lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Code Activity
31,628 Commits 176 Branches 276 Tags
5b69fade3171a8ab9d01977efadcc1a732c6e9c1
Commit Graph

13428 Commits

Author SHA1 Message Date
David Horstmann
1d98d9d861 Merge pull request #9526 from mpg/refactor-tls123-verif-dev 
Refactor tls123 verif dev
 2024-09-03 15:29:10 +00:00
David Horstmann
36fe9188e2 Merge pull request #9252 from gabor-mezei-arm/9114_replace_MBEDTLS_MD_CAN_SHA512_with_PSA_WANT 
Replace MBEDTLS_MD_CAN_SHA512 with its PSA_WANT counterpart
 2024-09-03 14:07:05 +00:00
Manuel Pégourié-Gonnard
5398e58fcd Fix guards around function now used by 1.3 as well 
Actually moved the function rather than trying to edit guards around it,
because the relevant guards are not nearby, the function was part of
larger blocks, so it seemed risky.

Also, that seems logically correct: the function is no longer part of
the "TLS 1.2 handshake functions common to server and client" section,
it's part of the "helper functions common to 1.2 and 1.3 server and
client" block. Ideally in the future perhaps the file structure should
reflect that (`ssl_generic.c` vs `ssl_tls12_generic.c`?) but that's out
of scope here.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
9e3e991d04 Fix typos in comments 
Co-authored-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
a040548747 Improve some comments 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
19dd9f59bc Merge 1.2 and 1.3 certificate verification 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
908f57dfba Minor refactoring of generic SSL certificate verif 
Rename as there was a name collision with a static function in another
file: ssl_parse_certificate_verify in ssl_tls12_server.c is the function
that parses the CertificateVerify message, which seems appropriate. Here
it meant "the 'verify' step after parsing the Certificate message".
Use a name that focuses on what it does: verify, not parse.

Also, take ciphersuite_info as an argument: when TLS 1.3 calls this
function, it can pass NULL as the ciphersuite has no influence there.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
843a00dec6 Add support for context f_vrfy callback in 1.3 
This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
fd800c2416 Improve a variable's name 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5bdadbb1eb Restrict the scope of a few variables 
In particular, make sure pointer variables are initialized right after
being declared.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Ronald Cron
bfbecf8b34 tls13: Add support for trusted certificate callback 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
6901504ddb Allow no authentication of the server in 1.3 
See notes about optional two commits ago for why we're doing this.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
58ab9ba0bd Allow optional authentication of the server in 1.3 
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.

In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
aefc5938b0 Add comments about 1.3 server sending no cert 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5f9428ac8a Rm translation code for unused flag 
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
e5a916fd3c Simplify certificate curve check for 1.2 
The comments were about the time we were using mbedtls_pk_ec(), which
can return NULL, which we don't want to propagate to other functions.

Now we're using mbedtls_pk_get_ec_group_id() with is a safer interface
(and works even when EC is provided by drivers).

The check for GROUP_NONE was an heritage from the previous NULL check.
However it's actually useless: if NONE were returned (which can't happen
or parsing of the certificate would have failed and we wouldn't be
here), then mbedtls_ssl_check_curve() would work and just say that the
curve wasn't valid, which is OK.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
7a4aa4d133 Make mbedtls_ssl_check_cert_usage() work for 1.3 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
94f70228e9 Clean up mbedtls_ssl_check_cert_usage() 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Gilles Peskine
99b57bd35a Merge pull request #1272 from eleuzi01/forward-1263 
Fix 1.3 cli-auth optional reporting of (ext)KeyUsage issues
 2024-08-28 19:38:36 +02:00
Gabor Mezei
c15ef93aa5 Replace MBEDTLS_MD_CAN_SHA512 with PSA_WANT_ALG_SHA_512 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2024-08-28 18:20:25 +02:00
Gilles Peskine
805ac15e2d Merge pull request #9244 from waleed-elmelegy-arm/fix-tls13_parse_client_hello-issue 
Fix issue in handling legacy_compression_methods in ssl_tls13_parse_client_hello()
 2024-08-22 18:56:27 +00:00
Manuel Pégourié-Gonnard
4956e32538 Fix 1.3 failure to update flags for (ext)KeyUsage 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-16 17:23:47 +01:00
Sergey Markelov
4ed0fded12 Fix Mbed-TLS build when WIN32_LEAN_AND_MEAN macro is defined globally 
Signed-off-by: Sergey Markelov <sergey@solidstatenetworks.com>
 2024-08-14 15:15:14 -07:00
Elena Uziunaite
da41b60cef Replace MBEDTLS_SSL_HAVE_CAMELLIA with PSA_WANT_KEY_TYPE_CAMELLIA 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-13 09:58:00 +01:00
Gilles Peskine
b8457fff9f Merge pull request #9353 from eleuzi01/replace-ecp-have-secp384r1 
Replace MBEDTLS_ECP_HAVE_SECP384R1 with PSA_WANT_ECC_SECP_R1_384
 2024-08-12 14:37:10 +00:00
Gilles Peskine
0858fdca38 Merge pull request #9189 from misch7/fix-v3.6-issues-9186-and-9188 
Fix build of v3.6 (issues #9186 and #9188)
 2024-08-12 09:34:17 +00:00
Michael Schuster
1da4ed1df8 Move the -Wmissing-prototypes option from library/CMakeLists.txt to the top-level CMakeLists.txt for GCC & Clang 
Signed-off-by: Michael Schuster <michael@schuster.ms>
 2024-08-09 10:29:58 +01:00
Michael Schuster
7e39028628 Fix build of v3.6 with unset MBEDTLS_DHM_C but MBEDTLS_USE_PSA_CRYPTO set (fixes #9188) 
Avoid compiler warning about size comparison (like in commit 7910cdd):

Clang builds fail, warning about comparing uint8_t to a size that may be >255.

Signed-off-by: Michael Schuster <michael@schuster.ms>
 2024-08-09 10:27:44 +01:00
Michael Schuster
4394067071 Fix server mode only build of v3.6 with MBEDTLS_SSL_CLI_C unset (fixes #9186) 
Signed-off-by: Michael Schuster <michael@schuster.ms>
 2024-08-09 10:27:44 +01:00
Elena Uziunaite
6b4cd48d24 Replace MBEDTLS_ECP_HAVE_SECP384R1 with PSA_WANT_ECC_SECP_R1_384 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-09 09:49:03 +01:00
Gilles Peskine
aacbc622a4 Merge pull request #9453 from gilles-peskine-arm/psa-keystore-dynamic-prep-4.0 
Prepare for dynamic key store
 2024-08-09 08:00:06 +00:00
Gilles Peskine
e1171bd26f Merge pull request #9361 from eleuzi01/replace-key-aria 
Replace MBEDTLS_SSL_HAVE_ARIA with PSA_WANT_KEY_TYPE_ARIA
 2024-08-08 15:41:01 +00:00
Gilles Peskine
9e54a4f5ba Merge pull request #9369 from eleuzi01/replace-ecc-keys 
Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
 2024-08-08 12:10:43 +00:00
Gilles Peskine
dc10825ab9 MBEDTLS_STATIC_ASSERT: make it work outside of a function 
At the top level, the macro would have had to be used without a following
semicolon (except with permissive compilers that accept spurious semicolons
outside of a function), which is confusing to humans and indenters. Fix
that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-08-07 12:39:05 +02:00
Elena Uziunaite
51c85a0296 Replace MBEDTLS_SSL_HAVE_ARIA with PSA_WANT_KEY_TYPE_ARIA 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-07 11:33:14 +01:00
Elena Uziunaite
8dde3b3dec Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-05 15:41:58 +01:00
Elena Uziunaite
c256172b30 Replace MBEDTLS_SSL_HAVE_CCM with PSA_WANT_ALG_CCM 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-05 15:40:00 +01:00
Gilles Peskine
be6a47140b Merge pull request #9365 from eleuzi01/replace-gcm 
Replace MBEDTLS_SSL_HAVE_GCM with PSA_WANT_ALG_GCM
 2024-08-05 09:43:23 +00:00
Gilles Peskine
9c9a3df3bf Merge pull request #9366 from eleuzi01/replace-chachapoly 
Replace MBEDTLS_SSL_HAVE_CHACHAPOLY with PSA_WANT_ALG_CHACHA20_POLY1305
 2024-08-02 14:26:27 +00:00
Elena Uziunaite
83a0d9deec Replace MBEDTLS_SSL_HAVE_GCM with PSA_WANT_ALG_GCM 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-08-02 09:52:20 +01:00
Elena Uziunaite
5c70c30655 Replace MBEDTLS_SSL_HAVE_CHACHAPOLY with PSA_WANT_ALG_CHACHA20_POLY1305 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-07-31 16:31:00 +01:00
Elena Uziunaite
74342c7c2b Replace MBEDTLS_SSL_HAVE_CBC with PSA_WANT_ALG_CBC_NO_PADDING 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-07-31 16:19:15 +01:00
Elena Uziunaite
6121a344dd Replace MBEDTLS_SSL_HAVE_AES with PSA_WANT_KEY_TYPE_AES 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-07-30 18:42:19 +01:00
Elena Uziunaite
417d05f7c5 Replace MBEDTLS_ECP_HAVE_SECP256R1 with PSA_WANT_ECC_SECP_R1_256 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-07-29 11:31:20 +01:00
Ronald Cron
901a675238 Adapt make build system 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-07-19 10:07:27 +02:00
Ronald Cron
088a1ab081 make: Fix object clean-up 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-07-19 09:58:35 +02:00
Bence Szépkúti
e7fdfdb913 Merge pull request #9123 from eleuzi01/replace-mbedtls-md-can-md5 
Replace MBEDTLS_MD_CAN_MD5 with PSA_WANT_ALG_MD5
 2024-07-18 16:17:25 +00:00
Paul Elliott
b449476595 Merge pull request #9354 from eleuzi01/replace-ecp-have-secp512r1 
Replace MBEDTLS_ECP_HAVE_SECP521R1 with PSA_WANT_ECC_SECP_R1_521
 2024-07-18 15:55:41 +00:00
Paul Elliott
df772da34e Merge pull request #9358 from eleuzi01/replace-curve 
Replace MBEDTLS_ECP_HAVE_CURVE* with PSA_WANT counterparts
 2024-07-18 13:54:26 +00:00
Elena Uziunaite
b66a991f04 Replace MBEDTLS_MD_CAN_MD5 with PSA_WANT_ALG_MD5 
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
 2024-07-18 14:31:59 +03:00