Commit Graph

34432 Commits

Author SHA1 Message Date
Gilles Peskine
16541a9a42 Create a directory for maintainer-only Python scripts
This directory is currently excluded from `check-python-files.sh`, because
we run it on the CI in an old Python version that doesn't support some of
our new maintainer scripts.

There are no such scripts in mbedtls for now (only in TF-PSA-Crypto), but be
ready if we want to add some.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-09 19:39:20 +02:00
minosgalanakis
421f5d27fe Merge pull request #1548 from minosgalanakis/public-mbedtls-4.1
Merge public changes into internal LTS 4.1 branch
2026-04-02 22:40:53 +01:00
David Horstmann
521d2eb1fe Merge pull request #10669 from gilles-peskine-arm/security-md-mention-compiler-4.1
Backport 4.1: Mention compiler optimization in the threat model
2026-04-01 15:46:13 +00:00
Gilles Peskine
b43bdd7365 Be more specific about what compiler options we consider legitimate
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Gilles Peskine
77a32fab9b Mention the new advice about compiler options in the changelog
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Gilles Peskine
582d23e04c Add a section about compiler-introduced timing side channels
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Minos Galanakis
0cfd96499d Updated tf-psa-crypto submodule
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-31 15:36:07 +01:00
Minos Galanakis
6804c92d7d Merge tag 'mbedtls-4.1.0' into mbedtls-4.1.0_mergeback
Mbed TLS 4.1.0

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-31 15:35:49 +01:00
Valerio Setti
32a3d5209c Merge pull request #10626 from gilles-peskine-arm/check_committed_generated_files-create
Add check_committed_generated_files.py
2026-03-30 10:50:04 +00:00
Minos Galanakis
0fe989b6b5 Update BRANCHES.md
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
mbedtls-4.1.0 v4.1.0
2026-03-26 22:34:42 +00:00
Minos Galanakis
641fa2695c Assemble ChangeLog
./framework/scripts/assemble_changelog.py

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:34:42 +00:00
Minos Galanakis
e89565f92a Bump version
./scripts/bump_version.sh --version 4.1.0 \
  --so-crypto 18 --so-tls 23 --so-x509 9

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:34:28 +00:00
Minos Galanakis
83d1ebc114 Updated tf psa-crypto submodule
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:20:06 +00:00
Minos Galanakis
43b89543ec Updated framework submodule
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:20:01 +00:00
Minos Galanakis
308e7fb232 Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-4.1.0.rc3
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:18:31 +00:00
minosgalanakis
fc317141fe Merge pull request #1534 from Mbed-TLS/release/changelog_fixes_4.1.0
[Release] Added attributions & CVE to ChangeLogs
2026-03-26 17:38:50 +00:00
Minos Galanakis
feb0dd04ba Extended attributions & CVE
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 15:03:07 +00:00
Minos Galanakis
f3f27070a6 Added attributions & CVE
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 11:22:00 +00:00
minosgalanakis
5baf6883c6 Merge pull request #1529 from ronald-cron-arm/dtls
Fixes relative to DTLS invalid/unexpected first record
2026-03-25 22:31:24 +00:00
Ronald Cron
1330606ca1 dtls: Fix adaptation to first ClientHello
For each received ClientHello fragment, check
that its epoch is zero and update the
record-level sequence number.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
7a8fbc2100 Remove debug leftover
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
1141cd0fb6 Improve comments
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
f2f44a9c9f Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
fbe388dc28 ssl-opt.sh: Fix log checks in some "DTLS reassembly" tests
In DTLS reassembly tests, the server may receive a close_notify alert at the
end of a test. In this case, the Mbed TLS server logs an error, so these tests
should not check for the absence of the string "error" in the server logs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
f285018fa3 Disable "DTLS proxy: 3d, (openssl|gnutls) client, fragmentation" tests
The tests fail intermittently on the CI with a frequency that
significantly impacts CI throughput.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:22 +01:00
Ronald Cron
c9264ad227 dtls: Fix log level
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
140ebea442 dtls: parse_client_hello: Adapt mbedtls_ssl_read_record() error code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
f9b7441542 dtls: Keep invalid/unexpected record header error code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
0c301a686a dtls: Improve comment
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
912ef74195 Update buffering when adapting to ClientHello message_seq
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
16c5dd99b3 Introduce ssl_buffering_shift_slots
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
676d74e4c7 dtls: Error out on invalid/unexpected record header
Error out on invalid/unexpected record header
when reading the DTLS 1.2 ClientHello.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
315c970fbe dtls: Fix debug log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
ade56554a6 Revert "ssl_server2.c: DTLS: Attempt to read the response to the close notification"
This reverts commit 2e9b9681e6.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-24 18:38:37 +01:00
Valerio Setti
63d1f7f6ef Merge pull request #10649 from valeriosetti/skip-thread-cmake-search
cmake: make Thread package search quiet
2026-03-23 23:34:05 +00:00
Valerio Setti
92cfa4e70e cmake: make Threads package search quiet
This prevents printing the message

"-- Could NOT find Threads (missing: Threads_FOUND)"

on platforms like Zephyr where threading is not provided by standard
libraries.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-23 15:43:46 +01:00
Gilles Peskine
aa40ca90d9 Move check_committed_generated_files to its own component
This will probably help when a framework change causes the content of these
files to change. See https://github.com/Mbed-TLS/mbedtls-test/issues/252

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-23 15:38:32 +01:00
Gilles Peskine
61cf7bdc90 Add Python requirements from framework/util
Any `all.sh` component that runs a script that requires a more recent
version of Python must have a `support_xxx` function that checks for the
requisite Python version or package. At this time, there is no such
requirement yet in the mbedtls repository.

The directory `framework/util` is not yet checked by `pylint` or `mypy`,
because we use older versions of these tools that don't work well with
modern Python versions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-23 15:38:28 +01:00
Gilles Peskine
260992c0f4 check_committed_generated_files.py: use the new generate_files_helper module
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-23 15:37:45 +01:00
Gilles Peskine
4a21496d6f Prepare to generalize check_option_lists.py
We're going to have more committed generated files.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-03-23 15:37:45 +01:00
Gilles Peskine
7f4fe3943d Merge pull request #10624 from gilles-peskine-arm/audit_validity_dates-move-to-framework
Move some scripts to the framework
2026-03-19 12:19:00 +00:00
Ronald Cron
497abfa776 Merge pull request #10644 from minosgalanakis/mbedtls-release-sync
MbedTLS 4.1.0 release-sync
2026-03-17 19:16:45 +00:00
Minos Galanakis
831ea1e621 Updated tf-psa-crypto pointer
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-17 16:47:55 +00:00
Ronald Cron
9f19fe1874 Merge pull request #1466 from yanesca/1445_fix_signature_algorithm_injection
Fix signature algorithm injection
2026-03-17 17:10:00 +01:00
Ronald Cron
a08cff3d40 Merge pull request #1483 from ronald-cron-arm/context_load_and_session_load_documentation
Tighten context/session load and save APIs documentation
2026-03-17 14:11:39 +01:00
Ronald Cron
cb0b594a9d Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-17 10:36:38 +00:00
Manuel Pégourié-Gonnard
d7f2a4cdc6 Merge pull request #10591 from valeriosetti/replace-legacy-rsa-symbols
library: replace `MBEDTLS_RSA_C` with `PSA_WANT`
2026-03-17 10:35:15 +00:00
Ronald Cron
ccea2fd244 Improve change log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-17 11:06:04 +01:00
Valerio Setti
e4d2126ad8 tests: ssl: replace dependency from RSA PSS to PKCS v1.5 in one handshake test
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 21:31:14 +01:00
David Horstmann
0862cf31b5 Merge pull request #10640 from davidhorstmann-arm/add-unused-fields-to-structs
Add unused fields to structs
2026-03-16 14:40:03 +00:00