Gilles Peskine
b43bdd7365
Be more specific about what compiler options we consider legitimate
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Gilles Peskine
77a32fab9b
Mention the new advice about compiler options in the changelog
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Gilles Peskine
582d23e04c
Add a section about compiler-introduced timing side channels
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2026-04-01 11:08:23 +02:00
Minos Galanakis
0fe989b6b5
Update BRANCHES.md
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
mbedtls-4.1.0
v4.1.0
2026-03-26 22:34:42 +00:00
Minos Galanakis
641fa2695c
Assemble ChangeLog
...
./framework/scripts/assemble_changelog.py
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:34:42 +00:00
Minos Galanakis
e89565f92a
Bump version
...
./scripts/bump_version.sh --version 4.1.0 \
--so-crypto 18 --so-tls 23 --so-x509 9
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:34:28 +00:00
Minos Galanakis
83d1ebc114
Updated tf psa-crypto submodule
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:20:06 +00:00
Minos Galanakis
43b89543ec
Updated framework submodule
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:20:01 +00:00
Minos Galanakis
308e7fb232
Merge remote-tracking branch 'restricted/development-restricted' into mbedtls-4.1.0.rc3
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 22:18:31 +00:00
minosgalanakis
fc317141fe
Merge pull request #1534 from Mbed-TLS/release/changelog_fixes_4.1.0
...
[Release] Added attributions & CVE to ChangeLogs
2026-03-26 17:38:50 +00:00
Minos Galanakis
feb0dd04ba
Extended attributions & CVE
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 15:03:07 +00:00
Minos Galanakis
f3f27070a6
Added attributions & CVE
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-26 11:22:00 +00:00
minosgalanakis
5baf6883c6
Merge pull request #1529 from ronald-cron-arm/dtls
...
Fixes relative to DTLS invalid/unexpected first record
2026-03-25 22:31:24 +00:00
Ronald Cron
1330606ca1
dtls: Fix adaptation to first ClientHello
...
For each received ClientHello fragment, check
that its epoch is zero and update the
record-level sequence number.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
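The check described in the commit above (epoch must be zero on every record carrying a fragment of the first ClientHello, and the record-level sequence number is updated as fragments arrive) can be illustrated on the DTLS 1.2 record header alone. The following is an added example written for this page; it is not Mbed TLS code and does not reflect how the library's internal buffering works. The header layout (type, version, 16-bit epoch, 48-bit sequence number, 16-bit length) is from RFC 6347 section 4.1; the `dtls_peer_state` struct, the error codes, and the `dtls_example_*` helpers are assumptions made for the example. Sample records are constructed in the code.

```c
/* Added example (not Mbed TLS code): parse a DTLS 1.2 record header and
 * apply the first-ClientHello rule: handshake record, epoch 0, and track
 * the record-level sequence number per accepted fragment. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define DTLS_HDR_LEN 13          /* RFC 6347 4.1: 1 + 2 + 2 + 6 + 2 bytes */
#define DTLS_CT_HANDSHAKE 22
#define DTLS_MAX_FRAGMENT 16384  /* 2^14, the TLS/DTLS plaintext limit */

typedef struct {
    uint8_t  type;
    uint16_t version;
    uint16_t epoch;
    uint64_t seq;      /* 48-bit record sequence number */
    uint16_t length;
} dtls_record_hdr;

/* Hypothetical per-peer state for this example only. */
typedef struct {
    uint64_t last_seq;  /* highest epoch-0 sequence number accepted so far */
    int      have_seq;
} dtls_peer_state;

enum {
    DTLS_OK = 0,
    DTLS_ERR_SHORT = -1,          /* fewer than 13 bytes available */
    DTLS_ERR_BAD_LENGTH = -2,     /* length field exceeds limit or buffer */
    DTLS_ERR_NOT_HANDSHAKE = -3,  /* content type is not handshake (22) */
    DTLS_ERR_BAD_EPOCH = -4       /* first ClientHello must be in epoch 0 */
};

/* Parse the 13-byte header; reject records whose declared length does not
 * fit in the buffer so later code never reads past `len`. The version is
 * decoded but not enforced: a first ClientHello may legitimately carry
 * DTLS 1.0 (0xFEFF) in the record layer. */
int dtls_parse_record_header(const uint8_t *buf, size_t len, dtls_record_hdr *h)
{
    if (len < DTLS_HDR_LEN) return DTLS_ERR_SHORT;
    h->type    = buf[0];
    h->version = (uint16_t)((buf[1] << 8) | buf[2]);
    h->epoch   = (uint16_t)((buf[3] << 8) | buf[4]);
    h->seq     = 0;
    for (int i = 0; i < 6; i++) h->seq = (h->seq << 8) | buf[5 + i];
    h->length  = (uint16_t)((buf[11] << 8) | buf[12]);
    if (h->length > DTLS_MAX_FRAGMENT || (size_t)DTLS_HDR_LEN + h->length > len)
        return DTLS_ERR_BAD_LENGTH;
    return DTLS_OK;
}

/* Accept a record that may carry (a fragment of) the first ClientHello only
 * if it is a handshake record in epoch 0; on success, update the tracked
 * record-level sequence number so replies and replay checks use the peer's
 * real counter rather than a stale or attacker-chosen one. */
int dtls_accept_first_client_hello_record(dtls_peer_state *st,
                                          const uint8_t *buf, size_t len)
{
    dtls_record_hdr h;
    int ret = dtls_parse_record_header(buf, len, &h);
    if (ret != DTLS_OK) return ret;
    if (h.type != DTLS_CT_HANDSHAKE) return DTLS_ERR_NOT_HANDSHAKE;
    if (h.epoch != 0) return DTLS_ERR_BAD_EPOCH;
    if (!st->have_seq || h.seq > st->last_seq) {
        st->last_seq = h.seq;
        st->have_seq = 1;
    }
    return DTLS_OK;
}

/* Build a DTLS 1.2 record header (constructed test input, not captured). */
size_t dtls_build_record_header(uint8_t *out, uint8_t type, uint16_t epoch,
                                uint64_t seq, uint16_t length)
{
    out[0] = type;
    out[1] = 0xFE; out[2] = 0xFD;                 /* DTLS 1.2 */
    out[3] = (uint8_t)(epoch >> 8); out[4] = (uint8_t)epoch;
    for (int i = 0; i < 6; i++) out[5 + i] = (uint8_t)(seq >> (8 * (5 - i)));
    out[11] = (uint8_t)(length >> 8); out[12] = (uint8_t)length;
    return DTLS_HDR_LEN;
}

/* Example helper: one constructed record with an 8-byte payload, offered
 * with `avail` bytes visible (to exercise the truncation paths). */
int dtls_example_check(uint8_t type, uint16_t epoch, uint64_t seq, size_t avail)
{
    uint8_t rec[DTLS_HDR_LEN + 8] = {0};
    dtls_peer_state st = {0, 0};
    dtls_build_record_header(rec, type, epoch, seq, 8);
    if (avail > sizeof rec) avail = sizeof rec;
    return dtls_accept_first_client_hello_record(&st, rec, avail);
}

/* Example helper: three fragments in a row (epoch 0 seq 5, epoch 1 seq 9,
 * epoch 0 seq 7); only the epoch-0 ones update the tracked counter. */
int dtls_example_tracked_seq(void)
{
    uint8_t rec[DTLS_HDR_LEN + 8] = {0};
    dtls_peer_state st = {0, 0};
    dtls_build_record_header(rec, DTLS_CT_HANDSHAKE, 0, 5, 8);
    dtls_accept_first_client_hello_record(&st, rec, sizeof rec);
    dtls_build_record_header(rec, DTLS_CT_HANDSHAKE, 1, 9, 8);
    dtls_accept_first_client_hello_record(&st, rec, sizeof rec);  /* rejected */
    dtls_build_record_header(rec, DTLS_CT_HANDSHAKE, 0, 7, 8);
    dtls_accept_first_client_hello_record(&st, rec, sizeof rec);
    return (int)st.last_seq;
}

int main(void)
{
    printf("epoch 0 -> %d, epoch 1 -> %d, tracked seq -> %d\n",
           dtls_example_check(DTLS_CT_HANDSHAKE, 0, 5, 21),
           dtls_example_check(DTLS_CT_HANDSHAKE, 1, 5, 21),
           dtls_example_tracked_seq());
    return 0;
}
```

The order of checks matters for the failure modes the commit series is about: a truncated or over-long header is rejected before any field is trusted, a non-handshake record is rejected before the epoch is inspected, and the sequence number is only recorded for a record that passed every check, so a rejected record cannot move the counter.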
Ronald Cron
7a8fbc2100
Remove debug leftover
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
1141cd0fb6
Improve comments
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
f2f44a9c9f
Restrict mapping of UNEXPECTED_RECORD to UNEXPECTED_MESSAGE
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
fbe388dc28
ssl-opt.sh: Fix log checks in some "DTLS reassembly" tests
...
In DTLS reassembly tests, the server may receive a close_notify alert at the
end of a test. In this case, the Mbed TLS server logs an error, so these tests
should not check for the absence of the string "error" in the server logs.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:24 +01:00
Ronald Cron
f285018fa3
Disable "DTLS proxy: 3d, (openssl|gnutls) client, fragmentation" tests
...
The tests fail intermittently on the CI with a frequency that
significantly impacts CI throughput.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:45:22 +01:00
Ronald Cron
c9264ad227
dtls: Fix log level
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
140ebea442
dtls: parse_client_hello: Adapt mbedtls_ssl_read_record() error code
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
f9b7441542
dtls: Keep invalid/unexpected record header error code
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
0c301a686a
dtls: Improve comment
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
912ef74195
Update buffering when adapting to ClientHello message_seq
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
16c5dd99b3
Introduce ssl_buffering_shift_slots
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
676d74e4c7
dtls: Error out on invalid/unexpected record header
...
Error out on invalid/unexpected record header
when reading the DTLS 1.2 ClientHello.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
315c970fbe
dtls: Fix debug log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-25 08:44:16 +01:00
Ronald Cron
ade56554a6
Revert "ssl_server2.c: DTLS: Attempt to read the response to the close notification"
...
This reverts commit 2e9b9681e6.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-24 18:38:37 +01:00
Ronald Cron
497abfa776
Merge pull request #10644 from minosgalanakis/mbedtls-release-sync
...
MbedTLS 4.1.0 release-sync
2026-03-17 19:16:45 +00:00
Minos Galanakis
831ea1e621
Updated tf-psa-crypto pointer
...
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2026-03-17 16:47:55 +00:00
Ronald Cron
9f19fe1874
Merge pull request #1466 from yanesca/1445_fix_signature_algorithm_injection
...
Fix signature algorithm injection
2026-03-17 17:10:00 +01:00
Ronald Cron
a08cff3d40
Merge pull request #1483 from ronald-cron-arm/context_load_and_session_load_documentation
...
Tighten context/session load and save APIs documentation
2026-03-17 14:11:39 +01:00
Ronald Cron
cb0b594a9d
Merge pull request #10442 from davidhorstmann-arm/verify-result-default-failure
...
Hardening: Make `mbedtls_ssl_get_verify_result()` default to failure
2026-03-17 10:36:38 +00:00
Manuel Pégourié-Gonnard
d7f2a4cdc6
Merge pull request #10591 from valeriosetti/replace-legacy-rsa-symbols
...
library: replace `MBEDTLS_RSA_C` with `PSA_WANT`
2026-03-17 10:35:15 +00:00
Ronald Cron
ccea2fd244
Improve change log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-17 11:06:04 +01:00
Valerio Setti
e4d2126ad8
tests: ssl: replace dependency from RSA PSS to PKCS v1.5 in one handshake test
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 21:31:14 +01:00
David Horstmann
0862cf31b5
Merge pull request #10640 from davidhorstmann-arm/add-unused-fields-to-structs
...
Add unused fields to structs
2026-03-16 14:40:03 +00:00
Ronald Cron
894cea1fa2
Add change log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2026-03-16 15:03:12 +01:00
Valerio Setti
2258cb7b5a
tests: pkcs7: ease requirements for parse tests
...
replace PSA_HAVE_ALG_SOME_RSA_VERIFY with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Valerio Setti
0dfc52e740
tests: ssl: replace remaining occurrences of legacy RSA algorithms
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Valerio Setti
ed0aebd2c5
tests: bulk replace MBEDTLS_RSA_C with PSA_HAVE_ALG_SOME_RSA_SIGN
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Valerio Setti
2fab51329b
tests: bulk replace MBEDTLS_RSA_C with PSA_HAVE_ALG_SOME_RSA_VERIFY
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Valerio Setti
ff2630664a
tests: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Valerio Setti
ae885590fb
library: bulk replace MBEDTLS_RSA_C with PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
...
Follow the same pattern that was used in the past to remove dependency
on MBEDTLS_RSA_C and use PSA_WANT instead.
Relying on MBEDTLS_RSA_C is fine only when builtin drivers are compiled
since all PSA_WANT are converted to legacy build symbols. However when
builtin drivers are not built (ex: in case of TF-M), then part of the code
in TLS/X509 won't be compiled because MBEDTLS_RSA_C is not set. OTOH
it's not possible to declare that symbol in a configuration file because
it's a legacy one and it will be rejected by buildtime checks.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2026-03-16 13:52:01 +01:00
Janos Follath
6714b39017
Improve ssl_parse_signature_algorithm
...
Simplify and improve error reporting and remove unnecessary
initialisation (the caller is responsible for initialising those
values).
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00
Janos Follath
703c2a6d7c
Fix a typo and an oversight
...
DEBUG_C was supposed to have been removed from the test dependencies; it still
being there is an oversight. Removing it was the sole purpose of
3e58109fbd.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00
Janos Follath
5ffef28971
Fix code style
...
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00
Janos Follath
7b255e3a12
ssl_parse_signature_algorithm: match error codes
...
The caller is returning MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER if
ssl_parse_signature_algorithm() fails, but
ssl_parse_signature_algorithm() returns
MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE upon failure. There is no good reason
for this mismatch and better to be aligned.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00
Janos Follath
862c191f4f
send_invalid_sig_alg: reduce debug dependency
...
Run as much of the test as we can even in the absence of
MBEDTLS_DEBUG_C.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00
Janos Follath
c46eccf6ef
ssl_parse_signature_algorithm: caller to get bytes
...
After the recent refactoring ssl_parse_signature_algorithm() sends an
alert on failure, but the caller also sends an alert on failure. Sending
two alerts is at least a protocol violation, and might not leave the SSL
context in a good state.
It is simpler to have the caller read the two bytes, and pass them to
this function.
Signed-off-by: Janos Follath <janos.follath@arm.com>
2026-03-16 12:28:36 +00:00