mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-11-21 12:40:51 +03:00
Commit Graph

13688 Commits

Author SHA1 Message Date
Valerio Setti
14ada7f73c Merge pull request #10473 from valeriosetti/issue488-3.6
[3.6] psa_load_builtin_key_into_slot: prevent accessing the PSA storage if key ID is in volatile range
2025-11-11 12:31:15 +00:00
Juha-Pekka Kesonen
b11d969e2c ssl_msg.c: change log level for record checking
Signed-off-by: Juha-Pekka <juha-pekka.kesonen@nordicsemi.no>
2025-11-05 15:06:02 +02:00
Juha-Pekka Kesonen
a535836d14 ssl_tls12: change log level for ECDH computation
Signed-off-by: Juha-Pekka <juha-pekka.kesonen@nordicsemi.no>
2025-11-05 15:05:23 +02:00
Valerio Setti
cc0385852d Merge pull request #10471 from yanesca/fix_dead_code_231025
Fix dead code - 3.6 Backport
2025-10-31 12:49:57 +00:00
Valerio Setti
667e56a0a7 Merge pull request #10478 from Cube707/backport/iar-compiler-warning
[backport] add cast to fix IAR compiler errors
2025-10-31 12:33:11 +00:00
Jan Wille
8d59423fe5 format: apply suggestions (add spaces)
Signed-off-by: Jan Wille <jan.wille@siemens.com>
2025-10-29 15:50:57 +01:00
Jan Spannberger
73d5398f02 add cast to fix IAR compiler errors
IAR throws a warning "mixed ENUM with other type"

backport of a5384bdf09

Signed-off-by: Jan Spannberger <jan.spannberger@siemens.com>
2025-10-28 15:14:30 +01:00
Valerio Setti
1b93588d93 psa_crypto_slot_management: check key ID range when loading a persistent key
Do not try to load a persistent key whose key ID is in the volatile range.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-27 11:12:07 +01:00
Luc Schrijvers
7a399a6ed6 Add library/CMakeList.txt to the changes
Signed-off-by: Luc Schrijvers <begasus@gmail.com>
2025-10-24 13:00:40 +02:00
Janos Follath
94700198fb Remove dead code
Signed-off-by: Janos Follath <janos.follath@arm.com>
2025-10-23 14:43:52 +01:00
Minos Galanakis
ddffba970b Revert "Added generated files"
This reverts commit 335197e60c.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-22 10:51:01 +01:00
Minos Galanakis
5a3d0214b3 Merge tag 'mbedtls-3.6.5' into mbedtls-3.6.5_mergeback
Mbed TLS 3.6.5

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-15 18:41:13 +01:00
Minos Galanakis
335197e60c Added generated files
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Minos Galanakis
ad63800090 Version bump for mbedtls-3.5.6
./scripts/bump_version.sh --version 3.6.5

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Gilles Peskine
42ae2ac6ec Merge pull request #10318 from keith-packard/gcc-14-3-array-bounds
Avoid invalid gcc 14.3 warning about array bounds in mbedtls_xor
2025-10-08 19:00:48 +00:00
Keith Packard
292b96c0a6 Avoid invalid gcc 14.3 warning about array bounds in mbedtls_xor
The combination of the multi-byte loop with the single byte loop
confuses GCC 14.3's array bounds checker. When the loop size is
constant, check to see if it is a multiple of the multi-byte size and
bail early. As this will be evaluated at compile time, there should be
no run-time cost.

This change uses the __builtin_constant_p compile-time operation. To
check if that is supported, the change uses the existing
MBEDTLS_HAS_BUILTIN macro. That macro was defined later in
library/common.h than is needed for this change, so it was moved up to
join some other macros that looked similar.

Signed-off-by: Keith Packard <keithp@keithp.com>
2025-10-02 11:09:29 -07:00
Minos Galanakis
bafcf5bddf Merge remote-tracking branch 'restricted/mbedtls-3.6-restricted' into mbedtls-3.6.5rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-02 15:37:04 +01:00
Ben Taylor
6e73b2f2fd Backport time_t type conversions
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-29 15:35:28 +01:00
Gilles Peskine
b6bf893c70 Qualify "reference implementation" wording
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-17 14:04:10 +02:00
Gilles Peskine
334dfa8799 Merge remote-tracking branch '3.6' into restricted-3.6-merge-public-20250916
Conflicts:

* `framework`: update submodule to the merge of `main` and `main-restricted`.
2025-09-16 16:16:53 +02:00
Gilles Peskine
c2b94d45d4 Merge pull request #10401 from gilles-peskine-arm/psa_can_do-declare-publicly-3.6
Backport 3.6: Declare psa_can_do_cipher() publicly
2025-09-15 12:02:50 +00:00
Janos Follath
753036edb3 Merge pull request #10336 from gilles-peskine-arm/generated-files-lib-build-3.6
Backport 3.6: fix `make lib GEN_FILES=` sometimes requiring python
2025-09-12 13:27:26 +00:00
Gilles Peskine
3aee15b8e5 Declare psa_can_do_cipher() in a public header
Integrators in a client-server architecture need to provide this function on
the client side.

Fixes mbedtls/issues#10341.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-12 11:27:07 +02:00
Manuel Pégourié-Gonnard
3e59e0ae08 Merge pull request #1411 from mpg/bypass-wrappers
[3.6] Bypass GCD/modinv wrappers when possible
2025-09-11 12:25:23 +02:00
Manuel Pégourié-Gonnard
c6b28b31ef Be explicit about modinv output range
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-09-11 09:58:45 +02:00
Gilles Peskine
cc908ad04c Remove redundant memset on freshly initialized buffer
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
04dfd70432 psa_cipher_decrypt: treat status and output length as sensitive
In `psa_cipher_decrypt()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_decrypt()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.

With this change, `psa_cipher_decrypt()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
3b380daedb psa_cipher_finish: treat status and output length as sensitive
In `psa_cipher_finish()` and in the corresponding function in our built-in
implementation `mbedtls_psa_cipher_finish()`, treat `status` and
`*output_length` as sensitive variables whose value must not leak through a
timing side channel. This is important when doing decryption with unpadding,
where leaking the validity or amount of padding can enable a padding oracle
attack.

With this change, `psa_cipher_finish()` should be constant-time if the
underlying legacy function (including the cipher implementation) is.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
e74b42832e Return PSA_ERROR_INVALID_PADDING in constant time
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
d179dc80a5 Use mbedtls_psa_cipher_finish() in PSA
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-08 12:22:39 +02:00
Gilles Peskine
9d7d0e63ae Merge pull request #1407 from gilles-peskine-arm/mbedtls_cipher_finish_padded-3.6
Backport 3.6: Introduce mbedtls_cipher_finish_padded
2025-09-08 12:18:50 +02:00
Gilles Peskine
9f7ac0371f Fix code style
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-08-29 10:46:52 +02:00
Gilles Peskine
7e43145bac Typo
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-08-29 09:35:29 +02:00
Gilles Peskine
2324a02602 Create threading_internal.h
This is meant to hold threading-related definitions that are not public, but
are used in the test framework.

To be populated later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-08-29 08:59:27 +02:00
Manuel Pégourié-Gonnard
c18eea6d43 Minor grammar fix in comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-26 11:34:45 +02:00
Manuel Pégourié-Gonnard
b46432930e ecdsa: rm unused variable
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-26 11:33:12 +02:00
Manuel Pégourié-Gonnard
6ab0f519b8 dhm: remove unused variable (and improve comment)
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-26 11:31:52 +02:00
Manuel Pégourié-Gonnard
9e1c532847 RSA: use CT gcd-modinv in deduce_private_exponent()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Manuel Pégourié-Gonnard
a4bf680e92 RSA: refactor: avoid code duplication
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Manuel Pégourié-Gonnard
630148e67f RSA: use constant-time modinv in deduce_crt()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:40:05 +02:00
Manuel Pégourié-Gonnard
7dcfd73731 RSA: use constant-time GCD in deduce_primes()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
0d73de5ee0 ecdsa: use CT modinv
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
f35d30799c ECP: use CT modinv
A function that was previously called in multiple places is now called
only once, hence more susceptible to being inlined, hence the test fix.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
c2d210ea0d DHM: use CT modinv for blinding
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Manuel Pégourié-Gonnard
a56a05b015 RSA: use CT gcd-modinv in prepare_blinding()
While at it, draw the blinding value uniformly in the permissible range.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-14 09:18:52 +02:00
Janos Follath
210f8bc4d7 Merge pull request #1408 from mpg/improve-gcd-3.6
[3.6] Make GCD (a lot) less leaky
2025-08-13 19:44:57 +01:00
Manuel Pégourié-Gonnard
30f0732369 bignum: gcd: improve comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
87e77d6516 bignum: fix memory leak in GCD with 0 as an input
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:55 +02:00
Manuel Pégourié-Gonnard
381d4ba03b Make mbedtls_mpi_gcd() more consistent
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00
Manuel Pégourié-Gonnard
c6a9d84555 bignum: use CT gcd for mbedtls_mpi_gcd()
The overall function is still not constant-time, but it just got a lot
less leaky.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-08-13 09:01:45 +02:00