1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-04 08:02:28 +03:00
Commit Graph

1296 Commits

Author SHA1 Message Date
a81d6dfb05 tests|programs: remove usage of mbedtls_ecp_set_max_ops()
PK restartable operations are now implemented using PSA interruptible
ones, so mbedtls_ecp_set_max_ops() can be removed in favor of
psa_interruptible_set_max_ops().

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-06-12 06:39:18 +02:00
7f363dfe62 programs: ssl_client2: set max restartable op also in PSA
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-05-27 11:59:32 +02:00
92a9bd345c Remove call to pk_decrypt() in ssl_server2
We no longer use decrypt TLS 1.2 (never did in 1.3) so we no longer need
this path. Further simplifications could probably be made (we currently
have an enum type with only one possible value...) but for now I'm
trying to keep changes minimal.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-20 12:04:26 +02:00
02c80e631f Fix test and formatting in ssl_context_info
Signed-off-by: Paul Höhn <paul.hoehn@icloud.com>
2025-04-29 22:02:24 +02:00
5a7a5305e8 removed trailing whitespace
Signed-off-by: Paul Höhn <paul.hoehn@icloud.com>
2025-04-29 18:53:07 +02:00
da95274730 ssl context fix for 4.0
Signed-off-by: Paul Höhn <paul.hoehn@icloud.com>
2025-04-29 18:53:07 +02:00
b12205ca7a Removed use of mbedtls_cipher_info from ssl_context_info.c
Signed-off-by: Paul Höhn <paul.hoehn@icloud.com>
2025-04-22 11:18:34 +02:00
232da48471 Merge pull request #9421 from mfil/feature/implement_tls_exporter
Implement TLS-Exporter
2025-04-17 14:47:13 +00:00
ed4a2b4f0a Merge branch 'development-restricted' into merge-from-restricted
* development-restricted:
  Add missing credit for set_hostname issue
  Add changelog entry for TLS 1.2 Finished fix
  TLS1.2: Check for failures in Finished calculation
  ssl_session_reset: preserve HOSTNAME_SET flag
  Document the need to call mbedtls_ssl_set_hostname
  Improve documentation of mbedtls_ssl_set_hostname
  Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
  Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
  mbedtls_ssl_set_hostname tests: add tests with CA callback
  Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
  Require calling mbedtls_ssl_set_hostname() for security
  Create error code for mbedtls_ssl_set_hostname not called
  Keep track of whether mbedtls_ssl_set_hostname() has been called
  Access ssl->hostname through abstractions in certificate verification
  mbedtls_ssl_set_hostname tests: baseline
  Add a flags field to mbedtls_ssl_context
  Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency
  Make guards more consistent between X.509-has-certs and SSL-has-certs
  Fix Doxygen markup
  Make ticket_alpn field private

 Conflicts:
	programs/ssl/ssl_test_common_source.c
2025-04-01 09:40:47 +02:00
22728dc5e3 Use mbedtls_calloc, not regular calloc
Also fix the allocation size.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 17:08:12 +01:00
144cccecb7 Fix memory leak in example programs
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 17:08:12 +01:00
2fe35f61bf Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.

This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.

Signed-off-by: Max Fillinger <max@max-fillinger.net>
2025-03-28 16:53:58 +01:00
281fb79116 Remove TLS 1.2 Exporter if we don't have randbytes
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.

Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:58 +01:00
dbe864569e Fix typos in comments
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:58 +01:00
7b72220d42 Fix coding style
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2025-03-28 16:53:58 +01:00
81dfc8830b Actually set exporter defaults in ssl_client2
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:57 +01:00
b2718e17e6 Add TLS-Exporter options to ssl_client2
Prints out the exported key on the command line for testing purposes.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:57 +01:00
32ba7f4a17 Add TLS-Exporter options to ssl_server2
The program prints out the derived symmetric key for testing purposes.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:57 +01:00
47111a1cb1 initial remove of mbedtls_ssl_conf_rng
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 13:32:10 +00:00
440cb2aac2 Remove RNG from x509 and PK
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 08:17:38 +00:00
858b829436 Add define to fuzz/common.c and ssl/ssl_test_lib.c
Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-03-25 10:06:53 +00:00
998760ae5d Define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS in every sample program
Add #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS to every sample program
before the first include so that mbedtls doesn't break with future
privatization work.

Signed-off-by: Felix Conway <felix.conway@arm.com>
2025-03-24 11:37:33 +00:00
58535da8d0 Only check for certificates if it is supported
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:07 +01:00
e99e591179 Remove key exchange based on encryption/decryption
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:07 +01:00
4515d10163 Merge pull request #10039 from bjwtaylor/remove-rng-from-ssl
Remove RNG parameters from public SSL APIs
2025-03-19 11:27:51 +00:00
7134e52dec programs -> ssl_client2.c: Added option renego_delay to set record buffer depth.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-03-13 11:06:43 +00:00
a2a0c2cbe7 Merge remote-tracking branch 'origin/features/tls-defragmentation/development' into feature_merge_defragmentation_dev
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-03-12 15:25:06 +00:00
0cfe54e4e0 remove RNG parameters from SSL API's
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-10 13:24:31 +00:00
2e5a7ea9bc Fix Doxygen markup
Pacify `clang -Wdocumentation`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-05 17:02:18 +01:00
73cd415c0b programs: remove DHM_C from ssl_client2 and ssl_server2
MBEDTLS_DHM_C is being removed so all its occurencies should be removed
as well.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-05 10:11:22 +01:00
e5054e495a mbedtls_ssl_set_hostname tests: baseline
Test the current behavior.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-20 19:24:16 +01:00
eb63613347 Make guards more consistent between X.509-has-certs and SSL-has-certs
Fix some build errors when MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED is false
but MBEDTLS_X509_CRT_PARSE_C is enabled. This is not a particularly useful
configuration, but for quick testing, it's convenient for it to work.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-20 18:51:14 +01:00
86a66edcd0 Fix Doxygen markup
Pacify `clang -Wdocumentation`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-20 18:51:14 +01:00
53ba6ad106 Update paths for moved program files in CMakeLists
This commit fixes the paths of program files which were moved to the
MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-19 15:30:24 +00:00
c19b8e80e7 Update include paths in C files
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-19 15:25:44 +00:00
837130cf65 Improve Changelog and correct alg selection
Improve the description of the API changes in the changelog and
fix some incorrect alg selection variables in ssl_server2.c.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-02-04 07:50:19 +00:00
0c29cf87b1 Move ssl_ticket to the PSA API
Convert the mbedtl_ssl_ticket_setup function to use the TF_PSA_Crypto
API.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-01-30 08:22:40 +00:00
bc7c523420 Remove uses of secp244k1
Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will
not be implemented. (It would be K1_225 anyway, but we don't intend to
implement it anyway.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-08 16:51:23 +01:00
5096b4cb4b Revert "Remove mbedtls_test"
This reverts commit 939ce9d0d5.

Build mbedtls_test library of objects to link
with TLS and x509 test suites and programs
with mbedtls framework not TF-PSA-Crypto
one (when it will be there).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-12-10 16:56:49 +01:00
d5331ff4e6 cmake: Move cert.o to mbedtls_test_helpers library of objects
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-12-04 14:25:02 +01:00
b4dcb952ea Add SSL-related test includes to ssl programs
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-11-18 15:50:44 +00:00
5b93d97b95 Update references to test helpers
Replace:
* tests/src -> framework/tests/src
* tests/include -> framework/tests/include

Except for occurrences of:
* tests/src/test_helpers (since this only contains ssl_helpers.c)
* tests/src/test_certs.h
* tests/include/alt_dummy

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-11-18 15:50:44 +00:00
939ce9d0d5 Remove mbedtls_test
Use tf_psa_crypto_test instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-11-14 13:52:36 +01:00
fc140d0c6b Merge pull request #9672 from gilles-peskine-arm/coverity-20241004
Fix edge cases of mbedtls_psa_raw_to_der and mbedtls_psa_der_to_raw
2024-11-06 19:03:13 +00:00
cd0fb1d178 Merge pull request #9105 from jetm/ssl-client2-get-req-host
ssl_client2: Add Host to HTTP GET request
2024-10-31 11:32:49 +00:00
b2478989e2 cmake: GNU GCC: Set base compile options target by target
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-10-25 18:09:33 +02:00
1392017263 Remove unreachable assignments
This is harmless, but we might as well remove the unreachable line. If we
ever add a break to the loop and we don't think of changing the surrounding
code, it would make more sense not to set exit_code to SUCCESS.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-10-07 11:23:39 +02:00
713127de4c dtls_server: allow unexpected messages during handshake
If MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE happens during the handshake, don't
show it as an "error". It might be an error, but it might also be a fact of
life if it happens during the second or more handshake: it can be a
duplicated packet or a close_notify alert from the previous connection,
which is hard to avoid and harmless.

Fixes #9652.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-10-02 11:09:20 +02:00
5333425891 Always call psa_crypto_init before using TLS
In Mbed TLS 4.0, all cryptography goes through PSA, so calling
psa_crypto_init() is now mandatory before starting a TLS connection (as was
the case in Mbed TLS 3.x with MBEDTLS_USE_PSA_CRYPTO enabled).

Switch the TLS sample programs to calling psa_crypto_init() unconditionally.
Otherwise TLS 1.3 connections fail, and (D)TLS 1.2 connections soon will.

This commit omits the test programs ssl_client2 and ssl_server2, which don't
require a change right now. They will be covered when we make
MBEDTLS_USE_PSA_CRYPTO always on.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 21:12:57 +02:00
6e3de21492 dtls_client: don't force the use of IPv6
Default to connecting to "localhost", like ssl_client1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00