Jaeden Amero
99e8d26a75
Merge pull request #104 from gilles-peskine-arm/psa-global_key_id
...
Make key ids global and define their range
2019-05-16 17:11:59 +01:00
Ron Eldor
11818f2c17
Add some negative test cases
...
Add some invalid certificate tests for certifiate policies extension.
2019-05-16 18:17:02 +03:00
Gilles Peskine
f1b7694768
Minor documentation improvements
2019-05-16 16:10:59 +02:00
Gilles Peskine
280948a32b
Fix copypasta in the documentation of PSA_KEY_ID_xxx_{MIN,MAX}
2019-05-16 15:27:14 +02:00
Ron Eldor
a291391775
Fix minor issues
...
1. Typo fix.
2. Change byte by byte coipy to `memcpy`.
3. Remove parenthesis in switch cases.
2019-05-16 16:17:38 +03:00
Jaeden Amero
16ab39102e
Merge pull request #102 from gilles-peskine-arm/psa-aead_multipart-delay
...
Multipart AEAD buffer output sizes
2019-05-16 13:34:21 +01:00
Jaeden Amero
76be7f9c70
Merge pull request #108 from gilles-peskine-arm/psa-copy_key-policy
...
Add policy usage flag to copy a key
2019-05-16 12:08:13 +01:00
Jaeden Amero
826e326d2e
Merge pull request #107 from gilles-peskine-arm/psa-curve_size_macro
...
PSA: EC curve size macro
2019-05-16 11:59:41 +01:00
Jaeden Amero
beb0cc270e
Merge pull request #111 from gilles-peskine-arm/psa-handle-param-order
...
Pass handle parameter last on key creation
2019-05-16 10:52:06 +01:00
Ron Eldor
e269537b80
Add ChangeLog entry about listing all SAN
...
Add a ChangeLog entry that indicates that all SAN types are
now listed in the corresponding certificate field.
2019-05-16 11:52:57 +03:00
Gilles Peskine
e2f62ba9ec
Fix unused variable in builds without storage
2019-05-16 00:31:48 +02:00
Gilles Peskine
c9d910bed6
EC key pair import: check the buffer size
...
When importing a private elliptic curve key, require the input to have
exactly the right size. RFC 5915 requires the right size (you aren't
allow to omit leading zeros). A different buffer size likely means
that something is wrong, e.g. a mismatch between the declared key type
and the actual data.
2019-05-16 00:18:48 +02:00
Gilles Peskine
6c9514427b
New macro to get the bit size of an elliptic curve
2019-05-16 00:16:46 +02:00
Gilles Peskine
049c7535af
Split long lines after psa_import_key refactoring
2019-05-15 23:16:07 +02:00
Gilles Peskine
73676cbc50
Put handle parameter last: psa_import_key
...
In psa_import_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 23:16:07 +02:00
Gilles Peskine
806051f17e
Update an obsolete use of psa_import_key in documentation
...
psa_import_key now takes an attribute structure, not a type.
2019-05-15 23:15:49 +02:00
Gilles Peskine
98dd779eb5
Put handle parameter last: psa_generate_derived_key
...
In psa_generate_derived_key, change the order of parameters to pass
the pointer where the newly created handle will be stored last.
This is consistent with most other library functions that put inputs
before outputs.
2019-05-15 20:15:31 +02:00
Gilles Peskine
dd835cbea6
Add a few tests for persistent attributes
...
psa_set_key_lifetime and psa_set_key_id aren't pure setters: they also
set the other attribute in some conditions. Add dedicated tests for
this behavior.
2019-05-15 19:14:05 +02:00
Gilles Peskine
9de5eb0a2f
Remove psa_make_key_persistent
2019-05-15 19:14:05 +02:00
Gilles Peskine
c87af66325
Replace psa_make_key_persistent by id/lifetime setters in tests
...
Remove all internal uses of psa_make_key_persistent.
2019-05-15 19:14:05 +02:00
Gilles Peskine
dc8219a10d
Replace psa_make_key_persistent by id/lifetime setters
...
Use individual setters for the id and lifetime fields of an attribute
structure, like the other attributes.
This commit updates the specification and adds an implementation of
the new setters.
2019-05-15 19:14:05 +02:00
Gilles Peskine
80b39ae753
Remove obsolete use of key policy structure in API text
2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66
Declare key id 0 as invalid
...
In keeping with other integral types, declare 0 to be an invalid key
identifier.
Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Gilles Peskine
13f97dc164
all.sh: invoke check-names.sh in print-trace-on-exit mode
2019-05-15 17:55:33 +02:00
Gilles Peskine
36428d34c9
Print a command trace if the check-names.sh exits unexpectedly
...
We've observed that sometimes check-names.sh exits unexpectedly with
status 2 and no error message. The failure is not reproducible. This
commits makes the script print a trace if it exits unexpectedly.
2019-05-15 17:29:15 +02:00
Ron Eldor
51c4507b9c
Remove unneeded whitespaces
...
Delete extra whitespace in Changelog and in paramter alignment.
2019-05-15 17:49:54 +03:00
Ron Eldor
801faf0fa1
Fix mingw CI failures
...
Change `%z` formatting of `size_t` to `%u` and casting to unsigned.
2019-05-15 17:45:24 +03:00
Ron Eldor
6b9b1b88fb
Initialize psa_crypto in ssl test
...
Call `psa_crypto_init()` in `tls_prf` ssl test in case
`MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto.
2019-05-15 17:04:33 +03:00
Ron Eldor
dbbd96652c
Check that SAN is not malformed when parsing
...
Add a call to `mbedtls_x509_parse_subject_alt_name()` during
certificate parsing, to verify the certificate is not malformed.
2019-05-15 15:46:03 +03:00
Ron Eldor
c8b5f3f520
Documentation fixes
...
Rephrase documentation of the SAN to make it clearer.
2019-05-15 15:15:55 +03:00
Ron Eldor
2e06a9fb24
Fix ChangeLog entry
...
Move the ChangeLog entries to correct location, and
mention sppecifically the support for hardware module name othername.
2019-05-15 15:14:46 +03:00
Ron Eldor
d2f25f7ea8
Fix missing tls version test failures
...
Add checks for tls_prf tests with the relevant tls version configuration.
2019-05-15 14:54:22 +03:00
Ron Eldor
0810f0babd
Fix typo
...
Fix typo `returnn` -> `return`
2019-05-15 13:58:13 +03:00
Ron Eldor
aa947f1cef
Fix ChangeLog entry location
...
Move the ChangeLog entries to correct section, as it was in an
already released section, due to rebase error.
2019-05-15 13:58:13 +03:00
Ron Eldor
780d8158f7
Add changeLog entry
...
Add changeLog entry describing the new `mbedtls_ssl_tls_prf()` API.
2019-05-15 13:57:39 +03:00
Ron Eldor
f75e252909
Add test for export keys functionality
...
Add test in `ssl-opts.sh` that the export keys callback
is actually called.
2019-05-15 13:57:39 +03:00
Ron Eldor
cf28009839
Add function to retrieve the tls_prf type
...
Add `tls_prf_get_type()` static function that returns the
`mbedtls_tls_prf_types` according to the used `tls_prf` function.
2019-05-15 13:57:39 +03:00
Ron Eldor
824ad7b351
Add tests for the public tls_prf API
...
Add tests for `mbedtls_ssl_tls_prf` wiht and without
the function types dependencies.
2019-05-15 13:57:39 +03:00
Ron Eldor
51d3ab544f
Add public API for tls_prf
...
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
b7fd64ce2b
Add eap-tls key derivation in the examples.
...
Add support for eap-tls key derivation functionality,
in `ssl_client2` and `ssl_server2` reference applications.
2019-05-15 13:41:42 +03:00
Ron Eldor
c4d3ef4721
Add ChangeLog entry
...
Add ChangeLog entry describing the new key export feature.
2019-05-15 13:38:39 +03:00
Ron Eldor
f5cc10d93b
Add an extra key export function
...
Add an additional function `mbedtls_ssl_export_keys_ext_t()`
for exporting key, that adds additional information such as
the used `tls_prf` and the random bytes.
2019-05-15 13:38:39 +03:00
Ron Eldor
3b350856ff
Have the temporary buffer allocated dynamically
...
Change `tmp` buffer to be dynamically allocated, as it is now
dependent on external label given as input, in `tls_prf_generic()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
a9f9a73920
Zeroize secret data in the exit point
...
Zeroize the secret data in `mbedtls_ssl_derive_keys()`
in the single exit point.
2019-05-15 13:38:39 +03:00
Ron Eldor
e699270908
Add a single exit point in key derivation function
...
Add a single exit point in `mbedtls_ssl_derive_keys()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
8b0c3c91e6
Fail in case critical crt policy not supported
...
In case the certificate policy is not of type `AnyPolicy`
set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`
and continue parsing. If the extension is critical, return error anyway,
unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured.
Fail parsing on any other error.
2019-05-15 12:20:00 +03:00
Ron Eldor
cc45cd177f
Update SAN parsing documentation
...
1) Fix typo in `mbedtls_x509_parse_subject_alt_name()` documentation.
2) Add a not in `mbedtls_x509_parse_subject_alt_name()` documentation,
stating that the lifetime of the target structure is restricted
by the lifetime ofthe parsed certificate.
2019-05-15 10:20:09 +03:00
Gilles Peskine
d6a8f5f1b5
Improve description of PSA_KEY_USAGE_COPY
...
Be more clear about when EXPORT is also required.
2019-05-14 16:25:50 +02:00
Gilles Peskine
ac99e32b79
Documentation improvements
2019-05-14 16:11:07 +02:00
Gilles Peskine
003a4a97d3
Use PSA_AEAD_{ENCRYPT,DECRYPT}_OUTPUT_SIZE in tests
2019-05-14 16:11:07 +02:00