Don't print the differences: interested users can just run `git diff` (or
save the old file and run `comm`).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test that `scripts/data_files/config-options-current.txt` is up-to-date.
This file needs to change every time we add or remove a config option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This script may be generalized to check other files that need lists of
current options. But for now, the script just checks
`scripts/data_files/config-options-current.txt`.
This script is identical to the file in crypto. If the file grows to support
multiple targets, we'll probably want to split it, with a generic part in
the framework and a project-specific part (probably little more than the
list of targets) in each project. But for now the file is too simple to split.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It doesn't matter how a macro was used in a previous minor version of the
library. What matters is current information about options and internal
symbols, and information about past versions from which a macro may have
been removed.
The output is mostly the same, but:
* Macros that were options in 3.6, became internal in 4.0 and have now
been completely removed are now shown as removed, not internal.
* Macros that were options in 3.6, were completely removed in 4.0, and are
now back but internal, are now shown as internal, not removed.
* Macros that were options in 3.6, were removed in 4.0 and are back to
being options are no longer rejected.
* Macros that were options in 3.6, were removed in 4.0 and are back to
being internal derived macros in TF-PSA-Crypto are no longer rejected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
secp192 curves are no more supported in tf-psa-crypto and also all the
temporary fixes has been removed. This one can be removed as well.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Since the hash algorithm is known, this can be used when calling
"mbedtls_pk_can_do_psa()" to get a more accurate answer.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The correct return type should have been "psa_algorithm_t" since the
beginning because this is what the function really returns and this is
what the returned value is then used for in the calling functions.
Change also the returned value in the default case from
MBEDTLS_PK_SIGALG_NONE to PSA_ALG_NONE in order to return the same type
as in other cases of the switch case.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We're going to remove ecdh.c soon, so use another way of testing whether
builtin ECDH is included in the build.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
In `scripts/common.make`, used by `tests/Makefile` and `programs/Makefile`,
we have the following rules to build the library:
```
$(MBEDLIBS):
$(MAKE) -C ../library
```
$(MBEDLIBS) contains three library files but the command is for all
the 3 files instead of single target generation. This would cause a
race when doing parallel build. This commit fixes command so that
the recipe could generate a single library file.
Fix https://github.com/Mbed-TLS/mbedtls/issues/8229
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
Checking that parent PK type is OK is definitely faster than computing
an hash, so invert the checks.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Add a simple helper to convert from PK sigalg to PSA algorithm. This is
handy when calling mbedtls_pk_can_do_psa() knowing the PK sigalg and the
used MD type.
This is being added in a separate file because it's meant to be consumed
by both ssl and x509 modules. It was not added to tf-psa-crypto because
this is only needed on the mbedtls repo and doing so reduce interdependencies
between the repos.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The check being removed is already done few lines above so there is no
need to repeat it twice.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This replacement is either:
- "server5-rsa-signed.crt": if a generic secp256r1 EC key is enough, i.e.
any EC key is fine as it's not secp192 since this support is being
removed from TF-PSA-Crypto.
- "server11-rsa-signed.crt": if an EC key which does not belong to "suite-b"
is required. For this case "secp256r1" wouldn't be good, so we use
a "secp256k1" key.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Those in SSL modules were redundant because it's already included from
ssl_misc.h.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Besides using an internal crypto header, error.h is arguably the wrong
place: this file's docstring says it's about "Error to string
translation", quite unrelated to the things we use from error_common.h.
This is not surprising given the history, but no longer makes sense
today.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
