* public/mbedtls-2.28: (88 commits)
tests/ssl_helpers: Check that message queue is popped
Upgrade python dependencies in requirements file
Fix some typo for include folder
Adjust TLS protocol cases for 2.28
Fix copypasta
Declare the new generated files
Add generated config tests
Remove some settings that don't exist in 2.28
Adjust generate_config_tests.py for 2.28
Terminology: use "dependencies" for a list of settings
Terminology: consistently use "setting", not "option"
Explain why we require TLS client and server simultaneously
Fix missing negation
Pacify mypy
Detect sub-options
Generate config test cases for single options
Anchor relative paths
New test suite to report configuration options
Recognize that a double-inclusion guard is not a config setting
Add and update some .gitignore files
...
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes#9253.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
MBEDTLS_PSA_HMAC_DRBG_MD_TYPE was documented and announced as causing the
PSA DRBG to be HMAC_DRBG. However, that was never actually implemented:
CTR_DRBG is prioritized if enabled.
Since there is a simple workaround of disabling MBEDTLS_CTR_DRBG_C if you
want to use HMAC_DRBG, we have decided to accept the actual behavior and fix
the documentation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Including `mbedtls/check_config.h` from `mbedtls/config.h` is optional. If
done, `limits.h` gets included. If not done, we were missing the inclusion
of `limits.h` in several source files. Fix this and add a test build that
doesn't include `mbedtls/check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is the issue that tracks incomplete support for buffer overlap, so
we should refer to it when we discuss partial support whenever
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
* Fix a grammatical typo
* Mention shared memory
* Mention overlap support in the security section
* Improve wording
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Mention that arbitrary overlap is now supported, except whenever
MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS is set.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Specifically:
* Clarify that passing shared buffers is now secure by default (not
newly supported)
* Remove spurious hyphen
* Clarify that we do not guarantee copying, but rather guarantee
protection, allowing us to implement this differently in future if
required.
* Mention both protection of inputs from modification and outputs from
exposure of intermediate results.
* Invert the config option, from an enable-option to a disable-option.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Replace custom LIB_INSTALL_DIR with standard CMAKE_INSTALL_LIBDIR variable.
For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.
Signed-off-by: Biswapriyo Nath <nathbappai@gmail.com>
Add three package config files for mbedtls, mbedcrypto and mbedx509.
Also update various project variables so the generated PC files have the
required data needed without hardcoding it everywhere.
This will help distros package the project following existing
conventsions between a normal and -devel package that includes the
headers and .pc files for pkg-config aware consumers.
This also squashes:
- fff51cecc ("Update ChangeLog.d/pkg-config-files-addition.txt")
Fixes: #228
Signed-off-by: Bill Roberts <bill.roberts@arm.com>
Add non-regression tests. Update some test functions to not assume that
byte_length == bit_length / 8.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Upon further consideration we think that a remote attacker close to the
victim might be able to have precise enough timing information to
exploit the side channel as well. Update the Changelog to reflect this.
Signed-off-by: Janos Follath <janos.follath@arm.com>
