Przemek Stekiel
4dc874453e
ssl_tls13_parse_certificate_verify(): optimize the code
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-28 11:05:42 +02:00
Manuel Pégourié-Gonnard
273453f126
Merge pull request #5983 from gstrauss/inline-mbedtls_x509_dn_get_next
...
Inline mbedtls_x509_dn_get_next() in x509.h
2022-06-28 10:13:58 +02:00
Ronald Cron
6b14c69277
Improve documentation
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
11b5332ffc
tls13: Fix certificate extension size write
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
139d0aa9d3
Fix typo in documentation
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
81a334fc02
tls13: Fix buffer overread checks in ssl_tls13_parse_alpn_ext()
...
Some coding style alignement as well.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
585cd70d04
tests: ssl: Fix coverity deadcode issue
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
7b8404608a
tls13: Rename ssl_tls13_write_hello_retry_request_coordinate
...
Rename ssl_tls13_write_hello_retry_request_coordinate to
ssl_tls13_prepare_hello_retry_request as it is more
aligned with what the function does.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
fb508b8f21
tls13: Move state changes up to state main handler
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
63dc463ed6
tls13: Simplify switch to the inbound handshake keys on server side
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:21:13 +02:00
Ronald Cron
5afb904022
tls13: Move out of place handshake field reset
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
828aff6ead
tls13: Rename server_hello_coordinate to preprocess_server_hello
...
Rename server_hello_coordinate to preprocess_server_hello
as it is more aligned with what the function does.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
db5dfa1f1c
tls13: Move ServerHello fetch to the ServerHello top handler
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
44b23b10e1
tls13: Document TLS 1.3 handshake implementation
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
9d6a545714
tls13: Re-organize EncryptedExtensions message parsing code
...
Align the organization of the EncryptedExtensions
message parsing code with the organization of the
other message parsing codes.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
154d1b68d6
tls13: Fix wrong usage of MBEDTLS_SSL_CHK_BUF(_READ)_PTR macros
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
c80835943c
tls13: Fix pointer calculation before space check
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
2827106199
tls13: Add missing buffer overread check
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-28 09:18:42 +02:00
Ronald Cron
b94854f8e3
Merge pull request #5973 from ronald-cron-arm/tls13-misc-tests
...
TLS 1.3: Enable and add tests
2022-06-28 09:15:17 +02:00
Gilles Peskine
5969a4b5e0
Don't call memcpy(NULL, 0) which has undefined behavior
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:59:53 +02:00
Gilles Peskine
bf918b9cfe
Use headlinese for added functions, per request
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:34:32 +02:00
Gilles Peskine
3dc9ac95ec
Spelling
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:02:58 +02:00
Gilles Peskine
ed5c21dc37
Declare deprecated option for no_deprecated configs
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 23:02:09 +02:00
Glenn Strauss
01d2f52a32
Inline mbedtls_x509_dn_get_next() in x509.h
...
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-06-27 14:20:07 -04:00
Przemek Stekiel
18399d8d53
Add comment to config_psa.h about enabling PSA_HKDF/PSA_HKDF_EXRACT/PSA_HKDF_EXPAND algs
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 15:36:06 +02:00
Dave Rodgman
f5b7082f6e
Merge pull request #5811 from polhenarejos/bug_x448
...
Fix order value for curve x448
2022-06-27 13:47:24 +01:00
Gilles Peskine
251ca25d94
Clarify potential ambiguity in changelog entry
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-27 14:47:15 +02:00
Werner Lewis
9b0e940135
Fix case where final special char exceeds buffer
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 12:01:22 +01:00
Przemek Stekiel
9e30fc94f3
Remove redundant spaces
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 12:48:35 +02:00
Werner Lewis
fd8cfe4f8e
Replace parsing with outputting
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:23:43 +01:00
Werner Lewis
31ecb9600a
Add tests for exceeded buffer size
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:23:43 +01:00
Werner Lewis
b33dacdb50
Fix parsing of special chars in X509 DN values
...
Use escape mechanism defined in RFC 1779 when parsing commas and other
special characters in X509 DN values. Resolves failures when generating
a certificate with a CSR containing a comma in subject value.
Fixes #769 .
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 11:19:50 +01:00
Przemek Stekiel
6a5e01858f
ssl_tls13_parse_certificate_verify(): remove md dependency
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 11:53:13 +02:00
Przemek Stekiel
6230d0d398
mbedtls_x509_sig_alg_gets(): remove md dependency
...
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-06-27 11:19:04 +02:00
Werner Lewis
4abd7c2545
Minor phrasing changes
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:42:34 +01:00
Werner Lewis
129d6adc0e
Use mbedtls-2.28 branch for documentation link
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:42:34 +01:00
Werner Lewis
4b8aaa4e60
Add clarification on 2.x branch choice
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:41:54 +01:00
Werner Lewis
f5b86f3b16
Add clarification for 2.x section
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-27 09:20:01 +01:00
Ronald Cron
cf600bc07c
Comment fixes
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:49 +02:00
Ronald Cron
e0d7367a9e
Add change log
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:49 +02:00
Ronald Cron
2b1a43c101
tls13: Add missing overread check in Certificate msg parsing.
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:49 +02:00
Ronald Cron
e7b9b6b380
tls13: Add checks of overread check failures
...
In Certificate message parsing tests with
invalid vector lengths, add checks that the
parsing failed on the expected overread check.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:49 +02:00
Ronald Cron
ad8c17b9c6
tls: Add overread/overwrite check failure tracking
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:49 +02:00
Ronald Cron
e3dac4aaa1
tls13: Add Certificate msg parsing tests with invalid vector lengths
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:28:42 +02:00
Ronald Cron
a8d79b9eb6
ssl-opt.sh: Remove one pattern check
...
In "Authentication: client cert not trusted,
server required" ssl-opt.sh test, depending
on client and server execution speed, the
handshake on the client side may complete
successfully: the TLS connection is aborted
by the server because it is not able to
authenticate the client but at that time
the client may have completed the handshake
on its side. Thus, do not check that the
client handshake failed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-06-27 09:05:35 +02:00
Ronald Cron
07040bb179
Merge pull request #5951 from xkqian/tls13_add_alpn
...
Add ALPN extension to the server side
2022-06-27 08:33:03 +02:00
Ronald Cron
9738a8d0fd
Merge pull request #943 from ronald-cron-arm/tls13-fix-key-usage-checks
...
TLS 1.3: Fix certificate key usage checks
2022-06-27 08:32:17 +02:00
Gilles Peskine
0ff241a1ea
Remove largely useless bit of test log to silence GCC 12
...
GCC 12 emits a warning because it thinks `buffer1` is used after having been
freed. The code is correct C because we're only using the value of
`(uintptr_t)buffer1`, not `buffer1`. However, we aren't using the value for
anything useful: it doesn't really matter if an alloc-free-alloc sequence
returns the same address twice. So don't print that bit of information, and
this way we don't need to save the old address.
Fixes #5974 .
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-25 14:29:23 +02:00
Paul Elliott
668b31f210
Fix the wrong variable being used for TLS record size checks
...
Fix an issue whereby a variable was used to check the size of incoming
TLS records against the configured maximum prior to it being set to the
right value.
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-06-24 20:09:37 +01:00
Werner Lewis
f8a478795c
Add guidance for generating deprecated list
...
Signed-off-by: Werner Lewis <werner.lewis@arm.com>
2022-06-24 11:10:48 +01:00