1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-10-24 13:32:59 +03:00
Commit Graph

214 Commits

Author SHA1 Message Date
Anton Matkin
bc48725b64 Include fixups (headers moves to private directory)
Signed-off-by: Anton Matkin <anton.matkin@arm.com>
2025-08-29 07:05:37 +02:00
Valerio Setti
ae89dcc4be library: tls12: remove usage of MBEDTLS_PK_USE_PSA_EC_DATA
PK module will now always use PSA storing pattern when working with
EC keys therefore MBEDTLS_PK_USE_PSA_EC_DATA is assumed to be always
enabled.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-06-12 06:21:30 +02:00
Gilles Peskine
f670ba5e52 Always call mbedtls_ssl_handshake_set_state
Call a single function for all handshake state changes, for easier tracing.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-04-09 12:52:22 +02:00
Ben Taylor
1cd1e01897 Correct code style
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 13:34:03 +00:00
Ben Taylor
fd52984896 resolved ci failures
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 13:32:10 +00:00
Ben Taylor
602b2968ca pre-test version of the mbedtls_ssl_conf_rng removal
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 13:32:10 +00:00
Ben Taylor
440cb2aac2 Remove RNG from x509 and PK
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-03-26 08:17:38 +00:00
Gabor Mezei
58535da8d0 Only check for certificates if it is supported
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:07 +01:00
Gabor Mezei
e99e591179 Remove key exchange based on encryption/decryption
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:07 +01:00
Gabor Mezei
e1e27300a2 Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED config option
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-20 17:53:01 +01:00
Manuel Pégourié-Gonnard
28f8e205eb Merge pull request #9872 from rojer/tls_hs_defrag_in
Defragment incoming TLS handshake messages
2025-02-24 09:28:11 +01:00
Valerio Setti
b8621b6f9d ssl_ciphersuites: remove references to DHE-RSA key exchanges
In this commit also MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED is removed.
This cause some code in "ssl_ciphersuites_internal.h" and
"ssl_tls12_server.c" to became useless, so these blocks are removed
as well.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-06 10:05:58 +01:00
Valerio Setti
89743b5db5 ssl_tls: remove code related to DHE-RSA
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-06 10:05:58 +01:00
Waleed Elmelegy
cf4e6a18e6 Remove unused variable in ssl_server.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-02-05 13:10:01 +02:00
Deomid rojer Ryabkov
afa11db620 Remove obselete checks due to the introduction of handhsake defragmen...
tation. h/t @waleed-elmelegy-arm

909e71672f

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-02-01 15:42:43 +02:00
Manuel Pégourié-Gonnard
df5e1b6864 Rm dead !USE_PSA code: ssl_tls12_server.c (part 2)
Manual.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:17:54 +01:00
Manuel Pégourié-Gonnard
58916768b7 Rm dead !USE_PSA code: ssl_tls12_server.c (part 1)
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO library/ssl_tls12_server.c
framework/scripts/code_style.py --fix library/ssl_tls12_server.c

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-28 16:17:26 +01:00
Ronald Cron
189dcf630f Merge pull request #9910 from valeriosetti/issue9684
Remove DHE-PSK key exchange
2025-01-27 11:15:10 +00:00
Valerio Setti
48659a1f9c ssl_tls: remove usage of DHE-PSK
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-01-24 11:49:59 +01:00
Manuel Pégourié-Gonnard
6402c35eca Remove internal helper mbedtls_ssl_get_groups()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2025-01-14 12:23:56 +01:00
Gilles Peskine
712e9a1c3e Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK
Remove mentions of MBEDTLS_KEY_EXCHANGE_RSA_PSK that were not guarded by the
configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED. This finishes the
removal of library code that supports the RSA-PSK key exchange in TLS 1.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-05 15:49:12 +01:00
Gilles Peskine
ac767e5c69 Remove MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED
Remove the configuration option MBEDTLS_KEY_EXCHANGE_RSA_PSK_ENABLED and all
code guarded by it. This remove support for the RSA-PSK key exchange in TLS
1.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-11-05 15:49:01 +01:00
Harry Ramsey
0f6bc41a22 Update includes for each library file
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2024-10-09 11:18:50 +01:00
Manuel Pégourié-Gonnard
7a4aa4d133 Make mbedtls_ssl_check_cert_usage() work for 1.3
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard
94f70228e9 Clean up mbedtls_ssl_check_cert_usage()
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-09-02 12:46:03 +02:00
Michael Schuster
7e39028628 Fix build of v3.6 with unset MBEDTLS_DHM_C but MBEDTLS_USE_PSA_CRYPTO set (fixes #9188)
Avoid compiler warning about size comparison (like in commit 7910cdd):

Clang builds fail, warning about comparing uint8_t to a size that may be >255.

Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:27:44 +01:00
Gilles Peskine
8c60b16188 Merge pull request #8643 from gilles-peskine-arm/tls12_server-pk_opaque-dead_code
Guard configuration-specific code in ssl_tls12_server.c
2024-05-30 17:24:33 +00:00
Ronald Cron
139a4185b1 Merge pull request #8587 from yanrayw/issue/4911/ssl_setup-check-RNG-configuration
TLS: check RNG when calling mbedtls_ssl_setup()
2024-03-08 07:38:39 +00:00
Gilles Peskine
84b9f1b039 mbedtls_ecp_write_key_ext(): migrate internally
Stop using mbedtls_ecp_write_key() except to test it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-02-28 13:19:42 +01:00
Manuel Pégourié-Gonnard
0ecb5fd6f5 Merge pull request #8574 from ronald-cron-arm/ssl-tickets
Fix and align ticket age check in ssl_ticket.c for TLS 1.2 and TLS 1.3
2024-02-21 09:38:46 +00:00
Valerio Setti
b4f5076270 debug: move internal functions declarations to an internal header file
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-01-18 15:30:46 +01:00
Ronald Cron
3c0072b58e ssl_ticket.c: Base ticket age check on the ticket creation time
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-01-15 10:29:51 +01:00
Ronald Cron
17ef8dfddb ssl_session: Define unconditionally the endpoint field
The endpoint field is needed to serialize/deserialize
a session in TLS 1.2 the same way it is needed in the
TLS 1.3 case: client specific fields that should not
be in the serialized version on server side if both
TLS client and server are enabled in the TLS library.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-01-15 08:58:19 +01:00
Gilles Peskine
4bf4473ef0 Merge pull request #8633 from Wenxing-hou/clear_clienthello_comment
Make clienthello comment clear
2023-12-21 12:09:23 +00:00
Manuel Pégourié-Gonnard
a4b38f24fd Merge pull request #8579 from valeriosetti/issue7995
PK: clean up pkwrite
2023-12-20 08:20:10 +00:00
Gilles Peskine
c6d2df8a67 Guard configuration-specific code
A large block of code is only reachable if MBEDTLS_PK_USE_PSA_EC_DATA is
enabled, i.e. if MBEDTLS_USE_PSA_CRYPTO is enabled with driver-only ECC.
Compilers are likely to figure it out, but still, for clarity and
robustness, do guard that block of code with the appropriate conditional
compilation guard.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-12-18 20:38:38 +01:00
Wenxing Hou
3b9de38208 Make clienthello comment clear
Signed-off-by: Wenxing Hou <wenxing.hou@intel.com>
2023-12-14 22:44:08 +08:00
Valerio Setti
202bb71dcd ssl_tls12_server: do not export/import opaque keys
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-06 17:05:24 +01:00
Valerio Setti
bced8bc8d7 ssl_tls12_server: export/import PK parsed key in TLS side
Instead of setting both algorithm and enrollement algorithm in the
PK module when parsing the key:

- for Weierstrass keys we only set ECDSA algorithm,
- for Montgomery keys we don't set any algorithm.

Reasons:
- PK module can only do ECDSA and not ECDH
- ECDH is only used in TLS
- Montgomery keys cannot be used to do ECDSA, while Weierstrass ones
  can do both ECDSA and ECDH.

So the idea is that once TLS needs the key to do ECDH (either Weierstrass
and Montgomery), it exports the one parsed from the PK module and then
re-imports it setting proper algorithm and flags. In this way the TLS
module will own the new key so it will be its duty to clear it on
exit.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-12-06 10:40:47 +01:00
Yanray Wang
197199f154 tls12 & tls13 server: remove RNG check in write_server_hello
RNG check is added in ssl_conf_check when calling mbedtls_ssl_setup,
so there is no need to check it again.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-12-04 11:03:14 +08:00
Valerio Setti
f9362b7324 pk_internal: small renaming for mbedtls_pk_get_group_id()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-11-29 08:42:27 +01:00
Dave Rodgman
c37ad4432b misc type fixes in ssl
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
a3d0f61aec Use MBEDTLS_GET_UINTxx_BE macro
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
e4a6f5a7ec Use size_t cast for pointer subtractions
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-21 17:09:46 +00:00
Dave Rodgman
16799db69a update headers
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2023-11-02 19:47:20 +00:00
Gilles Peskine
f6f4695824 Merge pull request #8320 from valeriosetti/issue8263
Fix dependencies of mbedtls_pk_ec_ro and mbedtls_pk_ec_rw
2023-10-18 10:03:46 +00:00
Valerio Setti
74cb404b0d ssl: improve ssl_check_key_curve()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-16 13:40:50 +02:00
Valerio Setti
4d0e84628c ssl: reorganize guards surrounding ssl_get_ecdh_params_from_cert()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-11 13:15:29 +02:00
Valerio Setti
e7cefae5f4 ssl: fix getting group id in ssl_check_key_curve()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-10-06 13:19:48 +02:00
Gilles Peskine
3713bee34c Remove leftover local debug line
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-10-02 18:43:18 +02:00