lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Code Activity
20,380 Commits 176 Branches 276 Tags
56e01f37a866ef7c3df1f9abac6a7525447ad5f9
Commit Graph

206 Commits

Author SHA1 Message Date
Gabor Mezei
96ae926572 Typo 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 11:56:26 +02:00
Gabor Mezei
05ebf3be74 Revert "Do not encrypt CCS records" 
This reverts commit 96ec831385.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-28 11:55:35 +02:00
Gabor Mezei
96ec831385 Do not encrypt CCS records 
According to the TLS 1.3 standard the CCS records must be unencrypted.

When a record is not encrypted the counter, used in the dynamic IV
creation, is not incremented.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-06-22 17:07:21 +02:00
Gilles Peskine
8399cccd2e Merge pull request #5829 from paul-elliott-arm/fix_ct_uninit_memory_access 
Fix uninitialised memory access in constant time functions
 2022-06-01 11:42:51 +02:00
Paul Elliott
5260ce27ed Fix uninitialised memory access in constant time functions 
Fix an issue reported by Coverity whereby some constant time functions
called from the ssl decrypt code could potentially access uninitialised
memory.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-05-19 18:23:24 +01:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell. 
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-05-11 21:25:51 +01:00
Neil Armstrong
ab555e0a6c Rename mbedtls_get_mode_from_XXX to mbedtls_ssl_get_mode_from_XXX 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-04-22 14:25:59 +02:00
Neil Armstrong
136f8409df Replace PSA/Cipher logic with mbedtls_get_mode_from_transform() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-04-22 14:25:26 +02:00
Paul Elliott
a2da9c7e45 Merge pull request #5631 from gstrauss/enum-tls-vers 
Unify internal/external TLS protocol version enums
 2022-04-19 17:05:26 +01:00
Glenn Strauss
041a37635b Remove some tls_ver < MBEDTLS_SSL_VERSION_TLS1_2 checks 
mbedtls no longer supports earlier TLS protocol versions

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-04-14 15:40:14 -04:00
Glenn Strauss
e3af4cb72a mbedtls_ssl_(read|write)_version using tls_version 
remove use of MBEDTLS_SSL_MINOR_VERSION_*
remove use of MBEDTLS_SSL_MAJOR_VERSION_*
(only remaining use is in tests/suites/test_suite_ssl.data)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-04-14 15:40:14 -04:00
Glenn Strauss
60bfe60d0f mbedtls_ssl_ciphersuite_t min_tls_version,max_tls_version 
Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible, as the struct is now smaller.

Reduce size of mbedtls_ssl_ciphersuite_t

members are defined using integral types instead of enums in
order to pack structure and reduce memory usage by internal
ciphersuite_definitions[]

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-04-14 15:40:12 -04:00
Glenn Strauss
2dfcea2b9d mbedtls_ssl_config min_tls_version, max_tls_version 
Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms.  For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).

New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-04-14 15:39:43 -04:00
Glenn Strauss
07c641605e Rename mbedtls_ssl_transform minor_ver to tls_version 
Store the TLS version in tls_version instead of minor version number.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
 2022-04-14 15:23:54 -04:00
Hanno Becker
5e18f74abb Make alert sending function re-entrant 
Fixes #1916

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
 2022-04-08 12:16:43 +01:00
Ronald Cron
a980adf4ce Merge pull request #5637 from ronald-cron-arm/version-negotiation-1 
TLS 1.2/1.3 version negotiation - 1
 2022-03-31 11:47:16 +02:00
Manuel Pégourié-Gonnard
3304f253d7 Merge pull request #5653 from paul-elliott-arm/handshake_over 
Add mbedtls_ssl_is_handshake_over()
 2022-03-30 12:16:40 +02:00
Ronald Cron
8f6d39a81d Make some handshake TLS 1.3 utility routines available for TLS 1.2 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-03-29 14:42:17 +02:00
Paul Elliott
27b0d94e25 Use mbedtls_ssl_is_handshake_over() 
Switch over to using the new function both internally and in tests.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-03-24 14:43:52 +00:00
Manuel Pégourié-Gonnard
f4042f076b Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac 
TLS record HMAC
 2022-03-21 11:36:44 +01:00
Ronald Cron
00d012f2be Fix type of force_flush parameter 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-03-09 07:51:52 +01:00
Ronald Cron
66dbf9118e TLS 1.3: Do not send handshake data in handshake step handlers 
Send data (call to mbedtls_ssl_flush_output()) only from
the loop over the handshake steps. That way, we do not
have to take care of the partial writings (MBEDTLS_ERR_SSL_WANT_WRITE
error code) on the network in handshake step handlers.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-03-09 07:51:52 +01:00
Neil Armstrong
4313f55a13 Simplify error handling of PSA mac operationsg in ssl_msg.c 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-03-02 15:37:04 +01:00
Neil Armstrong
e858996413 Use PSA version of mbedtls_ct_hmac() in mbedtls_ssl_decrypt_buf() 
Due to mbedtls_ct_hmac() implementation the decryption MAC key
must be exportable.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-02-25 15:17:50 +01:00
Neil Armstrong
cf8841a076 Remove non-PSA MAC keys in mbedtls_ssl_transform when MBEDTLS_USE_PSA_CRYPTO is defined 
Also remove last usage of non-PSA MAC keys in ssl_decrypt_non_etm_cbc() SSL test.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-02-25 15:16:49 +01:00
Neil Armstrong
26e6d6764e Use PSA MAC API in mbedtls_ssl_encrypt/decrypt_buf() 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-02-25 15:16:49 +01:00
Neil Armstrong
39b8e7dde4 Add, Initialize & Free HMAC keys in mbedtls_ssl_transform 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-02-23 09:24:57 +01:00
Przemyslaw Stekiel
c499e33ed0 ssl_msg.c: Change message in MBEDTLS_SSL_DEBUG_RET() to be the failed function name instead current function name 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-07 15:12:05 +01:00
Przemyslaw Stekiel
c8a06feae6 ssl_msg.c: Optimize null/stream cipher decryption/encryption 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-07 10:52:47 +01:00
Przemyslaw Stekiel
98ef6dca68 Remove redundant new lines 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-07 08:04:39 +01:00
Przemyslaw Stekiel
8c010eb467 Fix comments, code style, remove debug code 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-03 14:55:24 +01:00
Przemyslaw Stekiel
6b2eedd25f ssl_msg.c: add debug code for psa failures 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-03 14:55:14 +01:00
Przemyslaw Stekiel
d66387f8fa Init psa status to PSA_ERROR_CORRUPTION_DETECTED 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-03 09:16:41 +01:00
Przemyslaw Stekiel
b97556e8d1 mbedtls_ssl_encrypt/decrypt_buf: remove dead code 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-02-03 09:16:29 +01:00
Przemyslaw Stekiel
77aec8d181 Rename ssl_psa_status_to_mbedtls->psa_ssl_status_to_mbedtls 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 20:22:53 +01:00
Przemyslaw Stekiel
be47ecf5e2 mbedtls_ssl_get_record_expansion: use same condidion set as for non-psa build 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 17:50:00 +01:00
Przemyslaw Stekiel
89dad93a78 Rename psa_status_to_mbedtls->ssl_psa_status_to_mbedtls and add conversion for PSA_ERROR_INVALID_SIGNATURE 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:39:24 +01:00
Przemyslaw Stekiel
399ed51185 Fix condition in mbedtls_ssl_get_record_expansion 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:39:24 +01:00
Przemyslaw Stekiel
1d714479a3 mbedtls_ssl_get_record_expansion: rework switch statement for psa 
As PSA_ALG_IS_AEAD( transform->psa_alg ) can't be used as switch labels (switch labels must be constant expressions, they have to be evaluated at compile time) refactor switch to "if else" statement.

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
e88477844c Adapt the mbed tls mode: ccm or gcm or cachapoly to psa version 
mode == MBEDTLS_MODE_CCM || mode == MBEDTLS_GCM || mode == MBEDTLS_CHACHAPOLY is equivalent to PSA_ALG_IS_AEAD( alg ).

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
221b52791e ssl_msg.c: fix parm in call to mbedtls_ssl_decrypt_buf() 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
6be9cf542f Cleanup the code 
Use conditional compilation for psa and mbedtls code (MBEDTLS_USE_PSA_CRYPTO).

Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
d4eab57933 Skip psa encryption/decryption for null cipher 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
ce09e7d868 Use psa_status_to_mbedtls() for psa error case 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
1fe065b235 Fix conditional compilation (MBEDTLS_USE_PSA_CRYPTO) 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
2e9711f766 mbedtls_ssl_decrypt_buf(): replace mbedtls_cipher_crypt() and mbedtls_cipher_auth_decrypt_ext() with PSA calls 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:29 +01:00
Przemyslaw Stekiel
b37fae122c mbedtls_ssl_encrypt_buf(): replace mbedtls_cipher_crypt() and mbedtls_cipher_auth_encrypt_ext() with PSA calls 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:28 +01:00
Przemyslaw Stekiel
ce37d11c67 mbedtls_ssl_transform_free(): fix destruction of psa keys 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:28 +01:00
Przemyslaw Stekiel
8f80fb9b1d Adapt in mbedtls_ssl_transform_init() and mbedtls_ssl_transform_free() after extending mbedtls_ssl_transform struct 
Signed-off-by: Przemyslaw Stekiel <przemyslaw.stekiel@mobica.com>
 2022-01-31 15:38:28 +01:00
Dave Rodgman
050ad4bb50 Merge pull request #5313 from gilles-peskine-arm/missing-ret-check-mbedtls_md_hmac 
Check HMAC return values
 2021-12-13 10:51:27 +00:00