This will be a subset of the former `<mbedtls/oid.h>`, with only macro
definitions, no function declarations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with
`MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not
used for anything.
Public functions in X.509 propagate this error code, so it needs to have a
public name.
Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then
```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Avoid clashes with the functions and the type that are still defined in
TF-PSA-Crypto. They are now internal names, so it doesn't really matter, but
having the same name as the ones declared in TF-PSA-Crypto's `oid.h` would
cause problems during the transition.
Remove the unused name for `struct mbedtls_oid_descriptor_t`, and rename the
rest:
```
perl -i -pe 's/mbedtls_oid_/mbedtls_x509_oid_/g' library/x509_oid.[hc]
./framework/scripts/code_style.py --fix library/x509_oid.[hc]
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Stop referring to low-level APIs that are becoming private.
Also drop the requirement on supporting what is now
PSA_ALG_RSA_PKCS1V15_SIGN_RAW. That was needed for TLS 1.0/1.1 which signs
MD5||SHA1, but is no longer needed since Mbed TLS 3.0 dropped support for
these protocol versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With the removal of MBEDTLS_SHA3_C the test cases with disabled SHA3
dependency are never executed. Adding a temporary `all.sh` component
which disabling the `PSA_WANT_ALG_SHA3_*` macros to cover
these test cases.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
Both PKCS7 and X509 rely on PK module under the hood and the latter can
use PSA to store keys and perform operations. Therefore psa_crypto_init()
must be called before any operation can be done with PKCS7 and X509.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Move mbedtls_debug_print_ecp(), mbedtls_debug_print_ec_coord() and
mbedtls_debug_print_psa_ec() under the same guards as debug_print_pk().
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Remove the public definition of mbedtls_debug_print_ecp(). The function
is only used internally in debug.c, so we can then make the function
static.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Set also psa_interruptible_set_max_ops() when mbedtls_ecp_set_max_ops()
is set so that the same amount of operations will be used both if legacy
ECDSA_C or PSA is used under the hood to perform the operation.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We no longer use decrypt TLS 1.2 (never did in 1.3) so we no longer need
this path. Further simplifications could probably be made (we currently
have an enum type with only one possible value...) but for now I'm
trying to keep changes minimal.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
ssl-opt checks for specific error code values in the output, but as
MBEDTLS_ERR_ECP_IN_PROGRESS is becoming an alias of PSA_OPERATION_INCOMPLETE
then this hardcoded value will change.
Therefore allow the result to be either the old mbedtls error, or the new PSA
error, as not to break the CI.
Signed-off-by: Felix Conway <felix.conway@arm.com>
The curve secp224k1 was supported in the legacy API in Mbed TLS <=3.6, but
removed after 3.6, and was never implemented in PSA. Remove this old trace
of it.
This is a partial cherry-pick of 32c82f0c369117b22d8a40e51723c364156d1aff
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The goal of testing with GCC 15 is to validate fixes for
https://github.com/Mbed-TLS/mbedtls/issues/9814 . The bug is present in
multiple places, and some of them affect third-party drivers but not our
built-in implementation. (The bug is that driver contexts might not be
zero-initialized, but some of our built-in implementations happen not to
care about this.) Thus, enable the test drivers in the test component that
uses GCC 15, to gain the extra checks performed in the driver wrappers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is a new warning in GCC 15 that our code base triggers in many places.
Silence it for the time being.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
