Commit graph

16388 commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard 218abe081c
Merge pull request #5284 from gabor-mezei-arm/4926_bp2x_base64_move_constant-time_functions
[Backport 2.x] Move base64 constant-time functions to the new module
2021-12-09 12:40:24 +01:00
Gabor Mezei 00e08a3a21
Update generated files
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-09 10:05:48 +01:00
Manuel Pégourié-Gonnard 9ac32eb123
Merge pull request #863 from davidhorstmann-arm/2.x-fix-session-copy-bug
Backport 2.x: [session] fix a session copy bug
2021-12-09 09:21:33 +01:00
Gabor Mezei 3a755f511f
Add documentation for the functions
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:24:22 +01:00
Gabor Mezei 46ca2f76c4
Unify function parameters
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:22:45 +01:00
Gabor Mezei df29332d4b
Make mbedtls_ct_uchar_mask_of_range function static
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:39 +01:00
Gabor Mezei f554ce21b8
Delete base64_invasive.h due to functions are moved to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:27 +01:00
Gabor Mezei 3d4dba84b7
Move mbedtls_ct_base64_dec_value function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:16 +01:00
Gabor Mezei 200708d30a
Move mbedtls_ct_base64_enc_char function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:20:04 +01:00
Gabor Mezei 46f79c388d
Move mbedtls_ct_uchar_mask_of_range function to the constant-time module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:41 +01:00
Gabor Mezei 7464f37e7b
Rename functions to have suitable name
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2021-12-08 16:19:23 +01:00
David Horstmann 0add7f96ac Add changelog entry for session copy bugfix
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-08 13:29:55 +00:00
Manuel Pégourié-Gonnard 9a4a9c66a4
Merge pull request #860 from ronald-cron-arm/fix-cipher-iv_2.x
Backport 2.x: Avoid using encryption output buffer to pass generated IV to PSA driver
2021-12-08 13:30:11 +01:00
吴敬辉 0f6c6bc0dc [session] fix a session copy bug
fix a possible double reference on 'ticket'
when peer_cert/peer_cert_digest calloc failed.

Signed-off-by: 吴敬辉 <11137405@vivo.com>
2021-12-07 17:27:31 +00:00
David Horstmann b56f38f57b Reword documentation of CMAC operations
Change the wording of the documentation for some CMAC functions,
as the existing wording, while technically correct, can be
easy to misunderstand. The reworded docs explain the flow of
a CMAC computation a little more fully.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2021-12-07 12:16:33 +00:00
Gilles Peskine 582f2398d4
Merge pull request #5167 from tom-cosgrove-arm/fix-builds-with-only-mbedtls_bignum_c-defined
Backport 2.x: Fix builds when config.h only defines MBEDTLS_BIGNUM_C
2021-12-07 12:38:04 +01:00
Ronald Cron e7a5e985ae Add change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-12-07 09:23:27 +01:00
Gilles Peskine ad47e6d160 Add changelog entry for build error fixes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-06 20:58:51 +01:00
Gilles Peskine 1e313165f3
Merge pull request #5258 from gilles-peskine-arm/pip-requirements-2.x
Backport 2.x: In-tree Python package requirements
2021-12-03 17:25:56 +01:00
Gilles Peskine 5d6de4ebc4
Merge pull request #5254 from adeaarm/development_2.x
Backport 2.x: Align function parameter names for mbedtls_set_key_owner_id
2021-12-03 17:24:49 +01:00
Gilles Peskine 4b71e9b96a Correct default requirements file name in help
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-03 13:32:10 +01:00
Xiaofei Bai f40545d919 Fix (d)tls1_2 into (d)tls12 in version options
Signed-off-by: Xiaofei Bai <xiaofei.bai@arm.com>
2021-12-03 08:13:30 +00:00
Gilles Peskine f3564bfe99 Add Cryptodome to maintainer requirements
See e.g. https://github.com/ARMmbed/mbedtls/pull/5218

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine 3f5f7df75b Remove accidental requirement on the worktree content
This made the build impossible since mbedtls isn't available when building
the container.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine ca07ea0802 Allow passing options to pip
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine c31780f62f Use a method to invoke pip that works on Windows
Passing arguments on the command line apparently didn't work due to quoting
issues. Use a temporary file instead.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:19 +01:00
Gilles Peskine 6d253cc4fc Travis: use the in-tree Python package requirements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:19:02 +01:00
Gilles Peskine ce8ccaf55b Docker: Python requirements are now managed in-tree
Neither mbed-host-tests nor mock are currently used.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:58 +01:00
Gilles Peskine e4d142f1e7 Script to install minimum versions of the requirements
Wherever we have a requirement on foo>=N, install foo==N. This is for
testing, to ensure that we don't accidentally depend on features that are
not present in the minimum version we declare support for.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:58 +01:00
Gilles Peskine 12fe74e360 Declare which Python packages we use
Add pip requirements files. We'll have separate requirements files for
different target audiences. Each file can use `-r` lines to include other
files.

This commit adds two requirement files: one with everything that's needed to
pass the CI, and one with additional tools that are suggested for Mbed TLS
maintainers to install locally.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-12-02 13:07:20 +01:00
Antonio de Angelis bf672336ae Align function parameter names for mbedtls_set_key_owner_id in PSA headers
static function mbedtls_set_key_owner() is declared in psa/crypto.h
and defined in psa/crypto_struct.h with different parameter name for
the  mbedtls_key_owner_id_t parameter and that may trigger errors
from static code analysis tool as cppcheck.

Signed-off-by: Antonio de Angelis <antonio.deangelis@arm.com>
2021-12-01 22:43:57 +00:00
Gilles Peskine ebe6caa869
Merge pull request #5089 from ronald-cron-arm/psa-test-driver
Introduce PSA test driver library to test PSA configuration
2021-12-01 16:45:53 +01:00
Ronald Cron 9ecdd970d0 psa: Fix obsolete code guard
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron bdea4d4d8b psa: Fix and improve comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 0962370acf all.sh: psa: Add cipher acceleration test component
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron f7e483c0b4 all.sh: psa: Add hash acceleration test component
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 9130eadde8 tests: psa: Add dependencies on built-in hash
Add dependencies on built-in hash of signature/
signature verification and asymmetric
encryption/decryption tests. The dependency is
not added for tests based on SHA-256 as SHA-256
is always present when PSA is involved (necessary
to the PSA core) and that way most of PSA signature
/verification tests are still run when PSA hash
operations are accelerated.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron ef14af04c7 tests: psa: Refine choice of default hash algorithm for signature
As PSA signatures rely on built-in hash implementations
(cannot take an advantage of an accelerator for the
time being), chose an available built-in hash for
tests exercising a signature key.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron d2c53e60ca all.sh: psa: Add ECDSA and RSA signature acceleration component
Add ECDSA and RSA signature acceleration testing
with signature capabilitites removed from the
Mbed TLS library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron d98ec4b1e7 psa: Fix some dependencies in config_psa.h
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 0d5a27b195 psa: Fix Mbed TLS hash operation definition
Use PSA_BUILTIN macros instead of the Mbed TLS ones
as in the hash operation contexts the context for a
given hash is needed only if the support for it
through PSA is enabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron cfc3c7b593 psa: Remove test code in the library
The current testing of the PSA configuration is
based on test code located in the library itself.

Remove this code as we are moving to using a
test library instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron b814bdabe4 Move to separately compiled PSA test driver library
This commit removes the test_psa_crypto_config_basic
all.sh component that can no longer work without
adapting it to the separately compiled test driver
library. This component is replaced by several
components in the following commits to test various
type of acceleration independently.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron df885c052c tests: Add build of a PSA test driver library
PR #3959 has proven that by adding a prefix
(LIBTESTDRIVER1/libtestdriver1_ in this commit) to
all MBEDTLS/PSA_* and mbedtls/psa_* symbols of a copy
of the Mbed TLS library, we can build a library that
can be linked with the Mbed TLS library.

This commit leverages this to build a PSA test driver
library based on the Mbed TLS library code.

The cryptographic features supported by the test
library are defined by:
. a minimal configuration (in the sense of config.h),
  see config_test_driver.h
. PSA_WANT_* and PSA_ACCEL_* defined macros.

The PSA_WANT_* macros have to be the same as the ones
used to build the Mbed TLS library the test driver
library is supposed to be linked to as the PSA_WANT_*
macros are used in the definition of structures and
macros that are shared by the PSA crypto core,
Mbed TLS drivers and the driver test library.

The PSA_ACCEL_* macros are intended to define the
cryptographic features that have to be removed
from the Mbed TLS library and thus supported by the
test library in test scenarios. The PSA_ACCEL_* macros
to build the test library are thus mirrored from the
ones to build the Mbed TLS library by extended the
crypto_config.h: see
crypto_config_test_driver_entension.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 7b7854ed4b tests: Rename test driver entry points
Rename test driver entry points to
libtestdriver1_<name of the Mbed TLS entry point>.

This aligns with the renaming of all Mbed TLS APIs
for the test driver library (that will be put in place
in the following commits) to avoid name conflicts
when linking it with the Mbed TLS library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron d54303da7c psa: test driver: Move driver test entry points prototypes
In preparation of the driver test entry points to be
provided by a test driver library, move their prototypes
to tests directory.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 088d5d0c1b psa: Add driver initialization and termination
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 485559eeb5 psa: Fix unused variable warnings
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:49:19 +01:00
Ronald Cron 7207d574ab psa: asymmetric_encrypt/decrypt: Improve error code consistency
In psa_asymmetric_encrypt/decrypt(), always return
PSA_ERROR_INVALID_ARGUMENT if the key is a PSA key
and the algorithm is not a PSA algorithm we know
about, whether RSA is supported or not.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 14:48:35 +01:00
Ronald Cron 2091eed609 psa: driver: Reduce the scope of test driver entry points
Define test driver entry points that provide an alternative
to Mbed TLS driver entry points only when the PSA configuration
is used. Their purpose is only to test the PSA configuration
thus there is no good reason to use them out of this scope.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-11-30 13:24:47 +01:00