Hanno Becker
e322d3edd5
Merge branch 'opaque_psk_implementation_CRYPTO' into feature-psa-tls-integration-proposed
2018-11-23 15:53:24 +00:00
Hanno Becker
a96cc8a9fd
Merge branch 'iotssl-2596-opaque-csr-creation_CRYPTO' into feature-psa-tls-integration-proposed
2018-11-23 15:47:22 +00:00
Hanno Becker
7fde035ddc
Merge branch 'iotssl-2580-pk-opaque-psa_CRYPTO' into feature-psa-tls-integration-proposed
2018-11-23 15:47:20 +00:00
Jaeden Amero
82df32e3fd
psa: Unused key_bits is OK
...
When MD or CMAC are disabled, let the compiler know that it is OK that
`key_bits` is set but not used by casting `key_bits` to `(void)`.
2018-11-23 15:20:56 +00:00
Andrzej Kurek
3bd69dda1a
pkwrite: add an explicit cast to size_t
2018-11-22 12:43:53 -05:00
Andrzej Kurek
16d6000577
pkwrite: add a safety check before calculating the buffer size
2018-11-22 12:43:53 -05:00
Andrzej Kurek
2f31122585
Cosmetic changes
...
Adjust whitespaces, reduce test dependencies and reduce buffer size passed by 1.
2018-11-22 12:43:53 -05:00
Andrzej Kurek
6f249de706
pkwrite: add opaque key handling for public key exporting
...
Return early from mbedtls_pk_write_pubkey_der - public opaque key
exporting is expected to contain all of the needed data, therefore it shouldn't
be written again.
2018-11-22 12:43:53 -05:00
Manuel Pégourié-Gonnard
2614562212
Add test utility function: wrap_as_opaque()
...
The new function is not tested here, but will be in a subsequent PR.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
29a1325b0d
Guard against PSA generating invalid signature
...
The goal is not to double-check everything PSA does, but to ensure that it
anything goes wrong, we fail cleanly rather than by overwriting a buffer.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f4427678ae
Use shared function for error translation
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1e48ebd306
Fix a compliance issue in signature encoding
...
The issue is not present in the normal path because asn1write_mpi() does it
automatically, but we're not using that here...
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
615530728f
Improve documentation of an internal function
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
f127e6080e
Get rid of large stack buffers in PSA sign wrapper
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
276cb64e6c
Align names to use "opaque" only everywhere
...
It's better for names in the API to describe the "what" (opaque keys) rather
than the "how" (using PSA), at least since we don't intend to have multiple
function doing the same "what" in different ways in the foreseeable future.
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
7d51255ca7
Implement pk_sign() for opaque ECDSA keys
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
07b103fe07
Implement can_do for opaque ECC keypairs
...
Unfortunately the can_do wrapper does not receive the key context as an
argument, so it cannot check psa_get_key_information(). Later we might want to
change our internal structures to fix this, but for now we'll just restrict
opaque PSA keys to be ECDSA keypairs, as this is the only thing we need for
now. It also simplifies testing a bit (no need to test each key type).
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
683632b78e
Add support for get_(bit)len on opaque keys
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
274f521b9a
Implement alloc/free wrappers for pk_opaque_psa
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
3bc2029a33
Clarify return value of pk_check_pair()
2018-11-22 16:39:39 +00:00
Manuel Pégourié-Gonnard
1ecf92c364
Skeleton for PK_OPAQUE_PSA
2018-11-22 16:39:39 +00:00
Hanno Becker
e9bf0f4c32
Share code for PSK identity configuration
...
This commit shares the code for setting the PSK identity hint between
the functions mbedtls_ssl_conf_psk() and mbedtls_ssl_conf_psk_opaque().
2018-11-22 16:30:20 +00:00
Hanno Becker
bffefae305
Safe-guard ssl_conf_remove_psk()
for simultaneous raw-opaque PSKs
...
The code maintains the invariant that raw and opaque PSKs are never
configured simultaneously, so strictly speaking `ssl_conf_remove_psk()`
need not consider clearing the raw PSK if it has already cleared an
opaque one - and previously, it didn't. However, it doesn't come at
any cost to keep this check as a safe-guard to future unforeseen
situations where opaque and raw PSKs _are_ both present.
2018-11-22 16:30:20 +00:00
Hanno Becker
4d057f61a7
Don't use 48 as a magic number in ssl_derive_keys()
...
In multiple places, it occurrs as the fixed length of
the master secret, so use a constant with a descriptive
name instead. This is reinforced by the fact the some
further occurrences of '48' are semantically different.
2018-11-22 16:30:20 +00:00
Hanno Becker
5916c99cc3
Don't use idiom if( func() )
but always add explicit value check
2018-11-22 16:30:20 +00:00
Hanno Becker
4855c2d4c2
Add server-support for opaque PSKs
2018-11-22 16:30:20 +00:00
Hanno Becker
8bb28b9470
Rename ssl_conf_has_[raw_]_psk to ssl_conf_has_static_[raw_]psk
...
This is to differentiate the function from the functions relevant
on the server-side, which also need to take into the PSK callback.
2018-11-22 16:30:20 +00:00
Hanno Becker
21e98b4114
Skip PMS generation on client if opaque PSK is used
...
For opaque PSKs, the PSK-to-MS expansion is performed atomatically
on the PSA-side.
2018-11-22 16:30:20 +00:00
Hanno Becker
b7aaf1e641
Implement PSA-based PSK-to-MS derivation in mbedtls_ssl_derive_keys
2018-11-22 16:30:20 +00:00
Hanno Becker
1e414e5d1d
Simplify master secret derivation in mbedtls_ssl_derive_keys()
2018-11-22 16:30:20 +00:00
Hanno Becker
a32400bc6b
Allow opaque PSKs in pure-PSK ciphersuites only
...
In contrast, RSA-PSK, ECDHE-PSK and DHE-PSK are explicitly excluded
for the moment.
2018-11-22 16:30:20 +00:00
Hanno Becker
a5ce0fd77f
Don't suggest the use of a PSK suite if no PSK configured on client
2018-11-22 16:30:20 +00:00
Hanno Becker
c6b8d400a0
Implement API for configuration of opaque PSKs
...
This commit adds implementations of the two new API functions
mbedtls_ssl_conf_psk_opaque()
mbedtls_ssl_set_hs_psk_opaque().
2018-11-22 16:30:20 +00:00
Manuel Pégourié-Gonnard
26fd730876
Add config option for X.509/TLS to use PSA
2018-11-22 16:25:36 +00:00
Gilles Peskine
a678f233a7
Merge pull request #197 from netanelgonen/entropy-inject
...
Add entropy inject API (#197 )
2018-11-21 19:21:05 +01:00
avolinski
0d2c266c06
change MBEDTLS_RANDOM_SEED_ITS define to be PSA_CRYPTO_ITS_RANDOM_SEED_UID
2018-11-21 17:31:07 +02:00
avolinski
1c66205df6
Remove trailing space in psa_crypto.c
2018-11-21 16:54:09 +02:00
Gilles Peskine
83146e10bb
Merge pull request #211 from ARMmbed/bug_fix_210
...
Fix memory allocation check in psa_save_generated_persistent_key (#211 )
2018-11-21 15:51:07 +01:00
avolinski
13beb100c2
Adjust psa entropy inject tests to take as minimum seed size
...
the maximum of MBEDTLS_ENTROPY_MIN_PLATFORM and MBEDTLS_ENTROPY_BLOCK_SIZE
2018-11-21 16:24:53 +02:00
avolinski
7cc8229d80
Replace MBED_RANDOM_SEED_ITS_UID with MBEDTLS_RANDOM_SEED_ITS_UID
...
Update mbedtls_psa_inject_entropy function documentation
2018-11-21 16:24:53 +02:00
Netanel Gonen
21f37cbbec
Add Tests for psa crypto entropy incjection
...
Adjust code to handle and work with MBEDTLS_ENTROPY_BLOCK_SIZE definition option
2018-11-21 16:24:52 +02:00
Netanel Gonen
2bcd312cda
Add entropy injection function to psa cripto APIs
2018-11-21 16:15:14 +02:00
itayzafrir
910c76b3d1
Check that memory allocation was successful in psa_save_generated_persistent_key
2018-11-21 16:10:33 +02:00
Gilles Peskine
3d5d8372a5
Merge pull request #198 from ARMmbed/psa_crypto_its
...
PSA Crypto Storage backend implementation over PSA ITS APIs (#198 )
2018-11-21 15:04:03 +01:00
Jaeden Amero
c6e4ab00a8
Use parent module includes when used as a submodule
...
For Makefiles, enable overriding where includes can come from in order to
enable the parent module to set the include path. This allows the parent
module to specify that its config.h should be used, even when the submodule
when built standalone would use a different config.h.
For CMake, always look in the parent's include folder and our own. List the
parent's include folder first, so that preference is given to parent
include files.
2018-11-21 12:17:31 +00:00
Jaeden Amero
5ae1fb6f69
CMake: Don't build non-crypto when a subproject
...
When building Mbed Crypto as a subproject, don't add targets for
libmbedx509 or libmbedtls, as the parent project should build these. The
parent project will define USE_CRYPTO_SUBMODULE variable when using Mbed
Crypto as a submodule, so we can depend on that variable to control whether
or not we build non-crypto libraries.
2018-11-21 12:16:40 +00:00
Moran Peker
a26d764bae
Add new PSA Crypto Storage backend implementation using ITS APIs
...
The new file is conditionally compiled with the new mbedtls
configuration option that Mbed OS would set by default -
`MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C`.
-
2018-11-21 13:28:10 +02:00
Moran Peker
a90abf13b6
add MBEDTLS_PSA_HAS_ITS_IO
...
update config.h,config-psa-crypto.h, version_features.c and config.pl
2018-11-21 13:28:09 +02:00
Moran Peker
4611956560
Add new MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C configuration option
...
- update configuration requires
- update check_config.h to include MBEDTLS_PSA_CRYPTO_STORAGE_ITS_C
- update con and config.h
2018-11-21 13:28:09 +02:00
Darryl Green
0c6575a84d
psa: Extend psa_generate_key to support persistent lifetimes
2018-11-20 15:40:32 +00:00