Viktor Sokolovskiy
08a217c560
ssl: accept TLS 1.2 rsa_pss_rsae in client SKE
Fix a TLS 1.2 client regression that caused valid ServerKeyExchange signatures using rsa_pss_rsae_* to be rejected.
Allow rsa_pss_rsae_* in the TLS 1.2 client ServerKeyExchange parse path when the algorithm is supported and was offered by the client. Add OpenSSL and GnuTLS interoperability coverage for TLS 1.2 servers that force rsa_pss_rsae_sha256.
Fixes #10668.
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
2026-04-28 14:02:54 +08:00
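To make the check this commit describes concrete, here is an added, illustrative Python example. It is not Mbed TLS code and not the fix itself: it parses a TLS 1.2 ECDHE ServerKeyExchange body, extracts the signature algorithm, and applies the client-side policy the commit message describes (accept rsa_pss_rsae_* only when the build supports it and the client offered it). The SignatureScheme code points are those of RFC 8446; the function names, the policy helper and the sample message bytes are assumptions constructed for the example, and the signature itself is placeholder bytes that are never cryptographically verified.

```python
import struct

# SignatureScheme code points (RFC 8446, section 4.2.3). The TLS 1.2
# SignatureAndHashAlgorithm pair {hash, signature} occupies the same two
# bytes, so one table covers both readings. rsa_pss_rsae_* is explicitly
# permitted in TLS 1.2 ServerKeyExchange signatures.
RSA_PKCS1_SHA256 = 0x0401
RSA_PKCS1_SHA384 = 0x0501
ECDSA_SECP256R1_SHA256 = 0x0403
RSA_PSS_RSAE_SHA256 = 0x0804
RSA_PSS_RSAE_SHA384 = 0x0805
RSA_PSS_RSAE_SHA512 = 0x0806
RSA_PSS_PSS_SHA256 = 0x0809

RSA_PKCS1 = {RSA_PKCS1_SHA256, RSA_PKCS1_SHA384}
RSA_PSS_RSAE = {RSA_PSS_RSAE_SHA256, RSA_PSS_RSAE_SHA384, RSA_PSS_RSAE_SHA512}
ECDSA = {ECDSA_SECP256R1_SHA256}

NAMED_CURVE = 3          # ECCurveType.named_curve (RFC 8422)
SECP256R1 = 0x0017


def parse_ecdhe_ske(body):
    """Parse an ECDHE ServerKeyExchange body (RFC 8422 section 5.4).

    Layout: curve_type(1) named_curve(2) point<1..2^8-1>
            SignatureScheme(2) signature<0..2^16-1>
    Returns (named_curve, point, sigalg, signature, signed_params) where
    signed_params is the exact ServerECDHParams slice covered by the signature.
    """
    if len(body) < 4 or body[0] != NAMED_CURVE:
        raise ValueError("only named_curve ECDHE params are supported")
    curve = struct.unpack("!H", body[1:3])[0]
    plen = body[3]
    params_end = 4 + plen
    if plen == 0 or len(body) < params_end + 4:
        raise ValueError("truncated ServerECDHParams or signature header")
    point = body[4:params_end]
    sigalg, siglen = struct.unpack("!HH", body[params_end:params_end + 4])
    sig_start = params_end + 4
    signature = body[sig_start:sig_start + siglen]
    if len(signature) != siglen or len(body) != sig_start + siglen:
        raise ValueError("signature length does not match the message")
    return curve, point, sigalg, signature, body[:params_end]


def check_ske_sigalg(sigalg, offered, supported, cert_key_type):
    """Policy check a TLS 1.2 client applies before verifying the signature.

    offered: SignatureSchemes the client sent in signature_algorithms.
    supported: SignatureSchemes this build can actually verify.
    cert_key_type: 'rsa' (rsaEncryption SPKI) or 'ec'. (Assumed helper.)
    """
    if sigalg not in offered:
        return False, "server chose an algorithm the client did not offer"
    if sigalg not in supported:
        return False, "algorithm not supported by this build"
    if cert_key_type == "rsa" and sigalg not in (RSA_PKCS1 | RSA_PSS_RSAE):
        # rsa_pss_pss_* needs an id-RSASSA-PSS certificate key, not rsaEncryption.
        return False, "algorithm does not match the rsaEncryption certificate key"
    if cert_key_type == "ec" and sigalg not in ECDSA:
        return False, "algorithm does not match the EC certificate key"
    return True, "ok"


def ske_signed_input(client_random, server_random, signed_params):
    """Bytes the server signs in TLS 1.2 (RFC 5246 section 7.4.3 and
    RFC 8422 section 5.4): client_random || server_random || ServerECDHParams."""
    if len(client_random) != 32 or len(server_random) != 32:
        raise ValueError("randoms must be 32 bytes")
    return client_random + server_random + signed_params


# Constructed sample: a server forcing rsa_pss_rsae_sha256 with a 2048-bit
# RSA certificate. The EC point and signature are placeholder bytes, so the
# message parses and passes the policy check but carries no real signature.
SAMPLE_POINT = b"\x04" + bytes(64)
SAMPLE_SIG = bytes(256)
SAMPLE_SKE = (bytes([NAMED_CURVE]) + struct.pack("!H", SECP256R1)
              + bytes([len(SAMPLE_POINT)]) + SAMPLE_POINT
              + struct.pack("!HH", RSA_PSS_RSAE_SHA256, len(SAMPLE_SIG))
              + SAMPLE_SIG)

# What the client offered in signature_algorithms, and what this build supports.
CLIENT_OFFERED = [RSA_PSS_RSAE_SHA256, RSA_PKCS1_SHA256, ECDSA_SECP256R1_SHA256]
BUILD_SUPPORTED = set(CLIENT_OFFERED) | {RSA_PSS_RSAE_SHA384}


def evaluate_sample():
    """Run the parser and policy check over SAMPLE_SKE."""
    curve, point, sigalg, sig, signed_params = parse_ecdhe_ske(SAMPLE_SKE)
    ok, reason = check_ske_sigalg(sigalg, CLIENT_OFFERED, BUILD_SUPPORTED, "rsa")
    return {"curve": curve, "sigalg": sigalg, "sig_len": len(sig),
            "signed_params_len": len(signed_params), "ok": ok, "reason": reason}


if __name__ == "__main__":
    print(evaluate_sample())
```

The regression the commit fixes corresponds to a client whose policy table lacked the rsa_pss_rsae_* rows for an rsaEncryption certificate: the message parses, the algorithm was offered and supported, yet the check fails. In this example, dropping RSA_PSS_RSAE from the `cert_key_type == "rsa"` branch reproduces that rejection. Real code would also verify the signature over `ske_signed_input(...)` with the server certificate's public key.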
Minos Galanakis
308e7fb232
Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-4.1.0.rc3
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:18:31 +00:00
Ronald Cron
7a8fbc2100
Remove debug leftover
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
1141cd0fb6
Improve comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
fbe388dc28
ssl-opt.sh: Fix log checks in some "DTLS reassembly" tests
In DTLS reassembly tests, the server may receive a close_notify alert at the
end of a test. In this case, the Mbed TLS server logs an error, so these tests
should not check for the absence of the string "error" in the server logs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
f285018fa3
Disable "DTLS proxy: 3d, (openssl|gnutls) client, fragmentation" tests
The tests fail intermittently on the CI with a frequency that
significantly impacts CI throughput.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:22 +01:00
Ronald Cron
16c5dd99b3
Introduce ssl_buffering_shift_slots
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
cb0b594a9d
Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-17 10:36:38 +00:00
David Horstmann
c6e1d67b1b
ssl-opt.sh: Check for cert verify skipped
Check that the message "! Certificate verification was skipped" is
present in the output when auth_mode=none. This indicates that the
certificate verify flag MBEDTLS_X509_BADCERT_SKIP_VERIFY was
correctly set.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2026-03-11 10:36:11 +00:00
Ronald Cron
814f5da61a
ssl-opt.sh: Use more diverse MTUs
Do not use only power of 2 MTUs.
Use diverse MTUs in DTLS reassembly/fragmenting/proxy tests.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
3ddc63d74e
ssl-opt.sh: DTLS reassembly: Improve max_content_len requirements
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
e436f74576
ssl-opt.sh: Fix/improve comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
6e270c0465
ssl-opt.sh: Add tests with CH fragmented with DTLS in default config
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
c1cbfdd072
ssl-opt.sh: Add interop test of DTLS defragmentation on server side
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
fa5e75d6f6
ssl-opt.sh: Relax deps of handshake defrag tests
Relax the dependencies of the tests about handshake
message defragmentation/reassembly on server side.
TLS 1.3 does not need to be enabled anymore for this
to work for TLS 1.2 handshake messages.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-23 12:12:36 +01:00
Ronald Cron
73be048c8a
ssl-opt.sh: Revert leftover debug level increase
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
4f0741498c
ssl_msg.c: Improve handshake message fragmenting message
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
b952ba09d6
ssl-opt.sh: Improve DTLS proxy 3d tests
Improve DTLS proxy 3d tests with OpenSSL and
GnuTLS servers. Have a better control of which
message is fragmented and verify it is the
case.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
addf640a3b
ssl-opt.sh: Improve DTLS reassembly tests
Improve DTLS reassembly tests with OpenSSL
and GnuTLS server. Check that some messages
have been reassembled.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
cad9c8ae71
ssl-opt.sh: Remove DTLS reassembly redundant test
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
8f0240c350
ssl-opt.sh: Remove CH reassembly unsupported test
We are about to have full support for TLS 1.2
CH reassembly on server side. The equivalent
positive test would be a duplicate of one of
the tests generated by generate_tls_handshake_tests.py.
Thus just removing the negative test.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ronald Cron
7fe38dd934
ssl_msg.c: Improve HS message reassembly completed message
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-02-18 14:21:48 +01:00
Ben Taylor
f77d749127
Further updates to ssl-opt tests as wrapped keys now expose the underlying type
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2026-01-12 08:19:07 +00:00
Ben Taylor
98e958c91e
Update ssl-opt tests as wrapped keys now expose the underlying type
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2026-01-12 08:19:07 +00:00
Ben Taylor
81deeb8a5a
Update ssl-opt to remove Opaque key types
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2026-01-12 08:19:07 +00:00
Ben Taylor
485d4c1343
reverting last commit as the tests cause failures
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
26cdf6ee2b
Re-adding tests for ECDH
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
df3e595536
Re-instate test for correctness of sent single supported algorithm
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
8371674048
re-add TLS_VERSION derivation
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
7b14d8228e
Reverting TLS_VERSION derivation improvement, as it appears to be causing issues
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
6f0eb79111
Use get_tls_version to determine TLS_VERSION instead of statically assigning it
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
b191c02f6b
Correct style issues
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
e16798ec67
Re-add reference to PSA_WANT_ALG_ECDH as this will be maintained
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
0fe02bb1bf
Removed TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT as it is no longer used
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
a1914ef453
further removals of ssh tests from ssl-opt
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
5802394451
Remove further ECDH tests from ssl-opt.sh
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
0a7c5588db
Remove further ECDH tests
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
dbf3977107
Remove tests from ssl-opt.sh that are dependent on the removed ECDH algorithms
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
39280a4110
Remove ECDH from ssl-opt
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ben Taylor
15f1d7f812
Remove support for static ECDH cipher suites
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-09-11 13:22:40 +01:00
Ronald Cron
5df9d9d53e
ssl-opt.sh: Fix dependency on ECDSA
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-09-08 15:40:12 +02:00
Ronald Cron
8fc000ec2c
ssl-opt.sh: Fix MBEDTLS_ENTROPY_C dependency adjustment
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2025-08-25 15:19:59 +02:00
Minos Galanakis
a1e867981b
ssl-opt.sh: Adjust dependency to MBEDTLS_PSA_CRYPTO_C
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-08-21 15:57:00 +01:00
Valerio Setti
d0d0791aed
remove usage of secp192[k|r]1 curves
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-08-06 09:15:35 +02:00
Valerio Setti
70a4a31cb5
remove secp224[k|r]1 curves
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-08-06 09:15:35 +02:00
Ben Taylor
c454b5b658
Fix rebase failure
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-30 07:55:14 +01:00
Ben Taylor
8519c3e0ba
corrected copy paste error for MBEDTLS_USE_PSA_CRYPTO enabled/disabled
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-30 07:55:14 +01:00
Ben Taylor
6164e92d3b
Restore comment in ssl-opt.sh as it is still relevant
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-30 07:55:14 +01:00
Ben Taylor
07687266b9
restoring test comment that refers to USE_PSA
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-30 07:55:14 +01:00
Ben Taylor
39a68bf347
removed additional references to USE_PSA in tests and comments
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
2025-07-30 07:55:14 +01:00