espressif/mbedtls
1
0
Fork 0
mirror of https://github.com/espressif/mbedtls.git synced 2025-07-13 10:15:49 +08:00
Code Issues Packages Projects Releases Wiki Activity
32,050 Commits 34 Branches 164 Tags
Commit Graph

32050 Commits

This Branch
This Branch
All Branches
Author SHA1 Message Date
Manuel Pégourié-Gonnard
12df5f3a16 Improve unit tests for mbedtls_asn1_store_named_data 
Every time we check found->val.p we should also check found->val.len.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-05-26 10:55:59 +02:00
Manuel Pégourié-Gonnard
2df7ab7c0c Fix bug in mbedtls_asn1_store_named_data() 
When passed a zero-length val, the function was free-ing the buffer as
the documentation suggests:

 * \param val_len   The minimum length of the data buffer needed.
 *                  If this is 0, do not allocate a buffer for the associated
 *                  data.
 *                  If the OID was already present, enlarge, shrink or free
 *                  the existing buffer to fit \p val_len.

However it kept the previous length, leaving the val structure in the
corresponding item in the output list in an inconsistent state:

    p == NULL but len != 0

As a result, functions that would try using this item in the list
(including the same function!) afterwards would trip an dereference the
NULL pointer.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-05-26 10:42:14 +02:00
Manuel Pégourié-Gonnard
13f86e689e Add tests for bug in mbedtls_x509_string_to_names() 
The commented out tests cause crashes (in different ways) until the bug
is fixed; the first two test are passing already and are here mostly to
provide a reference point.

The bug report was using programs/x509/cert_write, but string_to_names()
is what it was really targetting, which is better for automated tests.
The strings used are a minor adapation of those from the report.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
 2025-05-22 13:18:49 +02:00
Manuel Pégourié-Gonnard
219c3368eb
Merge pull request #1306 from davidhorstmann-arm/pkcs7-padding-side-channel-fix-3.6 
[Backport 3.6] Fix side channel in PKCS7 padding
 2025-05-06 09:34:40 +02:00
David Horstmann
3bd433d38a
Merge pull request #10150 from gilles-peskine-arm/pylint-check-str-concat-3.6 
Backport 3.6: Pylint: Complain about a missing comma in multiline lists of strings
 2025-04-28 16:53:39 +00:00
Gilles Peskine
ae18357880
Merge pull request #10138 from XavierChapron/xch/constify-mbedtls_cipher_base_lookup_table-3.6 
Constify cipher_wrap:mbedtls_cipher_base_lookup_table
 2025-04-24 17:49:03 +00:00
Gilles Peskine
cc4649dd7f Complain about a missing comma in multiline lists of strings 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-04-24 19:37:58 +02:00
Gilles Peskine
0dd76e0470 Prepare framework for pylint check-str-concat-over-line-jumps 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-04-24 19:37:41 +02:00
Gilles Peskine
84442115ff
Merge pull request #10137 from gilles-peskine-arm/test_suite_ssl-fix-ret-20250408-3.6 
Backport 3.6: Fix uncaught failure conditions in test_suite_ssl
 2025-04-23 16:42:17 +00:00
Gilles Peskine
74383ab137
Merge pull request #10132 from valeriosetti/issue157-3.6 
[3.6] Make demo_common.sh usable on its own
 2025-04-18 11:11:11 +00:00
Valerio Setti
309ca525ac framework: update reference 
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-04-18 10:31:28 +02:00
Xavier Chapron
afedef5eea Constify cipher_wrap:mbedtls_cipher_base_lookup_table 
This structure is initialized during the compilation and there is no
reason it changes.
Making it const allows the compiler to put it in .rodata section instead
of .data one.

Signed-off-by: Xavier Chapron <chapron.xavier@gmail.com>
 2025-04-18 09:24:36 +02:00
David Horstmann
e08edcc494
Merge pull request #9469 from mfil/feature/backport36_implement_tls_exporter 
[Backport 3.6] Implement TLS-Exporter
 2025-04-17 14:47:20 +00:00
Gilles Peskine
0e6032dd94 Fix some test helper functions returning 0 on some failures 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-04-17 10:35:04 +02:00
Gilles Peskine
1ff12810e5 Check the status of mbedtls_ssl_set_hostname() 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-04-17 10:35:03 +02:00
Max Fillinger
1b0e2e903b Add missing ifdef for mbedtls_ssl_tls13_exporter 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 14:35:24 +02:00
Max Fillinger
40c202461f Add label_len argument to non-PSA tls_prf_generic 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
820e5cc29b Fix dependencies for TLS-Exporter tests 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
0b65a91eea Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT 
Error was introduced while resolving a merge conflict.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
5122dc6219 Fix mistake in previous comment change 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
7833b18008 Fix HkdfLabel comment 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
529931a34a Allow maximum label length in Hkdf-Expand-Label 
Previously, the length of the label was limited to the maximal length
that would be used in the TLS 1.3 key schedule. With the keying material
exporter, labels of up to 249 bytes may be used.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
6a64f0f171 Exporter: Add min. and max. label tests 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
76bb753054 Fix max. label length in key material exporter 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
97a287953f Document BAD_INPUT_DATA error in key material exporter 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
c361064dee Fix requirements for TLS 1.3 Exporter compat test 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
6f7cf0e402 Use mbedtls_calloc, not regular calloc 
Also fix the allocation size.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
2310c1970b Add fixed compatibility test for TLS 1.3 Exporter 
When testing TLS 1.3, use O_NEXT_CLI.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
e009158d71 Remove exporter compatibility test for TLS 1.3 
The openssl version in the docker image doesn't support TLS 1.3, so we
can't run the test.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:50 +02:00
Max Fillinger
0faf5d19a7 Fix openssl s_client invocation 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:49 +02:00
Max Fillinger
d22493f86b Print names of new tests properly 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:49 +02:00
Max Fillinger
a442aea2be Fix memory leak in example programs 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:49 +02:00
Max Fillinger
9c3a7ba6da ssl-opt.sh: Add tests for keying material export 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:49 +02:00
Max Fillinger
c8f936e746 mbedtls_test_ssl_do_handshake_with_endpoints: Zeroize endpoints 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:24:49 +02:00
Max Fillinger
ede294ea42 Exporter tests: Don't use unavailbable constant 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:49 +02:00
Max Fillinger
2c2a6ac64c Exporter tests: Add missing depends-ons 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:24:47 +02:00
Max Fillinger
8ee21410f1 Use one maximum key_len for all exported keys 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:42 +02:00
Max Fillinger
fb7e578689 Exporter tests: Reduce key size in long key tests 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:42 +02:00
Max Fillinger
20e4ac8b3e Exporter tests: Free endpoints before PSA_DONE() 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:42 +02:00
Max Fillinger
81b41d40dc Exporter tests: Fix possible uninitialized variable use 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:23:42 +02:00
Max Fillinger
538ed71ecb Coding style cleanup 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:23:42 +02:00
Max Fillinger
e825110391 Exporter tests: Initialize allocated memory 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:23:42 +02:00
Max Fillinger
436cc20378 Exportert tests: Free endpoints and options 
Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:23:41 +02:00
Max Fillinger
e95edbf6c5 Fix output size check for key material exporter 
HKDF-Expand can produce at most 255 * hash_size bytes of key material,
so this limit applies to the TLS 1.3 key material exporter.

Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:41 +02:00
Max Fillinger
ffc47e6e2b Increase allowed output size of HKDF-Expand-Label 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:41 +02:00
Max Fillinger
9e23339ae9 Add more tests for keying material export 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:23:40 +02:00
Max Fillinger
1bc2a9bdbf Mention MBEDTLS_SSL_KEYING_MATERIAL_EXPORT in change log 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:20:50 +02:00
Max Fillinger
8fa72523be Fix #endif comment 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:20:50 +02:00
Max Fillinger
d97e0e8edc Enable MBEDTLS_SSL_KEYING_MATERIAL_EXPORT by default 
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com>
 2025-04-16 11:20:50 +02:00
Max Fillinger
951b886801 Create MBEDTLS_SSL_KEYING_MATERIAL_EXPORT option 
Add the option MBEDTLS_SSL_KEYING_MATERIAL_EXPORT to mbedtls_config.h
to control if the function mbedtls_ssl_export_keying_material() should
be available. By default, the option is disabled.

This is because the exporter for TLS 1.2 requires client_random and
server_random need to be stored after the handshake is complete.

Signed-off-by: Max Fillinger <max@max-fillinger.net>
 2025-04-16 11:20:50 +02:00