0f6bc41a22
Update includes for each library file
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-09 11:18:50 +01:00
19dd9f59bc
Merge 1.2 and 1.3 certificate verification
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
843a00dec6
Add support for context f_vrfy callback in 1.3
This was only supported in 1.2 for no good reason.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
fd800c2416
Improve a variable's name
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
5bdadbb1eb
Restrict the scope of a few variables
In particular, make sure pointer variables are initialized right after
being declared.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
bfbecf8b34
tls13: Add support for trusted certificate callback
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
6901504ddb
Allow no authentication of the server in 1.3
See notes about optional two commits ago for why we're doing this.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
58ab9ba0bd
Allow optional authentication of the server in 1.3
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.
In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
aefc5938b0
Add comments about 1.3 server sending no cert
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
5f9428ac8a
Rm translation code for unused flag
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
7a4aa4d133
Make mbedtls_ssl_check_cert_usage() work for 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
4956e32538
Fix 1.3 failure to update flags for (ext)KeyUsage
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:23:47 +01:00
69770aaa7b
Use unsigned long rather than size_t for format string readability
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-06-05 20:54:42 +02:00
a9d4ef0998
Fix uint32_t printed as unsigned int
This is ok in practice since we don't support 16-bit platforms, but it makes
`arm-none-eabi-gcc-10 -mthumb -Wformat` complain.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-06-03 22:16:23 +02:00
a2c45dc713
Fix compilation of ssl_tls13_generic.c when memcpy() is a function-like macro
Fixes #8994
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-04-02 14:51:47 +01:00
93795f2639
tls13: Improve comment about cast to uint32_t
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-07 09:57:07 +01:00
2e7dfd5181
tls13: Remove unnecessary cast from size_t to uint32_t
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-05 13:48:11 +01:00
19bfe0a631
tls13: Rename early_data_count to total_early_data_size
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:16 +01:00
70eab45ba6
tls13: generic: Fix log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:16 +01:00
8571804382
tls13: srv: Enforce maximum size of early data
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:09 +01:00
9b4e964c2c
Merge pull request #8760 from ronald-cron-arm/tls13-write-early-data
TLS 1.3: Add mbedtls_ssl_write_early_data() API
2024-02-29 14:31:55 +00:00
5fbd27055d
tls13: Use a flag not a counter for CCS and HRR handling
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-15 17:19:02 +01:00
e273f7203d
tls13: client: Improve CCS handling
Call unconditionally the CCS writing function
when sending a CCS may be necessary in the
course of a handshake. Enforce in the writing
function and only in the writing function that
only one CCS is sent.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-14 10:24:00 +01:00
e6c80bc6e5
Merge pull request #8755 from ronald-cron-arm/tls13-client-early-data-status
TLS 1.3: Refine and test client early data status
2024-02-13 20:36:42 +00:00
1d7bc1ecdf
Merge pull request #8717 from valeriosetti/issue8030
PSA FFDH: feature macros for parameters
2024-02-07 10:06:03 +00:00
fe59ff794d
tls13: Send dummy CCS only once
Fix cases where the client was sending
two CCS, no harm but better to send only one.
Prevent sending even more CCS when early data
are involved without having to add conditional
state transitions.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-06 16:43:33 +01:00
32c28cebb4
Merge pull request #8715 from valeriosetti/issue7964
Remove all internal functions from public headers
2024-02-05 15:09:15 +00:00
b4f5076270
debug: move internal functions declarations to an internal header file
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-18 15:30:46 +01:00
4d4891e18a
Merge pull request #8666 from valeriosetti/issue8340
Export the mbedtls_md_psa_alg_from_type function
2024-01-18 13:58:55 +00:00
ecaf7c5690
ssl_tls: add guards for enabled DH key types
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-17 15:56:30 +01:00
3ff472441a
Fix warning in ssl_tls13_generic.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:28 +00:00
e1ac98d888
remove mbedtls_ssl_is_record_size_limit_valid function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
148dfb6457
Change record size limit writing function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
faf70bdf9d
ssl_tls13_generic: check value of RecordSizeLimit in helper function
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-01-10 16:17:27 +00:00
3a6059beca
Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit
Comply with the received Record Size Limit extension
2024-01-09 15:22:17 +00:00
384fbde49a
library/tests: replace md_psa.h with psa_util.h as include file for MD conversion
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-02 13:27:32 +01:00
049cd302ed
Refactor record size limit extension handling
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-20 17:28:31 +00:00
26e3698357
Revert back checking on handshake messages length
Revert back checking on handshake messages length due to
limitation on our fragmentation support of handshake
messages.
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-14 16:23:25 +00:00
9aec1c71f2
Add record size checking during handshake
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-06 15:18:15 +00:00
f482dcc6c7
Comply with the received Record Size Limit extension
Fixes #7010
Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-12-06 15:18:08 +00:00
c59c586ac4
change prototype of write_early_data_ext
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:21:15 +08:00
ebe1de62f9
fix various issues
- rename connection time variable
- remove unnecessary comments
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:20:25 +08:00
5233539d9f
share write_early_data_ext function
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2023-12-06 18:18:50 +08:00
16799db69a
update headers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-02 19:47:20 +00:00
8e00fe0cd8
Merge pull request #8309 from daverodgman/iar-warnings2
Fix IAR warnings
2023-10-06 13:24:12 +00:00
2eab462a8c
Fix IAR warnings
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-10-05 13:30:37 +01:00
530c423ad2
Improve some debug messages and error codes
On a parsing error in TLS, return MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE, not a
crypto error code.
On error paths, emit a level-1 debug message. Report the offending sizes.
Downgrade an informational message's level to 3.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:42:11 +02:00
12c5aaae57
Fix buffer overflow in TLS 1.3 ECDH public key parsing
Fix a buffer overflow in TLS 1.3 ServerHello and ClientHello parsing. The
length of the public key in an ECDH- or FFDH-based key exchange was not
validated. This could result in an overflow of handshake->xxdh_psa_peerkey,
overwriting further data in the handshake structure or further on the heap.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 15:02:10 +02:00
ff2558a470
Fix unused variable in some TLS 1.3 builds
Fix unused variable when MBEDTLS_SSL_PROTO_TLS1_3 and
MBEDTLS_SSL_SESSION_TICKETS are enabled but not MBEDTLS_DEBUG_C.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-09-05 21:10:39 +02:00
711f853b48
ssl_tls13: fix guard for FFDH function
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-11 06:33:52 +02:00