When we are doing PSK, we'd like to set verify_result to
MBEDTLS_X509_BADCERT_SKIP_VERIFY. Previously this was done in
mbedtls_ssl_set_hs_psk() but this is inadequate since this function may
be called for early data (where certificate verification happens later
in the handshake.
Instead, set this value after writing / processing the encrypted
extensions on the server / client respectively, so that we know whether
we are doing certificate verification or not for sure. This change is
effective only for TLS 1.3 as TLS 1.2 sets verify_result for PSK in
ssl_parse_certificate_coordinate().
Signed-off-by: David Horstmann <david.horstmann@arm.com>
The check was wrongly removed by the commit
"ssl_tls12_server.c: Move ClientHello message_seq adjustment".
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move back the digest update just after
the call to mbedtls_ssl_read_record().
It fits well here as we explain in the
comment associated to the call to
mbedtls_ssl_read_record() that we
update it manually.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The recursion tests for the crypto code
are run in a TF-PSA-Crypto component.
No need to run them in an Mbed TLS
component as well.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Define `_POSIX_C_SOURCE` and `_XOPEN_SOURCE` in a single place that
applies everywhere, to make things simple.
This may break some platforms that require special handling for POSIX
functions and types. Subsequent commits will add platform-specific hacks
as needed.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were using slightly different guards to decide whether to include
`<unistd.h>` in different places. Unify those.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
On MingW, temporarily force the use of the standard versions of `snprintf()`
and `vsnprintf()` (since we set `__USE_MINGW_ANSI_STDIO` in
`mbedtls_platform_requirements.h`). Do not honor `platform.h` configuration,
because with the current TF-PSA-Crypto, `MBEDTLS_PLATFORM_VSNPRINTF_ALT and
`MBEDTLS_PLATFORM_SNPRINTF_ALT` are always enabled on MinGW, so what matters
is the setting of `__USE_MINGW_ANSI_STDIO` when `platform.c` is built, and
until https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/694, the legacy printf
functions are used there.
Revert this commit once the `tf-psa-crypto` module is updated with the merge
of https://github.com/Mbed-TLS/TF-PSA-Crypto/pull/694.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Since Mbed TLS 3.6.0, all officially supported versions of Visual Studio
a printf function family that is sufficiently compliant to C99 for our
purposes, in particular supporting `%zu` for `size_t`. The only platform
without `%zu` that we semi-officially support is older versions of MinGW,
still used in our CI. MinGW provides either a Windows legacy printf or a
standards-compliant printf depending on the value of
`__USE_MINGW_ANSI_STDIO` when compiling each C file. Force the use of the
compliant version. Don't rely on `MBEDTLS_PRINTF_SIZET`, which is defined in
`<mbedtls/debug.h>` and no longer considers the Windows legacy version in
Mbed TLS >= 4.1.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Always activate `__USE_MINGW_ANSI_STDIO` unless overridden on the command
line. This is necessary with older versions of MingW and/or Windows,
where snprintf does not always zero-terminate the buffer, and does
not support formats such as `"%zu"` for size_t and `"%lld"` for long long.
Simplify debug.h accordingly. The macros `MBEDTLS_PRINTF_SIZET`,
`MBEDTLS_PRINTF_SIZET_HAX` and `MBEDTLS_PRINTF_LONGLONG` are no longer
needed, but they are still used in our code base and must stay in debug.h
for backward compatibility.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In `test_suite_debug`, test `mbedtls_debug_snprintf()`, which uses
`mbedtls_vsnprintf()` like `mbedtls_debug_print_msg()`. Do this instead of
testing `mbedtls_snprintf()`, which might be subtly different (older
Windows runtimes had slightly different behavior for vsnprintf() vs
snprintf(); TF-PSA-Crypto might pick up a different function if the
platform configuration is different in TF-PSA-Crypto and Mbed TLS).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
On some platforms, the system headers expose different interfaces depending
on what macros are defined, for example to provide different standards
compliance level. Create a common place where we can declare such macros,
so that our code can behave in the same way when it's in different files.
Individual .c files can still override these requirements by defining
macros before including the common header, if it's really necessary.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We already have `x509_internal.h` which is common to all parts of the X.509
library, and `ssl_misc.h` which is common to all parts of the TLS library.
Also create `mbedtls_common.h` which is for the Mbed TLS project as a whole.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
