The header `mbedtls/oid.h` now belongs to the X.509 library. Move the
declarations of `mbedtls_oid_get_numeric_string()` and
`mbedtls_oid_from_numeric_string()` back to this header, which is where they
were in all previous releases of Mbed TLS. This avoids gratuitously breaking
backward compatibility.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
For each function in `x509_oid.c`, determine where it is used and only
include it in the build if it is needed by the X.509 code. Define the
corresponding internal tables only when they are consumed by a function.
This makes Mbed TLS completely independent of the compilation option
`MBEDTLS_OID_C`. This option remains present only in sample configs for
crypto, where it must stay until TF-PSA-Crypto no longer relies on this
option.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_oid_get_md_alg() is used in X.509, but
mbedtls_oid_get_oid_by_md() is only used in crypto.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some code that parses or writes X.509 needs to know OID values. We provide a
convenient list. Don't remove this list from the public interface of the
library.
For user convenience, expose these values in the same header as before and
with the same name as before: `MBEDTLS_OID_xxx` in `<mbedtls/oid.h>`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This will be a subset of the former `<mbedtls/oid.h>`, with only macro
definitions, no function declarations.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with
`MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not
used for anything.
Public functions in X.509 propagate this error code, so it needs to have a
public name.
Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then
```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Avoid clashes with the functions and the type that are still defined in
TF-PSA-Crypto. They are now internal names, so it doesn't really matter, but
having the same name as the ones declared in TF-PSA-Crypto's `oid.h` would
cause problems during the transition.
Remove the unused name for `struct mbedtls_oid_descriptor_t`, and rename the
rest:
```
perl -i -pe 's/mbedtls_oid_/mbedtls_x509_oid_/g' library/x509_oid.[hc]
./framework/scripts/code_style.py --fix library/x509_oid.[hc]
```
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Stop referring to low-level APIs that are becoming private.
Also drop the requirement on supporting what is now
PSA_ALG_RSA_PKCS1V15_SIGN_RAW. That was needed for TLS 1.0/1.1 which signs
MD5||SHA1, but is no longer needed since Mbed TLS 3.0 dropped support for
these protocol versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Set also psa_interruptible_set_max_ops() when mbedtls_ecp_set_max_ops()
is set so that the same amount of operations will be used both if legacy
ECDSA_C or PSA is used under the hood to perform the operation.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
We no longer use decrypt TLS 1.2 (never did in 1.3) so we no longer need
this path. Further simplifications could probably be made (we currently
have an enum type with only one possible value...) but for now I'm
trying to keep changes minimal.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
ssl-opt checks for specific error code values in the output, but as
MBEDTLS_ERR_ECP_IN_PROGRESS is becoming an alias of PSA_OPERATION_INCOMPLETE
then this hardcoded value will change.
Therefore allow the result to be either the old mbedtls error, or the new PSA
error, as not to break the CI.
Signed-off-by: Felix Conway <felix.conway@arm.com>
The curve secp224k1 was supported in the legacy API in Mbed TLS <=3.6, but
removed after 3.6, and was never implemented in PSA. Remove this old trace
of it.
This is a partial cherry-pick of 32c82f0c369117b22d8a40e51723c364156d1aff
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The goal of testing with GCC 15 is to validate fixes for
https://github.com/Mbed-TLS/mbedtls/issues/9814 . The bug is present in
multiple places, and some of them affect third-party drivers but not our
built-in implementation. (The bug is that driver contexts might not be
zero-initialized, but some of our built-in implementations happen not to
care about this.) Thus, enable the test drivers in the test component that
uses GCC 15, to gain the extra checks performed in the driver wrappers.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is a new warning in GCC 15 that our code base triggers in many places.
Silence it for the time being.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
