We put that in 3.6.0 because we wanted to minimize changes in a minor
release, and in particular we wanted users to be able to build the library
if they were checking out a release tag without checking out submodules
recursively. That was possible because 3.6.x release tags contain the
generated files.
Since 4.0.0, it's completely impossible to build Mbed TLS without the
`tf-psa-crypto` submodule. So there's no point in trying to allow a build
without the `framework` submodule.
In the libtestdriver1 build, where we copy part of the framework, copy the
framework makefile as well, which is what we use to check for the presence
of the framework (even though the framework makefile doesn't do anything
useful after all).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't print the differences: interested users can just run `git diff` (or
save the old file and run `comm`).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test that `scripts/data_files/config-options-current.txt` is up-to-date.
This file needs to change every time we add or remove a config option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This script may be generalized to check other files that need lists of
current options. But for now, the script just checks
`scripts/data_files/config-options-current.txt`.
This script is identical to the file in crypto. If the file grows to support
multiple targets, we'll probably want to split it, with a generic part in
the framework and a project-specific part (probably little more than the
list of targets) in each project. But for now the file is too simple to split.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It doesn't matter how a macro was used in a previous minor version of the
library. What matters is current information about options and internal
symbols, and information about past versions from which a macro may have
been removed.
The output is mostly the same, but:
* Macros that were options in 3.6, became internal in 4.0 and have now
been completely removed are now shown as removed, not internal.
* Macros that were options in 3.6, were completely removed in 4.0, and are
now back but internal, are now shown as internal, not removed.
* Macros that were options in 3.6, were removed in 4.0 and are back to
being options are no longer rejected.
* Macros that were options in 3.6, were removed in 4.0 and are back to
being internal derived macros in TF-PSA-Crypto are no longer rejected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
secp192 curves are no more supported in tf-psa-crypto and also all the
temporary fixes has been removed. This one can be removed as well.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Even though the TLS RFCs do not mandate libraries to expose *Error
Alerts* (as defined in RFC8446 6.2 for TLS 1.3 and in RFC5246 7.2.2 for
TLS 1.2) to the user, there are use cases when it is handy to get the
actual last received fatal error instead of a generic one. For instance
this enables the user to differ between received fatal errors in case
`mbedtls_ssl_handshake()`, `mbedtls_ssl_handshake_step()` or
`mbedtls_ssl_read()` returned `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE`.
This changesets stores the last incoming fatal alert in
`mbedtls_ssl_context` and provides `mbedtls_ssl_get_alert()` as a getter
for retrieving it. Another option would be to provide a callback
mechanisms for all kinds of alerts (not only fatals) but for simplicity
I discarded this option.
Signed-off-by: Nico Geyso <ng@gsmk.de>
Since the hash algorithm is known, this can be used when calling
"mbedtls_pk_can_do_psa()" to get a more accurate answer.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The correct return type should have been "psa_algorithm_t" since the
beginning because this is what the function really returns and this is
what the returned value is then used for in the calling functions.
Change also the returned value in the default case from
MBEDTLS_PK_SIGALG_NONE to PSA_ALG_NONE in order to return the same type
as in other cases of the switch case.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We're going to remove ecdh.c soon, so use another way of testing whether
builtin ECDH is included in the build.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
In `scripts/common.make`, used by `tests/Makefile` and `programs/Makefile`,
we have the following rules to build the library:
```
$(MBEDLIBS):
$(MAKE) -C ../library
```
$(MBEDLIBS) contains three library files but the command is for all
the 3 files instead of single target generation. This would cause a
race when doing parallel build. This commit fixes command so that
the recipe could generate a single library file.
Fix https://github.com/Mbed-TLS/mbedtls/issues/8229
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
Checking that parent PK type is OK is definitely faster than computing
an hash, so invert the checks.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Add a simple helper to convert from PK sigalg to PSA algorithm. This is
handy when calling mbedtls_pk_can_do_psa() knowing the PK sigalg and the
used MD type.
This is being added in a separate file because it's meant to be consumed
by both ssl and x509 modules. It was not added to tf-psa-crypto because
this is only needed on the mbedtls repo and doing so reduce interdependencies
between the repos.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The check being removed is already done few lines above so there is no
need to repeat it twice.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
