TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-03-23 04:31:09 +01:00
Code Issues Packages Projects Releases Wiki Activity
33,079 Commits 177 Branches 276 Tags
1a1ec2fccee002bb886a960fc0909f29fca3a7dd
Commit Graph

7101 Commits

Author SHA1 Message Date
Max Fillinger
7577c9e373 Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT 
Error was introduced while resolving a merge conflict.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 17:08:12 +01:00
Max Fillinger
9c5bae5026 Fix max. label length in key material exporter 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 17:08:12 +01:00
Max Fillinger
53d9168502 Document BAD_INPUT_DATA error in key material exporter 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 17:08:12 +01:00
Max Fillinger
c6fd1a24d2 Use one maximum key_len for all exported keys 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 17:06:48 +01:00
Max Fillinger
3e1291866d Fix output size check for key material exporter 
HKDF-Expand can produce at most 255 * hash_size bytes of key material,
so this limit applies to the TLS 1.3 key material exporter.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 17:06:48 +01:00
Max Fillinger
51bec543bb Enable MBEDTLS_SSL_KEYING_MATERIAL_EXPORT by default 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 16:53:58 +01:00
Max Fillinger
2fe35f61bf Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option 
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.

This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.

Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-03-28 16:53:58 +01:00
Max Fillinger
281fb79116 Remove TLS 1.2 Exporter if we don't have randbytes 
The TLS-Exporter in TLS 1.2 requires client_random and server_random.
Unless MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined, these aren't stored
after the handshake is completed.

Therefore, mbedtls_ssl_export_keying_material() exists only if either
MBEDTLS_SSL_CONTEXT_SERIALIZATION is defined or MBEDTLS_SSL_PROTO_TLS1_2
is *not* defined.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 16:53:58 +01:00
Max Fillinger
e10c9849e2 Fix coding style 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-03-28 16:53:58 +01:00
Max Fillinger
7b72220d42 Fix coding style 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-03-28 16:53:58 +01:00
Max Fillinger
ae7d66a1d5 Fix doxygen comment parameter name 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-03-28 16:53:57 +01:00
Max Fillinger
5561994020 Fix typos in comment 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-03-28 16:53:57 +01:00
Max Fillinger
9c9989fc6d Fix mismatches in function declarations 
Missed some const keywords in function declarations.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 16:53:57 +01:00
Max Fillinger
bd81c9d0f7 Implement TLS-Exporter feature 
The TLS-Exporter is a function to derive shared symmetric keys for the
server and client from the secrets generated during the handshake.
It is defined in RFC 8446, Section 7.5 for TLS 1.3 and in RFC 5705 for
TLS 1.2.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-03-28 16:53:57 +01:00
Ben Taylor
7a84f0f3a9 removed rng parameters from struct mbedtls_ssl_config 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-03-27 09:34:21 +00:00
Ben Taylor
47111a1cb1 initial remove of mbedtls_ssl_conf_rng 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-03-26 13:32:10 +00:00
Ben Taylor
440cb2aac2 Remove RNG from x509 and PK 
remove the f_rng and p_rng parameter from x509 and PK.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-03-26 08:17:38 +00:00
Gilles Peskine
1ffdb18cdb Remove mbedtls_low_level_sterr() and mbedtls_high_level_strerr() 
Just removed from the API. We can greatly simplify error.c but that will be
for later.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-24 14:26:39 +00:00
Gabor Mezei
e99e591179 Remove key exchange based on encryption/decryption 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2025-03-20 17:53:07 +01:00
Gabor Mezei
3c7db0e5a8 Remove MBEDTLS_TLS_RSA_* ciphersuite macros 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2025-03-20 17:53:07 +01:00
Gabor Mezei
5814e3e566 Remove MBEDTLS_KEY_EXCHANGE_RSA key exchange type 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2025-03-20 17:53:07 +01:00
Gabor Mezei
e1e27300a2 Remove MBEDTLS_KEY_EXCHANGE_RSA_ENABLED config option 
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2025-03-20 17:53:01 +01:00
Manuel Pégourié-Gonnard
4515d10163 Merge pull request #10039 from bjwtaylor/remove-rng-from-ssl 
Remove RNG parameters from public SSL APIs
 2025-03-19 11:27:51 +00:00
Gilles Peskine
c4dd970386 Merge pull request #9096 from noahp/noahp/mbedtls_net_send-api-desc-tweak 
mbedtls_net_send API description typo fix
 2025-03-13 16:22:55 +00:00
Bence Szépkúti
906d3cdff5 Merge pull request #10020 from bensze01/msvc-format-size-macros 
Fix preprocessor guards for C99 format size specifiers
 2025-03-13 10:09:06 +00:00
Bence Szépkúti
011b6cb1c5 Fix comments 
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
 2025-03-12 17:11:42 +01:00
Minos Galanakis
a2a0c2cbe7 Merge remote-tracking branch 'origin/features/tls-defragmentation/development' into feature_merge_defragmentation_dev 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-03-12 15:25:06 +00:00
Bence Szépkúti
cd1ece7846 Never use %zu on MinGW 
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
 2025-03-12 16:18:35 +01:00
Bence Szépkúti
becb21e668 Fix MSVC version guard for C99 format size specifiers 
Visual Studio 2013 (_MSC_VER == 1800) doesn't support %zu - only use it
on 2015 and above (_MSC_VER >= 1900).

%ldd works on Visual Studio 2013, but this patch keeps the two macro
definitions together, for simplicity's sake.

Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
 2025-03-12 16:16:20 +01:00
Gilles Peskine
2b78a5abfa State globally that the limitations don't apply to DTLS 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-12 10:07:33 +01:00
Gilles Peskine
d9c858039e Clarify DTLS 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-11 13:47:49 +01:00
Gilles Peskine
80facedad9 ClientHello may be fragmented in renegotiation 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-11 13:47:14 +01:00
Gilles Peskine
d8f9e22b5e Move the defragmentation documentation to mbedtls_ssl_handshake 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-11 13:45:27 +01:00
Ben Taylor
0cfe54e4e0 remove RNG parameters from SSL API's 
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-03-10 13:24:31 +00:00
Gilles Peskine
36edd48c61 Document the limitations of TLS handshake message defragmentation 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-05 17:41:59 +01:00
Valerio Setti
15fd5c9925 ssl: remove support for MBEDTLS_DHM_C 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-03-05 10:11:23 +01:00
Manuel Pégourié-Gonnard
28f8e205eb Merge pull request #9872 from rojer/tls_hs_defrag_in 
Defragment incoming TLS handshake messages
 2025-02-24 09:28:11 +01:00
Deomid rojer Ryabkov
dd14c0a11e Remove in_hshdr 
The first fragment of a fragmented handshake message always starts at the beginning of the buffer so there's no need to store it.

Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
 2025-02-13 13:41:51 +03:00
Valerio Setti
d137f15e1b mbedtls_config.h: remove definition of MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-06 10:12:02 +01:00
Valerio Setti
02ae66830e check_config.h: remove checks for DHE-RSA 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-06 10:05:58 +01:00
Valerio Setti
b7e2eccf1f ssl_ciphersuites: remove MBEDTLS_KEY_EXCHANGE_SOME_XXDH_1_2_ENABLED 
This symbol is unused in the code so it can be removed.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-06 10:05:58 +01:00
Valerio Setti
b8621b6f9d ssl_ciphersuites: remove references to DHE-RSA key exchanges 
In this commit also MBEDTLS_KEY_EXCHANGE_SOME_DHE_ENABLED is removed.
This cause some code in "ssl_ciphersuites_internal.h" and
"ssl_tls12_server.c" to became useless, so these blocks are removed
as well.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-06 10:05:58 +01:00
Valerio Setti
89743b5db5 ssl_tls: remove code related to DHE-RSA 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-06 10:05:58 +01:00
David Horstmann
be658c47c8 Merge pull request #9938 from bjwtaylor/ssl-ticket-api 
Move ssl_ticket to the PSA API
 2025-02-05 10:41:09 +00:00
Ben Taylor
d0498803a1 Correct typos in comments 
Correct the typos in the mbedtls_ssl_ticket_setup function docs

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-02-03 11:35:34 +00:00
Harry Ramsey
2547ae9fcc Move SSL macro checks from TF-PSA-Crypto to Mbed TLS 
This commit moves macro checks specifically for Mbed TLS from
TF-PSA-Crypto to Mbed TLS where they more approriately belong.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-01-31 13:58:43 +00:00
Ben Taylor
0c29cf87b1 Move ssl_ticket to the PSA API 
Convert the mbedtl_ssl_ticket_setup function to use the TF_PSA_Crypto
API.

Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
 2025-01-30 08:22:40 +00:00
Manuel Pégourié-Gonnard
28905b76fa Remove mention of USE_PSA_CRYPTO in documentation 
This was the last occurrence found by:

    git grep -c 'MBEDTLS_USE_PSA_CRYPTO' library include

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-01-28 16:44:08 +01:00
Manuel Pégourié-Gonnard
48e0e3a356 Rm dead !USE_PSA code: check_config.h 
Manual, as most expressions were too complex for unifdef. Most of those
were or had a part like "we need XXX or USE_PSA" (where XXX was Cipher
or MD) and those are always satisfied now.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-01-28 16:15:21 +01:00
Manuel Pégourié-Gonnard
11ae619e77 Rm dead !USE_PSA code: SSL headers (part 1) 
unifdef -m -DMBEDTLS_USE_PSA_CRYPTO {library,include/mbedtls}/ssl*.h

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-01-28 16:15:04 +01:00