13363 Commits

Author SHA1 Message Date
Ryan Everett
dd90507dc6 Fix potential non-NULL slot return on failure
If psa_get_and_lock_key_slot fails, the slot must be wiped.
This fixes a bug where a pointer to some valid key slot can
be incorrectly returned

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-04-29 18:24:58 +01:00
Gilles Peskine
dde67bbb5a Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled
It isn't detected on the CI because we only test this with an ancient Clang
that doesn't warn. Old GCC, modern GCC and modern Clang do
warn (-Wunused-but-set-variable).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-04-29 12:38:16 +02:00
Manuel Pégourié-Gonnard
024d3daa7d
Merge pull request from valeriosetti/issue8871
Improve test key generation in test_suite_pk
2024-04-29 09:25:37 +00:00
Paul Elliott
a3daff47d8 Add early exit if zero length AEAD AD passed in.
With multipart AEAD, if we attempt to add zero length additional data,
then with the buffer sharing fixes this can now lead to undefined
behaviour when using gcm. Fix this by returning early, as there is
nothing to do if the input length is zero.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-04-26 18:47:40 +01:00
Gilles Peskine
bee96566da
Merge pull request from tom-cosgrove-arm/fix-compilation-when-memcpy-is-function-like-macro
Fix compilation when memcpy() is a function-like macro
2024-04-09 11:34:46 +00:00
Manuel Pégourié-Gonnard
a4b773d3bb
Merge pull request from inorick/nofa_no_session_tickets
Guard ticket specific TLS 1.3 function with macro
2024-04-08 08:56:17 +00:00
Ronald Cron
233fcaadbf tls13: Do not initiate at all resumption if tickets not supported
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-04-04 15:52:40 +02:00
Bence Szépkúti
a376f84eb1
Merge pull request from valeriosetti/issue8712
Clarify the documentation of mbedtls_pk_setup_opaque
2024-04-04 13:40:57 +00:00
Troy-Butler
da73abc8d7 Fix NULL handling in mbedtls_ssl_config.free() function
Signed-off-by: Troy-Butler <squintik@outlook.com>
2024-04-02 13:37:31 -04:00
Ronald Cron
cf47a15e96 ssl_msg.c: Rename _check_new_session_ticket to _is_new_session_ticket
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-04-02 17:46:52 +02:00
Tom Cosgrove
a2c45dc713 Fix compilation of ssl_tls13_generic.c when memcpy() is a function-like macro
Fixes 

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-04-02 14:51:47 +01:00
Valerio Setti
390f276822 pk: fix unused variable in copy_from_psa()
key_bits is unused when neither MBEDTLS_RSA_C or MBEDTLS_PK_HAVE_ECC_KEYS
are defined.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-04-02 11:31:33 +02:00
Paul Elliott
30978ec650
Merge pull request from stevenwdv/development
Fix compilation on macOS without apple-clang
2024-03-29 13:59:36 +00:00
Minos Galanakis
9860056006 Revert "Autogenerated files for 3.6.0"
This reverts commit e8a6833b2878f1c08b8f96fe35e2812367e32ef3.

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-27 17:36:15 +00:00
Ronald Cron
7df18bc210 tls13: cli: Ignore tickets if not supported
If a TLS 1.3 client receives a ticket and
the feature is not enabled, ignore it.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-27 09:37:37 +01:00
Norbert Fabritius
d36913a58f Constify parameter of ssl_tls13_session_load
Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
Norbert Fabritius
8ceeff95e9 Enable ssl_tls13_get_ciphersuite_hash_alg only if macro is active
Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
Norbert Fabritius
d60aef0f1b Unconditionally define session variable
Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
Ronald Cron
1f045f3a0c tls13: srv: Fix guards of _is_psk_(ephemeral_)available
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-27 08:22:53 +01:00
Norbert Fabritius
96eed725e1 Guard ticket specific TLS 1.3 function with macro
Guard ssl_tls13_write_new_session_ticket_coordinate with
MBEDTLS_SSL_SESSION_TICKETS macro.

Signed-off-by: Norbert Fabritius <norbert.fabritius@esrlabs.com>
2024-03-27 08:22:53 +01:00
Troy-Butler
9ac3e23f5d Fix NULL argument handling in mbedtls_xxx_free() functions
Signed-off-by: Troy-Butler <squintik@outlook.com>
2024-03-22 14:46:04 -04:00
Minos Galanakis
e8a6833b28 Autogenerated files for 3.6.0
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-22 16:00:55 +00:00
Valerio Setti
afa6d51442 pk: simplify mbedtls_pk_sign_ext()
In case of opaque keys skip the check of the supported primary/enrollment
algorithms. Just try to perfom the signature and if the wrapped key
does not support RSA PSS the operation will fail automatically.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-03-22 14:36:38 +01:00
Minos Galanakis
4492dbd286 Version Bump for 3.6.0
./scripts/bump_version.sh --version 3.6.0 --so-crypto 16 --so-x509 7  --so-tls 21

Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-22 11:46:25 +00:00
Minos Galanakis
d9d6435bc5 Merge branch 'development-restricted' into mbedtls-3.6.0rc0-pr
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-21 15:44:11 +00:00
Valerio Setti
144c27b0f3 pkwrite: add new internal symbol for the max supported public key DER length
This is also used in pk_psa_sign() to properly size buffers holding
the public key.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-03-20 17:10:35 +01:00
Valerio Setti
d45836a1c3 pk_wrap: fix algorithm selection in rsa_opaque_decrypt()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-03-20 15:42:55 +01:00
Minos Galanakis
b70f0fd9a9 Merge branch 'development' into 'development-restricted'
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2024-03-19 22:24:40 +00:00
Valerio Setti
4f3262de2d pk_wrap: fix algorithm selection in rsa_opaque_sign_wrap()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-03-19 15:55:32 +01:00
Ronald Cron
a5c5c58107 tls13: srv: Fix potential stack buffer overread
Fix potential stack buffer overread when
checking PSK binders.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-19 14:46:21 +01:00
Steven WdV
9f0858db30 Check C/C++ compilers separately for AppleClang ranlib
Signed-off-by: Steven WdV <swdv@cs.ru.nl>
2024-03-19 11:39:44 +01:00
Valerio Setti
07500fd874 pk: check PK context type in mbedtls_pk_verify_ext() before trying RSA PSS
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-03-18 16:22:33 +01:00
Paul Elliott
78064ac9e0
Merge pull request from paul-elliott-arm/make_psa_global_data_safe
Make PSA global_data thread safe
2024-03-15 19:50:01 +00:00
Paul Elliott
b24e36d07b Add explanatory comment for init flags
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:25:48 +00:00
Paul Elliott
d35dce6e23 Add comments about RNG mutex requirements
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:06:20 +00:00
Paul Elliott
0db6a9033a Start subsystem IDs at 1 instead of 0
Catch potential invalid calls to init.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 16:06:20 +00:00
Paul Elliott
78279962d6 Fix minor style issues
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2024-03-15 13:34:01 +00:00
Waleed Elmelegy
4dfb0e7c90 Add ALPN checking when accepting early data
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-15 12:12:15 +00:00
Waleed Elmelegy
131b2ffd89 Fix bug in ALPN negotiating
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-15 12:12:15 +00:00
Ronald Cron
6bee910dbd
Merge pull request from waleed-elmelegy-arm/add_alpn_to_session
Add ALPN information in session tickets
2024-03-15 09:50:24 +00:00
Gilles Peskine
7b333f1e88
Merge pull request from ronald-cron-arm/tls13-ticket-lifetime
TLS 1.3: Enforce ticket maximum lifetime and discard tickets with 0 lifetime
2024-03-14 15:59:25 +00:00
Gilles Peskine
1c5ebf4352
Merge pull request from BensonLiou/random_bye_on_hrr
Do not generate new random number while receiving HRR
2024-03-14 15:59:21 +00:00
David Horstmann
4a48becdba Invert and rename config option
Replace MBEDTLS_PSA_COPY_CALLER_BUFFERS with inverse:
!MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS. This ensures that buffer
protection is enabled by default without any change to the Mbed TLS
config file.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-03-14 14:47:48 +00:00
Gilles Peskine
93b305dc8e
tls13: Use a flag not a counter for CCS and HRR handling
Reconcile with 5fbd27055d15c8ac234a229389ff4e31977487a0 on another branch

Signed-off-by: Gilles Peskine <gilles.peskine@arm.com>
2024-03-14 15:05:09 +01:00
Gilles Peskine
91f7e07c63
Merge pull request from davidhorstmann-arm/buffer-sharing-merge
Update development-restricted after buffer-sharing work
2024-03-14 13:28:35 +01:00
Manuel Pégourié-Gonnard
93071cfeec
Merge pull request from valeriosetti/issue8919
Generalize some PK functions from MBEDTLS_PSA_CRYPTO_C to MBEDTLS_PSA_CRYPTO_CLIENT
2024-03-14 11:32:23 +00:00
BensonLiou
368debd384 Merge branch 'development' of https://github.com/Mbed-TLS/mbedtls into random_bye_on_hrr 2024-03-14 11:42:25 +08:00
Waleed Elmelegy
b28ab0a45a Fix code style in ssl_tls.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00
Waleed Elmelegy
daa4da781a Increase ALPN length in saved session to 2 bytes
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00
Waleed Elmelegy
5bc5263b2c Add code improvments and refactoring in dealing with ALPN
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2024-03-13 16:50:01 +00:00