TeamHepta/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2026-05-06 01:44:06 +02:00
Code Issues Packages Projects Releases Wiki Activity
34,452 Commits 179 Branches 280 Tags
78336bb5bda9fa20725d812bf4f353e4177bb24e
Commit Graph

34452 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Maokaman1
78336bb5bd Merge branch 'Mbed-TLS:development' into fix/tls12-rsa-pss-sigalgs 2026-04-17 19:13:43 +03:00
Viktor Sokolovskiy
3d61c38ea0 ssl: add TLS 1.2 RSA-PSS debug trace 
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
 2026-04-17 17:36:31 +03:00
Viktor Sokolovskiy
2168fe9cda ssl: narrow TLS 1.2 RSA-PSS handling and add interop coverage 
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
 2026-04-16 04:36:48 +03:00
Gilles Peskine
8426c9bc51 Merge pull request #10684 from gilles-peskine-arm/maintainer-scripts-create-directory-dev 
development: Create a directory for maintainer-only Python scripts
 2026-04-15 08:19:36 +00:00
Gilles Peskine
8bf89416cf Merge pull request #10647 from gilles-peskine-arm/github-pr-template-add-4.1-mbedtls 
Add 1.1 line to the PR template
 2026-04-15 08:17:24 +00:00
Gilles Peskine
6b31bc6885 Unify TF-PSA-Crypto and mbedtls templates 
Following the team discussion, don't suggest "prerequisite" or "consuming"
in the template. Suggest linking all the pull requests in a group
everywhere.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-13 14:57:07 +02:00
Gilles Peskine
2a7d1ece77 Merge pull request #10676 from gilles-peskine-arm/analyze_outcomes-read_crypto 
Let TF-PSA-Crypto define test cases that Mbed TLS does not need to cover
 2026-04-13 09:24:21 +00:00
Gilles Peskine
cc134b0b94 Update crypto submodule with analyze_outcomes.py 
Update framework to match.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-10 14:49:14 +02:00
Gilles Peskine
9248af96b1 Create a directory for maintainer-only Python scripts 
This directory is currently excluded from `check-python-files.sh`, because
we run it on the CI in an old Python version that doesn't support some of
our new maintainer scripts.

There are no such scripts in mbedtls for now (only in TF-PSA-Crypto), but be
ready if we want to add some.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-09 19:39:42 +02:00
Gilles Peskine
806e1d365b Documentation improvements 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-08 17:22:10 +02:00
Gilles Peskine
d25f03919a INTERNAL_TEST_CASES moved to a separate data-only module 
This way, when Mbed TLS's `analyze_outcomes.py` loads the python module from
TF-PSA-Crypto (because it needs to know the value of `INTERNAL_TEST_CASES`),
there's no risk that the subproject and the superproject will have different
requirements on auxiliary modules such as `mbedtls_framework.outcome_analysis`.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-08 15:47:49 +02:00
Gilles Peskine
16a90a556e Add copyright line 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-08 15:31:52 +02:00
Viktor Sokolovskiy
f75c033ead ssl: add TLS 1.2 RSA-PSS regression coverage 
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
 2026-04-07 20:20:09 +03:00
Gilles Peskine
667a3f6442 Move test currently covered by crypto from uncovered list to ignored list 
If we can't read `INTERNAL_TEST_CASES` from
`tf-psa-crypto/tests/scripts/analyze_outcomes.py` because the script doesn't
exist, hard-code the legacy value of that information.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-07 11:47:24 +02:00
Gilles Peskine
1978e1bd6b Ignore test cases that TF-PSA-Crypto tells us to ignore 
If the `tf-psa-crypto` submodule has `tests/scripts/analyze_outcomes.py`,
require it to define a global variable `INTERNAL_TEST_CASES`. Those test
cases will be ignored in Mbed TLS's coverage analysis.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-07 11:47:13 +02:00
Gilles Peskine
bb5cfbbdec Move _has_word_re to the framework 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-07 11:06:39 +02:00
Gilles Peskine
68d6b07287 Rename IGNORED_TESTS to UNCOVERED_TESTS 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-07 11:06:39 +02:00
Gilles Peskine
619f1acd75 Update framework with UNCOVERED_TESTS in outcome analysis 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-07 11:06:39 +02:00
Viktor Sokolovskiy
c064ba0edb ssl: accept TLS 1.2 rsa_pss_rsae signature schemes 
Signed-off-by: Viktor Sokolovskiy <maokaman@gmail.com>
 2026-04-04 03:57:04 +03:00
David Horstmann
0333486837 Merge pull request #10670 from gilles-peskine-arm/security-md-mention-compiler-4.x 
mbedtls: Mention compiler optimization in the threat model
 2026-04-01 15:43:26 +00:00
Gilles Peskine
d1f0ce8493 Be more specific about what compiler options we consider legitimate 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-01 11:08:46 +02:00
Gilles Peskine
54ebb9b42d Mention the new advice about compiler options in the changelog 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-01 11:08:46 +02:00
Gilles Peskine
be18f3f4a5 Add a section about compiler-introduced timing side channels 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2026-04-01 11:08:46 +02:00
Minos Galanakis
0cfd96499d Updated tf-psa-crypto submodule 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-31 15:36:07 +01:00
Minos Galanakis
6804c92d7d Merge tag 'mbedtls-4.1.0' into mbedtls-4.1.0_mergeback 
Mbed TLS 4.1.0

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-31 15:35:49 +01:00
Valerio Setti
32a3d5209c Merge pull request #10626 from gilles-peskine-arm/check_committed_generated_files-create 
Add check_committed_generated_files.py
 2026-03-30 10:50:04 +00:00
Minos Galanakis
0fe989b6b5 Update BRANCHES.md 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
mbedtls-4.1.0 v4.1.0 		2026-03-26 22:34:42 +00:00
Minos Galanakis
641fa2695c Assemble ChangeLog 
./framework/scripts/assemble_changelog.py

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 22:34:42 +00:00
Minos Galanakis
e89565f92a Bump version 
./scripts/bump_version.sh --version 4.1.0 \
  --so-crypto 18 --so-tls 23 --so-x509 9

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 22:34:28 +00:00
Minos Galanakis
83d1ebc114 Updated tf psa-crypto submodule 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 22:20:06 +00:00
Minos Galanakis
43b89543ec Updated framework submodule 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 22:20:01 +00:00
Minos Galanakis
308e7fb232 Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-4.1.0.rc3 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 22:18:31 +00:00
minosgalanakis
fc317141fe Merge pull request #1534 from Mbed-TLS/release/changelog_fixes_4.1.0 
[Release] Added attributions & CVE to ChangeLogs
 2026-03-26 17:38:50 +00:00
Minos Galanakis
feb0dd04ba Extended attributions & CVE 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 15:03:07 +00:00
Minos Galanakis
f3f27070a6 Added attributions & CVE 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2026-03-26 11:22:00 +00:00
minosgalanakis
5baf6883c6 Merge pull request #1529 from ronald-cron-arm/dtls 
Fixes relative to DTLS invalid/unexpected first record
 2026-03-25 22:31:24 +00:00
Ronald Cron
1330606ca1 dtls: Fix adaptation to first ClientHello 
For each received ClientHello fragment, check
that its epoch is zero and update the
record-level sequence number.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:24 +01:00
Ronald Cron
7a8fbc2100 Remove debug leftover 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:24 +01:00
Ronald Cron
1141cd0fb6 Improve comments 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:24 +01:00
Ronald Cron
f2f44a9c9f Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:24 +01:00
Ronald Cron
fbe388dc28 ssl-opt.sh: Fix log checks in some "DTLS reassembly" tests 
In DTLS reassembly tests, the server may receive a close_notify alert at the
end of a test. In this case, the Mbed TLS server logs an error, so these tests
should not check for the absence of the string "error" in the server logs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:24 +01:00
Ronald Cron
f285018fa3 Disable "DTLS proxy: 3d, (openssl|gnutls) client, fragmentation" tests 
The tests fail intermittently on the CI with a frequency that
significantly impacts CI throughput.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:45:22 +01:00
Ronald Cron
c9264ad227 dtls: Fix log level 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
140ebea442 dtls: parse_client_hello: Adapt mbedtls_ssl_read_record() error code 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
f9b7441542 dtls: Keep invalid/unexpected record header error code 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
0c301a686a dtls: Improve comment 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
912ef74195 Update buffering when adapting to ClientHello message_seq 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
16c5dd99b3 Introduce ssl_buffering_shift_slots 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
676d74e4c7 dtls: Error out on invalid/unexpected record header 
Error out on invalid/unexpected record header
when reading the DTLS 1.2 ClientHello.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00
Ronald Cron
315c970fbe dtls: Fix debug log 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2026-03-25 08:44:16 +01:00