From 1b70084bd9ef584a8facfb4d4eb061b20d38938e Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Mon, 10 Mar 2025 18:51:20 +0100
Subject: [PATCH 1/7] TF-PSA-Crypto submodule link fixup
Signed-off-by: Anton Matkin
---
 library/ssl_tls.c | 5 ++---
 programs/ssl/ssl_client2.c | 2 +-
 programs/ssl/ssl_server2.c | 2 +-
 tests/suites/test_suite_ssl.function | 2 +-
 tf-psa-crypto | 2 +-
 5 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 8cf23f2d3b..76430b593b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1753,12 +1753,11 @@ static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common(
 size_t user_len = 0;
 const uint8_t *peer = NULL;
 size_t peer_len = 0;
- psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE);
+ psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
 psa_pake_cs_set_primitive(&cipher_suite, PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256));
- psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256);
 status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, pwd, &cipher_suite);
 if (status != PSA_SUCCESS) {
@@ -1809,7 +1808,7 @@ int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
 }
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes, pw, pw_len,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index 1ce4e46b1c..ae77a173fb 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
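Review bot: In the `@@ -1753` hunk of `library/ssl_tls.c` (patch 1/7), the hash for EC J-PAKE is now carried only inside the algorithm argument of `psa_pake_cs_set_algorithm()`, and nothing at the call says that the password key's policy has to name the same algorithm. With `psa_pake_cs_set_hash()` removed, a short comment above the call would record that, for example `/* Hash is part of the PAKE algorithm; the password key's policy must permit this exact value. */`. The body of `mbedtls_ssl_set_hs_ecjpake_password_common()` starts and ends outside the hunk, so the declaration of `cipher_suite` is not visible here.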
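Review bot: In the `@@ -1809` hunk of `library/ssl_tls.c` (patch 1/7), the password key is imported with policy `PSA_ALG_JPAKE_BASE` while the cipher suite in the `@@ -1753` hunk is set up with `PSA_ALG_JPAKE(PSA_ALG_SHA_256)`, so the key policy and the operation algorithm do not name the same value. Patch 6/7 of this series replaces the base value with the concrete algorithm and describes the base value as a wildcard policy that is rejected, which suggests that the tree at this commit cannot complete EC J-PAKE setup against the updated submodule. Folding that one-line change into this commit would keep the series bisectable: `psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));`. The same applies to the `ssl_client2.c`, `ssl_server2.c` and `test_suite_ssl.function` hunks of this patch.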
@@ -2059,7 +2059,7 @@ usage:
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes,
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index c5f22c4116..3b07c8d368 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3336,7 +3336,7 @@ reset:
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes,
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 3335e5c84e..3fbeac2479 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3973,7 +3973,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
 /* First try with an invalid usage */
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 PSA_ASSERT(psa_import_key(&attributes, pwd_string,
diff --git a/tf-psa-crypto b/tf-psa-crypto
index 71adc72ae3..bd17dc8bcc 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit 71adc72ae31bd6096741955be12422d41355c5fb
+Subproject commit bd17dc8bcc4cbb00c7bd3481a107a2b0e940d277
From e8073180ac995f4c4dc3efe8f70a955ea01f33f8 Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Thu, 13 Mar 2025 15:10:52 +0100
Subject: [PATCH 2/7] Create a changelog entry
Signed-off-by: Anton Matkin
---
 ChangeLog.d/9321.txt | 3 +++
 1 file changed, 3 insertions(+)
 create mode 100644 ChangeLog.d/9321.txt
diff --git a/ChangeLog.d/9321.txt b/ChangeLog.d/9321.txt
new file mode 100644
index 0000000000..b6c90e6a0e
--- /dev/null
+++ b/ChangeLog.d/9321.txt
@@ -0,0 +1,3 @@
+Changes
+ * Use the new `PSA_ALG_XXX` related macros for JPAKE instead of old macros,
+ which do not conform to the standard PAKE interface
\ No newline at end of file
From e2c5ca332ff66e655664774799186a46b9a8c74f Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Thu, 3 Apr 2025 13:38:43 +0200
Subject: [PATCH 3/7] Fixed the changelog entry, missing trailing newline
Signed-off-by: Anton Matkin
---
 ChangeLog.d/9321.txt | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ChangeLog.d/9321.txt b/ChangeLog.d/9321.txt
index b6c90e6a0e..816817dce8 100644
--- a/ChangeLog.d/9321.txt
+++ b/ChangeLog.d/9321.txt
@@ -1,3 +1,3 @@
 Changes
 * Use the new `PSA_ALG_XXX` related macros for JPAKE instead of old macros,
- which do not conform to the standard PAKE interface
\ No newline at end of file
+ which do not conform to the standard PAKE interface
From e8be4ee08ca729348cf031c0de3fdfa701e3ab11 Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Mon, 7 Apr 2025 16:26:06 +0200
Subject: [PATCH 4/7] Fixed the changelog entry wording
Signed-off-by: Anton Matkin
---
 ChangeLog.d/9321.txt | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ChangeLog.d/9321.txt b/ChangeLog.d/9321.txt
index 816817dce8..672d6e4304 100644
--- a/ChangeLog.d/9321.txt
+++ b/ChangeLog.d/9321.txt
@@ -1,3 +1,3 @@
 Changes
- * Use the new `PSA_ALG_XXX` related macros for JPAKE instead of old macros,
- which do not conform to the standard PAKE interface
+ * Use the new `PSA_ALG_XXX` related macros for JPAKE to be conformant to
+ the PSA API 1.2 PAKE extension
\ No newline at end of file
From 143d5d8a3a50642bef0af85ed89c50139e1d72e0 Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Wed, 9 Apr 2025 12:24:40 +0200
Subject: [PATCH 5/7] Deleted the changelog entry as requested
Signed-off-by: Anton Matkin
---
 ChangeLog.d/9321.txt | 3 ---
 1 file changed, 3 deletions(-)
 delete mode 100644 ChangeLog.d/9321.txt
diff --git a/ChangeLog.d/9321.txt b/ChangeLog.d/9321.txt
deleted file mode 100644
index 672d6e4304..0000000000
--- a/ChangeLog.d/9321.txt
+++ /dev/null
@@ -1,3 +0,0 @@
-Changes
- * Use the new `PSA_ALG_XXX` related macros for JPAKE to be conformant to
- the PSA API 1.2 PAKE extension
\ No newline at end of file
From 6eb5335ef0caa8bb77d5ec1b94a1736677acac0a Mon Sep 17 00:00:00 2001
From: Anton Matkin
Date: Wed, 28 May 2025 20:02:35 +0200
Subject: [PATCH 6/7] Fixed issues with policy verification, since wildcard JPAKE policy is now disallowed, changed to concrete jpake algorithm (with SHA256 hash)
Signed-off-by: Anton Matkin
---
 library/ssl_tls.c | 2 +-
 programs/ssl/ssl_client2.c | 2 +-
 programs/ssl/ssl_server2.c | 2 +-
 tests/suites/test_suite_ssl.function | 2 +-
 4 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/library/ssl_tls.c b/library/ssl_tls.c
index 76430b593b..9144f9222b 100644
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@@ -1808,7 +1808,7 @@ int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl,
 }
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes, pw, pw_len,
diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c
index ae77a173fb..40304dd381 100644
--- a/programs/ssl/ssl_client2.c
+++ b/programs/ssl/ssl_client2.c
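Review bot: After the `@@ -1808` hunk of `library/ssl_tls.c` (patch 6/7), `PSA_ALG_JPAKE(PSA_ALG_SHA_256)` appears twice in this file, here in the key policy and in the cipher-suite setup changed by patch 1/7, and the two must stay identical for the imported key to be usable. A divergence would presumably surface only at run time as a policy failure, so a single file-local name used at both sites would make the coupling explicit, for instance `#define SSL_ECJPAKE_PSA_ALG PSA_ALG_JPAKE(PSA_ALG_SHA_256)` (the name is only a suggestion). `mbedtls_ssl_set_hs_ecjpake_password()` begins before and continues after the hunk.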
@@ -2059,7 +2059,7 @@ usage:
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes,
diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c
index 3b07c8d368..64fd45952f 100644
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@@ -3336,7 +3336,7 @@ reset:
 psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 status = psa_import_key(&attributes,
diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function
index 3fbeac2479..5b6500898e 100644
--- a/tests/suites/test_suite_ssl.function
+++ b/tests/suites/test_suite_ssl.function
@@ -3973,7 +3973,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
 /* First try with an invalid usage */
 psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
- psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE_BASE);
+ psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
 psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
 PSA_ASSERT(psa_import_key(&attributes, pwd_string,
From eca92dcdeb1aee4f1a73f2cd5bf2ee462525475f Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?=
Date: Wed, 13 Aug 2025 09:50:12 +0200
Subject: [PATCH 7/7] Update tf-psa-crypto to current development
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Signed-off-by: Manuel Pégourié-Gonnard
---
 tf-psa-crypto | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
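Review bot: In the `@@ -2059` hunk of `programs/ssl/ssl_client2.c` (patch 6/7), the sample client has to know the exact PAKE algorithm the TLS layer uses in order to import a usable password key, and nothing at the call says so. Applications tend to copy this code, so a comment before the call would help: `/* Must match the J-PAKE algorithm the TLS stack uses for the handshake. */`. Keys that existing applications created with the previous algorithm value presumably stop being accepted, which is worth stating in the documentation of `mbedtls_ssl_set_hs_ecjpake_password_opaque()` if it is not already there. The same comment fits the identical `@@ -3336` hunk in `programs/ssl/ssl_server2.c`; the surrounding block continues outside both hunks.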
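Review bot: In the `@@ -3973` hunk of `tests/suites/test_suite_ssl.function` (patch 6/7), the only negative case visible is the wrong usage flag (`PSA_KEY_USAGE_SIGN_HASH`); nothing here checks a key whose algorithm policy is wrong. The commit message says a wildcard J-PAKE policy is now rejected, so a case that imports the key with `PSA_ALG_JPAKE_BASE`, or with a J-PAKE algorithm built on another hash, and expects the password setter to fail would pin that behaviour. `ssl_ecjpake_set_password()` continues outside the hunk, so such a case may already exist further down.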
diff --git a/tf-psa-crypto b/tf-psa-crypto
index bd17dc8bcc..f0b51e354b 160000
--- a/tf-psa-crypto
+++ b/tf-psa-crypto
@@ -1 +1 @@
-Subproject commit bd17dc8bcc4cbb00c7bd3481a107a2b0e940d277
+Subproject commit f0b51e354bb69071d3fab28650894287fac2348e