Return a const char* instead of taking a char* as an argument.
This aligns us with the interface used in TF PSA Crypto.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
`check_config.h` only needs to run once on the configuration. It doesn't
need to run every time an application is built. It used to be public up to
Mbed TLS 2.x because it was included from `config.h`, and users could
substitute that file completely and should still include `check_config.h`
from their file. But since Mbed TLS 3.x, including `check_config.h` is a
purely internal thing (done in `build_info.h`). So make the file itself
purely internal.
We don't need to include `check_config.h` when building every library file,
just one: `mbedtls_config.c`, that's its job.
Give the file a unique name, to avoid any clashes with TF-PSA-Crypto's
`check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix compilation error when `mbedtls/oid.h` is included without having first
included `mbedtls/asn1.h`. Fix#10326
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Following the removal of the legacy hash, cipher,
CMAC, AEAD, and RSA configuration options in
TF-PSA-Crypto, update the "requires" comments that
referred to the removed options.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For the test_psa_crypto_config_accel_rsa_crypto component,
ignore test cases that depend on MBEDTLS_GENPRIME being enabled.
When all RSA cryptographic operations are provided by drivers,
MBEDTLS_GENPRIME will not be enabled, as it will no longer be a configuration
option.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The header `mbedtls/oid.h` now belongs to the X.509 library. Move the
declarations of `mbedtls_oid_get_numeric_string()` and
`mbedtls_oid_from_numeric_string()` back to this header, which is where they
were in all previous releases of Mbed TLS. This avoids gratuitously breaking
backward compatibility.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some code that parses or writes X.509 needs to know OID values. We provide a
convenient list. Don't remove this list from the public interface of the
library.
For user convenience, expose these values in the same header as before and
with the same name as before: `MBEDTLS_OID_xxx` in `<mbedtls/oid.h>`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This will be a subset of the former `<mbedtls/oid.h>`, with only macro
definitions, no function declarations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Stop referring to low-level APIs that are becoming private.
Also drop the requirement on supporting what is now
PSA_ALG_RSA_PKCS1V15_SIGN_RAW. That was needed for TLS 1.0/1.1 which signs
MD5||SHA1, but is no longer needed since Mbed TLS 3.0 dropped support for
these protocol versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This reflects the fact that the library will not modify the list, and allows
the list to be read from a const buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* public/development: (23 commits)
tests: suite_x509parse: set PSA max operations in x509_verify_restart()
library: debug: remove mbedtls_debug_printf_ecdh()
library: debug: make mbedtls_debug_print_psa_ec() static
Remove call to pk_decrypt() in ssl_server2
Change hardcoded error values in ssl-opt to take in the PSA error alias
Test with GCC 15 with sloppy union initialization
Update crypto with the union initialization fixes
Mark ssl_tls12_preset_suiteb_sig_algs const
Mark ssl_tls12_preset_default_sig_algs const
Use PSA macros for the `pkalgs` domain
reverted compat-2.x.h removal from psa-transition.md
Correct ChangeLog file extension
Add ChangeLog
remove compat-2.x.h
Remove trace of secp224k1
Update submodules
Improve comments
Allow gcc-15 to be in $PATH
Enable drivers when testing with GCC 15
GCC 15: Silence -Wunterminated-string-initialization
...
Remove the public definition of mbedtls_debug_print_ecp(). The function
is only used internally in debug.c, so we can then make the function
static.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
crashing with use-after-free, instead it's now failing cleanly:
failed
! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
That's better of course but still not great, will be fixed by future
commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- Do not store RSA-PSS signature options in CRL/CRT/CSR structures;
- During the parsing phase, just ensure that MGF1 hash alg is the same
as the one used for the message.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
