mbedtls

mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-08-07 06:42:56 +03:00

Author	SHA1	Message	Date
Gilles Peskine	96073fb997	Improve documentation of mbedtls_ssl_set_hostname Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	02e303ec86	Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	825c3d075a	Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	640512eb90	mbedtls_ssl_set_hostname tests: add tests with CA callback Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	856a370628	Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	488b91929d	Require calling mbedtls_ssl_set_hostname() for security In a TLS client, when using certificate authentication, the client should check that the certificate is valid for the server name that the client expects. Otherwise, in most scenarios, a malicious server can impersonate another server. Normally, the application code should call mbedtls_ssl_set_hostname(). However, it's easy to forget. So raise an error if mandatory certificate authentication is in effect and mbedtls_ssl_set_hostname() has not been called. Raise the new error code MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, for easy identification. But don't raise the error if the backward compatibility option MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is enabled. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	59a5117072	Create error code for mbedtls_ssl_set_hostname not called Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:48:49 +01:00
Gilles Peskine	434016e2eb	Keep track of whether mbedtls_ssl_set_hostname() has been called No behavior change apart from now emitting a different log message depending on whether mbedtls_ssl_set_hostname() has been called with NULL or not at all. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-24 18:47:44 +01:00
Minos Galanakis	cd6a24b288	ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16 Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:27:09 +00:00
Minos Galanakis	99ca6680f2	ssl-opt: Replaced max_send_frag with split_send_frag Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	a5a8c9f5c9	ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	eddbb5a829	ChangeLog: Updated the entry for tls-hs-defragmentation Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	d708a63857	ssl-opt: Updated documentation. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	36c81f5f05	ssl-opt: Added DSA-RSA dependency on TLS1.2 defragmentation testing. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	74ce7498d7	ssl-opt: Added negative tests for handshake fragmentation. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	1c106afd22	ssl-opt: Added handshake fragmentation tests for 4 byte fragments. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	41782a9cd0	ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled) Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	85fe73d55d	ssl-opt: Added tls 1.2 tests for HS defragmentation. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	a4dde77cbe	ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	a8a298c9d6	ssl-opt: Adjusted the wording on handshake fragmentation tests. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	a1b9117f17	ssl-opt: Added requires_openssl_3_x to defragmentation tests. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Minos Galanakis	270dd7462e	ssl-opt: Updated the keywords to look up during handshake fragmentation tests. Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	4028cfd9ca	Add missing client certificate check in handshake defragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	5f21537c2a	Test Handshake defragmentation only for TLS 1.3 only for small values Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	a75c7e09c8	Add guard to handshake defragmentation tests for client certificate Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	f162249e87	Add a comment to elaborate using split_send_frag in handshake defragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	61b8e2d225	Enforce client authentication in handshake fragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	39d83dd38d	Remove unneeded mtu option from handshake fragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	48874b3aba	Add client authentication to handshake defragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	f9120311e3	Require openssl to support TLS 1.3 in handshake defragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	fccd014c2d	Remove unnecessary string check in handshake defragmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	c0118d87b9	Fix typo in TLS Handshake defrafmentation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	0e0d5d4dc8	Improve TLS handshake defragmentation tests * Add tests for the server side. * Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3. * Use latest version of openSSL to make sure -max_send_frag & -split_send_frag flags are supported. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Waleed Elmelegy	79a8ded315	Add TLS Hanshake defragmentation tests Tests uses openssl s_server with a mix of max_send_frag and split_send_frag options. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>	2025-02-24 09:16:06 +00:00
Manuel Pégourié-Gonnard	28f8e205eb	Merge pull request #9872 from rojer/tls_hs_defrag_in Defragment incoming TLS handshake messages	2025-02-24 09:28:11 +01:00
Ronald Cron	ede8494d73	Merge pull request #9986 from valeriosetti/issue9971-development [development] Move benchmark program to TF-PSA-Crypto	2025-02-21 14:26:49 +00:00
Valerio Setti	aa380c4a82	tf-psa-crypto: update reference Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>	2025-02-21 11:31:33 +01:00
Valerio Setti	69d0781576	scripts: move ecc-heap.sh to tf-psa-crypto Since benchmark programs was moved to tf-psa-crypto, this script should be moved as well. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>	2025-02-21 11:21:40 +01:00
Valerio Setti	f8244d49b0	programs: update .gitignore Remove entry for benchmark program since it was moved to the tf-psa-crypto repo. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>	2025-02-21 11:20:47 +01:00
Valerio Setti	34b4aa1f58	programs: move benchmark to tf-psa-crypto repo This commit also removes references from Makefile and README.md. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>	2025-02-21 11:20:47 +01:00
Stefan Gloor	b5c079b13c	fix: rename BEFORE_COLON and BC to avoid conflicts Namespace BEFORE_COLON and BC defines by prepending MBEDTLS_ and expanding BC to BEFORE_COLON_STR. This is to avoid naming conflicts with third-party code. No functional change. Signed-off-by: Stefan Gloor <stefan.gloor@siemens.com>	2025-02-21 10:33:51 +01:00
Stefan Gloor	6a9cf11361	fix: remove superfluous BEFORE_COLON in x509_crl.c BEFORE_COLON and BC defines with the accompanying comment are only required in x509_crt and x509_csr, but not used in x509_crl.c. Signed-off-by: Stefan Gloor <stefan.gloor@siemens.com>	2025-02-21 10:32:36 +01:00
Ronald Cron	dc882a8f89	Merge pull request #9939 from Harry-Ramsey/move-programs-from-mbedtls-to-framework Move programs from mbedtls to framework	2025-02-21 07:13:17 +00:00
Gilles Peskine	4ac4008fa0	Access ssl->hostname through abstractions in certificate verification New abstractions to access ssl->hostname: mbedtls_ssl_has_set_hostname_been_called(), mbedtls_ssl_free_hostname(). Use these abstractions to access the hostname with the opportunity for extra checks in mbedtls_ssl_verify_certificate(). No behavior change except for a new log message. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 19:24:16 +01:00
Gilles Peskine	e5054e495a	mbedtls_ssl_set_hostname tests: baseline Test the current behavior. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 19:24:16 +01:00
Gilles Peskine	95fe2a6df4	Add a flags field to mbedtls_ssl_context Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 19:24:16 +01:00
Gilles Peskine	58b399e81e	Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 18:51:14 +01:00
Gilles Peskine	eb63613347	Make guards more consistent between X.509-has-certs and SSL-has-certs Fix some build errors when MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED is false but MBEDTLS_X509_CRT_PARSE_C is enabled. This is not a particularly useful configuration, but for quick testing, it's convenient for it to work. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 18:51:14 +01:00
Gilles Peskine	86a66edcd0	Fix Doxygen markup Pacify `clang -Wdocumentation`. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 18:51:14 +01:00
Gilles Peskine	aa2594a52e	Make ticket_alpn field private An omission in 3.x. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>	2025-02-20 18:51:14 +01:00

... 9 10 11 12 13 ...

33322 Commits