes.
2019-05-15 13:38:39 +03:00
Ron Eldor
3b350856ff
Have the temporary buffer allocated dynamically
...
Change `tmp` buffer to be dynamically allocated, as it is now
dependent on external label given as input, in `tls_prf_generic()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
a9f9a73920
Zeroize secret data in the exit point
...
Zeroize the secret data in `mbedtls_ssl_derive_keys()`
in the single exit point.
2019-05-15 13:38:39 +03:00
Ron Eldor
e699270908
Add a single exit point in key derivation function
...
Add a single exit point in `mbedtls_ssl_derive_keys()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
8b0c3c91e6
Fail in case critical crt policy not supported
...
In case the certificate policy is not of type `AnyPolicy`
set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`
and continue parsing. If the extension is critical, return error anyway,
unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured.
Fail parsing on any other error.
2019-05-15 12:20:00 +03:00
Ron Eldor
cc45cd177f
Update SAN parsing documentation
...
1) Fix typo in `mbedtls_x509_parse_subject_alt_name()` documentation.
2) Add a not in `mbedtls_x509_parse_subject_alt_name()` documentation,
stating that the lifetime of the target structure is restricted
by the lifetime ofthe parsed certificate.
2019-05-15 10:20:09 +03:00
Gilles Peskine
d6a8f5f1b5
Improve description of PSA_KEY_USAGE_COPY
...
Be more clear about when EXPORT is also required.
2019-05-14 16:25:50 +02:00
Gilles Peskine
ac99e32b79
Documentation improvements
2019-05-14 16:11:07 +02:00
Gilles Peskine
003a4a97d3
Use PSA_AEAD_{ENCRYPT,DECRYPT}_OUTPUT_SIZE in tests
2019-05-14 16:11:07 +02:00
Gilles Peskine
36d477de44
Fix copypasta in PSA_AEAD_DECRYPT_OUTPUT_SIZE
2019-05-14 16:11:07 +02:00
Gilles Peskine
248010caa0
Fix calculation in PSA_AEAD_UPDATE_OUTPUT_SIZE
2019-05-14 16:11:07 +02:00
Gilles Peskine
c160d9ec83
psa_copy_key: enforce PSA_KEY_USAGE_COPY
...
Implement the check and add a negative test.
2019-05-14 14:32:03 +02:00
Gilles Peskine
f9f4a4849c
Update psa_copy_key tests to use PSA_KEY_USAGE_COPY
...
Pass the new flag to the existing tests and add a few more test cases
to explore more variations of flag sets.
2019-05-14 14:24:49 +02:00
Gilles Peskine
8e0206aa26
New usage flag PSA_KEY_USAGE_COPY
...
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Gilles Peskine
4318dfc8ec
psa_export_key, psa_export_public_key: document the EXPORT flag
2019-05-14 14:23:32 +02:00
Jaeden Amero
81f9539037
Merge pull request #105 from ARMmbed/test-link-seedfile-02
...
Add a link to the seedfile for out-of-tree cmake builds
2019-05-14 08:42:46 +01:00
Ron Eldor
f05f594acb
change the type of hardware_module_name member
...
Change the type of `hardware_module_name` struct from
`mbedtls_x509_name` to a unique struct, to distinguish it from the
named data type.
2019-05-13 19:23:08 +03:00
Ron Eldor
890819a597
Change mbedtls_x509_subject_alternative_name
...
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
2019-05-13 19:23:07 +03:00
Ron Eldor
0806379e3e
Add length checking in certificate policy parsing
...
Change the extension parsing to `policy_end` and verify that
the policy and qualifiers length don't exceed the end of the extension.
2019-05-13 16:38:39 +03:00
Ron Eldor
78c3040347
Rephrase x509_crt extension member description
...
Rephrase doxygen comments for subject alternative name
and certificate policies.
2019-05-13 15:49:53 +03:00
Ron Eldor
26cfd1361d
Rephrase changeLog entries
...
Rephrase the changeLog entries for clarity and capitalize RFC.
2019-05-13 15:48:38 +03:00