mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-19 01:04:04 +03:00

32851 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
58916768b7 Rm dead !USE_PSA code: ssl_tls12_server.c (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls12_server.c
framework/scripts/code_style.py --fix library/ssl_tls12_server.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:17:26 +01:00
Manuel Pégourié-Gonnard
0b44a81f07 Rm dead !USE_PSA code: ssl_tls13*.c part 2
The one expression that was apparently too much for unifdef

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:40 +01:00
Manuel Pégourié-Gonnard
855f5bf244 Rm dead !USE_PSA code: ssl_tls13_xxx (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls13*.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:29 +01:00
Manuel Pégourié-Gonnard
48e0e3a356 Rm dead !USE_PSA code: check_config.h
Manual, as most expressions were too complex for unifdef. Most of those
were or had a part like "we need XXX or USE_PSA" (where XXX was Cipher
or MD) and those are always satisfied now.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:21 +01:00
Manuel Pégourié-Gonnard
615914b5ac Rm dead !USE_PSA code: SSL headers (part 2)
Expressions that are too complex for unifdef - please review carefully :)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:14 +01:00
Manuel Pégourié-Gonnard
11ae619e77 Rm dead !USE_PSA code: SSL headers (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl*.h

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:15:04 +01:00
Manuel Pégourié-Gonnard
873816129e Rm dead !USE_PSA code: SSL ciphersuite (part 2)
Manual removal as unifdef doesn't handle non-trivial expressions.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:56 +01:00
Manuel Pégourié-Gonnard
daeaa51943 Rm dead !USE_PSA code: SSL ciphersuites (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_ciphersuites*

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:50 +01:00
Manuel Pégourié-Gonnard
b18c8b957b Rm dead !USE_PSA code: SSL hooks
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl_{ticket,cookie}.[ch]

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:43 +01:00
Manuel Pégourié-Gonnard
f60b09b019 Rm dead !USE_PSA code: X.509
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/x509*.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:14:38 +01:00
Deomid rojer Ryabkov
b70e76a1e6 Add a safety check for in_hsfraglen
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-27 22:37:53 +04:00
Gabor Mezei
7554eeaf4c Disable 224K1 while testing the other curves
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
Gabor Mezei
fe14d85b7c Remove unused symbol
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
Gabor Mezei
069e3e6fe7 Remove reference for PSA_WANT_ALG_SECP_K1_224
The `PSA_WANT_ALG_SECP_K1_224` symbol has been removed.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:14 +01:00
Gabor Mezei
0a2f257492 Use symbol matching for the curves domain
Instead of using the `crypto_knowledge.py`, use basic symbol matching for the
`PSA_WANT_ECC_*` macros to search for in the `curves` domain of `depend.py`.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:13 +01:00
Gabor Mezei
1c49cff468 Use PSA macros for the curves domain
Exclude the SECP224K1 curve as it is unstable via the PSA API.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-01-27 15:03:13 +01:00
Valerio Setti
0ebd6de77b ssl-opt.sh: remove tests forcing DHE-RSA for which alternatives exist
Remove tests which are forcing DHE-RSA, but for which an ECDHE-RSA
alternative already exists.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
Valerio Setti
3b412e283f ssl-opt.sh: remove tests which are specific for DHE-RSA
For these ones there is no ECDHE alternative as they are testing
specific features of DHE.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
Valerio Setti
309a7ec70e ssl-opt.sh: adapt tests from DHE-RSA to ECDHE-RSA
Adapted tests do not already have an ECDHE-RSA test available.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:26 +01:00
Valerio Setti
592f6826dd test_suite_ssl: update description for conf_curve and conf_group tests
These tests are about EC curves/groups, not DH ones, so the description
should be updated accordingly.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:46:25 +01:00
Valerio Setti
8638603ba7 test_suite_ssl: remove tests specific for DHE-RSA
These tests were specific for DHE-RSA (which is being removed on
development branch) and also for each of them there was already the
ECDHE-RSA counterpart available.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
Valerio Setti
b8ef2a4455 test_suite_ssl: adapt handshake_fragmentation() to use ECDHE-RSA
Use ECDHE-RSA instead of DHE-RSA.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
Valerio Setti
5b7bfd8d5a test_suite_ssl: adapt DHE-RSA tests to ECDHE-RSA
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 12:38:39 +01:00
Ronald Cron
189dcf630f Merge pull request #9910 from valeriosetti/issue9684
Remove DHE-PSK key exchange
2025-01-27 11:15:10 +00:00
Manuel Pégourié-Gonnard
7e1154c959 Merge pull request #9906 from mpg/rm-conf-curves
[dev] Remove deprecated function mbedtls_ssl_conf_curves()
2025-01-27 08:21:27 +00:00
Valerio Setti
094fd49f5b tf-psa-crypto: update reference
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-27 05:24:06 +01:00
Deomid rojer Ryabkov
aaa152ed91 Allow fragments less than HS msg header size (4 bytes)
Except the first

Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-26 11:12:25 +02:00
Deomid rojer Ryabkov
3dfe75e115 Remove mbedtls_ssl_reset_in_out_pointers
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-26 11:12:21 +02:00
Valerio Setti
944f3ab1d6 changelog: add note about DHE-PSK removal
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
27bc56303a docs: remove references of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
6ba324de02 mbedtls_config: remove MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
This commit also removes its disabling from config_adjust_ssl.h

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
a07345247e check_config: remove checks for DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
6e892cb630 components-configuration-crypto.sh: remove references to DHE_PSK kex
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
70cc4e6bd1 analyze_outcomes.py: remove exceptions related to DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
6348b46c0b ssl_ciphersuites: remove references/usages of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
48659a1f9c ssl_tls: remove usage of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
64d264d2e6 compat.sh: remove usage of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
9a9c9a53c1 compat.sh: do not use DHE-PSK key exchange in gnutls tests
DHE-PSK is being removed from Mbed TLS so we cannot use this key
exchange with gnutls testing.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Valerio Setti
5c730c1d54 ssl-opt.sh: remove DHE-PSK only test cases
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Janos Follath
1532ea42ac Merge pull request #9918 from davidhorstmann-arm/clarify-x509-security-md
Add X.509 formatting validation to SECURITY.md
2025-01-23 16:09:50 +00:00
David Horstmann
0704fbf1eb Fix missing-word typo
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-23 10:28:06 +00:00
Manuel Pégourié-Gonnard
490e30599b Stop recommending deprecated function in migration guide
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-23 09:33:59 +01:00
David Horstmann
faa1a0fe50 Add paragraph on undefined behaviour
Add a note that we do aim to protect against undefined behaviour and
undefined behaviour in certificate parsing is in scope.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-22 14:48:58 +00:00
David Horstmann
2fe0da7947 Add X.509 formatting validation to SECURITY.md
Clarify that strict formatting of X.509 certificates is not checked by
Mbed TLS and that it therefore should not be used to construct a CA.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2025-01-22 14:27:22 +00:00
Manuel Pégourié-Gonnard
c4e768a8a6 Fix incorrect test function
We should not manually set the TLS version, the tests are supposed to
pass in 1.3-only builds as well. Instead do the normal thing of setting
defaults. This doesn't interfere with the rest of the testing, so I'm
not sure why we were not doing it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-22 10:04:43 +01:00
David Horstmann
5a77c230b1 Merge pull request #9909 from gilles-peskine-arm/psa-storage-test-cases-never-supported-negative-dev
Switch generate_psa_test.py to automatic dependencies for negative test cases
2025-01-21 18:34:25 +00:00
Gilles Peskine
7dc570905e Update submodule
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 19:43:41 +01:00
Gilles Peskine
13c418dcee Add ignore list entries for ECDH/FFDH algorithm without key type
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:46 +01:00
Gilles Peskine
fe683e7a1b Remove test coverage exceptions that are no longer needed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:46 +01:00
Gilles Peskine
08c4362ad1 Update submodules
Catch up with https://github.com/Mbed-TLS/mbedtls-framework/pull/104 =
"Switch generate_psa_test.py to automatic dependencies for negative test cases"

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-20 16:00:44 +01:00