Let the user specify whether to use the key as a sign/verify key, an
encrypt/decrypt key or a key agreement key. Also let the user indicate if
they just want the public part when the input is a key pair.
Based on a discussion in
https://github.com/Mbed-TLS/mbedtls/pull/8682#discussion_r1444936480
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It's useful in applications that want to use some PSA opaque keys regardless
of whether all pk operations go through PSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Migrate to the new redirect format introduced by ReadTheDocs in
readthedocs/readthedocs.org#10881
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
These error codes are only returned if the program has been tampered with,
so they should be CORRUPTION_DETECTED.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
psa_wipe_key_slot can now be called on a slot in any state, if the slot's state
is PSA_SLOT_FULL or PSA_SLOT_PENDING_DELETION then there must be exactly 1 registered
reader.
Remove the state changing calls that are no longer necessary.
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
Move the save/load of session endpoint and
ciphersuite that are common to TLS 1.2 and
TLS 1.3 serialized data from the
specialized ssl_{tls12,tls13}_session_{save,load}
functions to ssl__session_{save,load}.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The purpose of this change is to eventually base
the calculation in ssl_ticket.c of the ticket age
when parsing a ticket on the ticket creation time
both in TLS 1.2 and TLS 1.3 case.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The endpoint field is needed to serialize/deserialize
a session in TLS 1.2 the same way it is needed in the
TLS 1.3 case: client specific fields that should not
be in the serialized version on server side if both
TLS client and server are enabled in the TLS library.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Take into account that the lifetime of
tickets can be changed through the
mbedtls_ssl_ticket_rotate() API.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
When calculating the ticket age, remove the check
that the endpoint is a server. The module is
supposed to be used only server side. Furthermore,
if such check was necessary, it should be at the
beginning of all ssl_ticket.c APIs. As there is no
such protection in any API, just remove the check.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The ticket module is removed from the build
if the TLS server is not in the build now
thus no need for the guard.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
