lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-30 10:45:34 +03:00
Code Activity
31,648 Commits 176 Branches 276 Tags
46ea764289ee5ca2a8261c34d76d35cc9be69ea3
Commit Graph

533 Commits

Author SHA1 Message Date
Elena Uziunaite
5adc9c304b Add "common.h" 
Needed after b81cd1af64 (#9671)
since generate_ssl_debug_helpers.py was moved to the framework

Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-10-15 16:58:16 +01:00
Manuel Pégourié-Gonnard
1116de3ca1 Add guard on internal 1.2-only function 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-04 10:56:08 +02:00
David Horstmann
9f10979853 Merge branch 'mbedtls-3.6-restricted' into mbedtls-3.6.1rc0-pr 
Signed-off-by: David Horstmann <david.horstmann@arm.com>
 2024-08-28 20:48:27 +01:00
Ronald Cron
9f44c883f4 Rename some "new_session_tickets" symbols 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-08-28 17:47:46 +02:00
Ronald Cron
ba45a44f13 Move session tickets getter functions to ssl_misc.h 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-08-28 13:22:26 +02:00
Gilles Peskine
069bccdf78 Call psa_crypto_init in the library when required for TLS 1.3 
For backward compatibility with Mbed TLS <=3.5.x, applications must be able
to make a TLS connection with a peer that supports both TLS 1.2 and TLS 1.3,
regardless of whether they call psa_crypto_init(). Since Mbed TLS 3.6.0,
we enable TLS 1.3 in the default configuration, so we must take care of
calling psa_crypto_init() if needed. This is a change from TLS 1.3 in
previous versions, where enabling MBEDTLS_SSL_PROTO_TLS1_3 was a user
choice and could have additional requirement.

This commit makes the library call psa_crypto_init() when it needs PSA
crypto in a situation where the application might not have called it,
namely, when starting a TLS 1.3 connection.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-08-25 10:44:39 +02:00
Gilles Peskine
4002e6fdee Merge remote-tracking branch 'mbedtls-3.6' into mbedtls-3.6-restricted 2024-08-23 11:15:11 +02:00
Manuel Pégourié-Gonnard
565da768a4 Fix typos in comments 
Co-authored-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-20 22:03:10 +02:00
Manuel Pégourié-Gonnard
ce60330dfb Merge 1.2 and 1.3 certificate verification 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-20 22:03:10 +02:00
Manuel Pégourié-Gonnard
4938b693f3 Make mbedtls_ssl_check_cert_usage() work for 1.3 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-20 22:03:10 +02:00
Manuel Pégourié-Gonnard
96a0c5c48e Clean up mbedtls_ssl_check_cert_usage() 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-20 22:03:10 +02:00
Michael Schuster
c9184fe7ab Fix server mode only build of v3.6 with MBEDTLS_SSL_CLI_C unset (fixes #9186) 
Signed-off-by: Michael Schuster <michael@schuster.ms>
 2024-08-06 11:26:00 +01:00
Waleed Elmelegy
5bc5263b2c Add code improvments and refactoring in dealing with ALPN 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2024-03-13 16:50:01 +00:00
Waleed Elmelegy
883f77cb08 Add mbedtls_ssl_session_set_alpn() function 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2024-03-13 16:50:01 +00:00
Ronald Cron
fd4c0c8b3d tls13: cli: Fix comment 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-12 17:48:18 +01:00
Ronald Cron
aa3593141b tls13: cli: Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz 
Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz
from ssl.h(public) to ssl_misc.h(private) even if
that means we cannot use the enum type for
early_data_state in ssl.h.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-12 17:48:18 +01:00
Ronald Cron
8571804382 tls13: srv: Enforce maximum size of early data 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-01 09:29:09 +01:00
Ronald Cron
d6d32b9210 tls13: Improve declaration and doc of early data status 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-15 17:19:14 +01:00
Ronald Cron
b9a9b1f5a5 tls13: Fix/Improve comments 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-15 17:19:14 +01:00
Ronald Cron
5fbd27055d tls13: Use a flag not a counter for CCS and HRR handling 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-15 17:19:02 +01:00
Ronald Cron
90e223364c tls13: cli: Refine early data status 
The main purpose of the change is to
know from the status, at any point in
the handshake, if early data can be
sent or not and why.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-06 16:43:33 +01:00
Ronald Cron
fe59ff794d tls13: Send dummy CCS only once 
Fix cases where the client was sending
two CCS, no harm but better to send only one.

Prevent to send even more CCS when early data
are involved without having to add conditional
state transitions.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-06 16:43:33 +01:00
Manuel Pégourié-Gonnard
32c28cebb4 Merge pull request #8715 from valeriosetti/issue7964 
Remove all internal functions from public headers
 2024-02-05 15:09:15 +00:00
Ronald Cron
78a38f607c tls13: srv: Do not use early_data_status 
Due to the scope reduction for
mbedtls_ssl_read_early_data(), on
server as early data state variable
we now only need a flag in the
handshake context indicating if
the server has accepted early data
or not.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-01 20:10:35 +01:00
Ronald Cron
3b9034544e Revert "tls13: Introduce early_data_state SSL context field" 
This reverts commit 0883b8b625.
Due to the scope reduction of mbedtls_ssl_read_early_data()
it is not necessary anymore to refine the usage
of early_data_status/state rather the opposite.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-01 20:03:57 +01:00
Ronald Cron
0883b8b625 tls13: Introduce early_data_state SSL context field 
Introduce early_data_state SSL context field to
distinguish better this internal state from
the status values defined for the
mbedtls_ssl_get_early_data_status() API.
Distinguish also between the client and
server states. Note that the client state
are going to be documented and reworked
as part of the implementation of
mbedtls_ssl_write_early_data().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-01 16:45:04 +01:00
Ronald Cron
5d0ae9021f tls13: srv: Refine early data status 
The main purpose is to know from the status
if early data can be received of not and
why.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-01 16:40:47 +01:00
Valerio Setti
25b282ebfe x509: move internal functions declarations to a private header 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-01-19 09:07:35 +01:00
Valerio Setti
d929106f36 ssl_ciphersuites: move internal functions declarations to a private header 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-01-18 15:08:28 +01:00
Tom Cosgrove
f1ba1933cf Merge pull request #8526 from yanrayw/issue/7011/send_record_size_limit_ext 
TLS1.3: SRV/CLI: add support for sending Record Size Limit extension
 2024-01-12 13:39:15 +00:00
Waleed Elmelegy
f0ccf46713 Add minor cosmetic changes to record size limit changelog and comments 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2024-01-12 10:52:45 +00:00
Ronald Cron
ae2213c307 Merge pull request #8414 from lpy4105/issue/uniform-ssl-check-function 
Harmonise the names and return values of check functions in TLS code
 2024-01-11 13:51:39 +00:00
Waleed Elmelegy
f501790ff2 Improve comments across record size limit changes 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2024-01-10 16:17:28 +00:00
Waleed Elmelegy
148dfb6457 Change record size limit writing function 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2024-01-10 16:17:27 +00:00
Yanray Wang
a8b4291836 tls13: add generic function to write Record Size Limit ext 
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
 2024-01-10 16:17:27 +00:00
Tom Cosgrove
3a6059beca Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit 
Comply with the received Record Size Limit extension
 2024-01-09 15:22:17 +00:00
Waleed-Ziad Maamoun-Elmelegy
e2d3db5cfc Update mbedtls_ssl_get_output_record_size_limit signature 
Co-authored-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Waleed-Ziad Maamoun-Elmelegy <122474370+waleed-elmelegy-arm@users.noreply.github.com>
 2024-01-05 14:19:16 +00:00
Pengyu Lv
94a42ccb3e Add tls13 in ticket flags helper function names 
```
sed -i \
"s/\(mbedtls_ssl\)_\(session_\(\w*_\)\?ticket\)/\1_tls13_\2/g" \
library/*.[ch]
```

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 11:12:46 +08:00
Pengyu Lv
abd844f379 Fix wrong format in the function doc 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
02e72f65da Reword return value description for mbedtls_ssl_tls13_is_kex_mode_supported 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
b2cfafbb9e Consistent renaming 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
2333b826f4 tls13: srv: rename mbedtls_ssl_tls13_check_kex_modes 
The function is renamed to
`mbedtls_ssl_tls13_is_kex_mode_supported` and
the behaviour is reversed.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
0a1ff2b969 Consistent renaming 
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
4f537f73fa tls13: rename mbedtls_ssl_session_check_ticket_flags 
The function is renamed to mbedtls_ssl_session_ticket_has_flags.
Descriptions are added.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:58 +08:00
Pengyu Lv
fc2cb9632b tls13: rename mbedtls_ssl_conf_tls13_check_kex_modes 
The function is renamed to
mbedtls_ssl_conf_tls13_is_kex_mode_enabled.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:57 +08:00
Pengyu Lv
60a22567e4 tls13: change return value of mbedtls_ssl_conf_tls13_check_kex_modes 
To keep the convention in TLS code, check functions should return 0
when check is successful.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
 2023-12-08 10:01:57 +08:00
Waleed Elmelegy
9aec1c71f2 Add record size checking during handshake 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2023-12-06 15:18:15 +00:00
Jan Bruckner
f482dcc6c7 Comply with the received Record Size Limit extension 
Fixes #7010

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
 2023-12-06 15:18:08 +00:00
Jerry Yu
c59c586ac4 change prototype of write_early_data_ext 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-12-06 18:21:15 +08:00
Jerry Yu
5233539d9f share write_early_data_ext function 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2023-12-06 18:18:50 +08:00