Mbed-TLS/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-06-05 21:15:16 +00:00
Code Issues Packages Projects Releases Wiki Activity
34,496 Commits 180 Branches 280 Tags
development
Commit Graph

367 Commits

Author SHA1 Message Date
Valerio Setti 81a5a0914c library: ssl: replace mbedtls_pk_can_do() with mbedtls_pk_can_do_psa() 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-12-04 16:28:44 +01:00
Manuel Pégourié-Gonnard 3e6455d50e Remove useless includes of psa_util_internal 
Those in SSL modules were redundant because it's already included from
ssl_misc.h.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-12-02 12:00:34 +01:00
Ben Taylor 42074c193f Rename mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg to mbedtls_ssl_get_pk_sigalg_and_md_alg_from_sig_alg 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-10-31 08:40:36 +00:00
Ben Taylor 5f037c7fb3 Rename mbedtls_ssl_pk_alg_from_sig to mbedtls_ssl_pk_alg_from_sig_pk_alg and update to use mbedtls_pk_sigalg_t 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-10-30 14:59:24 +00:00
Ben Taylor 0ff335d715 Remove uses of mbedtls_pk_verify_new 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-10-13 15:17:44 +01:00
Ben Taylor 8b3b7e5cac Update further type mismatches 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-08-07 08:25:52 +01:00
Ben Taylor 6816fd781e Adjust for change in mbedtls_pk_verify_new function prototype 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-08-07 08:25:52 +01:00
Ben Taylor 1c118a564d reverted enum in pk_verify_new 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-08-07 08:25:52 +01:00
Ben Taylor adf5d537b2 Fix code style 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-08-07 08:25:52 +01:00
Ben Taylor d95ea27e8c Create new enum mbedtls_pk_sigalg_t 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-08-07 08:25:52 +01:00
Ben Taylor 73b3987291 Correct rebase and add in additional type cast 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-29 07:54:44 +01:00
Ben Taylor d3ae1701f3 Remove pragmas and use alias 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-29 07:54:44 +01:00
Ben Taylor 1c1535f153 Make pragmas more specific 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-29 07:54:43 +01:00
Ben Taylor 04b03d7712 Replace Werror removal with pragma 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-29 07:54:43 +01:00
Ben Taylor 0de87611bb Remove additional calls to mbedtls_pk_verify_ext 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-21 07:53:15 +01:00
Ben Taylor 306ffd3a36 Switch to mbedtls_pk_verify_new 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-07-21 07:53:15 +01:00
Gilles Peskine 4c83221320 Replace MBEDTLS_ERR_OID_NOT_FOUND with MBEDTLS_ERR_X509_UNKNOWN_OID 
Replace the non-X.509-named error code `MBEDTLS_ERR_OID_NOT_FOUND` with
`MBEDTLS_ERR_X509_UNKNOWN_OID`, which already exists and is currently not
used for anything.

Public functions in X.509 propagate this error code, so it needs to have a
public name.

Remove the definition of `MBEDTLS_ERR_OID_NOT_FOUND` in `x509_oid.h`, then

```
git grep -l MBEDTLS_ERR_OID_NOT_FOUND | xargs perl -i -pe 's/\bMBEDTLS_ERR_OID_NOT_FOUND\b/MBEDTLS_ERR_X509_UNKNOWN_OID/g'
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-06-03 15:51:34 +02:00
Valerio Setti 7f6f4e6907 library: pass NULL options parameter to mbedtls_pk_verify_ext() 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-05-07 09:06:52 +02:00
Ben Taylor 440cb2aac2 Remove RNG from x509 and PK 
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-03-26 08:17:38 +00:00
Gilles Peskine a7e14dc9eb Don't expect added error codes 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-24 14:13:50 +00:00
Harry Ramsey 0f6bc41a22 Update includes for each library file 
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2024-10-09 11:18:50 +01:00
Manuel Pégourié-Gonnard 19dd9f59bc Merge 1.2 and 1.3 certificate verification 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 843a00dec6 Add support for context f_vrfy callback in 1.3 
This was only supported in 1.2 for no good reason.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard fd800c2416 Improve a variable's name 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 5bdadbb1eb Restrict the scope of a few variables 
In particular, make sure pointer variables are initialized right after
being declared.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Ronald Cron bfbecf8b34 tls13: Add support for trusted certificate callback 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 6901504ddb Allow no authentication of the server in 1.3 
See notes about optional two commits ago for why we're doing this.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 58ab9ba0bd Allow optional authentication of the server in 1.3 
This is for compatibility, for people transitioning from 1.2 to 1.3.
See https://github.com/Mbed-TLS/mbedtls/issues/9223 "Mandatory server
authentication" and reports linked from there.

In the future we're likely to make server authentication mandatory in
both 1.2 and 1.3. See https://github.com/Mbed-TLS/mbedtls/issues/7080

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard aefc5938b0 Add comments about 1.3 server sending no cert 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 5f9428ac8a Rm translation code for unused flag 
We don't check the non-standard nsCertType extension, so this flag can't
be set, so checking if it's set is useless.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 7a4aa4d133 Make mbedtls_ssl_check_cert_usage() work for 1.3 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-09-02 12:46:03 +02:00
Manuel Pégourié-Gonnard 4956e32538 Fix 1.3 failure to update flags for (ext)KeyUsage 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2024-08-16 17:23:47 +01:00
Gilles Peskine 69770aaa7b Use unsigned long rather than size_t for format string readability 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-06-05 20:54:42 +02:00
Gilles Peskine a9d4ef0998 Fix uint32_t printed as unsigned int 
This is ok in practice since we don't support 16-bit platforms, but it makes
`arm-none-eabi-gcc-10 -mthumb -Wformat` complain.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2024-06-03 22:16:23 +02:00
Tom Cosgrove a2c45dc713 Fix compilation of ssl_tls13_generic.c when memcpy() is a function-like macro 
Fixes #8994

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2024-04-02 14:51:47 +01:00
Ronald Cron 93795f2639 tls13: Improve comment about cast to uint32_t 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-07 09:57:07 +01:00
Ronald Cron 2e7dfd5181 tls13: Remove unnecessary cast from size_t to uint32_t 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-05 13:48:11 +01:00
Ronald Cron 19bfe0a631 tls13: Rename early_data_count to total_early_data_size 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-01 09:29:16 +01:00
Ronald Cron 70eab45ba6 tls13: generic: Fix log 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-01 09:29:16 +01:00
Ronald Cron 8571804382 tls13: srv: Enforce maximum size of early data 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-03-01 09:29:09 +01:00
Ronald Cron 9b4e964c2c Merge pull request #8760 from ronald-cron-arm/tls13-write-early-data 
TLS 1.3: Add mbedtls_ssl_write_early_data() API
 2024-02-29 14:31:55 +00:00
Ronald Cron 5fbd27055d tls13: Use a flag not a counter for CCS and HRR handling 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-15 17:19:02 +01:00
Ronald Cron e273f7203d tls13: client: Improve CCS handling 
Call unconditionally the CCS writing function
when sending a CCS may be necessary in the
course of an handshake. Enforce in the writing
function and only in the writing function that
only one CCS is sent.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-14 10:24:00 +01:00
Manuel Pégourié-Gonnard e6c80bc6e5 Merge pull request #8755 from ronald-cron-arm/tls13-client-early-data-status 
TLS 1.3: Refine and test client early data status
 2024-02-13 20:36:42 +00:00
Manuel Pégourié-Gonnard 1d7bc1ecdf Merge pull request #8717 from valeriosetti/issue8030 
PSA FFDH: feature macros for parameters
 2024-02-07 10:06:03 +00:00
Ronald Cron fe59ff794d tls13: Send dummy CCS only once 
Fix cases where the client was sending
two CCS, no harm but better to send only one.

Prevent to send even more CCS when early data
are involved without having to add conditional
state transitions.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2024-02-06 16:43:33 +01:00
Manuel Pégourié-Gonnard 32c28cebb4 Merge pull request #8715 from valeriosetti/issue7964 
Remove all internal functions from public headers
 2024-02-05 15:09:15 +00:00
Valerio Setti b4f5076270 debug: move internal functions declarations to an internal header file 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-01-18 15:30:46 +01:00
Gilles Peskine 4d4891e18a Merge pull request #8666 from valeriosetti/issue8340 
Export the mbedtls_md_psa_alg_from_type function
 2024-01-18 13:58:55 +00:00
Valerio Setti ecaf7c5690 ssl_tls: add guards for enabled DH key types 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2024-01-17 15:56:30 +01:00