Don't ship two slightly different wheels.
This reduces our platform adherence by using only `clock_gettime()` in the
library and not `gettimeofday()` as well.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Nowadays, the timing module just builds on a function that provides a timer
with millisecond resolution. In terms of platform requirements, this is
almost exactly equivalent to `mbedtls_ms_time()`
provides (`mbedtls_ms_time()` is arguably a little stronger because it is
supposed to last longer than a single timer object, but an application could
start a timer when it starts, so there's no real difference.) So it's a bit
silly that `timing.c` essentially reimplements this. Rely on
`mbedtls_ms_time()` instead.
This is an API break because in Mbed TLS 4.0, it was possible to enable
`MBEDTLS_TIMING_C` without `MBEDTLS_HAVE_TIME`. However, `timing.c` only
provided an implementation for Windows and Unix-like platforms, and on those
platforms, it is very likely that the default implementation of
`MBEDTLS_HAVE_TIME` would also work. (The main exception would be a platform
that has the traditional Unix function `gettimeofday()`, but not the 1990s
novelty `clock_gettime()`.) So make this an official requirement, as a
belated change that really should have gone into 4.0 if we'd taken the time
to dig into it.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add new field that tells if the corresponding group is supported or not
in the current build.
Test function "test_mbedtls_ssl_get_supported_group_list" is extended
to verify this new feature.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is only done when MBEDTLS_DEBUG_C is declared in order not to inflate
the library size.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
- let the macro be an initializer for the array of known TLS IDs, not
a variable declarator;
- last item's group name is NULL, not an empty string
- change then name of the macro from MBEDTLS_TLS_ID_GROUP_NAME_TABLE to
MBEDTLS_SSL_IANA_TLS_GROUPS_INFO
- define a new public structure "mbedtls_ssl_iana_tls_group_info_t" to
hold each element of the table and that can be used the go over the
list from user code.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Being a macro allow the table to be instatiated only when/if necessary
by the consuming code.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Keep MBEDTLS_PK_WRITE_C as guard only for "debug_print_pk" but let
"mbedtls_debug_print_crt" to work also when MBEDTLS_PK_WRITE_C is disabled.
In this case the only public key won't be printed, but the rest of the
certificate will be.
This commit also updates test coverage by duplicating test cases: now there
will be one case for when MBEDTLS_PK_WRITE_C is enabled and another one
for !MBEDTLS_PK_WRITE_C.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Guards for "mbedtls_debug_print_crt()" were updated in previous commit,
but those changes were not applied to MBEDTLS_SSL_DEBUG_CRT therefore
causing build failures in the CI. This commit fixes the problem.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Even though the TLS RFCs do not mandate libraries to expose *Error
Alerts* (as defined in RFC8446 6.2 for TLS 1.3 and in RFC5246 7.2.2 for
TLS 1.2) to the user, there are use cases when it is handy to get the
actual last received fatal error instead of a generic one. For instance
this enables the user to differ between received fatal errors in case
`mbedtls_ssl_handshake()`, `mbedtls_ssl_handshake_step()` or
`mbedtls_ssl_read()` returned `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE`.
This changesets stores the last incoming fatal alert in
`mbedtls_ssl_context` and provides `mbedtls_ssl_get_alert()` as a getter
for retrieving it. Another option would be to provide a callback
mechanisms for all kinds of alerts (not only fatals) but for simplicity
I discarded this option.
Signed-off-by: Nico Geyso <ng@gsmk.de>
Besides using an internal crypto header, error.h is arguably the wrong
place: this file's docstring says it's about "Error to string
translation", quite unrelated to the things we use from error_common.h.
This is not surprising given the history, but no longer makes sense
today.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Checking through the history in https://github.com/Mbed-TLS/mbedtls/pull/4589,
this seems to have been what we intended from the start. But we couldn't do
it yet because the library version was still 2.x while the config version
was already 3.0, so we temporarily commented out the definition in
1cafe5ce20. But then we forgot to uncomment
it during the release since it wasn't part of any process.
Thinking about it independently of the history, I think it makes more sense
to have it uncommented by default. That way, if someone copies the config
from a given version and then keeps it around, they'll get the compatibility
mode for that version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Since we're making incompatible changes to the configuration, we really
should advance the configuration version.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The support for TLS ciphersuites without
encryption does not rely anymore on the
MBEDTLS_CIPHER_NULL_CIPHER feature of
the cipher module. Introduce a specific
config option to enable these ciphersuites
and use it instead of MBEDTLS_CIPHER_NULL_CIPHER.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
