1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

2122 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
88800ddcc6 Rm dead !USE_PSA code: ssl_tls.c (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls.c
framework/scripts/code_style.py --fix library/ssl_tls.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:18:11 +01:00
Ronald Cron
189dcf630f Merge pull request #9910 from valeriosetti/issue9684
Remove DHE-PSK key exchange
2025-01-27 11:15:10 +00:00
Deomid rojer Ryabkov
3dfe75e115 Remove mbedtls_ssl_reset_in_out_pointers
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-01-26 11:12:21 +02:00
Valerio Setti
48659a1f9c ssl_tls: remove usage of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Manuel Pégourié-Gonnard
6402c35eca Remove internal helper mbedtls_ssl_get_groups()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-14 12:23:56 +01:00
Manuel Pégourié-Gonnard
6b720161ca Remove mbedtls_ssl_conf::curve_list
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-14 12:17:20 +01:00
Manuel Pégourié-Gonnard
93d4591255 Remove deprecated function mbedtls_ssl_conf_curves()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-14 12:06:31 +01:00
Gilles Peskine
bc7c523420 Remove uses of secp244k1
Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will
not be implemented. (It would be K1_225 anyway, but we don't intend to
implement it anyway.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-01-08 16:51:23 +01:00
Deomid rojer Ryabkov
ac2cf1f26c Defragment incoming TLS handshake messages
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2024-12-25 14:34:17 +02:00
Ronald Cron
8b592d28f9 Move psa_to_ssl_errors
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-12-04 14:25:02 +01:00
Gilles Peskine
712e9a1c3e Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK
Remove mentions of MBEDTLS_KEY_EXCHANGE_RSA_PSK that were not guarded by the
configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED. This finishes the
removal of library code that supports the RSA-PSK key exchange in TLS 1.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-05 15:49:12 +01:00
Gilles Peskine
ac767e5c69 Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Remove the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED and all
code guarded by it. This remove support for the RSA-PSK key exchange in TLS
1.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-05 15:49:01 +01:00
Harry Ramsey
0f6bc41a22 Update includes for each library file
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-09 11:18:50 +01:00
Ronald Cron
8c95999b38 Merge pull request #9544 from eleuzi01/replace-224k1
Replace MBEDTLS_ECP_HAVE_SECP224K1 with PSA_WANT_ECC_SECP_K1_224
2024-09-06 15:15:35 +00:00
Elena Uziunaite
63cb13e494 Replace MBEDTLS_ECP_HAVE_SECP224K1 with PSA_WANT_ECC_SECP_K1_224
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-05 12:43:14 +01:00
Elena Uziunaite
9fc5be09cb Replace MBEDTLS_MD_CAN_SHA1 with PSA_WANT_ALG_SHA_1
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-04 18:12:59 +01:00
David Horstmann
1d98d9d861 Merge pull request #9526 from mpg/refactor-tls123-verif-dev
Refactor tls123 verif dev
2024-09-03 15:29:10 +00:00
Manuel Pégourié-Gonnard
5398e58fcd Fix guards around function now used by 1.3 as well
Actually moved the function rather than trying to edit guards around it,
because the relevant guards are not nearby, the function was part of
larger blocks, so it seemed risky.

Also, that seems logically correct: the function is no longer part of
the "TLS 1.2 handshake functions common to server and client" section,
it's part of the "helper functions common to 1.2 and 1.3 server and
client" block. Ideally in the future perhaps the file structure should
reflect that (`ssl_generic.c` vs `ssl_tls12_generic.c`?) but that's out
of scope here.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
9e3e991d04 Fix typos in comments
Co-authored-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
a040548747 Improve some comments
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
19dd9f59bc Merge 1.2 and 1.3 certificate verification
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
908f57dfba Minor refactoring of generic SSL certificate verif
Rename as there was a name collision with a static function in another
file: ssl_parse_certificate_verify in ssl_tls12_server.c is the function
that parses the CertificateVerify message, which seems appropriate. Here
it meant "the 'verify' step after parsing the Certificate message".
Use a name that focuses on what it does: verify, not parse.

Also, take ciphersuite_info as an argument: when TLS 1.3 calls this
function, it can pass NULL as the ciphersuite has no influence there.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
843a00dec6 Add support for context f_vrfy callback in 1.3
This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
fd800c2416 Improve a variable's name
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5bdadbb1eb Restrict the scope of a few variables
In particular, make sure pointer variables are initialized right after
being declared.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
58ab9ba0bd Allow optional authentication of the server in 1.3
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.

In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5f9428ac8a Rm translation code for unused flag
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
e5a916fd3c Simplify certificate curve check for 1.2
The comments were about the time we were using mbedtls_pk_ec(), which
can return NULL, which we don't want to propagate to other functions.

Now we're using mbedtls_pk_get_ec_group_id() with is a safer interface
(and works even when EC is provided by drivers).

The check for GROUP_NONE was an heritage from the previous NULL check.
However it's actually useless: if NONE were returned (which can't happen
or parsing of the certificate would have failed and we wouldn't be
here), then mbedtls_ssl_check_curve() would work and just say that the
curve wasn't valid, which is OK.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
7a4aa4d133 Make mbedtls_ssl_check_cert_usage() work for 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
94f70228e9 Clean up mbedtls_ssl_check_cert_usage()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Gabor Mezei
c15ef93aa5 Replace MBEDTLS_MD_CAN_SHA512 with PSA_WANT_ALG_SHA_512
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2024-08-28 18:20:25 +02:00
Elena Uziunaite
da41b60cef Replace MBEDTLS_SSL_HAVE_CAMELLIA with PSA_WANT_KEY_TYPE_CAMELLIA
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-13 09:58:00 +01:00
Elena Uziunaite
6b4cd48d24 Replace MBEDTLS_ECP_HAVE_SECP384R1 with PSA_WANT_ECC_SECP_R1_384
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-09 09:49:03 +01:00
Gilles Peskine
e1171bd26f Merge pull request #9361 from eleuzi01/replace-key-aria
Replace MBEDTLS_SSL_HAVE_ARIA with PSA_WANT_KEY_TYPE_ARIA
2024-08-08 15:41:01 +00:00
Gilles Peskine
9e54a4f5ba Merge pull request #9369 from eleuzi01/replace-ecc-keys
Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
2024-08-08 12:10:43 +00:00
Elena Uziunaite
51c85a0296 Replace MBEDTLS_SSL_HAVE_ARIA with PSA_WANT_KEY_TYPE_ARIA
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-07 11:33:14 +01:00
Elena Uziunaite
8dde3b3dec Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-05 15:41:58 +01:00
Elena Uziunaite
c256172b30 Replace MBEDTLS_SSL_HAVE_CCM with PSA_WANT_ALG_CCM
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-05 15:40:00 +01:00
Gilles Peskine
be6a47140b Merge pull request #9365 from eleuzi01/replace-gcm
Replace MBEDTLS_SSL_HAVE_GCM with PSA_WANT_ALG_GCM
2024-08-05 09:43:23 +00:00
Gilles Peskine
9c9a3df3bf Merge pull request #9366 from eleuzi01/replace-chachapoly
Replace MBEDTLS_SSL_HAVE_CHACHAPOLY with PSA_WANT_ALG_CHACHA20_POLY1305
2024-08-02 14:26:27 +00:00
Elena Uziunaite
83a0d9deec Replace MBEDTLS_SSL_HAVE_GCM with PSA_WANT_ALG_GCM
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-02 09:52:20 +01:00
Elena Uziunaite
5c70c30655 Replace MBEDTLS_SSL_HAVE_CHACHAPOLY with PSA_WANT_ALG_CHACHA20_POLY1305
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-31 16:31:00 +01:00
Elena Uziunaite
74342c7c2b Replace MBEDTLS_SSL_HAVE_CBC with PSA_WANT_ALG_CBC_NO_PADDING
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-31 16:19:15 +01:00
Elena Uziunaite
6121a344dd Replace MBEDTLS_SSL_HAVE_AES with PSA_WANT_KEY_TYPE_AES
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-30 18:42:19 +01:00
Elena Uziunaite
417d05f7c5 Replace MBEDTLS_ECP_HAVE_SECP256R1 with PSA_WANT_ECC_SECP_R1_256
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-29 11:31:20 +01:00
Bence Szépkúti
e7fdfdb913 Merge pull request #9123 from eleuzi01/replace-mbedtls-md-can-md5
Replace MBEDTLS_MD_CAN_MD5 with PSA_WANT_ALG_MD5
2024-07-18 16:17:25 +00:00
Paul Elliott
b449476595 Merge pull request #9354 from eleuzi01/replace-ecp-have-secp512r1
Replace MBEDTLS_ECP_HAVE_SECP521R1 with PSA_WANT_ECC_SECP_R1_521
2024-07-18 15:55:41 +00:00
Paul Elliott
df772da34e Merge pull request #9358 from eleuzi01/replace-curve
Replace MBEDTLS_ECP_HAVE_CURVE* with PSA_WANT counterparts
2024-07-18 13:54:26 +00:00
Elena Uziunaite
b66a991f04 Replace MBEDTLS_MD_CAN_MD5 with PSA_WANT_ALG_MD5
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-18 14:31:59 +03:00
Gilles Peskine
9a75dddb5c Merge pull request #9350 from eleuzi01/replace-ecp-have-secp224r1
Replace MBEDTLS_ECP_HAVE_SECP224R1 with PSA_WANT_ECC_SECP_R1_224
2024-07-17 13:48:40 +00:00