Including `mbedtls/check_config.h` from `mbedtls/config.h` is optional. If
done, `limits.h` gets included. If not done, we were missing the inclusion
of `limits.h` in several source files. Fix this and add a test build that
doesn't include `mbedtls/check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is the issue that tracks incomplete support for buffer overlap, so
we should refer to it when we discuss partial support whenever
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
* Fix a grammatical typo
* Mention shared memory
* Mention overlap support in the security section
* Improve wording
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Mention that arbitrary overlap is now supported, except whenever
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Specifically:
* Clarify that passing shared buffers is now secure by default (not
newly supported)
* Remove spurious hyphen
* Clarify that we do not guarantee copying, but rather guarantee
protection, allowing us to implement this differently in future if
required.
* Mention both protection of inputs from modification and outputs from
exposure of intermediate results.
* Invert the config option, from an enable-option to a disable-option.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Replace custom LIB_INSTALL_DIR with standard CMAKE_INSTALL_LIBDIR variable.
For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.
Signed-off-by: Biswapriyo Nath <nathbappai@gmail.com>
Add three package config files for mbedtls, mbedcrypto and mbedx509.
Also update various project variables so the generated PC files have the
required data needed without hardcoding it everywhere.
This will help distros package the project following existing
conventsions between a normal and -devel package that includes the
headers and .pc files for pkg-config aware consumers.
This also squashes:
- fff51cecc ("Update ChangeLog.d/pkg-config-files-addition.txt")
Fixes: #228
Signed-off-by: Bill Roberts <bill.roberts@arm.com>
Add non-regression tests. Update some test functions to not assume that
byte_length == bit_length / 8.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Upon further consideration we think that a remote attacker close to the
victim might be able to have precise enough timing information to
exploit the side channel as well. Update the Changelog to reflect this.
Signed-off-by: Janos Follath <janos.follath@arm.com>
With stream ciphers, add a check that there's enough room to read a MAC in
the record. Without this check, subtracting the MAC length from the data
length resulted in an integer underflow, causing the MAC calculation to try
reading (SIZE_MAX + 1 - maclen) bytes of input, which is a buffer overread.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
