Gilles Peskine
80b39ae753
Remove obsolete use of key policy structure in API text
2019-05-15 19:14:05 +02:00
Gilles Peskine
f9fbc38e66
Declare key id 0 as invalid
...
In keeping with other integral types, declare 0 to be an invalid key
identifier.
Documented, implemented and tested.
2019-05-15 18:42:09 +02:00
Ron Eldor
51c4507b9c
Remove unneeded whitespaces
...
Delete extra whitespace in Changelog and in paramter alignment.
2019-05-15 17:49:54 +03:00
Ron Eldor
801faf0fa1
Fix mingw CI failures
...
Change `%z` formatting of `size_t` to `%u` and casting to unsigned.
2019-05-15 17:45:24 +03:00
Ron Eldor
6b9b1b88fb
Initialize psa_crypto in ssl test
...
Call `psa_crypto_init()` in `tls_prf` ssl test in case
`MBEDTLS_USE_PSA_CRYPTO` is defined since tls_prf may use psa crypto.
2019-05-15 17:04:33 +03:00
Ron Eldor
dbbd96652c
Check that SAN is not malformed when parsing
...
Add a call to `mbedtls_x509_parse_subject_alt_name()` during
certificate parsing, to verify the certificate is not malformed.
2019-05-15 15:46:03 +03:00
Ron Eldor
c8b5f3f520
Documentation fixes
...
Rephrase documentation of the SAN to make it clearer.
2019-05-15 15:15:55 +03:00
Ron Eldor
2e06a9fb24
Fix ChangeLog entry
...
Move the ChangeLog entries to correct location, and
mention sppecifically the support for hardware module name othername.
2019-05-15 15:14:46 +03:00
Ron Eldor
d2f25f7ea8
Fix missing tls version test failures
...
Add checks for tls_prf tests with the relevant tls version configuration.
2019-05-15 14:54:22 +03:00
Ron Eldor
0810f0babd
Fix typo
...
Fix typo `returnn` -> `return`
2019-05-15 13:58:13 +03:00
Ron Eldor
aa947f1cef
Fix ChangeLog entry location
...
Move the ChangeLog entries to correct section, as it was in an
already released section, due to rebase error.
2019-05-15 13:58:13 +03:00
Ron Eldor
780d8158f7
Add changeLog entry
...
Add changeLog entry describing the new `mbedtls_ssl_tls_prf()` API.
2019-05-15 13:57:39 +03:00
Ron Eldor
f75e252909
Add test for export keys functionality
...
Add test in `ssl-opts.sh` that the export keys callback
is actually called.
2019-05-15 13:57:39 +03:00
Ron Eldor
cf28009839
Add function to retrieve the tls_prf type
...
Add `tls_prf_get_type()` static function that returns the
`mbedtls_tls_prf_types` according to the used `tls_prf` function.
2019-05-15 13:57:39 +03:00
Ron Eldor
824ad7b351
Add tests for the public tls_prf API
...
Add tests for `mbedtls_ssl_tls_prf` wiht and without
the function types dependencies.
2019-05-15 13:57:39 +03:00
Ron Eldor
51d3ab544f
Add public API for tls_prf
...
Add a public API for key derivation, introducing an enum for `tls_prf`
type.
2019-05-15 13:53:02 +03:00
Ron Eldor
b7fd64ce2b
Add eap-tls key derivation in the examples.
...
Add support for eap-tls key derivation functionality,
in `ssl_client2` and `ssl_server2` reference applications.
2019-05-15 13:41:42 +03:00
Ron Eldor
c4d3ef4721
Add ChangeLog entry
...
Add ChangeLog entry describing the new key export feature.
2019-05-15 13:38:39 +03:00
Ron Eldor
f5cc10d93b
Add an extra key export function
...
Add an additional function `mbedtls_ssl_export_keys_ext_t()`
for exporting key, that adds additional information such as
the used `tls_prf` and the random bytes.
2019-05-15 13:38:39 +03:00
Ron Eldor
3b350856ff
Have the temporary buffer allocated dynamically
...
Change `tmp` buffer to be dynamically allocated, as it is now
dependent on external label given as input, in `tls_prf_generic()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
a9f9a73920
Zeroize secret data in the exit point
...
Zeroize the secret data in `mbedtls_ssl_derive_keys()`
in the single exit point.
2019-05-15 13:38:39 +03:00
Ron Eldor
e699270908
Add a single exit point in key derivation function
...
Add a single exit point in `mbedtls_ssl_derive_keys()`.
2019-05-15 13:38:39 +03:00
Ron Eldor
8b0c3c91e6
Fail in case critical crt policy not supported
...
In case the certificate policy is not of type `AnyPolicy`
set the returned error code to `MBEDTLS_ERR_X509_FEATURE_UNAVAILABLE`
and continue parsing. If the extension is critical, return error anyway,
unless `MBEDTLS_X509_ALLOW_UNSUPPORTED_CRITICAL_EXTENSION` is configured.
Fail parsing on any other error.
2019-05-15 12:20:00 +03:00
Ron Eldor
cc45cd177f
Update SAN parsing documentation
...
1) Fix typo in `mbedtls_x509_parse_subject_alt_name()` documentation.
2) Add a not in `mbedtls_x509_parse_subject_alt_name()` documentation,
stating that the lifetime of the target structure is restricted
by the lifetime ofthe parsed certificate.
2019-05-15 10:20:09 +03:00
Gilles Peskine
d6a8f5f1b5
Improve description of PSA_KEY_USAGE_COPY
...
Be more clear about when EXPORT is also required.
2019-05-14 16:25:50 +02:00
Gilles Peskine
ac99e32b79
Documentation improvements
2019-05-14 16:11:07 +02:00
Gilles Peskine
003a4a97d3
Use PSA_AEAD_{ENCRYPT,DECRYPT}_OUTPUT_SIZE in tests
2019-05-14 16:11:07 +02:00
Gilles Peskine
36d477de44
Fix copypasta in PSA_AEAD_DECRYPT_OUTPUT_SIZE
2019-05-14 16:11:07 +02:00
Gilles Peskine
248010caa0
Fix calculation in PSA_AEAD_UPDATE_OUTPUT_SIZE
2019-05-14 16:11:07 +02:00
Gilles Peskine
c160d9ec83
psa_copy_key: enforce PSA_KEY_USAGE_COPY
...
Implement the check and add a negative test.
2019-05-14 14:32:03 +02:00
Gilles Peskine
f9f4a4849c
Update psa_copy_key tests to use PSA_KEY_USAGE_COPY
...
Pass the new flag to the existing tests and add a few more test cases
to explore more variations of flag sets.
2019-05-14 14:24:49 +02:00
Gilles Peskine
8e0206aa26
New usage flag PSA_KEY_USAGE_COPY
...
Document the new flag and allow its use.
2019-05-14 14:24:28 +02:00
Gilles Peskine
4318dfc8ec
psa_export_key, psa_export_public_key: document the EXPORT flag
2019-05-14 14:23:32 +02:00
Jaeden Amero
81f9539037
Merge pull request #105 from ARMmbed/test-link-seedfile-02
...
Add a link to the seedfile for out-of-tree cmake builds
2019-05-14 08:42:46 +01:00
Ron Eldor
f05f594acb
change the type of hardware_module_name member
...
Change the type of `hardware_module_name` struct from
`mbedtls_x509_name` to a unique struct, to distinguish it from the
named data type.
2019-05-13 19:23:08 +03:00
Ron Eldor
890819a597
Change mbedtls_x509_subject_alternative_name
...
Make `mbedtls_x509_subject_alternative_name` to be a single item
rather than a list. Adapt the subject alternative name parsing function,
to receive a signle `mbedtls_x509_buf` item from the subject_alt_names
sequence of the certificate.
2019-05-13 19:23:07 +03:00
Ron Eldor
0806379e3e
Add length checking in certificate policy parsing
...
Change the extension parsing to `policy_end` and verify that
the policy and qualifiers length don't exceed the end of the extension.
2019-05-13 16:38:39 +03:00
Ron Eldor
78c3040347
Rephrase x509_crt extension member description
...
Rephrase doxygen comments for subject alternative name
and certificate policies.
2019-05-13 15:49:53 +03:00
Ron Eldor
26cfd1361d
Rephrase changeLog entries
...
Rephrase the changeLog entries for clarity and capitalize RFC.
2019-05-13 15:48:38 +03:00
Jaeden Amero
1fe90fab30
Merge pull request #101 from gilles-peskine-arm/psa-key_attributes-verify_attributes
...
Check unused attributes in import and copy
2019-05-13 11:48:40 +01:00
Janos Follath
293c3dae6d
Remove redundant memset()
...
The preceding calloc() already zeroizes that memory area, therfore the
memset() is not necessary. Compilers are likely to optimize this out,
but it still can be confusing to readers.
2019-05-10 15:53:03 +01:00
Janos Follath
6c379b4b80
Propogate error when parsing SubjectAltNames
...
The previous behaviour of mbedtls_x509_parse_subject_alternative_name()
was to silently ignore errors coming from x509_get_other_name(). The
current commit fixes it and returns with an error.
2019-05-10 14:17:16 +01:00
Janos Follath
2f0ec1e3bf
Tidy up style in x509_info_subject_alt_name
2019-05-10 11:06:31 +01:00
Janos Follath
22f605fbab
Print unparseable SubjectAlternativeNames
...
In x509_info_subject_alt_name() we silently dropped names that we
couldn't parse because they are not supported or are malformed. (Being
malformed might mean damaged file, but can be a sign of incompatibility
between applications.)
This commit adds code notifying the user that there is something, but
we can't parse it.
2019-05-10 10:57:44 +01:00
Janos Follath
ab23cd1eae
Remove unneeded checks from x509_get_other_name
...
Lengths are aleady checked in mbedtls_asn1_get_len() which is called in
mbedtls_asn1_get_tag(), therefore it is not necessary to check
the lengths explicitly afterwards.
Also with the previous flow data was left in the output buffer on some
errors.
2019-05-09 15:05:30 +01:00
Darryl Green
d2dba36f44
Only use submodule if present
...
Enabling the USE_CRYPTO_SUBMODULE option causes problems if the
crypto submodule isn't present. For example, when building
mbed-crypto as a submodule, it should use error.c from the parent
project if USE_CRYPTO_SUBMODULE is set. However if the parent
project isn't present, then the build will fail. Only enable it
if the submodule actually exists.
2019-05-09 13:17:53 +01:00
Janos Follath
11b41eb12b
Fix typos in x509_crt.h
2019-05-08 15:30:33 +01:00
Janos Follath
5091bec3ea
Fix doxygen for new x509 structures
...
The documentation for some new structures and members was only a C style
comment and wasn't picked up by doxygen. This commit adds the missing
asterisks.
2019-05-08 15:23:08 +01:00
Ron Eldor
3c4734a2a5
Add Wisun Fan device certificate
...
Add certificate with Wisun fan device extended key usage,
support parsing it and add tests.
2019-05-07 17:06:47 +03:00
Ron Eldor
226991e624
Add ChangeLog entry for new extensions change
...
Add an entry for the new x509 extension parsing support.
2019-05-07 17:05:45 +03:00