Enforce CertificateRequest, client and server Certificates, and
CertificateVerify messages, which are mandatory in DTLS-SRTP,
as defined in RFC 5764 section 4.1
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Make the key material length in mbedtls_ssl_get_dtls_srtp_key_material
to be in\out, like it is done all over the library
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
1. Add check for prerequisites in check_config.h
2. Add mki value to use_srtp extension
3. address some review comments
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
Now that transparent drivers have an "import_key" entry point, the key
creation interfaces for transparent drivers and opaque drivers are
very similar. Unify the sections that describe their behavior,
including key validation and key size determination.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the PSA crypto library, the code for verification of ECDSA is the same for
both MBEDTLS_PSA_BUILTIN_ALG_ECDSA and
MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA. So, the guards should allow for
either one to enable the code blocks. The original implementation only had
the check for ECDSA. In order to make this work, config_psa.h was updated
to ensure when MBEDTLS_CRYPTO_CONFIG is disabled, the setting for DETERMINISTIC
is only updated if MBEDTLS_ECDSA_C is also enabled.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
When importing a transparent key, the key needs to be not only
validated, but also possibly converted, if it is not already in the
canonical representation. So change the validate_key entry point to an
import_key entry point.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Removed comment referencing test driver header path and the inclusion of
the test driver directory from the build since it is not required
for that test.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Ensure that MBEDTLS_ECDSA_C is set when PSA_WANT_ALG_DETERMINISTIC_ECDSA
is requested. Also added MBEDTLS_ECDSA_C to the requirements comment in
config.h for MBEDTLS_ECDSA_DETERMINISTIC.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Now that there's a validate_key entry point for drivers, it becomes
much more important to separate the import action (where a key needs
to be validated) from the load action (where a key has been
previously validated, and thus re-validating it would be a waste of
time).
This also exposes why not storing the 'bits' attribute persistently
was a bad idea. The only reason there's a rather large function to
detect bit size is because loading from persistent storage requires
it.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
There's no need for calling export-and-import when the key is
guaranteed to have been stored in export representation.
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
This is fix for the MBEDTLS_AES_SETKEY_DEC_ALT macro switch is including the aes xts methods
and building with a custom mbedtls_aes_setkey_dec function will disable the aes xts methods.
The fix is separating the aes xts methods and the MBEDTLS_AES_SETKEY_DEC_ALT can only
switch the presence of the mbedtls_aes_setkey_dec function.
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
Changed the test name from test_ to build_ to better reflect
what the test is currently performing.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Added a new test to all.sh to confirm that using MBEDTLS_PSA_CRYPTO_CONFIG
with no test driver and the library is configured with normal configurations
that the test works.
Minor updates to other PSA crypto tests to cleanup msg output for consistency.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
When the PSA crypto features need to be setup based on the
PSA_WANT_xxx macros, the dependent features also need to be
enabled. This change corrects that for the MBEDTLS_ECDSA_DETERMINISTIC.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
Updated the test_psa_want_ecdsa_disabled_software to enable and disable
the correct macros to accomplish the desired test. The previous version
left out the disabling of additional macros to ensure items related
to MBEDTLS_ECDSA_C were also unset. The test was also missing the setting
of the accelerators MBEDTLS_PSA_ACCEL_ALG_ECDSA and DETERMINISTIC_ECDSA.
With the accelerators enabled the test portion had to be temporarily
disabled until the accelerator code is completed so the test will work
properly.
Updated the signature driver source to fix a compiler warning when
MBEDTLS_ECDSA_C is unset.
Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
* As described in issue #3801 the upcoming cmake 3.19
will not support cmake 2.6 any more
* This PR updates the mimimum required cmake version
to 2.8.12, which will not give a warning with cmake 3.19
but still compatible with MbedTLS support of RHEL/CentOS 7 LTS
* Adding ChangeLog.d/bugfix_PR3802.txt
Signed-off-by: Peter Toft <peter.toft@dirac.com>
Add context-info.sh to the test scripts linked into the cmake build
directory, so that these tests are available as well.
Signed-off-by: David Brown <david.brown@linaro.org>
Add a non-regression test for ssl_context_info to ensure the base64
decoder doesn't stop processing when it encounters a 0xFF character.
Signed-off-by: David Brown <david.brown@linaro.org>
In `read_next_b64_code()`, the result of fgetc() is stored into a char,
but later compared against EOF, which is generally -1. On platforms
where char is unsigned, this generates a compiler warning/error that the
comparison will never be true (causing a build failure). The value will
never match, with the function ultimately bailing with a "Too many bad
symbols are detected" error.
On platforms with signed char, EOF is detected, but a file containing a
0xFF character will causes a premature end of file exit of the loop.
Fix this by changing the result to an int.
Fixes#3794.
Signed-off-by: Nayna Jain <nayna@linux.ibm.com>
Signed-off-by: David Brown <david.brown@linaro.org>
Mbed TLS requires users of DTLS to configure timer callbacks
needed to implement the wait-and-retransmit logic of DTLS.
Previously, the presence of these timer callbacks was checked
at every invocation of `mbedtls_ssl_fetch_input()`, so lowest
layer of the messaging stack interfacing with the underlying
transport.
This commit removes this recurring check and instead checks the
presence of timers once at the beginning of the handshake.
The main rationale for this change is that it is a step towards
separating the various layers of the messaging stack more cleanly:
datagram layer, record layer, message layer, retransmission layer.
Signed-off-by: Hanno Becker <hanno.becker@arm.com>