This is only done when MBEDTLS_DEBUG_C is declared in order not to inflate
the library size.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- let the macro be an initializer for the array of known TLS IDs, not
a variable declarator;
- last item's group name is NULL, not an empty string
- change then name of the macro from MBEDTLS_TLS_ID_GROUP_NAME_TABLE to
MBEDTLS_SSL_IANA_TLS_GROUPS_INFO
- define a new public structure "mbedtls_ssl_iana_tls_group_info_t" to
hold each element of the table and that can be used the go over the
list from user code.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- adjust function name to mbedtls_ssl_get_fatal_alert
- fix missing property name changes for mbedtls_ssl_context
Signed-off-by: Nico Geyso <ng@gsmk.de>
Being a macro allow the table to be instatiated only when/if necessary
by the consuming code.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Keep MBEDTLS_PK_WRITE_C as guard only for "debug_print_pk" but let
"mbedtls_debug_print_crt" to work also when MBEDTLS_PK_WRITE_C is disabled.
In this case the only public key won't be printed, but the rest of the
certificate will be.
This commit also updates test coverage by duplicating test cases: now there
will be one case for when MBEDTLS_PK_WRITE_C is enabled and another one
for !MBEDTLS_PK_WRITE_C.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
In tf-psa-crypto "mbedtls_pk_write_pubkey_psa()" is only available when
MBEDTLS_PK_WRITE_C is defined. Therefore we need to add this guard also
in mbedtls to "debug_print_pk" (and indirectly to
"mbedtls_debug_print_crt") and the corresponding tests using it.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Move single line printing to a separate function named
mbedtls_debug_print_buf_one_line(). This accepts one extra parameter
'add_text' to tell if the final text chars are to be printed at the end
of the line or not.
Add also mbedtls_debug_print_buf_ext() as a generalized version of
mbedtls_debug_print_buf() by adding the extra 'add_text' param.
debug_print_pk() will now use mbedtls_debug_print_buf_ext() in order not
to print chars while dumping the buffer.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Remove usage of mbedtls_pk_debug stuff and related functions
(mbedtls_debug_print_psa_rsa(), mbedtls_debug_print_psa_ec(),
mbedtls_debug_print_integer() and debug_count_valid_bits()) and use
mbedtls_pk_write_pubkey_psa() to get the public key from the PK context.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
"Move crypto-specific code from library/Makefile to a new file" accidentally
copied two lines instead of moving them. Remove the copy that's now in
`crypto-library.make`, since the variables are defined earlier in
`crypto-common.make`. The variables aren't actually used in
`crypto-common.make`, but they could be (arguably should be used to
define `TF_PSA_CRYPTO_LIBRARY_PRIVATE_INCLUDE`).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The new file is in Mbed TLS for now. Once we have finished moving code to
it, it will move to TF-PSA-Crypto.
What got moved:
* List of object files from crypto
* List of generated .c files in crypto
* Rules to build generated .c files in crypto
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Use separate variables for the crypto part of lists of generated C files,
generated objects, sample programs and test data files.
No behavior change.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define variables that are meant to be possibly overridden on the make
command line (or in a parent makefile) at the top. In particular, define
them before including the crypto and framework makefiles, so these makefiles
can use the default values if there's no parent setting.
Also move some internal variables earlier or later, so that a subsequent
refactoring step can have things in the right order in the mbedtls
per-directory makefile:
1. Define variables consumed by the per-directory crypto makefile.
2. Include the per-directory crypto makefile.
3. Use variables defined by the per-directory crypto makefile.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Define these intermediate variables in the crypto helper file.
No behavior change except possibly an inconsequential reordering of compiler
options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Currently, Mbed TLS can be built with make, and we rely on this in many
`all.sh` components. Mbed TLS knows how to build TF-PSA-Crypto, but this
changes from time to time, and it's hard to do the necessary changes in both
repositories at the same time.
Create a file that Mbed TLS can consume to find out some information needed
to build TF-PSA-Crypto, such as the locations of various files.
Create this file in Mbed TLS. Once we have finished moving code to it, the
file will move to TF-PSA-Crypto.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We put that in 3.6.0 because we wanted to minimize changes in a minor
release, and in particular we wanted users to be able to build the library
if they were checking out a release tag without checking out submodules
recursively. That was possible because 3.6.x release tags contain the
generated files.
Since 4.0.0, it's completely impossible to build Mbed TLS without the
`tf-psa-crypto` submodule. So there's no point in trying to allow a build
without the `framework` submodule.
In the libtestdriver1 build, where we copy part of the framework, copy the
framework makefile as well, which is what we use to check for the presence
of the framework (even though the framework makefile doesn't do anything
useful after all).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Even though the TLS RFCs do not mandate libraries to expose *Error
Alerts* (as defined in RFC8446 6.2 for TLS 1.3 and in RFC5246 7.2.2 for
TLS 1.2) to the user, there are use cases when it is handy to get the
actual last received fatal error instead of a generic one. For instance
this enables the user to differ between received fatal errors in case
`mbedtls_ssl_handshake()`, `mbedtls_ssl_handshake_step()` or
`mbedtls_ssl_read()` returned `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE`.
This changesets stores the last incoming fatal alert in
`mbedtls_ssl_context` and provides `mbedtls_ssl_get_alert()` as a getter
for retrieving it. Another option would be to provide a callback
mechanisms for all kinds of alerts (not only fatals) but for simplicity
I discarded this option.
Signed-off-by: Nico Geyso <ng@gsmk.de>
Since the hash algorithm is known, this can be used when calling
"mbedtls_pk_can_do_psa()" to get a more accurate answer.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The correct return type should have been "psa_algorithm_t" since the
beginning because this is what the function really returns and this is
what the returned value is then used for in the calling functions.
Change also the returned value in the default case from
MBEDTLS_PK_SIGALG_NONE to PSA_ALG_NONE in order to return the same type
as in other cases of the switch case.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Checking that parent PK type is OK is definitely faster than computing
an hash, so invert the checks.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
