yuzu-emu/mbedtls
2
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity
20535 commits 1 branch 0 tags 94 MiB
Commit graph

20535 commits

This branch
This branch
All branches
Author SHA1 Message Date
Manuel Pégourié-Gonnard
2a47d23927 Update strategy.md 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
83c538869e Update psa-limitations 
- misc updates about on-going/recent work
- removal of the section about mixed-PSK: being done in #5762
- clarifications in some places
- some typo fixes

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
b8a6c2320e Update testing.md 
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
2ffb93a83b Rm tasks-g2.md 
That document was always temporary (said so at the top). Now superseded
by https://github.com/orgs/Mbed-TLS/projects/1#column-18338322

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2022-07-04 12:38:43 +02:00
Manuel Pégourié-Gonnard
4d7af2aee0
Merge pull request #5835 from superna9999/5831-tls-1-2-ciphersuite-selection 
Permissions 2a: TLS 1.2 ciphersuite selection
 2022-07-04 12:37:02 +02:00
Paul Elliott
41aa808a56
Merge pull request #952 from gilles-peskine-arm/stdio_buffering-setbuf 
Turn off stdio buffering with setbuf()
 2022-07-04 10:12:22 +01:00
Ronald Cron
0e39ece23f
Merge pull request #5916 from yuhaoth/pr/tls13-refactor-get-sig-alg-from-pk 
Refactor signature algorithm chooser
 2022-07-04 09:10:08 +02:00
Paul Elliott
7c6b0e4464
Merge pull request #5972 from wernerlewis/migration_guide_removals 
Add guidance for deprecated functions and macros to migration guide
 2022-07-01 17:40:21 +01:00
Neil Armstrong
6931e439e4 Fix Handshake select ECDH-RSA- test dependencies 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 18:30:10 +02:00
Paul Elliott
bae7a1a5a6
Merge pull request #5620 from gstrauss/dn_hints 
Add accessors to config DN hints for cert request
 2022-07-01 17:23:14 +01:00
Paul Elliott
c466ec2e73 Fix code formatting 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-01 16:43:25 +01:00
Paul Elliott
dfb5da2a99 Fix changelog requirements section. 
Setbuf() is currently not guarded by MBEDTLS_FS_IO, nor can it easily be
so. Raised a seperate issue to cover this, and removed the mention of
MBEDTLS_FS_IO from the Changelog.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-01 16:32:14 +01:00
Paul Elliott
ff15dbab4c Make definition order a bit neater 
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
 2022-07-01 16:30:08 +01:00
Ronald Cron
7922bfbd47
Merge pull request #6005 from ronald-cron-arm/tls13-changelogs-doc-update 
TLS 1.3: Add missing change logs and update doc for 3.2 release

Validated by the internal CI, ready to be merged.
 2022-07-01 17:27:33 +02:00
Neil Armstrong
971f30d917 Fix mbedtls_ssl_get_ciphersuite_sig_alg() by returning MBEDTLS_PK_NONE for MBEDTLS_KEY_EXCHANGE_RSA 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 16:23:50 +02:00
Neil Armstrong
c67e6e96f8 Depends on MBEDTLS_X509_REMOVE_INFO disable for double Opaque keys test requiring cert infos to determine selected key 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 15:48:10 +02:00
Gabor Mezei
dc3f3bb8b1
Initilize variable 
Coverity scan detected a problem of an uinitilized variable.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
 2022-07-01 15:06:34 +02:00
Ronald Cron
3cb707dc6d Fix and improve logs and documentation 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-01 14:36:52 +02:00
Jerry Yu
7ac0d498de remove force_version for client 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-01 19:29:30 +08:00
Manuel Pégourié-Gonnard
8b8a1610f7
Merge pull request #936 from paul-elliott-arm/fix_tls_record_size_check 
Fix the wrong variable being used for TLS record size checks
 2022-07-01 12:29:48 +02:00
Manuel Pégourié-Gonnard
790ab52ee0
Merge pull request #5962 from gilles-peskine-arm/storage-format-doc-202206 
Documentation about storage format compatibility
 2022-07-01 12:21:17 +02:00
Jerry Yu
52b7d923fe fix various issues 
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
 2022-07-01 18:12:44 +08:00
Ronald Cron
08346434d2 Add TLS 1.3 change logs 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-01 11:37:07 +02:00
Ronald Cron
2ba0d23c65 Update TLS 1.3 support documentation 
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
 2022-07-01 11:25:49 +02:00
Neil Armstrong
7999cb3896 Remove auth_mode=required and client crt_file/key_file when testing server authentication 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 09:51:33 +02:00
Neil Armstrong
4b10209568 Use different certs for double opaque keys and check certificate issuer CN 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-07-01 09:48:09 +02:00
Manuel Pégourié-Gonnard
11ccb35987
Merge pull request #5994 from gilles-peskine-arm/storage-format-doc-2.25-development 
Update storage format specification for Mbed TLS 2.25.0+
 2022-07-01 09:25:35 +02:00
Gilles Peskine
0bd76ee2ed Fix Doxygen documentation attached to non-existent elements 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 19:32:02 +02:00
Neil Armstrong
1948a20796 Cleanup Order & Title of Opaque TLS tests, fix RSA- test definition 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 18:05:57 +02:00
Neil Armstrong
96eceb8022 Refine mbedtls_ssl_tls12_get_preferred_hash_for_sig_alg() when USE_PSA_CRYPTO is selected 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 18:05:05 +02:00
Gilles Peskine
cf4d9f98c7 Changelog entry for mbedtls_setbuf() 
* Security: we're improving a countermeasure.
* Requirement change: the library will no longer compile on a platform
  without setbuf().

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:11:30 +02:00
Gilles Peskine
6d576c9646 Call setbuf when reading or writing files: programs 
After opening a file containing sensitive data, call mbedtls_setbuf() to
disable buffering. This way, we don't expose sensitive data to a memory
disclosure vulnerability in a buffer outside our control.

This commit adds a call to mbedtls_setbuf() after each call to fopen(),
but only in sample programs that were calling mbedtls_platform_zeroize().
Don't bother protecting stdio buffers in programs where application buffers
weren't protected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:06:11 +02:00
Gilles Peskine
da0913ba6b Call setbuf when reading or writing files: library 
After opening a file containing sensitive data, call mbedtls_setbuf() to
disable buffering. This way, we don't expose sensitive data to a memory
disclosure vulnerability in a buffer outside our control.

This commit adds a call to mbedtls_setbuf() after each call to fopen(),
except:
* In ctr_drbg.c, in load_file(), because this is only used for DH parameters
  and they are not confidential data.
* In psa_its_file.c, in psa_its_remove(), because the file is only opened
  to check its existence, we don't read data from it.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:03:40 +02:00
Gilles Peskine
6497b5a1d1 Add setbuf platform function 
Add a platform function mbedtls_setbuf(), defaulting to setbuf().

The intent is to allow disabling stdio buffering when reading or writing
files with sensitive data, because this exposes the sensitive data to a
subsequent memory disclosure vulnerability.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 17:01:40 +02:00
Ronald Cron
cb67e1a890
Merge pull request #5917 from gilles-peskine-arm/asn1write-0-fix 
Improve ASN.1 write tests
 2022-06-30 15:42:16 +02:00
Ronald Cron
bcde39ca4a
Merge pull request #5612 from tom-cosgrove-arm/tls13-config-options 
Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3

Fully validated by the internal CI. No need to wait for the open one.
 2022-06-30 15:10:02 +02:00
Gilles Peskine
0b7ee23fe0 Historical update: the layout on stdio changed in Mbed Crypto 1.1.0 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 12:16:50 +02:00
Gilles Peskine
38989612d6 Typos 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 12:16:32 +02:00
Gilles Peskine
219a34839c Repeat the seed file documentation in 2.25.0 
This way the 2.25.0 section is now fully self-contained.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 12:15:53 +02:00
Gilles Peskine
3d65a19ee3 Fix wrong type in C snippet 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 12:15:35 +02:00
Neil Armstrong
167d82c4df Add dual keys Opaque ssl-opt tests 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 11:32:00 +02:00
Manuel Pégourié-Gonnard
31fcfd5632
Merge pull request #5981 from mprse/hkdf_config_fix 
Add comment to config_psa.h about enabling PSA_HKDF/-EXTRACT/-EXPAND
 2022-06-30 11:27:16 +02:00
Neil Armstrong
36b022334c Reorganize Opaque ssl-opt tests, pass key_opaque_algs=, add less wrong negative server testings 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 11:16:53 +02:00
Neil Armstrong
b2c3b5be2d Fix depends on handshake_ciphersuite_select tests 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 10:49:04 +02:00
Tom Cosgrove
d7adb3c7d9 Add comments about MBEDTLS_PSA_CRYPTO_C also being required by MBEDTLS_SSL_PROTO_TLS1_3 
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-06-30 09:48:40 +01:00
Gilles Peskine
25e39f24b9 Add section for Mbed TLS 2.25.0+ 
We hadn't updated the storage specification in a while. There have been no
changes to the storage layout, but the details of the contents of some
fields have changed.

Since this is now a de facto stable format (unchanged between 2.25 and 3.2),
describe it fully, avoiding references to previous versions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2022-06-30 09:16:53 +02:00
Neil Armstrong
db13497490 Reorganize & add more handshake_ciphersuite_select to test all MBEDTLS_KEY_EXCHANGE_XXX cases 
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
 2022-06-30 09:06:28 +02:00
Paul Elliott
f6a56cf5ff
Merge pull request #939 from ronald-cron-arm/tls13-add-missing-overread-check 
TLS 1.3: Add missing overread check
 2022-06-29 17:01:14 +01:00
Tom Cosgrove
afb2fe1acf Document that MBEDTLS_SSL_KEEP_PEER_CERTIFICATE is required by MBEDTLS_SSL_PROTO_TLS1_3 
Also have check_config.h enforce this. And MBEDTLS_SSL_EXPORT_KEYS has been removed,
so no longer mention it.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
 2022-06-29 16:36:12 +01:00
Dave Rodgman
1dc6848679
Merge pull request #5976 from gilles-peskine-arm/selftest-calloc-pointer-comparison-fix-development 
Remove largely useless bit of test log to silence GCC 12
 2022-06-29 15:25:04 +01:00