5adc9c304b
Add "common.h"
...
Needed after b81cd1af64#9671 )
since generate_ssl_debug_helpers.py was moved to the framework
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com >
2024-10-15 16:58:16 +01:00
1116de3ca1
Add guard on internal 1.2-only function
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2024-09-04 10:56:08 +02:00
9f10979853
Merge branch 'mbedtls-3.6-restricted' into mbedtls-3.6.1rc0-pr
...
Signed-off-by: David Horstmann <david.horstmann@arm.com >
2024-08-28 20:48:27 +01:00
9f44c883f4
Rename some "new_session_tickets" symbols
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-08-28 17:47:46 +02:00
ba45a44f13
Move session tickets getter functions to ssl_misc.h
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-08-28 13:22:26 +02:00
069bccdf78
Call psa_crypto_init in the library when required for TLS 1.3
...
For backward compatibility with Mbed TLS <=3.5.x, applications must be able
to make a TLS connection with a peer that supports both TLS 1.2 and TLS 1.3,
regardless of whether they call psa_crypto_init(). Since Mbed TLS 3.6.0,
we enable TLS 1.3 in the default configuration, so we must take care of
calling psa_crypto_init() if needed. This is a change from TLS 1.3 in
previous versions, where enabling MBEDTLS_SSL_PROTO_TLS1_3 was a user
choice and could have additional requirement.
This commit makes the library call psa_crypto_init() when it needs PSA
crypto in a situation where the application might not have called it,
namely, when starting a TLS 1.3 connection.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2024-08-25 10:44:39 +02:00
4002e6fdee
Merge remote-tracking branch 'mbedtls-3.6' into mbedtls-3.6-restricted
2024-08-23 11:15:11 +02:00
565da768a4
Fix typos in comments
...
Co-authored-by: David Horstmann <david.horstmann@arm.com >
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2024-08-20 22:03:10 +02:00
ce60330dfb
Merge 1.2 and 1.3 certificate verification
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2024-08-20 22:03:10 +02:00
4938b693f3
Make mbedtls_ssl_check_cert_usage() work for 1.3
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2024-08-20 22:03:10 +02:00
96a0c5c48e
Clean up mbedtls_ssl_check_cert_usage()
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2024-08-20 22:03:10 +02:00
c9184fe7ab
Fix server mode only build of v3.6 with MBEDTLS_SSL_CLI_C unset ( fixes #9186 )
...
Signed-off-by: Michael Schuster <michael@schuster.ms >
2024-08-06 11:26:00 +01:00
5bc5263b2c
Add code improvments and refactoring in dealing with ALPN
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2024-03-13 16:50:01 +00:00
883f77cb08
Add mbedtls_ssl_session_set_alpn() function
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2024-03-13 16:50:01 +00:00
fd4c0c8b3d
tls13: cli: Fix comment
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-03-12 17:48:18 +01:00
aa3593141b
tls13: cli: Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz
...
Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz
from ssl.h(public) to ssl_misc.h(private) even if
that means we cannot use the enum type for
early_data_state in ssl.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-03-12 17:48:18 +01:00
8571804382
tls13: srv: Enforce maximum size of early data
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-03-01 09:29:09 +01:00
d6d32b9210
tls13: Improve declaration and doc of early data status
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-15 17:19:14 +01:00
b9a9b1f5a5
tls13: Fix/Improve comments
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-15 17:19:14 +01:00
5fbd27055d
tls13: Use a flag not a counter for CCS and HRR handling
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-15 17:19:02 +01:00
90e223364c
tls13: cli: Refine early data status
...
The main purpose of the change is to
know from the status, at any point in
the handshake, if early data can be
sent or not and why.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-06 16:43:33 +01:00
fe59ff794d
tls13: Send dummy CCS only once
...
Fix cases where the client was sending
two CCS, no harm but better to send only one.
Prevent to send even more CCS when early data
are involved without having to add conditional
state transitions.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-06 16:43:33 +01:00
32c28cebb4
Merge pull request #8715 from valeriosetti/issue7964
...
Remove all internal functions from public headers
2024-02-05 15:09:15 +00:00
78a38f607c
tls13: srv: Do not use early_data_status
...
Due to the scope reduction for
mbedtls_ssl_read_early_data(), on
server as early data state variable
we now only need a flag in the
handshake context indicating if
the server has accepted early data
or not.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-01 20:10:35 +01:00
3b9034544e
Revert "tls13: Introduce early_data_state SSL context field"
...
This reverts commit 0883b8b625ronald.cron@arm.com >
2024-02-01 20:03:57 +01:00
0883b8b625
tls13: Introduce early_data_state SSL context field
...
Introduce early_data_state SSL context field to
distinguish better this internal state from
the status values defined for the
mbedtls_ssl_get_early_data_status() API.
Distinguish also between the client and
server states. Note that the client state
are going to be documented and reworked
as part of the implementation of
mbedtls_ssl_write_early_data().
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-01 16:45:04 +01:00
5d0ae9021f
tls13: srv: Refine early data status
...
The main purpose is to know from the status
if early data can be received of not and
why.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2024-02-01 16:40:47 +01:00
25b282ebfe
x509: move internal functions declarations to a private header
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no >
2024-01-19 09:07:35 +01:00
d929106f36
ssl_ciphersuites: move internal functions declarations to a private header
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no >
2024-01-18 15:08:28 +01:00
f1ba1933cf
Merge pull request #8526 from yanrayw/issue/7011/send_record_size_limit_ext
...
TLS1.3: SRV/CLI: add support for sending Record Size Limit extension
2024-01-12 13:39:15 +00:00
f0ccf46713
Add minor cosmetic changes to record size limit changelog and comments
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2024-01-12 10:52:45 +00:00
ae2213c307
Merge pull request #8414 from lpy4105/issue/uniform-ssl-check-function
...
Harmonise the names and return values of check functions in TLS code
2024-01-11 13:51:39 +00:00
f501790ff2
Improve comments across record size limit changes
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2024-01-10 16:17:28 +00:00
148dfb6457
Change record size limit writing function
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2024-01-10 16:17:27 +00:00
a8b4291836
tls13: add generic function to write Record Size Limit ext
...
Signed-off-by: Yanray Wang <yanray.wang@arm.com >
2024-01-10 16:17:27 +00:00
3a6059beca
Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit
...
Comply with the received Record Size Limit extension
2024-01-09 15:22:17 +00:00
e2d3db5cfc
Update mbedtls_ssl_get_output_record_size_limit signature
...
Co-authored-by: Ronald Cron <ronald.cron@arm.com >
Signed-off-by: Waleed-Ziad Maamoun-Elmelegy <122474370+waleed-elmelegy-arm@users.noreply.github.com >
2024-01-05 14:19:16 +00:00
94a42ccb3e
Add tls13 in ticket flags helper function names
...
```
sed -i \
"s/\(mbedtls_ssl\)_\(session_\(\w*_\)\?ticket\)/\1_tls13_\2/g" \
library/*.[ch]
```
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 11:12:46 +08:00
abd844f379
Fix wrong format in the function doc
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
02e72f65da
Reword return value description for mbedtls_ssl_tls13_is_kex_mode_supported
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
b2cfafbb9e
Consistent renaming
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
2333b826f4
tls13: srv: rename mbedtls_ssl_tls13_check_kex_modes
...
The function is renamed to
`mbedtls_ssl_tls13_is_kex_mode_supported` and
the behaviour is reversed.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
0a1ff2b969
Consistent renaming
...
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
4f537f73fa
tls13: rename mbedtls_ssl_session_check_ticket_flags
...
The function is renamed to mbedtls_ssl_session_ticket_has_flags.
Descriptions are added.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:58 +08:00
fc2cb9632b
tls13: rename mbedtls_ssl_conf_tls13_check_kex_modes
...
The function is renamed to
mbedtls_ssl_conf_tls13_is_kex_mode_enabled.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:57 +08:00
60a22567e4
tls13: change return value of mbedtls_ssl_conf_tls13_check_kex_modes
...
To keep the convention in TLS code, check functions should return 0
when check is successful.
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com >
2023-12-08 10:01:57 +08:00
9aec1c71f2
Add record size checking during handshake
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com >
2023-12-06 15:18:15 +00:00
f482dcc6c7
Comply with the received Record Size Limit extension
...
Fixes #7010
Signed-off-by: Jan Bruckner <jan@janbruckner.de >
2023-12-06 15:18:08 +00:00
c59c586ac4
change prototype of write_early_data_ext
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2023-12-06 18:21:15 +08:00
5233539d9f
share write_early_data_ext function
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com >
2023-12-06 18:18:50 +08:00
