1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-01 09:41:40 +03:00
Commit Graph

7603 Commits

Author SHA1 Message Date
ae59c52322 Create configuration option to bypass the mbedtls_ssl_set_hostname check
Update generated files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-24 18:04:14 +01:00
63f958df77 Create error code for mbedtls_ssl_set_hostname not called
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-21 19:33:55 +01:00
f33c45f84d Keep track of whether mbedtls_ssl_set_hostname() has been called
Use a special marker as ssl->hostname if mbedtls_ssl_set_hostname() has been
called with NULL. If mbedtls_ssl_set_hostname() has never been called, the
field is NULL, as before.

No behavior change apart from now emitting a different log message depending
on whether mbedtls_ssl_set_hostname() has been called with NULL or not at all.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-21 19:33:53 +01:00
3a2f75d8d5 Access ssl->hostname through abstractions
New abstractions to access ssl->hostname:
mbedtls_ssl_has_set_hostname_been_called() (only implemented approximatively
for now), mbedtls_ssl_get_hostname_pointer(), mbedtls_ssl_free_hostname().

Only access ssl->hostname directly in these functions and in
mbedtls_ssl_set_hostname().

Use these abstractions to access the hostname with the opportunity for
extra checks in mbedtls_ssl_verify_certificate().

No behavior change except for a new log message.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-21 19:32:59 +01:00
ff25715cb4 Move mbedtls_ssl_set_hostname up
Refactoring to prepare for "Access ssl->hostname through abstractions".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-20 13:57:51 +01:00
49d440372f tf-psa-crypto/drivers/builtin/src/ecp.c
Update tf-psa-crypto/drivers/builtin/src/ecp.c

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-01-23 15:29:58 +00:00
4ad27aa47e Specify previously missed XMM register clobbers in AES-NI asm blocks
Noticed by Gilles Peskine

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
Signed-off-by: Solar Designer <solar@openwall.com>
2024-12-13 02:14:13 +01:00
4115440aa7 Specify register clobbers in mbedtls_aesni_crypt_ecb()
Signed-off-by: Solar Designer <solar@openwall.com>
2024-12-13 02:13:03 +01:00
6d327128b5 Make mbedTLS compile with MS-DOS DJGPP
Signed-off-by: SuperIlu <superilu@yahoo.com>
2024-12-01 10:32:46 +01:00
aa6ae3f649 net/mbedtls_net_connect: Preventing double close problem
In the test examples and real usage scenarios, 'mbedtls_net_free' is called after 'mbedtls_net_connect' fails, which will cause the problem of double close the same fd. It is possible to close this closed fd which has been applied by other link.

Signed-off-by: makejian <makejian@xiaomi.com>
2024-10-22 20:06:10 +08:00
9f7cc4c14f Bump version to 2.28.9
Soversions unchanged.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-26 12:44:41 +02:00
69555ea884 Merge remote-tracking branch 'mbedtls-2.28' into mbedtls-2.28-restricted 2024-08-23 11:15:46 +02:00
d9e16c4870 Free allocated memory where methods were returning without freeing
Signed-off-by: Sam Berry <sam.berry@arm.com>
Signed-off-by: Gowtham Suresh Kumar <gowtham.sureshkumar@arm.com>
2024-08-19 13:22:35 +01:00
36548eefa4 Merge pull request #9256 from gilles-peskine-arm/psa-keystore-dynamic-backport-2.28
Backport 2.28: prepare for dynamically sized key store
2024-08-09 08:00:01 +00:00
d0ba2b0d1f Fix inverted assertion message
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-08 15:57:48 +02:00
55aa72fe21 Merge remote-tracking branch 'public/mbedtls-2.28' into merge-2.28
* public/mbedtls-2.28: (88 commits)
  tests/ssl_helpers: Check that message queue is popped
  Upgrade python dependencies in requirements file
  Fix some typo for include folder
  Adjust TLS protocol cases for 2.28
  Fix copypasta
  Declare the new generated files
  Add generated config tests
  Remove some settings that don't exist in 2.28
  Adjust generate_config_tests.py for 2.28
  Terminology: use "dependencies" for a list of settings
  Terminology: consistently use "setting", not "option"
  Explain why we require TLS client and server simultaneously
  Fix missing negation
  Pacify mypy
  Detect sub-options
  Generate config test cases for single options
  Anchor relative paths
  New test suite to report configuration options
  Recognize that a double-inclusion guard is not a config setting
  Add and update some .gitignore files
  ...
2024-08-08 10:03:24 +02:00
18f659b1e7 Assert that the key ID range for volatile keys is large enough
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-07 11:17:32 +02:00
f16263e286 Assert that key ID ranges don't overlap
Ensure that a key ID can't be in range for more than one of volatile keys,
persistent (i.e. user-chosen) keys or built-in keys.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-07 11:17:32 +02:00
37a4fcc5b4 Prevent mbedtls_psa_register_se_key with volatile keys
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes #9253.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-07 11:17:32 +02:00
f555a4e26f MBEDTLS_STATIC_ASSERT: make it work outside of a function
At the top level, the macro would have had to be used without a following
semicolon (except with permissive compilers that accept spurious semicolons
outside of a function), which is confusing to humans and indenters. Fix
that.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-08-07 11:17:32 +02:00
e752eaf73a Force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE based on CTR_DRBG
If MBEDTLS_CTR_DRBG_C is enabled, force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE to be
disabled. This resolves the former inconsistency in builds where
MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is explicitly defined but MBEDTLS_CTR_DRBG_C
remains enabled, where PSA called the CTR_DRBG functions but other parts of
the code based assumed that HMAC was in use, in particular error code
conversions (leading to a test failure in test_suite_psa_crypto_init).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-07-25 18:30:51 +02:00
ff2c049eaf Merge pull request #9270 from sezrab/silence-2.28
[Backport 2.28] Silence gcc 12.2.0 warning
2024-07-04 14:49:34 +00:00
f514f25f88 Merge pull request #9025 from gilles-peskine-arm/psa-storage-test-cases-never-supported-2.28
Backport 2.28: Fix the detection of not-supported mechanisms in systematically generated PSA tests
2024-06-14 18:23:38 +00:00
ed9a4948b9 Silence gcc 12.2.0 warning
Unfortunately this compiler complains about a variable potentially being
used un-initialized.  Silence the warning by initializing it to a sane
default.

Signed-off-by: Patrick Wildt <pwildt@google.com>
2024-06-14 16:29:47 +01:00
0a2dd6d4eb Set psk to NULL in ssl_psk_remove-backport to 2.28
Summary:
Back port [PR 9241](https://github.com/Mbed-TLS/mbedtls/pull/9241) to
2.28 branch

Test Plan:

Reviewers:

Subscribers:

Tasks:

Tags:
Signed-off-by: lhuang04 <lhuang04@fb.com>
2024-06-11 13:00:28 -07:00
9ebf9aa448 Merge pull request #9153 from gilles-peskine-arm/oid-limits-2.28
2.28 only: Fix the build without check_config.h (inclusion of limits.h)
2024-05-29 16:14:24 +00:00
a8cd2e6421 Fix the build without check_config.h (inclusion of limits.h)
Including `mbedtls/check_config.h` from `mbedtls/config.h` is optional. If
done, `limits.h` gets included. If not done, we were missing the inclusion
of `limits.h` in several source files. Fix this and add a test build that
doesn't include `mbedtls/check_config.h`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-17 19:00:46 +02:00
e32671f0d7 Merge pull request #9086 from nileshkale123/fix/redefinition_warning_for_gnu_source_backport_2.28
Backport 2.28: Fixed issue of redefinition warning messages for _GNU_SOURCE
2024-05-06 12:40:41 +00:00
791331158c Merge pull request #8544 from Ryan-Everett-arm/8537-2.28
Backport 2.28: Fix error handling for secure element keys in `psa_start_key_creation`
2024-05-02 16:06:11 +00:00
52b6fefcc4 Fixed issue of redefinition warning messages for _GNU_SOURCE
Signed-off-by: nilesh.kale <nilesh.kale@espressif.com>
2024-05-02 14:47:54 +05:30
b6e362b82e PSA sign/verify: more uniform error on an unsupported hash
Uniformly return PSA_ERROR_NOT_SUPPORTED if given an algorithm that includes
a hash, but that hash algorithm is not supported. This will make it easier
to have a uniform treatment of unsupported hashes in automatically generated
tests.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-04-11 22:00:55 +02:00
6766a19027 Merge pull request #8875 from stevenwdv/mbedtls-2.28
[backport] Fix compilation on macOS without apple-clang
2024-03-29 13:59:14 +00:00
6fe0ae026f Version bump for 2.28.8
./scripts/bump_version.sh --version 2.28.8

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-21 17:52:54 +00:00
d4b3fe7597 Merge branch 'mbedtls-2.28' into 'mbedtls-2.28-restricted' 2024-03-20 09:27:24 +00:00
f7acf91e5f Check C/C++ compilers separately for AppleClang ranlib
Signed-off-by: Steven WdV <swdv@cs.ru.nl>
2024-03-19 11:39:22 +01:00
98ebf488f5 Fix bug in ALPN loading from serialized session
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-15 14:29:24 +00:00
5bada225eb Update generated files with inverted option
Achieved by running:

tests/scripts/check-generated-files.sh -u

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-14 11:21:34 +00:00
4201533196 Invert and rename config option
Replace MBEDTLS_PSA_COPY_CALLER_BUFFERS with inverse:
!MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. This ensures that buffer
protection is enabled by default without any change to the Mbed TLS
config file.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-14 11:17:56 +00:00
28fe6654d8 Remove LOCAL_OUTPUT_ALLOC_WITH_COPY
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-03-12 17:54:55 +00:00
ca92831a60 Add missing semicolon
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-03-12 17:53:30 +00:00
40895498b7 Merge pull request #8851 from billatarm/mbedtls-2.28-add-pc-files
Mbedtls 2.28 add pc files
2024-03-12 11:30:30 +00:00
f06494dc9e Merge branch 'mbedtls-2.28' into buffer-sharing-merge-2.28 2024-03-11 16:28:50 +00:00
7c89d1f8de Merge branch 'mbedtls-2.28-restricted' into backport_key_agreement_buffer_protection
Signed-off-by: tom-daubney-arm <74920390+tom-daubney-arm@users.noreply.github.com>
2024-03-06 17:35:59 +00:00
a19f6bfcad Merge pull request #8823 from davidhorstmann-arm/fix-config-bitflag-2.28
[Backport 2.28] Update `SSL_SERIALIZED_SESSION_CONFIG_BITFLAG` with new flags
2024-03-05 13:17:43 +00:00
fc8cacf9a2 Add missing config guards in comment
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-05 10:46:26 +00:00
f3c3504f5a Fix merge
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2024-03-04 17:17:51 +01:00
26bbd8dd4e Merge branch 'mbedtls-2.28-restricted' into bp228_buffer_protection_for_cipher
Signed-off-by: Gábor Mezei <63054694+gabor-mezei-arm@users.noreply.github.com>
2024-03-04 15:39:35 +00:00
5e5056d6ab cmake: Use GnuInstallDirs to customize install directories
Replace custom LIB_INSTALL_DIR with standard CMAKE_INSTALL_LIBDIR variable.
For backward compatibility, set CMAKE_INSTALL_LIBDIR if LIB_INSTALL_DIR is set.

Signed-off-by: Biswapriyo Nath <nathbappai@gmail.com>
2024-03-01 12:05:00 -06:00
f5a6fa2e4a Fix code style
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-01 12:31:35 +00:00
11def97472 Fix naming inconsistencies in config bits
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-01 12:15:56 +00:00