58916768b7
Rm dead !USE_PSA code: ssl_tls12_server.c (part 1)
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls12_server.c
framework/scripts/code_style.py --fix library/ssl_tls12_server.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:17:26 +01:00
0b44a81f07
Rm dead !USE_PSA code: ssl_tls13*.c part 2
...
The one expression that was apparently too much for unifdef
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:40 +01:00
855f5bf244
Rm dead !USE_PSA code: ssl_tls13_xxx (part 1)
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls13*.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:29 +01:00
48e0e3a356
Rm dead !USE_PSA code: check_config.h
...
Manual, as most expressions were too complex for unifdef. Most of those
were or had a part like "we need XXX or USE_PSA" (where XXX was Cipher
or MD) and those are always satisfied now.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:21 +01:00
615914b5ac
Rm dead !USE_PSA code: SSL headers (part 2)
...
Expressions that are too complex for unifdef - please review carefully :)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:14 +01:00
11ae619e77
Rm dead !USE_PSA code: SSL headers (part 1)
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl*.h
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:04 +01:00
873816129e
Rm dead !USE_PSA code: SSL ciphersuite (part 2)
...
Manual removal as unifdef doesn't handle non-trivial expressions.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:56 +01:00
daeaa51943
Rm dead !USE_PSA code: SSL ciphersuites (part 1)
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_ciphersuites*
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:50 +01:00
b18c8b957b
Rm dead !USE_PSA code: SSL hooks
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_{ticket,cookie}.[ch]
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:43 +01:00
f60b09b019
Rm dead !USE_PSA code: X.509
...
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/x509*.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:38 +01:00
b70e76a1e6
Add a safety check for in_hsfraglen
...
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-27 22:37:53 +04:00
7554eeaf4c
Disable 224K1 while testing the other curves
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
fe14d85b7c
Remove unused symbol
...
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
069e3e6fe7
Remove reference for PSA_WANT_ALG_SECP_K1_224
...
The `PSA_WANT_ALG_SECP_K1_224` symbol has been removed.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
0a2f257492
Use symbol matching for the curves domain
...
Instead of using the `crypto_knowledge.py`, use basic symbol matching for the
`PSA_WANT_ECC_*` macros to search for in the `curves` domain of `depend.py`.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:13 +01:00
1c49cff468
Use PSA macros for the curves domain
...
Exclude the SECP224K1 curve because it is unstable via the PSA API.
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:13 +01:00
0ebd6de77b
ssl-opt.sh: remove tests forcing DHE-RSA which have alternatives
...
Remove tests which are forcing DHE-RSA, but for which an ECDHE-RSA
alternative already exists.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
3b412e283f
ssl-opt.sh: remove tests which are specific for DHE-RSA
...
For these ones there is no ECDHE alternative as they are testing
specific features of DHE.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
309a7ec70e
ssl-opt.sh: adapt tests from DHE-RSA to ECDHE-RSA
...
Adapted tests do not already have an ECDHE-RSA test available.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
592f6826dd
test_suite_ssl: update description for conf_curve and conf_group tests
...
These tests are about EC curves/groups, not DH ones, so the description
should be updated accordingly.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:25 +01:00
8638603ba7
test_suite_ssl: remove tests specific for DHE-RSA
...
These tests were specific for DHE-RSA (which is being removed on
development branch) and also for each of them there was already the
ECDHE-RSA counterpart available.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
b8ef2a4455
test_suite_ssl: adapt handshake_fragmentation() to use ECDHE-RSA
...
Use ECDHE-RSA instead of DHE-RSA.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
5b7bfd8d5a
test_suite_ssl: adapt DHE-RSA tests to ECDHE-RSA
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
189dcf630f
Merge pull request #9910 from valeriosetti/issue9684
...
Remove DHE-PSK key exchange
2025-01-27 11:15:10 +00:00
7e1154c959
Merge pull request #9906 from mpg/rm-conf-curves
...
[dev] Remove deprecated function mbedtls_ssl_conf_curves()
2025-01-27 08:21:27 +00:00
094fd49f5b
tf-psa-crypto: update reference
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 05:24:06 +01:00
aaa152ed91
Allow fragments less than HS msg header size (4 bytes)
...
Except the first
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-26 11:12:25 +02:00
3dfe75e115
Remove mbedtls_ssl_reset_in_out_pointers
...
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-26 11:12:21 +02:00
944f3ab1d6
changelog: add note about DHE-PSK removal
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
27bc56303a
docs: remove references of DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
6ba324de02
mbedtls_config: remove MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
...
This commit also removes its disabling from config_adjust_ssl.h
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
a07345247e
check_config: remove checks for DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
6e892cb630
components-configuration-crypto.sh: remove references to DHE_PSK kex
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
70cc4e6bd1
analyze_outcomes.py: remove exceptions related to DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
6348b46c0b
ssl_ciphersuites: remove references/usages of DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
48659a1f9c
ssl_tls: remove usage of DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
64d264d2e6
compat.sh: remove usage of DHE-PSK
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
9a9c9a53c1
compat.sh: do not use DHE-PSK key exchange in gnutls tests
...
DHE-PSK is being removed from Mbed TLS so we cannot use this key
exchange with gnutls testing.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
5c730c1d54
ssl-opt.sh: remove DHE-PSK only test cases
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
1532ea42ac
Merge pull request #9918 from davidhorstmann-arm/clarify-x509-security-md
...
Add X.509 formatting validation to SECURITY.md
2025-01-23 16:09:50 +00:00
0704fbf1eb
Fix missing-word typo
...
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-23 10:28:06 +00:00
490e30599b
Stop recommending deprecated function in migration guide
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-23 09:33:59 +01:00
faa1a0fe50
Add paragraph on undefined behaviour
...
Add a note that we do aim to protect against undefined behaviour and
undefined behaviour in certificate parsing is in scope.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-22 14:48:58 +00:00
2fe0da7947
Add X.509 formatting validation to SECURITY.md
...
Clarify that strict formatting of X.509 certificates is not checked by
Mbed TLS and that it therefore should not be used to construct a CA.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-22 14:27:22 +00:00
c4e768a8a6
Fix incorrect test function
...
We should not manually set the TLS version, the tests are supposed to
pass in 1.3-only builds as well. Instead do the normal thing of setting
defaults. This doesn't interfere with the rest of the testing, so I'm
not sure why we were not doing it.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-22 10:04:43 +01:00
5a77c230b1
Merge pull request #9909 from gilles-peskine-arm/psa-storage-test-cases-never-supported-negative-dev
...
Switch generate_psa_test.py to automatic dependencies for negative test cases
2025-01-21 18:34:25 +00:00
7dc570905e
Update submodule
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 19:43:41 +01:00
13c418dcee
Add ignore list entries for ECDH/FFDH algorithm without key type
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:46 +01:00
fe683e7a1b
Remove test coverage exceptions that are no longer needed
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:46 +01:00
08c4362ad1
Update submodules
...
Catch up with https://github.com/Mbed-TLS/mbedtls-framework/pull/104 =
"Switch generate_psa_test.py to automatic dependencies for negative test cases"
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:44 +01:00