Hanno Becker
2fc9a652bc
Address review feedback
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Hanno Becker
2e3ecda684
Adust migration guide for SSL error codes
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-28 12:35:08 +01:00
Gilles Peskine
fedd52ca19
Merge pull request #4707 from gilles-peskine-arm/require-matching-hashlen-rsa-implementation
...
Require matching hashlen in RSA functions: implementation
2021-06-24 10:28:20 +02:00
Gilles Peskine
f06b92d724
Merge pull request #4567 from mstarzyk-mobica/gcm_ad
...
Enable multiple calls to mbedtls_gcm_update_ad
2021-06-23 19:36:23 +02:00
Gilles Peskine
e9bc857327
Merge pull request #4552 from hanno-arm/mbedtls_3_0_key_export
...
Implement modified key export API for Mbed TLS 3.0
2021-06-22 18:52:37 +02:00
Gilles Peskine
9dbbc297a3
PK signature function: require exact hash length
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-22 18:39:41 +02:00
Dave Rodgman
5ec5003992
Document the return type change in the migration guide
...
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-22 13:49:09 +01:00
Manuel Pégourié-Gonnard
e7885e5441
RSA: Require hashlen to match md_alg when applicable
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-22 12:29:27 +02:00
Manuel Pégourié-Gonnard
3e7ddb2bb6
Merge pull request #4604 from gilles-peskine-arm/default-hashes-curves-3.0
...
Update the default hash and curve selection for X.509 and TLS
2021-06-22 12:08:37 +02:00
Manuel Pégourié-Gonnard
a805d57261
Merge pull request #4588 from TRodziewicz/remove_MD2_MD4_RC4_Blowfish_and_XTEA
...
Remove MD2, MD4, RC4, Blowfish and XTEA
2021-06-22 09:27:41 +02:00
TRodziewicz
f41dc7cb35
Removal of RC4 certs and fixes to docs and tests
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-21 13:27:29 +02:00
Hanno Becker
7e6c178b6d
Make key export callback and context connection-specific
...
Fixes #2188
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Hanno Becker
d5c9cc7c90
Add migration guide for modified key export API
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-18 18:40:19 +01:00
Manuel Pégourié-Gonnard
9a32d45819
Merge pull request #4517 from hanno-arm/ticket_api_3_0
...
Implement 3.0-API for SSL session resumption
2021-06-18 18:34:45 +02:00
Manuel Pégourié-Gonnard
ae35830295
Merge pull request #4661 from mpg/make-blinding-mandatory
...
Make blinding mandatory
2021-06-18 18:32:13 +02:00
Dave Rodgman
8c8166a7f1
Merge pull request #4640 from TRodziewicz/move_part_of_timing_module_out_of_the_library_and_to_test
...
Move part of timing module out of the library
2021-06-18 16:35:58 +01:00
Gilles Peskine
39957503c5
Remove secp256k1 from the default X.509 and TLS profiles
...
For TLS, secp256k1 is deprecated by RFC 8422 §5.1.1. For X.509,
secp256k1 is not deprecated, but it isn't used in practice, especially
in the context of TLS where there isn't much point in having an X.509
certificate which most peers do not support. So remove it from the
default profile. We can add it back later if there is demand.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 23:17:52 +02:00
Gilles Peskine
ec78bc47b5
Meld DEFAULT_ALLOW_SHA1_IN_CERTIFICATES removal migration guide
...
Meld the migration guide for the removal of
MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES into the migration guide for
the strengthening of TLS and X.509 defaults, which is more general. The
information in the SHA-1 section was largely already present in the
strengthening section. It is now less straightforward to figure out how to
enable SHA-1 in certificates, but that's a good thing, since no one should
still be doing this in 2021.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
6b1f64a150
Wording clarifications
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
b1940a76ad
In TLS, order curves by resource usage, not size
...
TLS used to prefer larger curves, under the idea that a larger curve has a
higher security strength and is therefore harder to attack. However, brute
force attacks are not a practical concern, so this was not particularly
meaningful. If a curve is considered secure enough to be allowed, then we
might as well use it.
So order curves by resource usage. The exact definition of what this means
is purposefully left open. It may include criteria such as performance and
memory usage. Risk of side channels could be a factor as well, although it
didn't affect the current choice.
The current list happens to exactly correspond to the numbers reported by
one run of the benchmark program for "full handshake/s" on my machine.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:29 +02:00
Gilles Peskine
3758fd6b79
Changelog entry and migration guide for hash and curve profile upgrades
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-06-17 21:46:14 +02:00
Manuel Pégourié-Gonnard
8707259318
Improve ChangeLog and migration guide entries
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:41:00 +02:00
Manuel Pégourié-Gonnard
e6e51aab55
Add ChangeLog and migration guide entries
...
Merge part of the RSA entries into this one, as I think it's easier for
users to have all similar changes in one place regardless of whether
they were introduce in the same PR or not.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-17 09:38:38 +02:00
Mateusz Starzyk
bd513bb53d
Enable multiple calls to mbedtls_gcm_update_ad.
...
Signed-off-by: Mateusz Starzyk <mateusz.starzyk@mobica.com>
2021-06-16 14:34:09 +02:00
TRodziewicz
15a7b73708
Documentation rewording
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 11:22:53 +02:00
TRodziewicz
8f91c721d3
Code review follow-up corrections
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:45 +02:00
TRodziewicz
7ff652ae53
Addition of ChangeLog and migration guide entry files.
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-16 10:34:39 +02:00
Gilles Peskine
17575dcb03
Merge pull request #4629 from TRodziewicz/rename_functions_whose_deprecated_variants_have_been_removd
...
Rename the _ret() functions
2021-06-15 20:32:07 +02:00
TRodziewicz
9c90226df1
Addition of the migration guide and change log files
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 15:49:20 +02:00
TRodziewicz
28a4a963fc
Corrections to the docs wording and changes to aux scripts
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-15 00:18:32 +02:00
TRodziewicz
3946f79cab
Correction according to code review (function and param. names change
...
and docs rewording)
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 13:46:21 +02:00
TRodziewicz
8b223b6509
Addition of the migration guide entry file.
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:56:33 +02:00
TRodziewicz
1fcd72e93c
change log and migr. guide fixes and _DEPRECATED_REMOVED removed
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-14 11:16:06 +02:00
Gilles Peskine
02b76b7d18
Merge pull request #4619 from TRodziewicz/remove_MBEDTLS_X509_CHECK_x_KEY_USAGE_options
...
Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
2021-06-10 17:43:36 +02:00
TRodziewicz
2a5e5a2759
Correction to the migration guide entry wording
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 16:54:20 +02:00
TRodziewicz
0ea2576502
Correction to the migr. guide wording and removal of not needed option
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 13:31:42 +02:00
TRodziewicz
b8367380b1
Addition of the migration guide
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 13:31:42 +02:00
TRodziewicz
1e66642d68
Addition of change log and migration guide files.
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-09 11:25:28 +02:00
Ronald Cron
f8abfa8b1b
Improve migration guide
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-09 10:54:14 +02:00
Ronald Cron
6fe1bc3f24
Add change log and migration guide
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2021-06-08 14:11:19 +02:00
Manuel Pégourié-Gonnard
16fdab79a5
Merge pull request #4382 from hanno-arm/max_record_payload_api
...
Remove MFL query API and add API for maximum plaintext size of incoming records
2021-06-08 11:07:27 +02:00
Hanno Becker
61f292ea0a
Fix migration guide for now-removed deprecated functions
...
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-06-08 07:50:55 +01:00
TRodziewicz
0730cd5d9e
Merge branch 'development' into Remove__CHECK_PARAMS_option
2021-06-07 15:41:49 +02:00
TRodziewicz
442fdc22ea
Remove MBEDTLS_X509_CHECK_*_KEY_USAGE options but enable the code
...
Signed-off-by: TRodziewicz <tomasz.rodziewicz@mobica.com>
2021-06-07 13:52:23 +02:00
Manuel Pégourié-Gonnard
13a9776676
Editorial improvements
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-07 12:00:04 +02:00
Manuel Pégourié-Gonnard
3b5a7c198c
Update ChangeLog and migration guide
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-06-07 11:13:34 +02:00
Manuel Pégourié-Gonnard
84191eab06
Merge pull request #4315 from Kxuan/feat-pre-compute-tls
...
Static initialize comb table
2021-06-03 11:41:54 +02:00
kXuan
782c2b9f36
fix comment, ChangeLog & migration-guide for MBEDTLS_ECP_FIXED_POINT_OPTIM
...
Signed-off-by: kXuan <kxuanobj@gmail.com>
2021-06-03 15:47:40 +08:00
Manuel Pégourié-Gonnard
1b1327cc0d
Merge pull request #4581 from TRodziewicz/remove_supp_for_extensions_in_pre-v3_X.509_certs
...
Remove MBEDTLS_X509_ALLOW_EXTENSIONS_NON_V3 option
2021-06-02 13:48:03 +02:00
Manuel Pégourié-Gonnard
df77624ab5
Merge pull request #4490 from TRodziewicz/Combine__SSL_<CID-TLS1_3>_PADDING_GRANULARITY_options
...
Combine _SSL_<CID-TLS1_3>_PADDING_GRANULARITY options
2021-06-02 13:47:48 +02:00