Commit Graph

10177 Commits

Author SHA1 Message Date
Gilles Peskine
e3dbdd8d90 Gate entropy injection through a dedicated configuration option
Entropy injection has specific testing requirements. Therefore it
should depend on a specific option.
2019-03-15 11:15:21 +01:00
Gilles Peskine
6bf4baef95 Remove compilation option MBEDTLS_PSA_HAS_ITS_IO
MBEDTLS_PSA_HAS_ITS_IO is not really useful since it doesn't actually
enable anything except the entropy seed file support, which only
requires the ITS interface and not a native implemetation. Remove it.
2019-03-15 11:15:13 +01:00
Gilles Peskine
5e80d91dbf Remove psa_crypto_storage_backend.h
Since there is now a single storage backend, we don't need a backend
interface. Make the functions that were declared in
psa_crypto_storage_backend.h and are now both defined and used in
psa_crypto_storage.c static, except for psa_is_key_present_in_storage
which is used by the gray-box tests and is now declared in
psa_crypto_storage.h.
2019-03-15 11:15:04 +01:00
Gilles Peskine
088b77f39c Merge psa_crypto_storage_its into psa_crypto_storage
Since the ITS API has stabilized and we don't plan to make use of more
than ITS, we don't need an abstraction layer between key storage and
key storage over ITS. Merge the ITS code into the generic storage
module.
2019-03-15 11:15:01 +01:00
Gilles Peskine
e435f23019 Remove psa_crypto_storage_file
Now that we have ITS over files, we no longer need a direct backend
for key storage over files. Remove psa_crypto_storage_file and its
tests.

Switch MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C and MBEDTLS_PSA_ITS_FILE_C on
by default. This preserves functionality and test coverage in the
default configuration, but forgets any key previously stored using the
file backend.
2019-03-15 11:14:51 +01:00
Gilles Peskine
23793482ac Support ITS over file in PSA crypto 2019-03-15 11:14:37 +01:00
Gilles Peskine
b0c642abae Tests for PSA ITS over stdio files 2019-03-15 11:14:35 +01:00
Gilles Peskine
bc1f272750 Tests for PSA ITS over files 2019-03-15 11:14:29 +01:00
Gilles Peskine
6194dc2062 Implement PSA ITS over files
Implement the PSA ITS API over stdio files.
2019-03-15 11:14:09 +01:00
Gilles Peskine
601bd53b80 Fix up ITS header files for internal use in crypto
Merge storage_common.h and internal_trusted_storage.h into a single
file for convenience.

Remove #include of <psa/error.h> which crypto doesn't have yet and
include <psa/crypto_types.h> and <psa/crypto_values.h> instead.

Drop __cplusplus support which we don't need.

Tweak style (whitespace, line breaks, comment formatting) to satisfy
check-names.sh and check-files.sh.
2019-03-15 11:13:33 +01:00
Gilles Peskine
5f54497cf3 Import ITS header files
Commit a72c10c44d5d54d05aceb00e0368f02f9f62151a in the
psa_trusted_storage_api repository, from which the PSA ITS
specification version 1.1 is derived.
2019-03-15 11:13:33 +01:00
Jaeden Amero
a52c0593cc
Merge pull request #74 from Patater/break-non-crypto-dependencies
Break non-crypto dependencies
2019-03-13 10:39:20 +00:00
Jaeden Amero
b478bb6ddb tests: Add a crypto prefix to submodule tests
Prepend ".crypto" to tests that came from the crypto submodule. This
allows, when this project is used as a submodule, for tests with names
the same between the parent and this project when used as a submodule to
both be built and run.
2019-03-11 16:51:37 +00:00
Jaeden Amero
1264c2a86f tests: Exclude version suite when used as a submodule
The version test suite is duplicated between Mbed TLS and Mbed Crypto.
Use TLS's copy and not Crypto's copy when Crypto is used as a submodule
of TLS.

The version test is the only test that is tested from both TLS and
Crypto, despite being entirely in libmbedcrypto. This is because the
test data is code-gen'd from the version updating script and the version
between Mbed TLS and Mbed Crypto don't necessarily always agree. The
test data must come from the top level module, as only the top level
module will have test data that matches the expected version.
2019-03-11 16:50:30 +00:00
Jaeden Amero
120d571e8e tests: Use parent module includes when used as a submodule
For Makefiles, enable overriding where includes can come from in order
to enable the parent module to set the include path. This allows the
parent module to specify that its config.h should be used, even when the
submodule when built standalone would use a different config.h.

For CMake, always look in the parent's include folder and our own. List
the parent's include folder first, so that preference is given to parent
include files.
2019-03-11 16:50:25 +00:00
Jaeden Amero
9afb2e9921 Remove tests that depend on TLS or X.509 2019-03-11 16:49:26 +00:00
Jaeden Amero
2b725ef727 cpp_dummy_build: Remove dependency on compat-1.3.h 2019-03-11 16:48:36 +00:00
Jaeden Amero
fa30c3382d programs: psa: Remove dependency on platform.h
platform.h should only be used internally by the library implementation
itself, not the examples. Remove the dependency on platform.h from all
PSA programs.
2019-03-11 16:48:36 +00:00
Jaeden Amero
e23737c618 recursion.pl: Don't depend on X.509 2019-03-11 16:48:36 +00:00
Jaeden Amero
4c1fdb5129 cpp_dummy_build: Remove X.509 dependency 2019-03-11 16:48:36 +00:00
Jaeden Amero
03c60de0e0 query_config: Move to programs/test
As the SSL programs, like ssl_client2 and ssl_server2, are dependent on
SSL and therefore about to be removed, the only consumer of query_config
is the query_compile_time_config test. As such, it makes sense to move
query_config to be next to what uses it.
2019-03-11 16:48:36 +00:00
Jaeden Amero
d8087713ae asn1: Remove dependency on X.509
Doxygen will fail to build if we have references to files that don't
exist. Since we are planning on removing X.509 soon, we even need to
remove explicit Doxygen references to X.509 things as those will no
longer resolve once the X.509 files are deleted.

fixup! asn1: Remove dependency on X.509
2019-03-11 16:48:36 +00:00
Jaeden Amero
9b90f2e294 all.sh: Remove dependency on TLS, NET, and X.509 2019-03-11 16:48:35 +00:00
Jaeden Amero
ed16ca7b63 dhm: Remove dependency on TLS 2019-03-11 16:46:20 +00:00
Jaeden Amero
de0a41b716 ecp: Remove dependency on TLS and X.509 2019-03-11 16:46:20 +00:00
Jaeden Amero
ebbc5f7940 md: Remove dependency on X.509 2019-03-11 16:46:20 +00:00
Jaeden Amero
bf564c77fa pkey: Remove dependency on X.509 2019-03-11 16:46:20 +00:00
Jaeden Amero
47a3635fc7 selftest: Remove X.509 selftest 2019-03-11 16:46:20 +00:00
Jaeden Amero
95666b78ac pkey/rsa_genkey: Remove commented out code
There is some commented out X.509 certificate writing code present in
rsa_genkey. It looks like it has been commented out since the beginning
of time. Let's remove it, since commented out code is not in good style.
2019-03-11 16:46:20 +00:00
Jaeden Amero
bce557dbb9 configs: Update example PSA config
Our default configuration file, include/mbedtls/config.h, should always
match configs/config-psa-crypto.h. It had gotten out of sync, so put it
back into sync.
2019-03-11 16:46:20 +00:00
Jaeden Amero
30fae8ee7d programs/Makefile: List all programs one by one
This makes it easier to add or remove programs as well as see which
programs were added or removed in diffs.
2019-03-11 16:46:18 +00:00
Jaeden Amero
6d9cb25642
Merge pull request #82 from gilles-peskine-arm/psa-crypto-docs-1.0-beta2
The specification document is now a single PDF
2019-03-07 13:41:39 +00:00
Jaeden Amero
98c2208573
Merge pull request #80 from yanesca/iotcrypt-685-rewrite-dh-example
Remove Diffie-Hellman examples
2019-03-07 12:58:06 +00:00
Jaeden Amero
2b9eb0bd6c Merge remote-tracking branch 'tls/development' into development
* origin/development: (113 commits)
  Update query_config.c
  Fix failure in SSLv3 per-version suites test
  Adjust DES exclude lists in test scripts
  Clarify 3DES changes in ChangeLog
  Fix documentation for 3DES removal
  Exclude 3DES tests in test scripts
  Fix wording of ChangeLog and 3DES_REMOVE docs
  Reduce priority of 3DES ciphersuites
  Fix unused variable warning in ssl_parse_certificate_coordinate()
  Update the crypto submodule to a78c958
  Fix ChangeLog entry to correct release version
  Fix typo in x509write test data
  Add ChangeLog entry for unused bits in bitstrings
  Improve docs for named bitstrings and their usage
  Add tests for (named) bitstring to suite_asn1write
  Add new function mbedtls_asn1_write_named_bitstring()
  Add missing compile time guard in ssl_client2
  Update programs/ssl/query_config.c
  ssl_client2: Reset peer CRT info string on reconnect
  Add further debug statements on assertion failures
  ...
2019-03-07 12:02:18 +00:00
Jaeden Amero
03a60301d7
Merge pull request #248 from ARMmbed/dreemkiller_rename_driver
Various Changes for the PSA Driver Model
2019-03-06 18:59:46 +00:00
Gilles Peskine
32668ce268 Pacify check-names.sh 2019-03-06 18:29:57 +01:00
Gilles Peskine
c079f5692d Pass check-files.py 2019-03-06 18:01:52 +01:00
Gilles Peskine
e5c025c7ab Fix Doxygen warnings 2019-03-06 18:01:43 +01:00
Gilles Peskine
c3044a6a36 Remove trailing whitespace
check-files.py doesn't like trailing whitespace.
2019-03-06 17:56:28 +01:00
Janos Follath
bea98b4581 Remove Diffie-Hellman examples
These examples rely on the NET module, which we want to remove. In
theory we could remove just the dependency, but we decided to remove the
whole example because:

 - They showcase some bad crypto: custom, undocumented protocol (not
   obviously broken though, apart from authenticating only one side);
   hard-coded limit of 512-bit size for the DH modulus (2048 is the
   recommended minimum these days); direct use of the shared secret as a
   key (instead of applying a KDF); encryption with ECB, custom
   parameters and the client not having the ability to verify them.
 - The programs use the DH API in the same way that TLS does, so they
   have limited demonstration value.
 - The programs only show finite-field DH, which is not used all that
   much these days. What people want to see is mostly ECDH.
2019-03-06 15:39:48 +00:00
Jaeden Amero
a96f4fe94e Merge remote-tracking branch 'origin/pr/2380' into development
* origin/pr/2380:
  Fix backwards config dependency on oid.c
  Fix backwards include of x509.h in oid.h
2019-03-05 16:37:40 +00:00
Jaeden Amero
eb0195d55b Merge remote-tracking branch 'origin/pr/2239' into development
* origin/pr/2239:
  Add ChangeLog entry
  Fix private DER output shifted by one byte.
2019-03-05 16:35:48 +00:00
Jaeden Amero
0a9f9b20b6 Merge remote-tracking branch 'origin/pr/2317' into development
* origin/pr/2317:
  Update ChangeLog
  all.sh: Test MBEDTLS_MPI_WINDOW_SIZE=1
  Fix DEADCODE in mbedtls_mpi_exp_mod()
2019-03-05 16:33:42 +00:00
Jaeden Amero
41e1986ed0 Merge remote-tracking branch 'origin/pr/2293' into development
* origin/pr/2293:
  Declare test_suite_aes.ofb to CMake
  Add a facility to skip running some test suites
  run-test-suites: update the documentation
2019-03-05 16:30:37 +00:00
Jaeden Amero
db2c2ce881 Merge remote-tracking branch 'origin/pr/2158' into development
* origin/pr/2158:
  Whitespace fix for ccm, gcm, and pkcs5
  Rename remaining test data
  Rename globals to avoid shadowing by various function arguments
2019-03-05 16:29:53 +00:00
Jaeden Amero
6b47a6ceac Merge remote-tracking branch 'origin/pr/2100' into development
* origin/pr/2100:
  Fix test data missing some fake-random input
  Add tests for RSA encrypt/decrypt with NULL for empty message
2019-03-05 16:29:27 +00:00
Jaeden Amero
c851b08a49 Merge remote-tracking branch 'origin/pr/1818' into development
* origin/pr/1818:
  Move ChangeLog entry from Bugfix to Changes section
  Adapt ChangeLog
  Return from debugging functions if SSL context is unset
2019-03-05 16:27:38 +00:00
Jaeden Amero
7df1bec82b Merge remote-tracking branch 'origin/pr/1520' into development
* origin/pr/1520:
  Use certificates from data_files and refer them
  Specify server certificate to use in SHA-1 test
  refactor CA and SRV certificates into separate blocks
  refactor SHA-1 certificate defintions and assignment
  refactor server SHA-1 certificate definition into a new block
  define TEST_SRV_CRT_RSA_SOME in similar logic to TEST_CA_CRT_RSA_SOME
  server SHA-256 certificate now follows the same logic as CA SHA-256 certificate
  add entry to ChangeLog
2019-03-05 16:24:11 +00:00
Gilles Peskine
800a71cc79 The specification document is now a single PDF 2019-03-05 16:03:46 +01:00
Simon Butcher
535ee4a35b Merge remote-tracking branch 'public/pr/2421' into development
* public/pr/2421: (68 commits)
  Fix unused variable warning in ssl_parse_certificate_coordinate()
  Add missing compile time guard in ssl_client2
  Update programs/ssl/query_config.c
  ssl_client2: Reset peer CRT info string on reconnect
  Add further debug statements on assertion failures
  Fix typo in documentation of ssl_parse_certificate_chain()
  Add debug output in case of assertion failure
  Fix typo in SSL ticket documentation
  Add config sanity check for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
  ssl_client2: Zeroize peer CRT info buffer when reconnecting
  Reintroduce numerous ssl-opt.sh tests if !MBEDTLS_SSL_KEEP_PEER_CERT
  ssl_client2: Extract peer CRT info from verification callback
  Improve documentation of mbedtls_ssl_get_peer_cert()
  Improve documentation of MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
  Fix indentation of Doxygen comment in ssl_internal.h
  Set peer CRT length only after successful allocation
  Remove question in comment about verify flags on cli vs. server
  Remove misleading and redundant guard around restartable ECC field
  Add test for !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE to all.sh
  Free peer CRT chain immediately after verifying it
  ...
2019-03-01 12:46:07 +00:00