Commit graph

88 commits

Author SHA1 Message Date
Leonid Rozenboim
70dfd4c8ac ssl_tls12_server: fix potential NULL-dereferencing if local certificate was not set.
Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
2022-08-18 14:39:37 -07:00
Thomas Daubney
20f89a9605 Remove uses of SSL compression
Remove or modify current uses of session compression.

Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2022-07-26 16:13:03 +01:00
Paul Elliott
f518f81d41 Ensure return for mbedtls_ssl_write_alpn_ext() is checked
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 12:37:47 +01:00
Ronald Cron
ce7d76e2ee Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr 2022-07-11 10:22:37 +02:00
Manuel Pégourié-Gonnard
4d7af2aee0
Merge pull request #5835 from superna9999/5831-tls-1-2-ciphersuite-selection
Permissions 2a: TLS 1.2 ciphersuite selection
2022-07-04 12:37:02 +02:00
Glenn Strauss
999ef70b27 Add accessors to config DN hints for cert request
mbedtls_ssl_conf_dn_hints()
mbedtls_ssl_set_hs_dn_hints()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-06-28 12:43:59 -04:00
Neil Armstrong
9f1176a793 Move preferred_hash_for_sig_alg() check after ssl_pick_cert() and check if hash alg is supported with mbedtls_pk_can_do_ext()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-06-28 18:12:17 +02:00
Neil Armstrong
9f4606e6d2 Rename mbedtls_ssl_get_ciphersuite_sig_pk_ext_XXX in mbedtls_ssl_get_ciphersuite_sig_pk_ext_XXX()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-06-28 18:12:17 +02:00
Neil Armstrong
0c9c10a401 Introduce mbedtls_ssl_get_ciphersuite_sig_pk_ext_alg() and use it in ssl_pick_cert()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-06-28 18:10:48 +02:00
XiaokangQian
acb3992251 Add ALPN extension to the server side
CustomizedGitHooks: yes
Change-Id: I6fe1516963e7b5727710872ee91fea7fc51d2776
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-06-22 06:34:58 +00:00
Manuel Pégourié-Gonnard
a3115dc0e6 Mark static int SSL functions CHECK_RETURN_CRITICAL
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-06-20 21:12:52 +02:00
Manuel Pégourié-Gonnard
b64fb62ead Fix unchecked return value from internal function
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-06-20 21:12:29 +02:00
Gilles Peskine
e0469b5908
Merge pull request #931 from AndrzejKurek/clihlo_cookie_pxy_fix
Add a client hello cookie_len overflow test
2022-06-20 19:35:54 +02:00
Ronald Cron
ca3c6a5698
Merge pull request #5817 from xkqian/tls13_add_server_name
Tls13 add server name
2022-06-16 08:30:09 +02:00
Andrzej Kurek
755ddff25c Fix print format in a debug message
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-06-15 07:32:02 -04:00
Andrzej Kurek
cbe14ec967 Improve variable extracting operations by using MBEDTLS_GET macros
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-06-15 07:17:28 -04:00
Andrzej Kurek
b58cf0d172 Split a debug message into two - for clarity
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-06-08 11:53:59 -04:00
Gilles Peskine
364fd8bb71 More SSL debug messages for ClientHello parsing
In particular, be verbose when checking the ClientHello cookie in a possible
DTLS reconnection.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-06-06 14:25:41 -04:00
Dave Rodgman
a3344f7bac
Merge pull request #5767 from leorosen/avoid-null-args
Avoid potentially passing NULL arguments
2022-05-30 11:40:21 +01:00
XiaokangQian
9b2b7716b0 Change mbedtls_ssl_parse_server_name_ext base on comments
Change-Id: I4ae831925cb1899afafb7dc626bfad9be24a5c8c
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-30 08:07:16 +00:00
XiaokangQian
40a3523eb7 Add support of server name extension to server side
Change-Id: Iccf5017e306ba6ead2e1026a29f397ead084cc4d
Signed-off-by: XiaokangQian <xiaokang.qian@arm.com>
2022-05-30 08:07:16 +00:00
Ronald Cron
9edf51d8cd
Merge pull request #5785 from gabor-mezei-arm/5460_unify_parsing_sig_alg_ext
Unify parsing of the signature algorithms extension in TLS 1.2 and TLS 1.3
CI ABI API check job failure is expected as the PR do some changes in ssl_misc.h.
@RcColes if you eventually want to request some changes, they can be done in a follow-up PR.
2022-05-17 17:01:55 +02:00
Paul Elliott
114203814a Better check for NULL pointer
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-05-17 15:01:20 +01:00
Paul Elliott
dd428d3650 Fix incorrect error message
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-05-13 17:43:16 +01:00
Gabor Mezei
696956da24
Typo
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-13 17:02:19 +02:00
Gabor Mezei
0a4298bbe9
Remove unnecessary duble conversion
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-13 17:02:18 +02:00
Shaun Case
8b0ecbccf4 Redo of PR#5345. Fixed spelling and typographical errors found by CodeSpell.
Signed-off-by: Shaun Case <warmsocks@gmail.com>
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-05-11 21:25:51 +01:00
Gabor Mezei
86acf05b1e
Update signiture algorithm handling
Rename local variables and to simplify things use static_assert to
determine if the default signiture algorithms are not fit into the
SSL handshake structure.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:19 +02:00
Gabor Mezei
c1051b62aa
Remove MBEDTLS_SSL_SIG_ALG_SET macro
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:19 +02:00
Gabor Mezei
a3d016ce41
Rename and rewrite mbedtls_ssl_sig_hash_set_find function
Rename `mbedtls_ssl_sig_hash_set_find` function to a suitable name
and rewrite to operate TLS signature algorithm identifiers.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:18 +02:00
Gabor Mezei
1226590c88
Explicitly set invalid value for the end of the signiture algorithm set
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:18 +02:00
Gabor Mezei
15b95a6c52
Use common macro for the invalid signiture algorithm botn in TLS 1.2 and 1.3
Introduce a new macro MBEDTLS_TLS_SIG_NONE for invalid signiture algorithm.
It is intended to use in common code of TLS 1.2 and 1.3.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:18 +02:00
Gabor Mezei
078e803d2c
Unify parsing of the signature algorithms extension
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-05-11 14:29:08 +02:00
Neil Armstrong
8ecd66884f Keep raw PSK when set via mbedtls_ssl_conf_psk() and feed as input_bytes
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-05 14:01:49 +02:00
Neil Armstrong
80f6f32495 Make mbedtls_ssl_psk_derive_premaster() only for when MBEDTLS_USE_PSA_CRYPTO is not selected
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
cd05f0b9e5 Drop skip PMS generation for opaque XXX-PSK now Opaque PSA key is always present when MBEDTLS_USE_PSA_CRYPTO selected
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
e952a30d47 Remove RAW PSK when MBEDTLS_USE_PSA_CRYPTO is selected
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Neil Armstrong
61f237afb7 Remove PSA-only code dealing with non-opaque PSA key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-05-04 11:08:41 +02:00
Manuel Pégourié-Gonnard
67397fa4fd
Merge pull request #5704 from mprse/mixed_psk_2cx
Mixed PSK 2a, 2b, 2c: enable client/server support opaque RSA-PSK, ECDHE-PSK, DHE-PSK
2022-04-29 10:47:16 +02:00
Gilles Peskine
8855e36030
Merge pull request #5674 from superna9999/5668-abstract-tls-mode-cleanup
Cipher cleanup: abstract TLS mode
2022-04-28 12:33:38 +02:00
Przemek Stekiel
99114f3084 Fix build flags for opaque/raw psk checks
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:54:34 +02:00
Przemek Stekiel
cb322eac6b Enable support for psa opaque DHE-PSK key exchange on the server side
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:54:33 +02:00
Przemek Stekiel
14d11b0877 Enable support for psa opaque ECDHE-PSK key exchange on the server side
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:53:55 +02:00
Przemek Stekiel
aeb710fec5 Enable support for psa opaque RSA-PSK key exchange on the server side
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-04-22 14:52:28 +02:00
Manuel Pégourié-Gonnard
55132c6a9a
Merge pull request #5703 from superna9999/5322-ecdh-remove-legacy-context
TLS ECDH 4: remove legacy context
2022-04-22 14:27:06 +02:00
Neil Armstrong
76b7407bd7 Use MBEDTLS_SSL_SOME_SUITES_USE_CBC_ETM to enable ssl_write_encrypt_then_mac_ext()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
ab555e0a6c Rename mbedtls_get_mode_from_XXX to mbedtls_ssl_get_mode_from_XXX
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Neil Armstrong
fe635e42c9 Use mbedtls_get_mode_from_ciphersuite() in server-side ssl_write_encrypt_then_mac_ext()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-22 14:25:59 +02:00
Leonid Rozenboim
287527042b Avoid potentially passing NULL arguments
Several call sites flagged by Coverity that may potentially cause
a pointer argument to be NULL.

In two cases the issue is using a function call as a parameter to
a second function, where the first function may return NULL, while
the second function does not check for the NULL argument value.

Remaining case is when static configuration is mixed with run-time
decision, that could result in a data buffer argument being NULL.

Signed-off-by: Leonid Rozenboim <leonid.rozenboim@oracle.com>
2022-04-21 18:00:52 -07:00
Paul Elliott
a2da9c7e45
Merge pull request #5631 from gstrauss/enum-tls-vers
Unify internal/external TLS protocol version enums
2022-04-19 17:05:26 +01:00