0f6bc41a22
Update includes for each library file
...
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-09 11:18:50 +01:00
e2a6aa5369
Improve comments explaining legacy_methods_compression handling
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-06-25 18:16:16 +01:00
0a9e8a3a18
Correct a small typo in ssl_tls13_parse_client_hello()
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-06-25 10:22:49 +01:00
a5842ac20e
Improve handling of legacy_compression_methods in ssl_tls13_parse_client_hello()
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-06-19 15:09:48 +01:00
b6e7331739
Fix issue in handling legacy_compression_methods in ssl_tls13_parse_client_hello()
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-06-11 18:45:40 +01:00
a9d4ef0998
Fix uint32_t printed as unsigned int
...
This is ok in practice since we don't support 16-bit platforms, but it makes
`arm-none-eabi-gcc-10 -mthumb -Wformat` complain.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-06-03 22:16:23 +02:00
a4b773d3bb
Merge pull request #6955 from inorick/nofa_no_session_tickets
...
Guard ticket specific TLS 1.3 function with macro
2024-04-08 08:56:17 +00:00
d60aef0f1b
Unconditionally define session variable
...
Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
1f045f3a0c
tls13: srv: Fix guards of _is_psk_(ephemeral_)available
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-27 08:22:53 +01:00
96eed725e1
Guard ticket specific TLS 1.3 function with macro
...
Guard ssl_tls13_write_new_session_ticket_coordinate with
MBEDTLS_SSL_SESSION_TICKETS macro.
Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
b70f0fd9a9
Merge branch 'development' into 'development-restricted'
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-19 22:24:40 +00:00
a5c5c58107
tls13: srv: Fix potential stack buffer overread
...
Fix potential stack buffer overread when
checking PSK binders.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-19 14:46:21 +01:00
4dfb0e7c90
Add ALPN checking when accepting early data
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-15 12:12:15 +00:00
6bee910dbd
Merge pull request #8858 from waleed-elmelegy-arm/add_alpn_to_session
...
Add ALPN information in session tickets
2024-03-15 09:50:24 +00:00
7b333f1e88
Merge pull request #8913 from ronald-cron-arm/tls13-ticket-lifetime
...
TLS 1.3: Enforce ticket maximum lifetime and discard tickets with 0 lifetime
2024-03-14 15:59:25 +00:00
5bc5263b2c
Add code improvements and refactoring in dealing with ALPN
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00
883f77cb08
Add mbedtls_ssl_session_set_alpn() function
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00
2824a209bc
Add ALPN information in session tickets
...
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00
ce79488dd5
tls13: srv: Fail connection if ticket lifetime exceeds 7 days
...
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-10 17:42:43 +01:00
7e1f9f290f
Merge pull request #8854 from ronald-cron-arm/tls13-srv-max-early-data-size
...
TLS 1.3: Enforce max_early_data_size on server
2024-03-09 00:16:07 +00:00
080a5171e2
Merge pull request #8861 from ronald-cron-arm/tls13-srv-select-kex
...
TLS 1.3: SRV: Improve key exchange mode selection
2024-03-08 14:58:36 +00:00
19521ddc36
tls13: srv: Fix/Improve debug logs
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
7cab4f885b
tls13: srv: Fix/Improve comments
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
16cc370423
tls13: srv: Fix initialization value
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
f602f7ba50
tls13: srv: Code improvements
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
3811765c0c
tls13: srv: Add/Improve comments
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
74a1629231
tls13: srv: Move PSK ciphersuite selection up
...
Move PSK ciphersuite selection up to the main
ClientHello parsing function. That way the
ciphersuite selection only happens in this
function.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
3e47eec431
tls13: srv: Simplify resumption detection
...
Avoid marking we resume and then
cancelling it.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
e8c162d7ba
tls13: srv: Simplify kex availability checks
...
Regarding the possibility of selecting a
key exchange mode, the check of the ticket
flags is now separated from the check of
the ClientHello content and server
configuration.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
79cdd4156f
tls13: srv: Improve key exchange mode determination
...
For PSK based key exchange modes do not check twice
anymore if they can be selected or not. Check it
only when looping over the offered PSKs to select
one.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
1f63fe4d74
tls13: srv: Fix resume flag in case of cancelled PSK
...
If we prefer ephemeral key exchange mode over
the pure PSK one, make sure the resume flag is
disabled as eventually we are not going to
resume a session even if we aimed to at some
point.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
cf284565c5
tls13: srv: Determine best key exchange mode for a PSK
...
Determine best key exchange for ticket based and
external PSKs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
89089cc69b
tls13: srv: Factorize ciphersuite selection code
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
f7e9916b3d
tls13: srv: Fix MBEDTLS_SSL_SESSION_TICKETS guard position
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
12e72f1664
tls13: srv: Always parse the pre-shared key extension
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
7a30cf5954
tls13: srv: Stop earlier identity check
...
If an identity has been determined as a
ticket identity but the ticket is not
usable, do not try to check if the
identity is that of an external
provided PSK.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
fbae94a52f
tls13: srv: Improve ticket identity check return values
...
Improve the values returned by
ssl_tls13_offered_psks_check_identity_match_ticket().
Distinguish between the two following cases:
1) the PSK identity is not a valid ticket identity
2) the PSK identity is a valid ticket identity but
the ticket cannot be used for session resumption.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
3cdcac5647
tls13: srv: Fix return value
...
Fix the value returned by
ssl_tls13_offered_psks_check_identity_match_ticket()
when there is no ticket parser function defined
or no time.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
6e31127f08
tls13: srv: Define specific return macros for binder check
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 08:43:41 +01:00
139a4185b1
Merge pull request #8587 from yanrayw/issue/4911/ssl_setup-check-RNG-configuration
...
TLS: check RNG when calling mbedtls_ssl_setup()
2024-03-08 07:38:39 +00:00
8571804382
tls13: srv: Enforce maximum size of early data
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:09 +01:00
c286519747
tls13: srv: Do not forget to include max_early_data_size in the ticket
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:03:51 +01:00
9b4e964c2c
Merge pull request #8760 from ronald-cron-arm/tls13-write-early-data
...
TLS 1.3: Add mbedtls_ssl_write_early_data() API
2024-02-29 14:31:55 +00:00
0ecb5fd6f5
Merge pull request #8574 from ronald-cron-arm/ssl-tickets
...
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
2024-02-21 09:38:46 +00:00
5fbd27055d
tls13: Use a flag not a counter for CCS and HRR handling
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-15 17:19:02 +01:00
e273f7203d
tls13: client: Improve CCS handling
...
Call unconditionally the CCS writing function
when sending a CCS may be necessary in the
course of a handshake. Enforce in the writing
function and only in the writing function that
only one CCS is sent.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-14 10:24:00 +01:00
fe59ff794d
tls13: Send dummy CCS only once
...
Fix cases where the client was sending
two CCS, no harm but better to send only one.
Prevent sending even more CCS when early data
are involved without having to add conditional
state transitions.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-06 16:43:33 +01:00
5c9cc0b30f
Merge pull request #8727 from ronald-cron-arm/tls13-ignore-early-data-when-rejected
...
TLS 1.3: SRV: Ignore early data when rejected
2024-02-06 13:16:03 +00:00
31e2d83eee
tls13: srv: Improve coding
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-05 16:45:57 +01:00
32c28cebb4
Merge pull request #8715 from valeriosetti/issue7964
...
Remove all internal functions from public headers
2024-02-05 15:09:15 +00:00