06505cc5be
feat(drivers): Introduce MD5 operation context
2026-05-23 00:43:49 +05:30
6cc42afad3
feat(drivers): Support persistent ESP-RSA DS driver
2026-05-07 16:34:20 +05:30
8bfdb42530
Pacify uncrustify
...
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com >
2026-04-28 14:03:02 +08:00
08a217c560
ssl: accept TLS 1.2 rsa_pss_rsae in client SKE
...
Fix a TLS 1.2 client regression that caused valid ServerKeyExchange signatures using rsa_pss_rsae_* to be rejected.
Allow rsa_pss_rsae_* in the TLS 1.2 client ServerKeyExchange parse path when the algorithm is supported and was offered by the client. Add OpenSSL and GnuTLS interoperability coverage for TLS 1.2 servers that force rsa_pss_rsae_sha256.
Fixes #10668 .
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com >
2026-04-28 14:02:54 +08:00
5ec9b573a3
fix(mbedtls): skip memset operation with dynamic buffer
2026-04-27 17:01:18 +08:00
73bf56ebdf
fix(drivers): Support internal driver key source-specific storage layout
2026-04-27 13:09:15 +08:00
2a177ebfc6
feat(mbedtls): adds sbom.yml file for tf-psa-crypto
2026-04-20 17:01:46 +08:00
53bb66126f
feat(psa): Add generic secure element PSA driver dispatch
...
Add dispatch wrappers for secure element opaque sign, transparent verify,
import key, and export public key operations.
2026-04-20 16:57:27 +08:00
3428fc6165
feat(mbedtls): Add ATECC ECDSA PSA driver
2026-04-20 16:57:11 +08:00
fb5e4658a3
change(mbedtls): adds CVE-2025-66442 to exclude list.
...
The CVE is applicable with Clang using LLVM's select-optimize feature. ESP-IDF uses GCC as default compiler and sets -Os as the default optimisation flag
2026-04-20 16:57:00 +08:00
9345b5878c
fix(mbedtls): remove -Wdocumentation from build
2026-04-13 10:18:45 +08:00
74126a083e
fix(mbedtls): remove -Wdocumentation from build
2026-04-08 10:27:04 +08:00
cd0a45dc68
feat(mbedtls): adds mbedtls pre built files
2026-04-07 13:11:07 +08:00
1d43b9cd99
fix: update min cmake version to 3.10.2
2026-04-02 15:15:07 +08:00
bcaa74bae6
feat(mbedtls): minimal CMake changes for build setup
2026-04-02 15:14:57 +08:00
67a6a4091d
feat(mbedtls): update to tf-psa-crypto 1.1
2026-04-02 14:42:07 +08:00
521d2eb1fe
Merge pull request #10669 from gilles-peskine-arm/security-md-mention-compiler-4.1
...
Backport 4.1: Mention compiler optimization in the threat model
2026-04-01 15:46:13 +00:00
b43bdd7365
Be more specific about what compiler options we consider legitimate
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2026-04-01 11:08:23 +02:00
77a32fab9b
Mention the new advice about compiler options in the changelog
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2026-04-01 11:08:23 +02:00
582d23e04c
Add a section about compiler-introduced timing side channels
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2026-04-01 11:08:23 +02:00
0fe989b6b5
Update BRANCHES.md
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:34:42 +00:00
641fa2695c
Assemble ChangeLog
...
./framework/scripts/assemble_changelog.py
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:34:42 +00:00
e89565f92a
Bump version
...
./scripts/bump_version.sh --version 4.1.0 \
--so-crypto 18 --so-tls 23 --so-x509 9
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:34:28 +00:00
83d1ebc114
Updated tf psa-crypto submodule
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:20:06 +00:00
43b89543ec
Updated framework submodule
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:20:01 +00:00
308e7fb232
Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-4.1.0.rc3
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 22:18:31 +00:00
fc317141fe
Merge pull request #1534 from Mbed-TLS/release/changelog_fixes_4.1.0
...
[Release] Added attributions & CVE to ChangeLogs
2026-03-26 17:38:50 +00:00
feb0dd04ba
Extended attributions & CVE
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 15:03:07 +00:00
f3f27070a6
Added attributions & CVE
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-26 11:22:00 +00:00
5baf6883c6
Merge pull request #1529 from ronald-cron-arm/dtls
...
Fixes relative to DTLS invalid/unexpected first record
2026-03-25 22:31:24 +00:00
1330606ca1
dtls: Fix adaptation to first ClientHello
...
For each received ClientHello fragment, check
that its epoch is zero and update the
record-level sequence number.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:24 +01:00
7a8fbc2100
Remove debug leftover
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:24 +01:00
1141cd0fb6
Improve comments
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:24 +01:00
f2f44a9c9f
Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:24 +01:00
fbe388dc28
ssl-opt.sh: Fix log checks in some "DTLS reassembly" tests
...
In DTLS reassembly tests, the server may receive a close_notify alert at the
end of a test. In this case, the Mbed TLS server logs an error, so these tests
should not check for the absence of the string "error" in the server logs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:24 +01:00
f285018fa3
Disable "DTLS proxy: 3d, (openssl|gnutls) client, fragmentation" tests
...
The tests fail intermittently on the CI with a frequency that
significantly impacts CI throughput.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:45:22 +01:00
c9264ad227
dtls: Fix log level
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
140ebea442
dtls: parse_client_hello: Adapt mbedtls_ssl_read_record() error code
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
f9b7441542
dtls: Keep invalid/unexpected record header error code
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
0c301a686a
dtls: Improve comment
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
912ef74195
Update buffering when adapting to ClientHello message_seq
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
16c5dd99b3
Introduce ssl_buffering_shift_slots
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
676d74e4c7
dtls: Error out on invalid/unexpected record header
...
Error out on invalid/unexpected record header
when reading the DTLS 1.2 ClientHello.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
315c970fbe
dtls: Fix debug log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2026-03-25 08:44:16 +01:00
ade56554a6
Revert "ssl_server2.c: DTLS: Attempt to read the response to the close notification"
...
This reverts commit 2e9b9681e6ronald.cron@arm.com >
2026-03-24 18:38:37 +01:00
497abfa776
Merge pull request #10644 from minosgalanakis/mbedtls-release-sync
...
MbedTLS 4.1.0 release-sync
2026-03-17 19:16:45 +00:00
831ea1e621
Updated tf-psa-crypto pointer
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com >
2026-03-17 16:47:55 +00:00
9f19fe1874
Merge pull request #1466 from yanesca/1445_fix_signature_algorithm_injection
...
Fix signature algorithm injection
2026-03-17 17:10:00 +01:00
a08cff3d40
Merge pull request #1483 from ronald-cron-arm/context_load_and_session_load_documentation
...
Tighten context/session load and save APIs documentation
2026-03-17 14:11:39 +01:00
cb0b594a9d
Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure
...
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-17 10:36:38 +00:00
harshal.patil