Return a const char* instead of taking a char* as an argument.
This aligns us with the interface used in TF PSA Crypto.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
`check_config.h` only needs to run once on the configuration. It doesn't
need to run every time an application is built. It used to be public up to
Mbed TLS 2.x because it was included from `config.h`, and users could
substitute that file completely and should still include `check_config.h`
from their file. But since Mbed TLS 3.x, including `check_config.h` is a
purely internal thing (done in `build_info.h`). So make the file itself
purely internal.
We don't need to include `check_config.h` when building every library file,
just one: `mbedtls_config.c`, that's its job.
Give the file a unique name, to avoid any clashes with TF-PSA-Crypto's
`check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix compilation error when `mbedtls/oid.h` is included without having first
included `mbedtls/asn1.h`. Fix#10326
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Following the removal of the legacy hash, cipher,
CMAC, AEAD, and RSA configuration options in
TF-PSA-Crypto, update the "requires" comments that
referred to the removed options.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
For the test_psa_crypto_config_accel_rsa_crypto component,
ignore test cases that depend on MBEDTLS_GENPRIME being enabled.
When all RSA cryptographic operations are provided by drivers,
MBEDTLS_GENPRIME will not be enabled, as it will no longer be a configuration
option.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The header `mbedtls/oid.h` now belongs to the X.509 library. Move the
declarations of `mbedtls_oid_get_numeric_string()` and
`mbedtls_oid_from_numeric_string()` back to this header, which is where they
were in all previous releases of Mbed TLS. This avoids gratuitously breaking
backward compatibility.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some code that parses or writes X.509 needs to know OID values. We provide a
convenient list. Don't remove this list from the public interface of the
library.
For user convenience, expose these values in the same header as before and
with the same name as before: `MBEDTLS_OID_xxx` in `<mbedtls/oid.h>`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This will be a subset of the former `<mbedtls/oid.h>`, with only macro
definitions, no function declarations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Stop referring to low-level APIs that are becoming private.
Also drop the requirement on supporting what is now
PSA_ALG_RSA_PKCS1V15_SIGN_RAW. That was needed for TLS 1.0/1.1 which signs
MD5||SHA1, but is no longer needed since Mbed TLS 3.0 dropped support for
these protocol versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This reflects the fact that the library will not modify the list, and allows
the list to be read from a const buffer.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* public/development: (23 commits)
tests: suite_x509parse: set PSA max operations in x509_verify_restart()
library: debug: remove mbedtls_debug_printf_ecdh()
library: debug: make mbedtls_debug_print_psa_ec() static
Remove call to pk_decrypt() in ssl_server2
Change hardcoded error values in ssl-opt to take in the PSA error alias
Test with GCC 15 with sloppy union initialization
Update crypto with the union initialization fixes
Mark ssl_tls12_preset_suiteb_sig_algs const
Mark ssl_tls12_preset_default_sig_algs const
Use PSA macros for the `pkalgs` domain
reverted compat-2.x.h removal from psa-transition.md
Correct ChangeLog file extension
Add ChangeLog
remove compat-2.x.h
Remove trace of secp224k1
Update submodules
Improve comments
Allow gcc-15 to be in $PATH
Enable drivers when testing with GCC 15
GCC 15: Silence -Wunterminated-string-initialization
...
Remove the public definition of mbedtls_debug_print_ecp(). The function
is only used internally in debug.c, so we can then make the function
static.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Now programs/x509/cert_write san="DN:CN=#0000;DN:CN=#0000" is no longer
crashing with use-after-free, instead it's now failing cleanly:
failed
! mbedtls_x509_string_to_names returned -0x2800 - X509 - Input invalid
That's better of course but still not great, will be fixed by future
commits.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
- Do not store RSA-PSS signature options in CRL/CRT/CSR structures;
- During the parsing phase, just ensure that MGF1 hash alg is the same
as the one used for the message.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
* development-restricted:
Add missing credit for set_hostname issue
Add changelog entry for TLS 1.2 Finished fix
TLS1.2: Check for failures in Finished calculation
ssl_session_reset: preserve HOSTNAME_SET flag
Document the need to call mbedtls_ssl_set_hostname
Improve documentation of mbedtls_ssl_set_hostname
Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
mbedtls_ssl_set_hostname tests: add tests with CA callback
Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
Require calling mbedtls_ssl_set_hostname() for security
Create error code for mbedtls_ssl_set_hostname not called
Keep track of whether mbedtls_ssl_set_hostname() has been called
Access ssl->hostname through abstractions in certificate verification
mbedtls_ssl_set_hostname tests: baseline
Add a flags field to mbedtls_ssl_context
Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency
Make guards more consistent between X.509-has-certs and SSL-has-certs
Fix Doxygen markup
Make ticket_alpn field private
Conflicts:
programs/ssl/ssl_test_common_source.c
