1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-01 09:41:40 +03:00
Commit Graph

706 Commits

Author SHA1 Message Date
92a9bd345c Remove call to pk_decrypt() in ssl_server2
We no longer use decrypt TLS 1.2 (never did in 1.3) so we no longer need
this path. Further simplifications could probably be made (we currently
have an enum type with only one possible value...) but for now I'm
trying to keep changes minimal.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-05-20 12:04:26 +02:00
22728dc5e3 Use mbedtls_calloc, not regular calloc
Also fix the allocation size.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 17:08:12 +01:00
144cccecb7 Fix memory leak in example programs
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 17:08:12 +01:00
2fe35f61bf Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.

This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.

Signed-off-by: Max Fillinger <max@max-fillinger.net>
2025-03-28 16:53:58 +01:00
281fb79116 Remove TLS 1.2 Exporter if we don't have randbytes
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.

Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:58 +01:00
dbe864569e Fix typos in comments
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:58 +01:00
7b72220d42 Fix coding style
Signed-off-by: Max Fillinger <max@max-fillinger.net>
2025-03-28 16:53:58 +01:00
32ba7f4a17 Add TLS-Exporter options to ssl_server2
The program prints out the derived symmetric key for testing purposes.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
2025-03-28 16:53:57 +01:00
47111a1cb1 initial remove of mbedtls_ssl_conf_rng
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 13:32:10 +00:00
440cb2aac2 Remove RNG from x509 and PK
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 08:17:38 +00:00
e99e591179 Remove key exchange based on encryption/decryption
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:07 +01:00
0cfe54e4e0 remove RNG parameters from SSL API's
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-10 13:24:31 +00:00
73cd415c0b programs: remove DHM_C from ssl_client2 and ssl_server2
MBEDTLS_DHM_C is being removed so all its occurencies should be removed
as well.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-05 10:11:22 +01:00
837130cf65 Improve Changelog and correct alg selection
Improve the description of the API changes in the changelog and
fix some incorrect alg selection variables in ssl_server2.c.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-02-04 07:50:19 +00:00
0c29cf87b1 Move ssl_ticket to the PSA API
Convert the mbedtl_ssl_ticket_setup function to use the TF_PSA_Crypto
API.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-01-30 08:22:40 +00:00
8d8620bf18 Address review comments: add PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-09 11:18:10 +01:00
a6950b8ce7 Replace MBEDTLS_PK_CAN_ECDSA_SOME with PSA_HAVE_ALG_SOME_ECDSA
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-09 11:17:36 +01:00
99b57bd35a Merge pull request #1272 from eleuzi01/forward-1263
Fix 1.3 cli-auth optional reporting of (ext)KeyUsage issues
2024-08-28 19:38:36 +02:00
92a391e0fe Always print detailed cert errors in test programs
Previously the client was only printing them on handshake success, and
the server was printing them on success and some but not all failures.

This makes ssl-opt.sh more consistent as we can always check for the
presence of the expected message in the output, regardless of whether
the failure is hard or soft.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:24:05 +01:00
0858fdca38 Merge pull request #9189 from misch7/fix-v3.6-issues-9186-and-9188
Fix build of v3.6 (issues #9186 and #9188)
2024-08-12 09:34:17 +00:00
f672b694fa Use correct conditionals in programs/ssl (fix unused-function errors)
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:59 +01:00
0420093795 Adjust spacing in sample programs
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:58 +01:00
8db8d6182f Fix missing-prototype errors in sample programs
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:58 +01:00
8dde3b3dec Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-05 15:41:58 +01:00
b476d4bf21 Replace MBEDTLS_MD_CAN_SHA384 with PSA_WANT_ALG_SHA_384
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-03 10:20:41 +01:00
74191a56e8 ssl_server2: Split early data enablement from max_early_data_size setting
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-14 20:00:42 +01:00
7541ebea52 programs: remove usage of mbedtls_pk_wrap_as_opaque() from tests
This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-27 10:44:33 +01:00
0ecb5fd6f5 Merge pull request #8574 from ronald-cron-arm/ssl-tickets
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
2024-02-21 09:38:46 +00:00
192e0f9b1d ssl_server2: Add read early data support
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-01 16:40:47 +01:00
d1c106c787 Define ticket creation time in TLS 1.2 case as well
The purpose of this change is to eventually base
the calculation in ssl_ticket.c of the ticket age
when parsing a ticket on the ticket creation time
both in TLS 1.2 and TLS 1.3 case.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-01-15 08:58:19 +01:00
3a6059beca Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit
Comply with the received Record Size Limit extension
2024-01-09 15:22:17 +00:00
f482dcc6c7 Comply with the received Record Size Limit extension
Fixes #7010

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-12-06 15:18:08 +00:00
750e06743f remove misbehavior tests and code
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:22:15 +08:00
ea96ac3da9 fix various issues
- get ticket_flags with function.
- improve output message and check it.
- improve `ssl_server2` help message

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:17:37 +08:00
3c2b21ed0e Enable multi max_early_data_size value for connections
For test purpose, we set different value for each
session

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:14:56 +08:00
713ce1f889 various improvement
- improve change log entry
- improve comments
- remove unnecessary statement
- change type of client_age

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:59:25 +08:00
cf9135100e fix various issues
- fix CI failure due to wrong usage of ticket_lifetime
- Improve document and comments

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:19 +08:00
25ba4d40ef rename ticket_creation to ticket_creation_time
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:19 +08:00
3ff0b1fda3 Cleanup ticket negative tests.
- improve comments
- case 3/4 is for server age check.
- case 5/6 is for client age check

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:18 +08:00
ec6d07870d Replace start with ticket_creation
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:18 +08:00
f16efbc78d fix various issues
- Add comments for ticket test hooks
- improve code style.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:18 +08:00
cebffc3446 change time unit of ticket to milliseconds
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-11-21 09:58:18 +08:00
752dd39a69 Merge pull request #8508 from valeriosetti/issue6323
[G3] Driver-only cipher+aead: TLS: ssl-opt.sh
2023-11-14 11:39:06 +00:00
38e75fb1a7 ssl_server2: remove usage of mbedtls_cipher_info_from_string()
This removes the dependency from cipher module and legacy key/modes
symbols which are used in cipher_wrap.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-11-10 08:27:39 +01:00
0751761b49 max_early_data_size: rename configuration function
Rename mbedtls_ssl_tls13_conf_max_early_data_size as
mbedtls_ssl_conf_max_early_data_size since in the future
this may not be specific to TLS 1.3.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-11-07 11:49:34 +08:00
d5ed36ff24 early data: rename configuration function
Rename mbedtls_ssl_tls13_conf_early_data as
mbedtls_ssl_conf_early_data since in the future this may not be
specific to TLS 1.3.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-11-07 11:49:24 +08:00
8b6b41f6cd Merge pull request #8434 from valeriosetti/issue8407
[G2] Make TLS work without Cipher
2023-11-04 15:05:00 +00:00
16799db69a update headers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-02 19:47:20 +00:00
74d48c89fa ssl_server2: small improvement of code readability
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-11-02 16:43:55 +01:00
bdf04e840a ssl_server2: support ticket_aead only when CIPHER_C is defined
Cipher parsing requires mbedtls_cipher_info_from_string() which
depends on CIPHER_C.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-30 11:36:32 +01:00