mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-12-24 17:41:01 +03:00
Commit Graph

32361 Commits

Author SHA1 Message Date
Valerio Setti
2a9a272bdb changelog: prevent loading persistent keys if the key ID is in the volatile range
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-27 11:16:36 +01:00
Valerio Setti
1b93588d93 psa_crypto_slot_management: check key ID range when loading a persistent key
Do not try to load a persistent key whose key ID is in the volatile range.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-27 11:12:07 +01:00
Gilles Peskine
d80b9ff511 Merge pull request #10466 from minosgalanakis/bugfix/reset_gitignore_files
Revert "Added generated files"
2025-10-22 11:09:40 +00:00
Minos Galanakis
ddffba970b Revert "Added generated files"
This reverts commit 335197e60c.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-22 10:51:01 +01:00
Gilles Peskine
6dacfdc59e Merge pull request #10447 from valeriosetti/static-key-store-fix-size
[3.6] psa: improve buffer size computation for static key slots
2025-10-20 13:42:04 +00:00
Valerio Setti
a8ff9f76e9 changelog: add note about MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE improvements
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-16 16:47:01 +02:00
Valerio Setti
5306324015 psa: crypto_extra: update documentation of MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-16 16:36:50 +02:00
Minos Galanakis
5a3d0214b3 Merge tag 'mbedtls-3.6.5' into mbedtls-3.6.5_mergeback
Mbed TLS 3.6.5

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-15 18:41:13 +01:00
Valerio Setti
45574797e7 psa: crypto_extra: improve buffer size computation for static key slots
Take also MAC's key types into account when computing the size of the
buffer to store key material in static key slot configuration.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-10-15 16:22:39 +02:00
minosgalanakis
e185d7fd85 Merge pull request #1428 from Mbed-TLS/mbedtls-3.6.5rc0-pr
Mbedtls 3.6.5RC
v3.6.5 mbedtls-3.6.5
2025-10-13 08:39:14 +01:00
Minos Galanakis
b1db32061c Update BRANCHES.md
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Minos Galanakis
335197e60c Added generated files
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Minos Galanakis
2e1245171c Updated framework pointer
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Minos Galanakis
ad63800090 Version bump for mbedtls-3.5.6
./scripts/bump_version.sh --version 3.6.5

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Minos Galanakis
369ea7a041 Assemble ChangeLog
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Gilles Peskine
0c4a951b37 Be more precise about the user/peer ID limitation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
(cherry picked from commit 84a9b26b88)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Gilles Peskine
7e81fe32d0 Add storage format test case for JPAKE
The storage test generator doesn't support JPAKE at this time. So write a
test case manually.

The key is not exercised, since `psa_exercise_key()` doesn't support PAKE at
this time. But at least we can use this test case to ensure that we know how
the key is represented in storage.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
(cherry picked from commit 98a4029d51)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
Gilles Peskine
90eac7fc7a Document JPAKE limitations
Document limitations on the user ID, peer ID, primitive (elliptic curve) and
hash for `PSA_ALG_JPAKE`.

https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/502
https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/503
https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/504

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
(cherry picked from commit 8ca2a5bf95)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-10 18:04:55 +01:00
minosgalanakis
46dc477c22 Merge pull request #10444 from gilles-peskine-arm/jpake-persistent-key-compat-3.6.5
Backport 3.6: PSA JPAKE: add storage test case and document limitations
2025-10-10 14:45:23 +00:00
Gilles Peskine
84a9b26b88 Be more precise about the user/peer ID limitation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-10-10 12:08:21 +02:00
Gilles Peskine
42ae2ac6ec Merge pull request #10318 from keith-packard/gcc-14-3-array-bounds
Avoid invalid gcc 14.3 warning about array bounds in mbedtls_xor
2025-10-08 19:00:48 +00:00
Gilles Peskine
98a4029d51 Add storage format test case for JPAKE
The storage test generator doesn't support JPAKE at this time. So write a
test case manually.

The key is not exercised, since `psa_exercise_key()` doesn't support PAKE at
this time. But at least we can use this test case to ensure that we know how
the key is represented in storage.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-10-08 17:39:23 +02:00
Gilles Peskine
8ca2a5bf95 Document JPAKE limitations
Document limitations on the user ID, peer ID, primitive (elliptic curve) and
hash for `PSA_ALG_JPAKE`.

https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/502
https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/503
https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/504

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-10-08 17:39:23 +02:00
Keith Packard
292b96c0a6 Avoid invalid gcc 14.3 warning about array bounds in mbedtls_xor
The combination of the multi-byte loop with the single byte loop
confuses GCC 14.3's array bounds checker. When the loop size is
constant, check to see if it is a multiple of the multi-byte size and
bail early. As this will be evaluated at compile time, there should be
no run-time cost.

This change uses the __builtin_constant_p compile-time operation. To
check if that is supported, the change uses the existing
MBEDTLS_HAS_BUILTIN macro. That macro was defined later in
library/common.h than is needed for this change, so it was moved up to
join some other macros that looked similar.

Signed-off-by: Keith Packard <keithp@keithp.com>
2025-10-02 11:09:29 -07:00
Minos Galanakis
bafcf5bddf Merge remote-tracking branch 'restricted/mbedtls-3.6-restricted' into mbedtls-3.6.5rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-10-02 15:37:04 +01:00
Bence Szépkúti
299ce78166 Merge pull request #10417 from bensze01/abicheck-worktree-submodules-3.6
[3.6 backport] Use submodule work trees during ABI check
2025-09-30 09:41:11 +00:00
Manuel Pégourié-Gonnard
f2021e28c6 Merge pull request #10421 from gilles-peskine-arm/psa-transition-guide-20250630-3.6
Update PSA transition guide for 3.6.5
2025-09-30 09:21:13 +00:00
David Horstmann
3c5efcb61b Merge pull request #10427 from bjwtaylor/time_t-backport
Backport 3.6: Replace cases of time_t with mbedtls_time_t
2025-09-29 19:35:11 +00:00
Ben Taylor
6e73b2f2fd Backport time_t type conversions
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-29 15:35:28 +01:00
Gilles Peskine
8701fddbc5 Remove sentence about 1.0 that should not have been backported
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-29 15:18:37 +02:00
Bence Szépkúti
616f9fde62 Fix comment too long for pylint
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2025-09-29 14:24:25 +02:00
Manuel Pégourié-Gonnard
02b7707b10 Merge pull request #10419 from mpg/fix-udp-proxy-3.6
[3.6] Fix includes in udp_proxy.c
2025-09-29 10:48:02 +00:00
Bence Szépkúti
e45e5046ba Prevent unnecessary submodule fetches
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2025-09-26 20:28:25 +02:00
Bence Szépkúti
d040427111 Eliminate use of git worktree prune
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2025-09-26 15:47:01 +02:00
Bence Szépkúti
99fa0abc75 Use f-string literal
This makes path-construction a bit more readable

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2025-09-26 15:47:01 +02:00
Gilles Peskine
1e9efcc1ab Update some references to the future
The future is now.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 15:15:13 +02:00
Gilles Peskine
106700481d Improve explanations of configuration translation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 15:11:02 +02:00
Gilles Peskine
f6a7be0673 Copyediting
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 15:10:09 +02:00
Gilles Peskine
4f9d6e9451 update 1.0.0/4.0.0 release bullet point
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 15:05:17 +02:00
Gilles Peskine
b9eeace74a Update asymmetric cryptography
Minor clarifications also done in the TF-PSA-Crypto 1.0 update.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 15:02:22 +02:00
Gilles Peskine
223fd448ea Miscellaneous improvements
Partial backport of "Update all except "Asymmetric cryptography" for
TF-PSA-Crypto", including only clarifications and the extra information
about migrating to `MBEDTLS_PSA_CRYPTO_CONFIG` that are also relevant in
3.6.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 14:57:33 +02:00
Gilles Peskine
e7a9546dfa Fix section names
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 14:49:19 +02:00
Gilles Peskine
f7f3ec460a A few updates for 3.6
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-26 14:49:19 +02:00
Manuel Pégourié-Gonnard
be407038bf Fix includes in udp_proxy.c
The program uses atoi() unconditionally, so it should include stdlib.h
unconditionally. Previously this happened to be indirectly included by
some other header (via pk.h via ssl.h) but we should not rely on that.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-09-26 12:22:58 +02:00
Bence Szépkúti
cdd166274e Use worktrees instead of fetches for submodules
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
2025-09-25 17:41:27 +02:00
Manuel Pégourié-Gonnard
5cbbca45dd Merge pull request #8197 from gilles-peskine-arm/readme-20230913
Backport 3.6: Update README about PSA
2025-09-24 08:01:44 +00:00
Gilles Peskine
70135847cd Merge pull request #1425 from gilles-peskine-arm/restricted-3.6-merge-public-20250916
3.6: merge public into restricted 2025-09-16
2025-09-17 21:05:31 +02:00
Gilles Peskine
aa611e4bef Update framework to the merge of the merge PR
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-17 18:22:30 +02:00
Gilles Peskine
b6bf893c70 Qualify "reference implementation" wording
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-17 14:04:10 +02:00
Gilles Peskine
263b6925a2 The PSA implementation is production-quality
This has been the case for a while, but we forgot to update the readme.

Don't prominently label it a "reference" implementation. That implies that
it's a complete implementation, but it isn't: we do not intend to implement
every mechanism that the PSA specification has an encoding for. That also
tends to imply that it's for demonstration purposes and not ready for
production, but Mbed TLS is intended to be used in production.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-09-17 14:04:10 +02:00