1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-26 00:37:41 +03:00
Commit Graph

360 Commits

Author SHA1 Message Date
Ben Taylor
1c118a564d reverted enum in pk_verify_new
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-08-07 08:25:52 +01:00
Ben Taylor
adf5d537b2 Fix code style
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-08-07 08:25:52 +01:00
Ben Taylor
d95ea27e8c Create new enum mbedtls_pk_sigalg_t
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-08-07 08:25:52 +01:00
Ben Taylor
73b3987291 Correct rebase and add in additional type cast
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-29 07:54:44 +01:00
Ben Taylor
d3ae1701f3 Remove pragmas and use alias
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-29 07:54:44 +01:00
Ben Taylor
1c1535f153 Make pragmas more specific
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-29 07:54:43 +01:00
Ben Taylor
04b03d7712 Replace Werror removal with pragma
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-29 07:54:43 +01:00
Ben Taylor
0de87611bb Remove additional calls to mbedtls_pk_verify_ext
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-21 07:53:15 +01:00
Ben Taylor
306ffd3a36 Switch to mbedtls_pk_verify_new
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-21 07:53:15 +01:00
Gilles Peskine
4c83221320 Replace MBEDTLS_ERR_OID_NOT_FOUND with MBEDTLS_ERR_X509_UNKNOWN_OID
Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with
`MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not
used for anything.

Public functions in X.509 propagate this error code, so it needs to have a
public name.

Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then

```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-06-03 15:51:34 +02:00
Valerio Setti
7f6f4e6907 library: pass NULL options parameter to mbedtls_pk_verify_ext()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-05-07 09:06:52 +02:00
Ben Taylor
440cb2aac2 Remove RNG from x509 and PK
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 08:17:38 +00:00
Gilles Peskine
a7e14dc9eb Don't expect added error codes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-24 14:13:50 +00:00
Harry Ramsey
0f6bc41a22 Update includes for each library file
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-09 11:18:50 +01:00
Manuel Pégourié-Gonnard
19dd9f59bc Merge 1.2 and 1.3 certificate verification
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
843a00dec6 Add support for context f_vrfy callback in 1.3
This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
fd800c2416 Improve a variable's name
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5bdadbb1eb Restrict the scope of a few variables
In particular, make sure pointer variables are initialized right after
being declared.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Ronald Cron
bfbecf8b34 tls13: Add support for trusted certificate callback
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
6901504ddb Allow no authentication of the server in 1.3
See notes about optional two commits ago for why we're doing this.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
58ab9ba0bd Allow optional authentication of the server in 1.3
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.

In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
aefc5938b0 Add comments about 1.3 server sending no cert
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
5f9428ac8a Rm translation code for unused flag
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
7a4aa4d133 Make mbedtls_ssl_check_cert_usage() work for 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
4956e32538 Fix 1.3 failure to update flags for (ext)KeyUsage
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:23:47 +01:00
Gilles Peskine
69770aaa7b Use unsigned long rather than size_t for format string readability
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-06-05 20:54:42 +02:00
Gilles Peskine
a9d4ef0998 Fix uint32_t printed as unsigned int
This is ok in practice since we don't support 16-bit platforms, but it makes
`arm-none-eabi-gcc-10 -mthumb -Wformat` complain.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-06-03 22:16:23 +02:00
Tom Cosgrove
a2c45dc713 Fix compilation of ssl_tls13_generic.c when memcpy() is a function-like macro
Fixes #8994

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-04-02 14:51:47 +01:00
Ronald Cron
93795f2639 tls13: Improve comment about cast to uint32_t
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-07 09:57:07 +01:00
Ronald Cron
2e7dfd5181 tls13: Remove unnecessary cast from size_t to uint32_t
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-05 13:48:11 +01:00
Ronald Cron
19bfe0a631 tls13: Rename early_data_count to total_early_data_size
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:16 +01:00
Ronald Cron
70eab45ba6 tls13: generic: Fix log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:16 +01:00
Ronald Cron
8571804382 tls13: srv: Enforce maximum size of early data
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-01 09:29:09 +01:00
Ronald Cron
9b4e964c2c Merge pull request #8760 from ronald-cron-arm/tls13-write-early-data
TLS 1.3: Add mbedtls_ssl_write_early_data() API
2024-02-29 14:31:55 +00:00
Ronald Cron
5fbd27055d tls13: Use a flag not a counter for CCS and HRR handling
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-15 17:19:02 +01:00
Ronald Cron
e273f7203d tls13: client: Improve CCS handling
Call unconditionally the CCS writing function
when sending a CCS may be necessary in the
course of an handshake. Enforce in the writing
function and only in the writing function that
only one CCS is sent.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-14 10:24:00 +01:00
Manuel Pégourié-Gonnard
e6c80bc6e5 Merge pull request #8755 from ronald-cron-arm/tls13-client-early-data-status
TLS 1.3: Refine and test client early data status
2024-02-13 20:36:42 +00:00
Manuel Pégourié-Gonnard
1d7bc1ecdf Merge pull request #8717 from valeriosetti/issue8030
PSA FFDH: feature macros for parameters
2024-02-07 10:06:03 +00:00
Ronald Cron
fe59ff794d tls13: Send dummy CCS only once
Fix cases where the client was sending
two CCS, no harm but better to send only one.

Prevent to send even more CCS when early data
are involved without having to add conditional
state transitions.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-02-06 16:43:33 +01:00
Manuel Pégourié-Gonnard
32c28cebb4 Merge pull request #8715 from valeriosetti/issue7964
Remove all internal functions from public headers
2024-02-05 15:09:15 +00:00
Valerio Setti
b4f5076270 debug: move internal functions declarations to an internal header file
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-18 15:30:46 +01:00
Gilles Peskine
4d4891e18a Merge pull request #8666 from valeriosetti/issue8340
Export the mbedtls_md_psa_alg_from_type function
2024-01-18 13:58:55 +00:00
Valerio Setti
ecaf7c5690 ssl_tls: add guards for enabled DH key types
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-17 15:56:30 +01:00
Waleed Elmelegy
3ff472441a Fix warning in ssl_tls13_generic.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:28 +00:00
Waleed Elmelegy
e1ac98d888 remove mbedtls_ssl_is_record_size_limit_valid function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Waleed Elmelegy
148dfb6457 Change record size limit writing function
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-01-10 16:17:27 +00:00
Yanray Wang
faf70bdf9d ssl_tls13_generic: check value of RecordSizeLimit in helper function
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2024-01-10 16:17:27 +00:00
Tom Cosgrove
3a6059beca Merge pull request #7455 from KloolK/record-size-limit/comply-with-limit
Comply with the received Record Size Limit extension
2024-01-09 15:22:17 +00:00
Valerio Setti
384fbde49a library/tests: replace md_psa.h with psa_util.h as include file for MD conversion
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-02 13:27:32 +01:00
Waleed Elmelegy
049cd302ed Refactor record size limit extension handling
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2023-12-20 17:28:31 +00:00