File mbedtls.changes of Package mbedtls
-------------------------------------------------------------------
Thu Oct 17 09:38:18 UTC 2024 - Pedro Monreal <pmonreal@suse.com>

- Update to version 3.6.2: [bsc#1231708, CVE-2024-49195]
  * test_suite_pkwrite: extend coverage of wrong output buffer sizes in pk_write_check_common()
  * pkwrite: fix buffer overrun

-------------------------------------------------------------------
Sat Sep 07 12:00:00 UTC 2024 - cunix@mail.de

- Update to version 3.6.1:
  * Move some ChangeLog entries to a different section
  * Add CVE IDs to security ChangeLog
  * Update BRANCHES.md
  * Add generated files
  * Finalise ChangeLog
  * Bump version to 3.6.1
  * Assemble ChangeLog
  * Don't clean test_keys.h and test_certs.h
  * Fix typos in make clean target for Windows
  * Fix/Improve documentation
  * Rename some "new_session_tickets" symbols
  * Fix change log
  * Improve documentation
  * Move session tickets getter functions to ssl_misc.h
  * Add change logs
  * Improve debug logs
  * Move MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET doc
  * Do not add a new field in the SSL config
  * ssl_client2: Fix new_session_tickets option parsing
  * Document NewSessionTicket handling being disabled by default
  * Improve MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET documentation
  * Document MBEDTLS_ERR_SSL_RECEIVED_NEW_SESSION_TICKET.
  * Enable TLS 1.3 ticket handling in resumption tests
  * TLS 1.3: Ignore tickets if disabled at runtime
  * Add mbedtls_ssl_conf_enable_new_session_tickets() API
  * TLS 1.3 server: move crypto_init after protocol negotiation
  * Changelog entry for psa_crypto_init potentially being called from TLS
  * Clarify "negotiating"
  * Error translation and init are needed in PSK-only builds as well
  * Call psa_crypto_init in the library when required for TLS 1.3
  * Don't call psa_crypto_init in test programs when not required for TLS 1.3
  * Don't call psa_crypto_init in unit tests when not required for TLS 1.3
  * Call psa_crypto_init in the library when required for TLS 1.3: doc
  * Fix the capitalisation in the changelog entry
  * Reduce the wording in changelog entry
  * Improve the changelog entry for fixing legacy compression issue
  * Add chanelog entry for fixing legacy comprssion methods issue
  * Remove redundant legacy compression test
  * Improve legacy compression regression testing
  * Add regression testing to handling Legacy_compression_methods
  * Improve comments explaining legacy_methods_compression handling
  * Correct a small typo in ssl_tls13_parse_client_hello()
  * Improve handling of legacy_compression_methods in ssl_tls13_parse_client_hello()
  * Fix issue in handling legacy_compression_methods in ssl_tls13_parse_client_hello()
  * Fix Changelog formatting
  * Add header for mbedtls_mpi_exp_mod_unsafe()
  * Improve ChangeLog
  * Make mbedtls_mpi_exp_mod_unsafe internal
  * Add changelog
  * Tiny fix in ChangeLog pt 2
  * Tiny fix in ChangeLog
  * Changelog entry for the RSA memory leak
  * Simplify and explain the overflow check for maximum slice length
  * Add overflow check for maximum key slot length
  * Tweak macro check to allow 3 extra key slices
  * Fix incorrect comments on slice numbering
  * Add a ChangeLog entry
  * Fix guards around function now used by 1.3 as well
  * Fix typos in comments
  * Fix two dependency declarations in ssl-opt
  * Improve some comments
  * Merge 1.2 and 1.3 certificate verification
  * Minor refactoring of generic SSL certificate verif
  * Add support for context f_vrfy callback in 1.3
  * Improve a variable's name
  * Restrict the scope of a few variables
  * ssl-opt.sh: Test trusted certificate callback in TLS 1.3
  * tls13: Add support for trusted certificate callback
  * ssl-opt.sh: Fix test case titles
  * Allow no authentication of the server in 1.3
  * Reorder some tests in ssl-opt.sh
  * Allow optional authentication of the server in 1.3
  * Add comments about 1.3 server sending no cert
  * Rm translation code for unused flag
  * Simplify certificate curve check for 1.2
  * Make mbedtls_ssl_check_cert_usage() work for 1.3
  * Clean up mbedtls_ssl_check_cert_usage()
  * Test cert alert REVOKED -> CERT_REVOKED
  * Test cert alert NOT_TRUSTED -> UNKNOWN_CA
  * Fix ordering of a test case in ssl-opt.sh
  * Add test forcing TLS 1.2 for clearer coverage
  * Fix memory corruption in exp_mod tests
  * Edit ChangeLog entry
  * Clean up initialization in _core_exp_mod()
  * Disable optionally safe test hook in threading builds
  * Fix optionally safe hooks declarations
  * Update ChangeLog
  * Free allocated memory where methods were returning without freeing
  * Add test cases for extKeyUsage
  * Optimise public RSA operations
  * Fix mpi_core_exp_mod documentation
  * Rationalize extKeyUsage tests
  * Fix Mbed-TLS build when WIN32_LEAN_AND_MEAN macro is defined globally
  * The fully static key store will miss the 3.6.1 release
  * Mention the option name for the dynamic key store
  * Add tests for optionally unsafe code paths
  * Update framework to the head of the main branch
  * Add tests for optionally safe codepaths
  * Use actual exponent size for window calculation
  * Move _public parameters next to their target
  * Make MBEDTLS_MPI_IS_PUBLIC thumb friendly
  * Move MBEDTLS_MPI_IS_* macros to bignum_core.h
  * Move mixed security code to small local functions
  * Make _optionally_safe functions internal
  * Improve documentation of MBEDTLS_MPI_IS_PUBLIC
  * PSA PAKE wasn't in 2.28
  * entropy.h is also going away
  * Use
    P_CLI when O_CLI's status is not reliable
  * Mention interfaces replaced by PSA drivers
  * Update the submodule to the head of PR in the framework repository
  * Changelog entry
  * Remove MBEDTLS_PSA_UTIL_HAVE_ECDSA so that functions are only enabled when PSA enabled
  * Clarify some internal documentation
  * Make integer downsizing explicit
  * Changelog entry for MBEDTLS_PSA_KEY_STORE_DYNAMIC
  * Add test components with the PSA static key store
  * Dynamic key store: make full-key-store tests work effectively
  * Microoptimizations when MBEDTLS_PSA_KEY_STORE_DYNAMIC is disabled
  * Dynamic key store: implementation
  * psa_key_slot_t: different fields in free vs occupied slots
  * Dynamic key store: disable full-key-store tests
  * Dynamic key store: preparatory refactoring
  * Dynamic key store: new compilation option
  * Improve documentation in some tests
  * Revised presentation of cipher suites
  * More relevant characterisation of PSA being from before 3.0
  * Improve mechanism grouping
  * Fix missing bits in crypto mechanisms
  * Rationalize keyUsage testing, round 2
  * Always print detailed cert errors in test programs
  * Fix 1.3 failure to update flags for (ext)KeyUsage
  * Rationalize ssl-opt tests for keyUsage
  * Test cert alert KEY_USAGE -> UNSUPPORTED_CERT
  * Mention the PSA transition guide
  * Announce the main removals planned for 4.0
  * PSA_DONE: account for MBEDTLS_TEST_PSA_INTERNAL_KEYS
  * Fix inverted assertion message
  * Call in_mbedtls_repo
  * Move some proj detection code inside pre_check_environment
  * Match spacing in pointer types in documentation with the code style
  * Rename one more deprecated identifier
  * Documentation improvements
  * Rename internal function psa_key_production_parameters_are_default
  * key_custom: update analyze_outcomes.py
  * Test cpp_dummy_build in pedantic mode
  * Changelog entry for the move from key_ext to key_custom functions
  * Remove some tests of psa_generate_key_ext
  * Document the key_ext functions as deprecated
  * Documentation: point to key_custom instead of
    key_ext
  * Update PSA wrappers
  * Implement psa_generate_key_custom
  * Fix missing-prototype error for the print_buf functions in sample programs
  * Revert commit 33af72df in order to not depend on test code
  * Fix format-pedantic error in programs/test/metatest.c
  * Use correct conditionals in programs/ssl (fix unused-function errors)
  * Add missing include in tests/src/psa_memory_poisoning_wrappers.c to fix missing-prototype error
  * Fix Uncrustify errors in modified tests/suites to satisfy check_code_style test
  * Use correct test case conditionals for helper functions in tests/suites
  * Fix tests build with MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS enabled
  * Move the -Wmissing-prototypes option from library/CMakeLists.txt to the top-level CMakeLists.txt for GCC & Clang
  * Adjust spacing in tests/suites function sources
  * Fix missing-prototype errors in tests/suites
  * Fix unused-function error for ecjpake_operation_setup in test_suite_psa_crypto.function
  * Adjust spacing in sample programs
  * Fix missing-prototype errors in sample programs
  * Fix missing-prototype error in programs/fuzz by moving LLVMFuzzerTestOneInput prototype to common.h
  * Move print_buf into mbedtls_test_print_buf helper function in sample programs
  * Add missing include in tests/src/asn1_helpers.c
  * Add -Wmissing-prototypes to component_build_no_ssl_srv and component_build_no_ssl_cli in all.sh
  * Fix build of v3.6 with unset MBEDTLS_DHM_C but MBEDTLS_USE_PSA_CRYPTO set (fixes #9188)
  * Fix server mode only build of v3.6 with MBEDTLS_SSL_CLI_C unset (fixes #9186)
  * all.sh/components: Removed components.sh
  * all.sh/components: Moved build_aes_via_padlock to platform component.
  * all.sh/components: Moved driver components to configuration crypto.
  * all.sh/components: Moved more components to configuration crypto.
  * all.sh/components: Fixed a typo in configuration-tls.
  * all.sh/components: Moved more components to configuration tls.
  * Extract sanitizer components into a separate file.
  * Extract platform components into a separate file.
  * Extract configuration components into a separate file.
  * Extract configuration-x509 components into a separate file.
  * Extract configuration-platform components into a separate file.
  * Extract configuration-crypto-components into a separate file.
  * Extract compliance-components into a separate file.
  * Extract compiler-components into a separate file.
  * Extract build-components into a separate file.
  * Extract basic-components into a separate file.
  * Separate all.sh from components.
  * Applied consistent style.
  * Created placeholder component files.
  * Update framework
  * Add functions to detect project
  * Introduce project_name.txt
  * Miscellaneous clarifications
  * Expand on performance
  * Discuss why we have so many variants
  * Link to issue about freeing empty slices
  * Improve and fix explanation of next_free
  * Update macro name about the static key store
  * Typos and minor clarifications
  * Improve description of who is affected
  * More diversified sizes in tests
  * Fix stack buffer overflow in ECDSA signature format conversions
  * Force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE based on CTR_DRBG
  * Document that MBEDTLS_PSA_HMAC_DRBG_MD_TYPE does not force HMAC
  * Update auto-generated psa_test_wrappers.
  * Update the framework submodule to the merge of PR38
  * Update framework as in PR 9394
  * programs: fuzz: Fix comment
  * tests: CMake: Align/fix config test suite generation
  * CMake: Include CMakePrintHelpers
  * Fix copypasta
  * Keep track of PSA keys used interally
  * Fix spurious test case failure with accelerated AES
  * Improve full-key-store tests
  * Improve the documentation of MBEDTLS_PSA_KEY_SLOT_COUNT
  * Update invalid key id in a test case
  * Fix overlap between volatile keys and built-in keys
  * Assert that the key ID range for volatile keys is large enough
  * Assert that key ID ranges don't overlap
  * Add a test for the built-in key range
  * Prevent mbedtls_psa_register_se_key with volatile keys
  * Reorder blocks to avoid double negations
  * Make it possible to enable CTR_DRBG/PSA without a PSA AES driver
  * MBEDTLS_STATIC_ASSERT: make it work outside of a function
  * Add TLS: password protected... to ignored_tests list
  * Reverted requires_cipher_enabled AES
  * Changed some tests to use requires_cipher_enabled
  * Added support for MD5 in `requires_hash_alg`
  * Upgrade python dependencies in requirements file
  * tests/ssl_helpers: Check that message queue is popped
  * psa: fix parameters' names of psa_key_derivation_verify_bytes()
  * Fix some typo for include folder
  * Fix typo in platform_util.c
  * Update framework submodule
  * Update the framework submodule to the merge of PR18
  * Update framework submodule
  * Update generated tls13 testcase script
  * Move variable into generated bash
  * Simplify path in audit-validity-dates.py
  * Simplify data_files path in compat test generation
  * Use variable for data_files path in ssl-opt.sh
  * Replace data_files path with variable in compat.sh
  * Correct redundant framework/../framework paths
  * Fix line-too-long in generate_tls13_compat_tests.py
  * Update directory-climbing path in context-info.sh
  * Update paths pointing to tests/data_files
  * Move some files to framework repository
  * psa_cipher_decrypt CCM*: fix rejection of messages shorter than 3
    bytes
  * Update framework after merge of #28
  * psa_open_key does not lock the key in memory
  * Document the key store design
  * changelog: add changelog
  * config_psa: do not update legacy symbols in client-only PSA build
  * Update generate_config_tests.py
  * Add some missing handling for generated test_suite_config.*.data
  * Anchor relative paths
  * Driver vs referenee: ignore relevant configuration differences
  * Generate config test cases for single options
  * New test suite to report configuration options
  * Clean up generated files enumeration
  * Recognize that a double-inclusion guard is not a config setting
  * Update framework submodule to the merge of PR22
  * test_when_no_ciphersuites_have_mac: Fix logs
  * tests: src: Fix PSA test wrappers for PAKE
  * Add optionally unsafe variant of exp_mod for perf
  * Update framework
  * Changelog Fix
  * Add ChangeLog
  * Add and update some .gitignore files
  * all.sh: Fix clean-up of Makefiles generated by CMake
  * Code style fix
  * Fix compiler warnings in test_suite_pk.function
  * Use CMAKE_C_SIMULATE_ID when available to determine compiler
  * Silence gcc 12.2.0 warning
  * Fix incorrect array length in function prototype
  * Set psk to NULL in ssl_psk_remove -backpor to 3.6
  * Extend python checks to framework scripts
  * Remove multi-type variable
  * Allow code_style.py to work from a git hook
  * Use unsigned long rather than size_t for format string readability
  * Fix uint32_t printed as unsigned int
  * Update framework to latest
  * crypto.h: fix documentation for some functions
  * changelog: add changelog for PSA CMAC fix
  * adjust_legacy_crypto: enable CIPHER_C when PSA CMAC is builtin
  * Update framework submodule
  * Update file paths for moved files
  * Move some test generation files to framework
  * Make abi_check.py look in both locations
  * Guard configuration-specific code
  * ssl-opt.sh, compat.sh: Error out if not executing any tests
  * Do not use --recurse-submodules
  * Extend C code style check to framework files
  * Extend basic checks of files to
    framework files
  * Error on unexpectedly defined symbols
  * Tweak wording
  * Update framework submodule to the merge of #15
  * fix typo
  * Document that there is now an error for dangerous inclusions
  * Warn if mbedtls_config.h is included manually
  * Error out if *adjust* headers are included manually
  * Macros to indicate the finalization level of the configuration
  * Belated changelog entry for not including check_config.h
  * Document check-config.h and *adjust*.h as internal headers
  * Pacify pylint
  * Generate test data before coverage analysis
  * Improve test-ref-configs.pl
  * Fix crypto_adjust_config_dependencies.h documentation
  * Fix PBKDF2_AES_CMAC_PRF_128 dependencies
  * Fix the resolution of dependencies on HMAC
  * Fix "maybe-uninitialized" warning with GCC 11.3
  * Resolve PBKDF2_AES_CMAC_PRF_128 dependencies
  * Resolve some HMAC dependencies automatically
  * test-ref-configs.pl: Detect automatically test with USE_PSA enabled
  * Fix compat.sh filters
  * config-symmetric-only.h: Add SHA3
  * config-symmetric-only.h: Remove obsolete comment
  * Add missing dependency that isn't autodetected
  * Remove redundant RSA dependency
  * Explicitly use TLS 1.2 on <=1.2-specific keyUsage/extKeyusage tests
  * Fix PSK invocation: GnuTLS PSK length (more)
  * Driver-only FFDH is not good enough for DHE support in TLS 1.2
  * Add seme missing dependencies on renegotiation support
  * Default NEXT versions to be the base executables
  * Force some test cases to use TLS 1.2
  * Add some missing dependencies on crypto features
  * Fix PSK invocation: GnuTLS PSK length
  * Fix PSK invocation: GnuTLS prompting
  * Fix PSK invocation: OpenSSL client
  * Require RSA when using server1* key or certificate
  * Fix a compilation warning in pk.c when PSA is enabled and RSA is disabled
  * Fix skipped tests in configurations without RSA
  * Add invalid `padding_len` check in `get_pkcs_padding`
  * Rename framework_path to framework_scripts_path
  * Update framework submodule to tip of branch
  * Add mbedtls_framework to mypy checks
  * Add
    framework_path module
  * Update references to mbedtls_dev
  * Add framework/scripts to scripts_path.py
  * Move some files to framework repository
  * gitignore: ignore .vscode folder in main repo
  * gitignore: ignore test_keys.h and test_certs.h
  * Add note explaining component purpose
  * Add all.sh component for programs without tests
  * Move test generated files to main CMakeLists.txt
  * generate_test_keys: move code for arrays and LUT generation to a separate function
  * check-generated-files: move check for generate_test_cert_macros.py
  * generate_test_[keys/cert_macros]: minor fixes
  * generate_test_keys: move output file writing to a separate function
  * generate_test_keys: sort keys before processing them
  * check-generated-files: add test_certs.h file to the list of checked items
  * generate_test_cert_macros: minor fixes
  * generated_test_keys: minor fixes
  * generate_test_keys: remove left-over variable
  * tests/CMakeLists: fix indentation
  * generate_test_keys: do not quit script if output file already exists
  * generate_test_keys: add missing flush at the end of script
  * test_suite_pk: use explicit key bit size instead of RSA_KEY_SIZE
  * generate_test_keys: use build_tree to guess the MbedTLS root path
  * generate_test_cert_macros: minor fixes
  * cmake: relocate custom commands for test_certs.h and test_keys.h generation
  * generate_test_cert_macros: embed input args
  * tests/Makefile: minor fix: specify Python binary to be used
  * fix "make generated_files" for test_keys.h and test_certs.h
  * generate_test_keys: add default output file option
  * tests: remove test_certs.h and test_keys.h as they are auto-generated
  * test: automatically generate test_certs.h and test_keys.h
  * tests: update Makefile to generate tests/src/test_keys.h
  * Fix Changelog formatting
  * md: fix guards for mbedtls_md_error_from_psa()
  * ChangeLog: Add missing reference to CVE in security entry
  * Fixed issue of redefinition warning messages for _GNU_SOURCE
  * Add changelog
  * Clarify psa_get_and_lock_key_slot
    return behaviour
  * Explicitly document return behaviour
  * Fix potential non-NULL slot return on failure
  * ssl_mail_client: Fix code style issue
  * ssl_mail_client: Check return value of mbedtls_snprintf
  * ssl_mail_client: Replace snprintf with mbedtls_snprintf
  * ssl_mail_client: Fix unbounded write of sprintf()
  * Rewrite changelog
  * Add changelog
  * Fix error handling for secure element keys in `psa_start_key_creation`
  * Add Changelog entry
  * Add early exit if zero length AEAD AD passed in.
  * Convert recent RSA key files in PEM format from PKCS8 to PKCS1
  * Fix rsa_pkcs1_*_clear.der to actually be PKCS#1 files
  * Use large enough keys when testing parsing of non-word-aligned RSA sizes
  * Add some test RSA keys of sizes 768 and up
  * Cleartext RSA keys: also make DER formats available
  * Fix misspelled dependency: there is no MBEDTLS_PEM_C
  * Allow PSA to not support RSA keys with non-byte-aligned sizes
  * Remove redundant dependency
  * Fix full invocation of ssl-opt.sh
  * generate_test_keys: split group_id and key bitsize in the generated structure
  * test_suite_pk: fix some descriptions in data file
  * generate_test_keys: minor improvements
  * changelog: fix text
  * add changelog
  * adjust_legacy_crypto: enable ASN1_[PARSE|WRITE]_C when RSA_C
  * Simplify full invocation of compat.sh
  * test_suite_pk: fix guards for pk_psa_setup()
  * test_suite_pk: remove PK_PARSE_C unnecessary dependencies
  * test_suite_pk: remove RSA key generation/size dependencies
  * test_suite_pk: enhance pk_psa_setup() to support all key types
  * test_suite_pk: use pk_setup() instead of mbedtls_rsa_gen_key() in pk_psa_wrap_sign_ext()
  * test_suite_pk: use predefined RSA keys in pk_setup_for_type()
  * test_suite_pk: rename pk_genkey() and pk_psa_genkey()
  * test_suite_pk: fix get_predefined_key_data() return value
  * generate_test_keys: generate also look-up table in script
  * generate_test_keys: generate arrays for all keys in asymmetric_key_data.py
  * generate_test_keys: generate also RSA public key arrays
  * generate_test_keys: minor improvements
  * asymmetric_key_data: fix public RSA-2048 key
  * generate_test_keys: fix mypy issue for imported path
  * generate_test_keys: use keys from asymmetric_key_data.py
  * test_suite_pk: minor code fixes and comments improvements
  * generate_test_keys.py: minor improvements
  * test_suite_pk: fix guards
  * pk: fix unused variable in copy_from_psa()
  * test_suite_pk: add python script to generate predefined keys
  * test_suite_pk: simplify pk_psa_genkey()
  * test_suite_pk: simplify pk_genkey()
  * test_suite_pk: fix key_id initialization value
  * test_suite_pk: use look-up table instead of file for the predefined keys
  * test_suite_pk: remove PSA_WANT_KEY_TYPE_[ECC/RSA]_KEY_PAIR_GENERATE dependencies
  * test_suite_pk: modify pk_psa_genkey() in order to use predefined keys
  * test_suite_pk: use a single helper function to generate PSA keys
  * test_suite_pk: modify pk_genkey() in order to use predefined keys
  * test-data: add predefined RSA and EC keys
  * ssl-opt.sh: Fix some test dependencies
  * Use latest installed OpenSSL 3 as OPENSSL_NEXT
  * ssl-opt.sh: Adapt tests to OpenSSL 3
  * Add RSA key certificates
  * compat.sh: properly skip unsupported DTLS 1.2
  * compat.sh: properly report skipped tests
  * Add change log
  * tls13: Do not initiate at all resumption if tickets not supported
  * tls13: Fix doc of mbedtls_ssl_session_set() - 2
  * tls13: Fix doc of mbedtls_ssl_session_set() - 1
  * tls13: Fix doc of mbedtls_ssl_session_get() - 2
  * tls13: Fix doc of mbedtls_ssl_session_get() - 1
  * tls: Fix doc of mbedtls_ssl_session_save()
  * ssl_msg.c: Rename _check_new_session_ticket to _is_new_session_ticket
  * all.sh: Use full instead of default as the base for the new component
  * tests: ssl: Fix dependencies of SRV TLS 1.3 session serialization tests
  * ssl-opt.sh: Add tests where tickets are ignored
  * tls13: cli: Ignore tickets if not supported
  * ssl-opt.sh: Add missing MBEDTLS_SSL_SESSION_TICKETS dependencies
  * all.sh: Add component testing default minus session tickets
  * tests: ssl: Fix dependencies of TLS 1.3 session serialization tests
  * tests: ssl: Add hostname checks in session serialization tests
  * tests: ssl: Remove redundant test
  * tests: ssl: Fix session field guards
  * Constify parameter of ssl_tls13_session_load
  * Enable ssl_tls13_get_ciphersuite_hash_alg only if macro is active
  * Unconditionally define session variable
  * tls13: srv: Fix guards of _is_psk_(ephemeral_)available
  * Guard ticket specific TLS 1.3 function with macro
  * Fix closing comment to match opening guard
  * Fix style of preprocessor expression
  * Fix failures in psa_cryto_driver_wrappers suite
  * Add missing dependency of fallback test in driver wrappers suite
  * Add missing definition of AT_LEAST_ONE_BUILTIN_KDF
  * Fix wrong dependency in psa_crypto_driver_wrappers suite
  * Fix wrong dependency in psa_crypto_pake suite
  * Fix typo in ssl test suite
  * Correct dependancy on `MBEDTLS_X509_INFO` for x509parse
  * We now have two LTS branches to backport to.
  * pk: fix documentation of mbedtls_pk_setup_opaque()
  * pk: fix typos in description of mbedtls_pk_setup_opaque()
  * pk: add check_pair info to mbedtls_pk_setup_opaque() documentation
  * test_suite_pk: add failing check for sign_ext() in pk_psa_wrap_sign_ext()
  * pk: simplify mbedtls_pk_sign_ext()
  * pk: fix description of mbedtls_pk_setup_opaque for sign_ext()
  * pk: fix indentation in description of mbedtls_pk_setup_opaque()
  * pk: fix description of mbedtls_pk_setup_opaque()
  * pk: update documentation of mbedtls_pk_setup_opaque() based on #8951
  * pk: fix documentation for mbedtls_pk_setup_opaque()
  * pk: improve documentation of mbedtls_pk_setup_opaque()
  * pk: fix documentation for mbedtls_pk_setup_opaque()
  * test_suite_pk: test check_pair() also with opaque RSA keys
  * Fix NULL handling in mbedtls_ssl_config.free() function
  * Fix compilation of ssl_tls13_generic.c when memcpy() is a function-like macro
  * Revert "Autogenerated files for 3.6.0"
  * Fix NULL argument handling in mbedtls_xxx_free() functions
  * ssl-opt.sh:
    Improve version selection test titles
  * test_suite_pk: simplify pk_copy_from_psa_success()
  * Check C/C++ compilers separately for AppleClang ranlib
  * Fix compilation on macOS without apple-clang
  * Remove the workarround for G->m dtls12 tests
  * Align the case listing with case running in compat.sh

-------------------------------------------------------------------
Thu Apr 4 14:35:21 UTC 2024 - Martin Pluskal <mpluskal@suse.com>

- Update baselibs.conf

-------------------------------------------------------------------
Wed Apr 03 06:51:07 UTC 2024 - guillaume.gardet@opensuse.org

- Update to version 3.6.0 (new LTS):
  * Fix typo in psa_key_production_parameters_t doc: 65535 should be 65537
  * Record size limit support is released, so remove warning about only for testing
  * Autogenerated files for 3.6.0
  * Fix some Changelog typos
  * Version Bump for 3.6.0
  * Assemble Changelog
  * Fix #ifdef guard in driver wrapper template
  * test_suite_pk: fix guards in pk_psa_sign()
  * add changelog
  * pkwrite: add new internal symbol for the max supported public key DER length
  * test_suite_pk: uniformly generate RSA and EC keys in pk_psa_sign()
  * test_suite_pk: fix guards in pk_psa_sign()
  * test_suite_pk: test also RSA OAEP in pk_wrap_rsa_decrypt_test_vec()
  * pk_wrap: fix algorithm selection in rsa_opaque_decrypt()
  * test_suite_pk: fix guards in pk_psa_sign()
  * test_suite_pk: properly size buffers for public keys in pk_psa_sign()
  * test_suite_pk: test also RSA keys with PKCS1 v2.1 padding mode in pk_psa_sign()
  * pk_wrap: fix algorithm selection in rsa_opaque_sign_wrap()
  * test_suite_pk: fix RSA issue in pk_psa_sign() when !PK_[PARSE|WRITE]_C are defined
  * test_suite_pk: rename some variables in pk_psa_sign()
  * test_suite_pk: reshape pk_psa_sign()
  * tls13: srv: Fix potential stack buffer overread
  * test_suite_pk: always test verify_ext with opaque keys in pk_psa_wrap_sign_ext()
  * add changelog
  * Mention MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS
  * Remove 'Question' line around testing
  * Replace
    reference to master
  * pk: check PK context type in mbedtls_pk_verify_ext() before trying RSA PSS
  * test_suite_pk: extend pk_psa_wrap_sign_ext()
  * Mention metatest.c
  * Mention MBEDTLS_TEST_MEMORY_CAN_POISON
  * Discuss test wrappers and updating them
  * Update BRANCHES
  * Add discussion of copying conveience macros
  * Add issues fixed to changelog entry
  * Abstractify example in design exploration
  * Rename mbedtls_psa_core_poison_memory()
  * Clarify design decision in light of actions
  * Minor relaxation to auto-gen regex
  * all.sh: Add TLS 1.2 only component
  * all.sh: Adapt/Fix some components
  * all.sh: Disable TLS 1.3 when pre-requisites are not meet
  * Enable TLS 1.3 by default
  * line length fix
  * Check file content to see if it looks auto-generated
  * Update docs/architecture/psa-thread-safety/psa-thread-safety.md
  * Add changelog entry for threading MVP
  * Respond to feedback on psa-thread-safety.md
  * Update slot transition diagram
  * Add explanatory comment for init flags
  * Add comments about RNG mutex requirements
  * Start subsystem IDs at 1 instead of 0
  * Improve tls13-support.md
  * Fix documentation about anti-replay defenses
  * Improve the change log
  * Remove experimental warnings related to early data
  * Fix minor style issues
  * pk_import_into_psa: test persistent keys
  * Add ALPN checking when accepting early data
  * Fix bug in ALPN negotiating
  * Drop reference to Visual Studio 2013 from config
  * Update changelog
  * Document that we do not implement the anti-replay defenses
  * tls13-early-data.md: Fix reading early data documentation
  * tls13-early-data.md: Adapt code examples to new coding style
  * docs: Move TLS 1.3 early data doc to a dedicated file
  * tls13-support.md: Stop referring to the prototype
  * tls13-support.md: Early data supported now
  * tls13-support.md: Some fixes
  * Add change log for early data feature
  * ssl-opt.sh: Add m->m resumption and early data tests
  * ssl-opt.sh: Rework m->m resumption tests
  * ssl-opt.sh: Move m->m resumption tests
  * ssl-opt.sh: Rework
    O->m placeholder test
  * ssp-opt.sh: Expand G->m resumption and early data tests
  * ssl-opt.sh: Group TLS 1.3 resumption and early data G->m tests
  * ssl-opt.sh: Rework m->O resumption and early data tests
  * ssl-opt.sh: Remove m->O early data test based on external PSK
  * ssl-opt.sh: Expand m->G resumption and early data tests
  * ssl-opt.sh: Remove redundant early data test
  * ssl-opt.sh: Group TLS 1.3 resumption and early data m->G tests
  * ssl-opt.sh: Group TLS 1.3 resumption and early data compat tests
  * ssl_server2: Split early data enablement from max_early_data_size setting
  * Rewrite section on PSA copy functions
  * Document unsupported concurrency scenario in psa_exercise_key
  * Add missing PSA_ASSERT in mbedtls_test_psa_raw_key_agreement_with_self
  * Use TEST_FAIL in threaded tests
  * Fix typo in thread_import_key
  * Document security weakness in concurrent execution of psa_destroy_key
  * Rework and update psa-thread-safety.md
  * Preserve alphabetical sorting of config options
  * Remove MBEDTLS_PSA_ASSUME_EXCLUSIVE_BUFFERS from full
  * Update wrapper generation script and regenerate
  * Invert and rename config option
  * tls13: Use a flag not a counter for CCS and HRR handling
  * Fix state transition diagram
  * Add change log
  * Add CVE IDs to Changelog
  * Fix code style in ssl_tls.c
  * Increase ALPN length in saved session to 2 bytes
  * Add code improvments and refactoring in dealing with ALPN
  * Fix possible overflow in ALPN length when saving session
  * Fix code style in ssl_tls.c
  * Update serialized session description with ALPN information
  * Add ALPN bit flag to session header
  * Add mbedtls_ssl_session_set_alpn() function
  * Add ALPN information in session tickets
  * Work around a bug in ancient lcov
  * Add test cases for concurrently_use_same_persistent_key
  * Add test function for concurrently using the same persistent key
  * Add key_destroyable parameter to key export smoke tests
  * Add key_destroyable parameter to non-raw key agreement smoke tests
  * Reference issue #3266
  * Use the
    exact phrase 'shared memory'
  * Mention the CVE number that is fixed
  * Reword ChangeLog entry. Specifically:
  * Add PSA threaded init tests
  * Protect the key slot management initialised flag
  * Add mbedtls_psa_crypto_init_subsystem()
  * fix code style
  * missing word
  * Remove further instance of LOCAL_OUTPUT_WITH_COPY
  * Update compilers list in docs and changelog
  * Update the MSBuild toolset versions to VS2017
  * Rename solution files to referece VS2017
  * Check gcc version
  * pk: uniformly guard set/get enrollment algorithm calls with CRYPTO_C
  * psa_crypto_stubs: extend stub functions for the CRYPTO_CLIENT tests
  * all.sh: modify/add test components for CRYPTO_CLIENT
  * pk: use CRYPTO_CLIENT as guard for PK-PSA bridge functions instead of CRYPTO_C
  * Fix copypasta
  * Regenerate PSA wrappers for new PSA functions
  * Remove LOCAL_OUTPUT_ALLOC_WITH_COPY
  * Add key_destroyable parameter to raw key agreement smoke tests
  * Add key_destroyable parameter to key derivation smoke tests
  * Add key_destroyable parameter to exercise_asymmetric_encryption_key
  * Add key_destroyable parameter to exercise_signature_key
  * Add key_destroyable parameter to exercise_aead_key
  * Add key_destroyable parameter to psa_exercise_cipher_key
  * Add key_destroyable parameter to exercise_mac_key
  * Add key_destroyable parameter to check_key_attributes_sanity
  * Add key_destroyable parameter to mbedtls_test_psa_exercise_key
  * Add bugfix section about buffer sharing
  * tls13: cli: Rename STATUS_NOT_SENT to STATUS_NOT_INDICATED
  * tls13: cli: Fix comment
  * tls13: cli: Move definition of MBEDTLS_SSL_EARLY_DATA_STATE_xyz
  * tls13: cli: Re-order early data states
  * tls13: cli: Rename STATE_SENT to STATE_IND_SENT
  * tls13: cli: Rename STATE_NOT_SENT to STATE_NO_IND_SENT
  * tls13: cli: Rename STATUS_NOT_SENT to STATUS_NO_IND_SENT
  * tls13: cli: Rename STATE_UNKNOWN to STATE_IDLE
  * tls13: cli: Split early data user status and internal state
  * Reword ChangeLog entry for shared memory work
  * Fix gcc -O3 warnings
  * Fix missing
semicolon
* ssl-opt.sh: Add O->m server version selection tests
* Fix removed space in merge resolution
* Change goto exit into direct return
* ssl-opt.sh: Expand MbedTLS only version negotiation tests
* ssl-opt.sh: Change MbedTLS only version negotiation tests
* ssl-opt.sh: Group MbedTLS only version negotiation tests
* ssl-opt.sh: Group cli ver nego tests against GnuTLS and OpenSSL
* ssl-opt.sh: Expand G->m server version selection tests
* ssl-opt.sh: Change G->m server version selection tests
* ssl-opt.sh: Group G->m server version selection checks
* Protect PSA drivers_initialized with mutex
* Protect PSA global rng data with mutex.
* Protect PSA global initialized flag with mutex.
* Add new mutex for PSA global rng data
* Add new global mutex for PSA global_data
* Fix copypasta
* Fix and test pk_copy_from_psa with an unsupported algorithm
* Test mbedtls_pk_copy_public_from_psa on non-exportable keys
* New function mbedtls_pk_copy_public_from_psa
* Simplify locating original tool
* Remove unnecessary use of export
* MBEDTLS_USE_PSA_CRYPTO: most pk bridge functions don't require it
* Remind the reader that PK doesn't support DH
* Discuss mbedtls_pk_copy_public_from_psa
* test_suite_pk: revert erroneous missing initialization of PSA key IDs
* test_suite_pk: add comment for pk_copy_from_psa_builtin_fail
* changelog: fix text
* mbedtls_pk_decrypt/encrypt actually check the padding mode
* Add ChangeLog for PSA buffer sharing fix
* Do not attempt to wipe output buffer if it is NULL
* Flip logic of generate_psa_wrappers.py
* Generate memory poisoning in wrappers
* Add buffer copying to psa_verify_hash_start()
* Add buffer copying to psa_sign_hash_start/complete
* Fix IAR warning
* Fix and improve the change log
* Fix code style
* pk: improve mbedtls_pk_copy_from_psa()
* test_suite_pk: fix some comments
* pk: fix documentation for mbedtls_pk_copy_from_psa()
* changelog: fix text and typos
* changelog: enhance description
* test_suite_pk: when ANY_HASH is used then pick
any available MD alg in the build
* test_suite_pk: improve PSA alg selection in pk_copy_from_psa_success()
* test_suite_pk: destroy original xkey after pk_copy_from_psa() in pk_copy_from_psa_success()
* test_suite_pk: add description for psa_pub_key_from_priv()
* test_suite_pk: minor fixes for test failures
* rsa: rsa_rsassa_pss_sign() to check MD alg both in parameters and RSA context
* test_suite_pk: add new test case for an algorithm only available in driver
* pk: pk_copy_from_psa() performs the conversion even if the algorithm doesn't match
* test_suite_pk: add more test cases for pk_copy_from_psa_success()
* test_suite_pk: various minor fixes
* pk: fixed documentation of mbedtls_pk_copy_from_psa()
* add changelog
* test_suite_pk: extend testing in pk_copy_from_psa()
* pk_wrap: use correct PSA alg in rsa_encrypt_wrap() when USE_PSA
* test_suite_pk: rename PK context variables
* test_suite_pk: add key pair check in pk_copy_from_psa_success()
* pk: let psa_export_key() check if the key is exportable or not
* all.sh: keep RSA_C enabled in component_full_no_pkparse_pkwrite()
* Changelog: Added entry for ssl_session accessors.
* Remove volatile from declaration
* Fix use of volatile
* Fix typo
* test_suite_pk: fix typos
* pk_ecc: fix documentation
* pk: replace CRYPTO_CLIENT guards with CRYPTO_C
* all.sh: add test component based on full config without PK_[PARSE|WRITE]_C
* pk: move ECC setters to a separate file
* test_suite_pk: add some initial testing for mbedtls_pk_copy_from_psa()
* pk: add mbedtls_pk_copy_from_psa()
* pkparse: make EC/RSA setup functions internally available
* tls13: cli: Discard ticket with zero lifetime
* tls13: srv: Fail connection if ticket lifetime exceed 7 days
* Fix potential bug in psa_destroy_key where multiple threads can return PSA_SUCCESS
* Improve style
* Avoid implementation defined behaviour
* Hinder unwanted optimisations
* tests: ssl: early data: Fix comments
* ssl_ticket.c: Fix ticket lifetime when parsing
* ssl_ticket.h: Fix note in API documentation
* ssl_client2: Fix early data log
* tests: suite: early data: Add comments
* tests: ssl: Improve early data test code
* tests: ssl: Improve test code for very small max_early_data_size
* ssl_msg.c: Fix log position
* ssl-opt.sh: Fix early data test option
* tls13: srv: Fix/Improve debug logs
* tls13: srv: Fix/Improve comments
* tls13: srv: Fix initialization value
* tls13: srv: Code improvements
* tls13: srv: Add/Improve comments
* tls13: srv: Move PSK ciphersuite selection up
* tls13: srv: Simplify resumption detection
* tls13: srv: Simplify kex availability checks
* tls13: srv: Improve key exchange mode determination
* tls13: srv: Fix resume flag in case of cancelled PSK
* tls13: srv: Determine best key exchange mode for a PSK
* tls13: srv: Factorize ciphersuite selection code
* tls13: srv: Fix MBEDTLS_SSL_SESSION_TICKETS guard position
* tls13: srv: Always parse the pre-shared key extension
* tls13: srv: Stop earlier identity check
* tls13: srv: Improve ticket identity check return values
* tls13: srv: Fix return value
* tls13: srv: Define specific return macros for binder check
* Avoid recursion
for relative paths
* Follow-up for less verbose logging
* Do not forget about TLS 1.2 disabled at runtime aspect
* tls13: Improve comment about cast to uint32_t
* Improve change log
* Add change log
* Remove MBEDTLS_THREADING_C check in check_test_dependencies
* Allow the use of threading dependencies in PSA tests.
* Disable MBEDTLS_SELF_TEST in the TSan config
* Add test cases for concurrently_generate_keys
* Add a concurrent key generation test function
* Fix issue with large allocation in tests
* test_suite_ssl: Added ssl_session_id_accessors_check.
* Ensure blocksize is compile-time const when DES not present
* Improve PBKDF2 with CMAC perf by ~16%
* library: psa_crypto: Explicitly initialize shared_secret
* Add a warning to the definition of MBEDTLS_PSA_CRYPTO_SE_C
* test_suite_x509parse: Added test-case for legacy certificate
* Ensure drivers have threading enabled if required
* Explicitly remove the deprecated driver interface from the TSan config
* Document deprecated transaction system as non thread safe
* tls13: Remove unnecessary cast from size_t to uint32_t
* x509: Reworded documentation bits.
* List ECDSA signature conversion functions
* Document mbedtls_pk_setup_opaque and mbedtls_pk_copy_from_psa
* Document mbedtls_pk_import_into_psa
* Mention psa_generate_key_ext()
* Adjust defaults
* Fix intended code blocks that were not suitably indented
* Fix merge
* Update submodule after PR merge
* In library, with make, only require the framework for generated files
* Show guidance if the framework is not found
* Note the need to tell git to set up the submodule
* Add docstrings to pacify pylint
* Tell ReadTheDocs to include framework submodule
* Support Git submodules
* Framework submodule: fix the libtestdriver1 build
* Add framework submodule with makefiles
* ssl: Added session getter for ciphersuite_id.
* ssl_ciphersuite: Added getter methods for ciphersuite id.
* ssl: Added getter methods for session id and len.
* ssl_helpers: Restore rng_seed incrementation
* Added changelog
* tests: Added test for `mbedtls_x509_crt_get_ca_istrue()`
* x509: Added `mbedtls_x509_crt_get_ca_istrue()` API accessor.
* Changelog: Added changelog for `mbedtls_ecdh_get_grp_id`.
* tests: ssl: Free write/read test buffers
* tests: write early data: Improve tls13_cli_max_early_data_size
* tests: write early data: Allocate buffer to write/read
* psa_crypto_stubs/changelog: fix typos
* tests: Set the default conf then customize
* tests: ssl_helpers: Rename rng_get to mbedtls_test_random
* Adjust default unroll settings
* tls13: cli: Fix error code not checked
* tls13: Rename early_data_count to total_early_data_size
* tests: ssl: Test enforcement of maximum early data size
* tls13: cli: Enforce maximum size of early data
* ssl: Add early_data_count field
* tests: ssl: Add max_early_data_size option
* Fix code style
* Fixup: add peer_cert_digest_type to comment
* Add ChangeLog entry for ssl serialization bitflags
* Fix naming inconsistencies in config bits
* tests: ssl: Restore write_early_data test function
* tests: ssl: Improve tls13_srv_max_early_data_size()
* tls13: Rename early_data_count to total_early_data_size
* tls13: generic: Fix log
* tests: srv max early data size: Add reach_max test arg
* Enforce maximum size of early data in case of HRR
* Enforce maximum size of early data when rejected
* tests: ssl: Test enforcement of maximum early data size
* tls13: srv: Enforce maximum size of early data
* tls13: srv: Do not forget to include max_early_data_size in the ticket
* ssl: Add early_data_count field
* tests: ssl: Add max_early_data_size option
* Fix formatting
* Fix missing fields in ssl session struct comment
* Move session descriptions into a single comment
* Add config guards to session struct comments
* Move session functions to same part of file
* Update ssl session serialization config bitflag
* Add session config bit for KEEP_PEER_CERTIFICATE
* Require framework directory to exist
when building
* changelog: fix description
* psa_util: change guard for mbedtls_psa_get_random() to CRYPTO_CLIENT
* blank line for readability
* Use export to set VERBOSE_LOGS
* add changelog
* Fix docs
* simplify printf call
* improve docs
* Add editor hint for emacs
* Rename quiet to quiet.sh
* add changelog
* tests: Added test for `mbedtls_ecdh_context_grp`
* echd: Added `mbedtls_ecdh_get_grp_id` getter.
* Fix incorrect conflict resolution
* Do not copy the content to the local output buffer with allocation
* Remove write check in driver wrappers tests
* Fix buffer protection handling for `cipher_generate_iv`
* Update test wrapper functions for cipher buffer protection
* Add buffer protection for `cipher_generate_iv` and `cipher_set_iv`
* Move local buffer allocation just before usage
* Add `LOCAL_OUTPUT_ALLOC_WITH_COPY` macro if buffer protection is disabled
* Fix ASAN error for `psa_cipher_update`
* Add test wrapper functions for cipher buffer protection
* Add buffer protection for cipher functions
* Add missing guards around exit label
* mbedtls_ecp_write_key_ext(): Upgrade import_pair_into_psa as well
* mbedtls_ecp_write_key_ext(): make key const
* mbedtls_ecp_write_key_ext: document error for no private key set
* mbedtls_ecp_write_key(): deprecate the old function
* mbedtls_ecp_write_key_ext(): migrate internally
* mbedtls_ecp_write_key_ext(): recommend over the old function in documentation
* mbedtls_ecp_write_key_ext(): new function
* Fix code style
* ssl_test_lib: add guards for pk_wrap_as_opaque()
* pk: fix alg selection in mbedtls_pk_sign_ext() for opaque keys
* psa_crypto_random_impl: minor fixes
* Get rid of flags in attributes
* In attributes, keep track of slot number through a dedicated field
* Get rid of psa_core_key_attributes_t
* Don't access psa_key_attributes_t.core
* Get rid of intermediate full-attributes local variables
* Switch key slots to psa_key_attributes_t
* psa_key_attributes_t: move slot_number to core structure
* Use attribute
accessor functions in driver wrappers
* test_suite_pk: initialize all PSA key IDs and attributes
* ssl_helpers: minor fix in mbedtls_test_ssl_endpoint_certificate_init()
* pk: completely remove mbedtls_pk_wrap_as_opaque
* Add missing casts
* pk: deprecate mbedtls_pk_wrap_as_opaque()
* programs: remove usage of mbedtls_pk_wrap_as_opaque() from tests
* test: remove usage of mbedtls_pk_wrap_as_opaque() from tests
* Simplify pi rolled-up variant
* Test all unroll variations
* Send printed command to stderr
* remove trailing space from printed command
* Improve simplified quoting
* remove shebang from quiet
* Improve docs
* Quote directory name from cmake wrapper
* Undo not-needed change
* Allow wrappers to be missing; quote directory name from make
* Generate test wrappers for psa_generate_random()
* Add buffer copying to psa_generate_random()
* Finish cleaning up override that's no longer needed
* Remove domain parameters from psa_key_attributes_t
* Un-unrestore mbedtls_x509_string_to_names()
* Suppress pylint
* Avoid infinite loop
* Extract common parts of quiet wrapper
* psa: simplify management of mbedtls_psa_drbg_context_t
* Tidy up quiet wrappers
* Move quiet wrapper setup
* psa: let mbedtls_psa_get_random() always use psa_generate_random()
* Remove domain parameters from the public API
* Rename variables
* Ignore domain parameters in RSA key generation
* psa: move mbedtls_psa_get_random() to psa_util.c
* typo
* Improve documentation / comments
* Remove cruft
* Changelog entry for benchmark improvement
* Improve changelog
* Improve validation in mpi_exp_mod_min_RR
* Use TEST_EQUAL instead of TEST_ASSERT in new code
* Benchmark only one side of ECDH, both static and ephemeral
* tests: write early data: Improve get_early_data_status testing
* tls13: Improve sanity check in get_early_data_status
* ssl_context_info: explicitly note accesses to private fields
* Don't authorize private access to fields where not actually needed
* fuzz_dtlsserver: explicitly note the
one access to a private field
* Decouple if statements in psa_raw_key_agreement exit.
* fuzz_pubkey, fuzz_privkey: no real need to access private fields
* tls13: Improve documentation
* tests: read early data: Use write API to send early data
* tests: read early data: Add no early data indication sent scenario
* Make psa_open_key threadsafe
* tests: ssl: Rename tls13_early_data to tls13_read_early_data
* Make multi-part AEAD operations thread-safe
* Make multi-part PAKE operations thread-safe
* Make multi-part key derivation operations thread-safe
* Make multi-part cipher operations thread-safe
* Make restartable signature verifications thread-safe
* Make restartable signature operations thread-safe
* Make multi-part MAC operations thread-safe
* Benchmark: not using private fields anymore
* Benchmark: remove the legacy-context ECDH block
* tls13: cli: Add mbedtls_ssl_get_early_data_status() API
* tls13: cli: Add missing MBEDTLS_SSL_EARLY_DATA guards
* tests: write early data: Inverse loop over state logic
* tests: write early data: Check we can complete handshake after writing
* ssl_client2: Improve loop writing early data
* ssl_client2: Default to library default for early data enablement
* Improve comments/documentation
* Revise how output allocation is checked
* tls13: write_early_data: Add endpoint check
* Rework check for failed output allocation
* Fix style
* Fix MBEDTLS_MPI_WINDOW_SIZE documentation
* Exp mod: handle negative zero
* Use mbedtls_ct_condition_t in mpi_core_check_zero
* Remove unnecessary ChangeLog entry
* Unrestore mbedtls_x509_string_to_names()
* Exp mod: tidy up temporary storage allocation
* Clarify which unregister operation needs to be used
* More renaming: method -> production parameters
* project: set version
* Rename "key generation method" to "key production parameters"
* Exp mod: Make sure RR has enough limbs
* Check output allocated before randomising
* Remove initialization function for variable-length struct
* Fix copypasta
* fix
changelog
* add changelog
* rsa: remove leftovers from mbedtls_rsa_parse_[pub]key()
* pem: zeroize the entire buffer in case of errors in mbedtls_pem_read_buffer()
* test_suite_pk: fix data in some RSA related test cases
* pk: fix documentation for RSA sign/verify and encrypt/decrypt
* test_suite_pk: remove leftover comment
* pem: fix return values in pem_check_pkcs_padding()
* test_suite_pem: fix comment in test case
* ECP write/export key: document that these functions don't detect unset data
* mbedtls_ecp_write_key: document and test smaller output buffer
* mbedtls_ecp_write_key: document and test larger output buffer
* mbedtls_ecp_write_key: no FEATURE_UNAVAILABLE error
* Improve style
* Exp mod: clarify preprocessing
* Add ChangeLog entry for restoring X509 functions
* Exp mod: simplify 0 exponent handling
* Restore X509 functions erroneously made private
* Exp mod: use assignment instead memcpy
* Exp mod: move declarations before use
* Bignum: Remove/update obsolete comments
* test_suite_pem: solve driver test disparities
* pem: do not parse ASN1 data after decryption (removes ASN1 dependency)
* test_suite_pem: add more test cases for invalid padding data
* pk: fix documentation for sign/verify and encrypt/decrypt
* test_suite_pk: add test cases for RSA keys (sign/verify & crypt/decrypt)
* pem: reject empty PEM contents
* To check if client random number is unchanged while receiving HRR
* mbedtls_pk_import_into_psa: fix Montgomery keys in the legacy case
* After pk_import_into_psa, test that the keys match
* New test helper: mbedtls_test_key_consistency_psa_pk
* tests: ssl: early data: Add systematic default case in scenario switches
* tls13: Improve declaration and doc of early data status
* tls13: Fix/Improve comments
* tls13: client: Add comment about early data in 2nd ClientHello
* tls13: Use a flag not a counter for CCS and HRR handling
* Fix copypasta
* Test mbedtls_pk_import_into_psa with different bits
* Improve quote_args output readability
*
pk_wrap: set proper PSA alg in rsa wrappers based on padding mode set in RSA context
* Improve output from make/cmake wrapper
* Conditionally include exit label
* Generate test wrappers
* Add buffer protection to psa_key_derivation_key_agreement
* Lock test mutex before doing mutex usage check
* Add buffer protection to psa_raw_key_agreement
* Fix missing mutex lock for mutex usage error
* Rename internal test info data accessors
* Use named constants FROM_PAIR/FROM_PUBLIC for readability
* Always display make/cmake invocation command
* Fix encrypt/decrypt confusion
* Rename identifier for consistency
* Only test custom-e RSA key generation when built in
* generate key ext: skip driver invocation with non-default method
* generate/derive key ext: pass method_data_length rather than method_length
* psa_generate_key_ext: RSA: support custom public exponent
* Add Changelog
* Increase default exponentiation window size
* Bignum: remove unused functions
* Use mpi_core_exp_mod in bignum.
* Implement psa_generate_key_ext, psa_key_derivation_output_key_ext
* Refactoring: extract rsa_test_e
* Document new functions psa_generate_key_ext, psa_key_derivation_output_key_ext
* check_config: add missing dependency check for MBEDTLS_PK_WRITE_C
* check_config: combine check for MBEDTLS_PK_PARSE_C
* Check MBEDTLS_PK_{PARSE,WRITE}_C requires MBEDTLS_OID_C
* pk: remove duplicate define of MBEDTLS_PK_HAVE_ECC_KEYS
* test_suite_pk.function: add correct dependency
* Add checks for PK_[PARSE/WRITE]_C when PK_HAVE_ECC_KEYS is set
* Make internal test info accessor functions static.
* Add metatests for failing TEST_EQUAL and TEST_LE_*
* Comment on locking strategy in psa_fail_key_creation
* Revert psa_reserve_free_key_slot changes, lock in start_key_creation instead
* Make psa_fail_key_creation thread safe
* Make psa_finish_key_creation thread safe
* Make psa_reserve_free_key_slot thread safe
* Docs; minor tidy-up
* roll up chi loop for gcc -Os
* pacify check-names
* roll-up chi loop on clang
* pacify check-names
* Improve docs; pacify check-names
* tls13: client: Improve CCS handling
* add changelog
* test_suite_psa_crypto: fix some test descriptions
* test_suite_pem: add more test cases for encrypted PEM buffers
* pem: check data padding in DES/AES decrypted buffers
* Roll/unroll various bits
* newline at end of changelog file
* fix cast warning
* Read pi table in 4-byte chunks
* Read rho table in 4-byte chunks
* Rotate right instead of left
* Pack the iota round constants
* fill out missing dot in changelog
* Update ChangeLog.d/pkg-config-files-addition.txt
* Fix deadlock with test failures
* Fix remaining warnings from -Wshorten-64-to-32
* Fix IAR cast warning
* changelog for bugfix
* Prioritize SHA2 over MD5 for KNOWN_SUPPORTED_HASH_ALG
* Don't exercise if the algorithm is not supported
* Fix some preprocessor guards
* Don't define pk_sign_verify in configurations where it's unused
* depends.py: set unique configuration names in outcome file
* mbedtls_pk_import_into_psa: positive tests with pkparse output
* mbedtls_pk_import_into_psa: negative tests for different ECC curve
* mbedtls_pk_import_into_psa: implement and test
* exercise_key: fix asymmetric encrypt/decrypt with >2028-bit RSA
* exercise_key: allow SIGN_MESSAGE/VERIFY_MESSAGE with PSA_ALG_ANY_HASH
* Also check the RSA length for public keys
* Cosmetic fix
* Generate all test wrappers
* Generate test wrappers
* Implement safe buffer copying in asymm.
encryption
* Fix return code error when locking mutex
* Change condition on wiping tag buffer
* Modify allocation and buffer wiping in sign_finish
* Fix code style
* Conditionally include exit label
* Generate test wrappers for mac functions
* Implement safe buffer copying in MAC API
* Fix code style
* Conditionally include exit label
* Generate test wrappers for hash functions
* Implement buffer copy code in psa_hash_compare
* Make new internal function static
* Implement safe buffer copying in hash API
* Add missing dependency on PEM
* Fix mbedtls_pk_get_bitlen() for RSA with non-byte-aligned sizes
* New function mbedtls_rsa_get_bitlen()
* adjust indentation
* move entropy init prior arguments number recognition
* mbedtls_pk_import_into_psa: documentation
* Choose a curve for tests at compile time
* Remove unnecessary setting of status variable
* test_suite_pem: more tests for ASN.1 parsing after decoding
* Replaced MBEDTLS_GCM_LARGETABLE by MBEDTLS_GCM_LARGE_TABLE. Removed empty comment line in doc block.
* Fix error path in `psa_key_derivation_output_bytes`
* Fix typo / improve documentation for test step fns
* Fix issue with lock failures returning CORRUPTION_DETECTED
* Fix mutex unlock error handling in psa_destroy_key
* Reduce analyze_block_cipher_dispatch exceptions
* Use NULL for pointer initialization
* Adjusted change log.
* tls12: Fix documentation of TLS 1.2 session serialized data
* Add change log for mbedtls_ssl_session_get_ticket_creation_time()
* tests: ssl: Improve test parameter sanity check
* ssl_session: Reorder some fields to reduce padding
* Add change log
* test_suite_[pkparse|x509parse]: fix return values of some PEM related error tests
* pem: fix valid data length returned by mbedtls_pem_read_buffer()
* asn1: enable mbedtls_asn1_get_tag() when PEM_PARSE_C is defined
* rsa: reject buffers with data outside main SEQUENCE when parsing keys
* Remove useless overly strong dependency
* Remove comments referencing private defines.
* Add changelog.
* spelling
* Reformat AES encryption test data in pkcs5 tests
* Add PKCS5/12 exceptions to analyze_block_cipher_dispatch
* Fix: - Remove unnecessary tests. - Update description of MBEDTLS_GCM_LARGETABLE parameter. - Move acceleration defines from gcm.h to gcm.c. - Remove unnecessary zero setting after shift. - Fix implementation for big-endian architectures.
* Remove redundant check
* Move config adjustment to config_adjust
* Remove temporary macros that are not needed
* Fix wrong dependency of ECJPAKE_C
* Fix dependency on low-level hash modules
* Simplify and fix dependency of MD_C on a hash
* Remove redundant helper macros in check_config.h
* ssl-opt.sh: Establish TLS 1.3 then TLS 1.2 session
* ssl-opt.sh: Establish TLS 1.2 then TLS 1.3 connection
* tls: Reset TLS maximum negotiable version
* build_info should look for MBEDTLS_PSA_CRYPTO_CLIENT as well
* Inline the SHA3 parameters table into a switch
* Reformat wrapper generation code
* Guard memcpy so that it won't fail on null input pointer
* Guard the exit to stop unused label warning
* Restructure wrapper script
* Generate test wrappers for key derivation
* Fix psa_key_derivation_output_bytes
* Protect key_derivation_output_bytes
* Protect psa_key_derivation_input_bytes
* Fix trailing parenthesis
* psa_util: improve leading zeros check in convert_der_to_raw_single_int()
* Fix confusing comment in ctr drbg thread test
* test_suite_psa_crypto_util: add more test for raw->der
* psa_util: update documentation for mbedtls_ecdsa_raw_to_der()
* Add MBEDTLS_CIPHER_C dependencies to new pkparse tests
* Make check_config aware of MBEDTLS_PSA_CRYPTO_CLIENT
* Enhance GCM throughput using larger precalculated tables. Also refactored the code for shorter tables and moved the check for available accelerators to the context initialization code.
* Slightly soften force-push suggestion
* Remove comments about rebasing vs merging; link to longer RTD document
* Remind contributors not to force-push
* Wording improvement
* tests: write early data: Add HRR scenario
* tests: write early data: Add "server rejects" scenario
* tests: write early data: Add "not sent" scenario
* tests: ssl: Add write early data unit test
* Add test case for early data writing
* ssl_client2: Add support for early data writing
* ssl_client2: Add buffer overflow check
* ssl_client2: Switch from int to size_t
* ssl_client2: Move code to build http request
* ssl_client2: Simplify early_data option
* tls13: cli: Add mbedtls_ssl_write_early_data() API
* rsa: remove unnecessary check in priv/pub key parsing
* ECDSA signature conversion: put bits first
* Stop platform test failures with GCC and TSAN
* Update buffer start and length in multipart test
* Add testcase to fail multipart cipher tests
* Remove mutex calls in psa_wipe_all_key_slots
* add changelog
* pk_wrap: use proper raw buffer length in ecdsa_sign_psa()
* psa_util: smarter raw length check in mbedtls_ecdsa_raw_to_der()
* Revert "psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der()"
* tests: early data status: Add HRR scenario
* tests: early data status: Add "server rejects" scenario
* tests: early data status: Add "not sent" scenario
* tests: ssl: Add scenario param to early data status testing function
* tests: ssl: Add early data status unit test
* tls13: cli: Refine early data status
* tls13: Send dummy CCS only once
* tests: ssl: Use get TLS 1.3 ticket helper for early data test
* tests: ssl: Add helper function to get a TLS 1.3 ticket
* tests: ssl: Add early data handshake option
* tests: ssl: First reset to all zeroes options in init
* tests: ssl: Move group list to options
* suite_psa_crypto_util: use 521 bits data and bit-size instead of 528
* Add comment to set/increment step functions
* Pacify check-names
* suite_psa_crypto_util: make
ecdsa_raw_to_der_incremental() more readable
* Improve docs
* add changelog
* Generate poisoning wrappers for AEAD
* Prevent unused warnings in psa_aead_set_nonce()
* Add buffer copying to psa_aead_verify()
* Add buffer copying to psa_aead_finish()
* Add buffer copying to psa_aead_update()
* Add buffer copying to psa_aead_update_ad()
* Refactor: Use wrapper around internal set_nonce()
* Add buffer copying to psa_aead_set_nonce()
* Fix bug in PSA AEAD test
* Add buffer copying to psa_aead_generate_nonce()
* Add buffer copying to psa_aead_decrypt()
* Copy buffers in psa_aead_encrypt()
* Use struct not union
* Improve docs
* Improve gcc guards
* Fix missed case for removing accessor
* Change unaligned access method for old gcc
* tests: early data: Complete the handshake
* Fix builds with secp224k1 as the only curve
* Reduce many unnecessary static memory consumption
* adjust_legacy_from_psa: use groups instead of curves for DH
* psa_util: allow larger raw buffers in mbedtls_ecdsa_raw_to_der()
* rsa: handle buffer length similarly in private and public key parsing
* tests: early data: Switch to mnemonics for test scenarios
* test_suite_psa_crypto_util: improve ecdsa_der_to_raw()
* Fix pkcs5 aes test data
* Add missing dependencies for pkparse tests
* test_suite_psa_crypto_util: add more test cases
* tls13: ssl_msg.c: Improve/add comments
* tls13: srv: Improve coding
* pkg-config: add initial pkg-config files
* test_suite_psa_util: use more generic symbols for test case dependencies
* psa_util: enhance checks on leading zeros in convert_der_to_raw_single_int()
* psa_util: minor performance improvement in mbedtls_ecdsa_der_to_raw()
* psa_util: convert_der_to_raw_single_int() accepts also all zero integers
* psa_util: improve check of raw_len in mbedtls_ecdsa_raw_to_der()
* psa_util: improve documentation for convert_raw_to_der_single_int()
* psa_util: update documentation for mbedtls_ecdsa_der_to_raw()
* psa_util: improve convert_raw_to_der_single_int()
* Correct the
ENCODES_OWNER macro name in comment
* psa_util: change parameters order in ECDSA conversion functions
* psa_util: fix documentation of ECDSA conversion functions
* test_suite_rsa: fix data for "extra integer outside the SEQUENCE"
* rsa_internal: fix documentation for mbedtls_rsa_parse_key()
* Revert accidental formatting change
* Restore mutex lock for mbedtls_test_set_step()
* Add calls to BLOCK_CIPHER_PSA_INIT / BLOCK_CIPHER_PSA_DONE
* tests: tls13: Run early data test only in TLS 1.3 only config
* Ignore early data app msg before 2nd client hello
* tls13: srv: Do not allow early data indication in 2nd ClientHello
* tls13: cli: Indicate early data only in first ClientHello
* tls13: srv: Deprotect and discard early data records
* tls13: srv: Add discard_early_data_record SSL field
* Adjust check order
* test_suite_x509parse: remove useless include of rsa.h
* pkparse: fix check for ASN1 errors in mbedtls_pk_parse_subpubkey()
* Add a client view layout for interruptible hash and pake
* Add comments in psa/crypto_struct.h for id layout
* changelog: fix typo
* Smoke tests for mbedtls_pk_get_psa_attributes after parsing
* Fix handling of ECC public keys under MBEDTLS_PK_USE_PSA_EC_DATA
* test_suite_psa_crypto_util: add missing new line at the end of file
* test_suite_rsa: improve key parsing tests for extra data
* Remove unnecessary dependencies from psa_crypto_helpers.h
* Fix line-too-long in script
* Conditionally guard exit label to deter unused label error
* Re-add cipher_encrypt to test wrapper script
* Generate test wrappers for key management
* Protect buffer in psa_export_public_key
* Protect the buffer in psa_export_key
* Protect buffer in psa_import_key
* test_suite_rsa: improve rsa_key_write_incremental()
* pkparse: keep legacy PK error codes when RSA key parsing fails
* Add missing implied usage
* Fix typo in dependency
* mbedtls_pk_get_psa_attributes: opaque: require specified usage
* Fix comment
* Clearer variable names
* Use PSA_INIT with test that
requires PSA
* Copypasta
* Copypasta
* Don't use mbedtls_pk_ec in our own code
* Create auxiliary function for repeated code
* Test enrollment algorithm for the non-OPAQUE case
* Minor documentation improvements
* tests: ssl: Adjust early data test
* tls13: srv: Do not use early_data_status
* Revert "tls13: Introduce early_data_state SSL context field"
* tls13: early data: Improve, add comments
* test_suite_rsa: improve rsa_parse_write_pkcs1_key() and rsa_key_write_incremental()
* rsa_internal: update documentation for parse/write functions
* rsa: simplify mbedtls_rsa_parse_pubkey() input parameters
* rsa: rename parse/write functions in order to follow the standard format
* rsa: set parse/write functions out of !RSA_ALT guard
* tls13: srv: Simplify mbedtls_ssl_read_early_data() API
* tls13: early data: Improve documentation
* ssl.h: Fix comments
* tls13: Introduce early_data_state SSL context field
* ssl.h: Simplify guard
* tls13: srv: Reject early data in case of HRR
* Update early data test
* ssl_server2: Add read early data support
* tls13: srv: Add mbedtls_ssl_read_early_data() API
* Update mbedtls_ssl_read_early_data() definition
* Add MBEDTLS_ERR_SSL_RECEIVED_EARLY_DATA error code
* tls13: srv: Move early data size check placeholder
* tls: Add internal function ssl_read_application_data()
* tls13: srv: Refine early data status
* ssl.h: Fix comment
* psa_crypto_rsa: remove unnecessary casting
* changelog: improve descriptions
* test_suite_psa_crypto_util: fix tests for 0-length and one 0x00 byte for r and s
* psa_util: convert_der_to_raw_single_int: ensure the input DER integers have valid length
* Fix test dependencies
* Fix accidental copy paste mistake
* Fix style issues
* Refactor to help future other implementations
* Fix compile warning in tests
* Fix code style issues
* Disable poisoning with PSA_CRYPTO_DRIVER_TEST
* Use TEST_EQUAL instead of TEST_ASSERT where possible
* Fix and add comments in ticket and early data test function
* Make one shot
operations thread safe
* Fix PSA init and done macros in TLS unit tests
* Make psa_get_and_lock_X_with_policy threadsafe
* Add a wrapper function for psa_unregister_read
* Explain purpose of test specific write/parse ticket functions
* Make psa_get_and_lock_key_slot threadsafe
* Update psa_get_and_lock_key_slot_in_memory
* psa_util: invert check order for leading zeros in convert_der_to_raw_single_int()
* test_suite_psa_crypto_util: add test with 0-length s
* test_suite_rsa: add test for key write with incremental output size
* Remove state transitions in psa_load_X_key_into_slot
* Fix race condition with test comparison functions
* Wrap get_and_lock_key_slot_in_memory calls in mutex
* test_suite_rsa: add more test cases for RSA key parsing
* Support SHA-512 hwcap detection on old libc
* test_suite_bignum: add test function: mpi_zero_length_buffer_is_null()
* aria: remove leftover in comments
* test_suite_aria: remove NOT_DEFINED dependency from aria_invalid_param()
* Changelog for building SHA-256 and 512 with old libc
* Update ECDSA signature conversion based on experimentation
* test_suite_psa_crypto_util: add test with 0-length for r
* test_suite_psa_crypto_util: alloc/free buffer inside loop in ecdsa_raw_to_der_incremental()
* psa_util: minor improvements to convert_der_to_raw_single_int()
* Refactor all.sh clang version detection code
* Fix comment about version of clang required for 'build_aes_armce'
* fix build for midipix
* Conditionally guard exit label
* Generate test wrappers
* Implement safe buffer copying in asymmetric signature API
* Switch pk_setup_for_type() to return MBEDTLS_ERR_xxx
* Always call psa_crypto_init when testing mbedtls_pk_get_psa_attributes
* Update preprocessor guard comment
* Update some msg descriptions
* test_psa_compliance: use the last upstream release of psa-arch-tests
* Comment on locking strategy in psa_destroy_key
* suite_psa_crypto_util: add more test cases for DER->RAW
* Make psa_destroy_key threadsafe
* psa_util: remove
raw_len param from convert_der_to_raw_single_int()
* suite_psa_crypto_util: add more testing for mbedtls_ecdsa_raw_to_der()
* psa_util: some code improvement to convert_der_to_raw_single_int()
* Update psa_wipe_all_key_slots and document non-thread safety
* Make psa_purge_key thread safe
* Make psa_close_key thread safe
* Use constant_time module from cmac
* bignum: removing usage of MPI_VALIDATE_RET()
* aria: replace ARIA_VALIDATE_RET() with a simple "if" block
* lib: remove NULL pointer checks performed with MBEDTLS_INTERNAL_VALIDATE[_RET]
* test_psa_compliance: add exception for tests using wrong RSA pub key format
* platform_util: remove declarations of MBEDTLS_INTERNAL_VALIDATE[_RET]()
* psa_crypto_ffdh: fix typos
* adjust_legacy_from_psa: use EC pattern for enabling builtin elements of DH
* adjust_legacy_from_psa: optimize legacy enablement also for EC key types
* programs_benchmark: Updated to use `mbedtls_dhm_read_public()`.
* programs_benchmark: Updated to use `mbedtls_dhm_set_group()` & `mbedtls_dhm_get_len()`
* programs_dh_server: Updated to use `mbedtls_dhm_set_group()` & `mbedtls_dhm_get_len()`.
* driver-only-builds: improve a sentence in the HMAC section
* analyze_outcomes: fix typo
* all.sh: fix comment in check_test_dependencies()
* adjust_legacy_crypto: add parenthesis to improve clarity
* Remove already-assembled Changelog entry
* adjust_legacy_from_psa: improve pattern for enabling internal symbols
* psa_crypto_ffdh: move dhm.h inclusion to c file
* tests: fix `calloc()` argument list (`gcc-14` fix)
* Fix magic numbers in more J-PAKE tests
* Remove now-redundant guard
* Fix 1 forgotten separate input/output buffer
* Use separate input/output buffer.
Explain why error is expected
* all.sh: remove MBEDTLS_PEM_PARSE_C exception from check_test_dependencies()
* Depend on legacy RSA key generation for test code
* Implement pick-a-curve when ECP_LIGHT is disabled
* mbedtls_pk_get_psa_attributes: require MBEDTLS_PSA_CRYPTO_C
* Fix Make issues with Everest enabled
* Refactor common PThreads CMake code
* changelog: document RSA parse/write improvements
* test_suite_rsa: extend rsa_parse_pkcs1_key adding tests for public key
* test_suite_[pkparse/rsa]: move RSA private key parsing tests
* test_suite_rsa: improve rsa_parse_write_pkcs1_key() adding more checks
* Generate poisoning in PAKE test wrappers
* Fix magic number buffer length in J-PAKE tests
* Add copying to PAKE input and output
* Add copying in PAKE set peer and user functions
* all.sh: remove MBEDTLS_ASN1_PARSE_C exception from check_test_dependencies()
* asn1: use the new symbol to guard dependencies of ECDSA conversion functions
* psa_util: guard ECDSA conversion functions with proper (internal) symbol
* test_suite_psa_crypto_util: add comments to 512/521 bit size test cases
* test_suite_psa_crypto_util: change curve type for 256bits tests
* psa_util: add variable casting in convert_raw_to_der_single_int()
* psa_util: skip leading zeros in der format with "if" instead of "while"
* all.sh: add exception for ASN1_PARSE_C in check_test_dependencies
* test_suite_psa_crypto_util: split ECDSA test function in two
* psa_util: remove CRYPTO_C guard from ECDSA conversion functions
* psa_util: add include asn1write.h in public header
* test_suite_psa_crypto_util: increase the size of tested integers
* psa_util: minor code improvements
* psa_util: improve description for ECDSA conversion functions
* test_suite_psa_crypto_util: add test function and data for ECDSA conversion functions
* pk_wrap: use PSA util functions for ECDSA conversion instead of PK ones
* psa_util: add raw<->DER ECDSA conversion functions
* test_suite_psa_crypto: fix typo in description
*
adjust_legacy_from_psa: use intermediate symbol to enable builtin support
* driver-only-builds: add documentation for HMAC acceleration
* Put the id field at the end of the psa_key_attributes_s structure
* Refactor macros
* all.sh: disable legacy hash support in test_psa_crypto_config_accel_hmac()
* Add test cases on GCM AD, input, IV length
* Add allocate and copy style output buffer handling
* rsa: write documentation of new functions for parse/writing RSA priv/pub keys
* pk_wrap: use RSA module functions to write priv/pub key in RSA wrappers
* all.sh: update common_test_psa_crypto_config_accel_ecc_some_curves()
* config_adjust_legacy: do not auto-enable PK when RSA is enabled in PSA
* rsa: update return values of priv/pub parse/write functions
* Disable MBEDTLS_PSA_CRYPTO_CLIENT in no-PSA builds
* Missing dependency for MBEDTLS_PK_ECDSA
* Minor fixes to locking macros
* Fix the build with MBEDTLS_RSA_ALT
* Allow context types with an ALT version to be linked in Doxygen
* Unify want_private detection
* mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_USE_PSA_EC_DATA
* Allow building with MBEDTLS_PK_USE_PSA_EC_DATA && MBEDTLS_ECP_C
* mbedtls_pk_get_psa_attributes: support MBEDTLS_PK_OPAQUE
* mbedtls_pk_get_psa_attributes: test bad usage value
* mbedtls_pk_get_psa_attributes: ECC support
* mbedtls_pk_get_psa_attributes: RSA support
* mbedtls_pk_get_psa_attributes: force enrollment algorithm off
* Introduce mbedtls_pk_get_psa_attributes
* Add ..._GOTO_EXIT macro
* Add ..._GOTO_RETURN macro
* psa_crypt_rsa: remove dependency from the PK module
* test_suite_psa_crypto: remove tests for importing an RSA key in PEM format
* test_suite_rsa: add some basic testing of new parse/write priv/pub keys
* pk/rsa: move RSA parse/write private/public key functions to rsa module
* Handle sizeof(size_t) > sizeof(uint64_t)
* Fix comment typo
* Update ChangeLog.d/8726.txt
* Limit compiler hint to compilers that are known to benefit from it
* pkwrite: split pk_write_rsa_der() with a
dedicated function for non-opaque RSA key
* pkparse: rename RSA key and pubkey parsing functions
* test_suite_entropy: relax MD_C dependency to MD_LIGHT
* cert_[req/write]: add MD_C dependency
* analyze_outcomes: add task for HMAC coverage
* all.sh: add accelerated and reference components for HMAC
* Update the initialization macros
* Add comment on impossible overflows
* Add back restriction on AD length of GCM
* Create 8726.txt changelog entry
* Add a client view of the multipart contexts
* Update entropy_poll.c
* tests: tls13: Run early data test only in TLS 1.3 only config
* tests: tls13: Add early data unit test
* tests: ssl: Move setting of debug callback
* tests: tls13: Add session resume with ticket unit test
* ssl_helpers.c: Add ticket write/parse test functions
* tls13: cli: Fix setting of early data transform
* Access the test data mutex via accessor
* Make test data static now it has accessors
* Remove include of build_info.h
* Fix documentation typos.
* Remove unneeded lines from fuzz/Makefile
* Move MBEDTLS_COMPILER_IS_GCC & MBEDTLS_GCC_VERSION into build_info
* Improve comments
* Add changelog entry
* Set preferences before finding Threads in CMake
* Improve mbedtls_xor docs
* Make mbedtls_xor always inline
* Make unaligned accessors always inline
* Fix unaligned access on old compilers
* programs_dh_client/server: Updated config guards.
* programs_dh_client/server: Changed mdlen type to unsigned integer.
* Move MBEDTLS_COMPILER_IS_GCC defn into alignment.h
* Improve mbedtls_xor for IAR
* Fix typo
* Add empty line in register_read comment
* Move key_slot_mutex to threading.h
* pk: move mbedtls_pk_load_file to pk_internal
* x509: move internal functions declarations to a private header
* debug: move internal functions declarations to an internal header file
* programs_dh_client/server: Updated to query digest size using `mbedtls_md_info_from_type()`.
* programs_rsa_rsa_verify: Updated program to use `mbedtls_rsa_get_len()`
* programs_rsa_rsa_sign: Updated program to use `mbedtls_rsa_get_len()`
* programs_rsa_encrypt/decrypt: Updated programs to use `mbedtls_rsa_get_len()`
* programs_dh_client/server: Updated programs to use `mbedtls_rsa_get_len()`
* programs/dh_client/server: Added entropy source to `mbedtls_rsa_pkcs1_sign()`
* programs/dh_client/server: Replaced mbedtls_sha1 with mbedtls_sha256
* ssl_ciphersuites: move internal functions declarations to a private header
* Document the thread safety of the primitive key slot functions
* Support PSA_ERROR_SERVICE_FAILURE
* Initialize and free the key slot mutex
* Define key_slot_mutex
* generate_tls13_compat_tests: add DH group dependency when FFDH is used
* ssl-opt: add DH groups requirements in test cases using FFDH
* test_driver_key_management: keep mbedtls_test_opaque_wrap_key() private
* changelog: fix typo
* Add underflow check to UNPOISON counter decrement
* Pacify check_files
* Spelling fix
* Use quiet make wrappers from all.sh
* Create quiet wrappers for make and cmake
* all.sh: fix tests with accelerated FFDH
* crypto_config_test_driver_extension: support acceleration of DH groups
* tests: add guards for DH groups
* all.sh: add new component with only DH 2048 bits.
* psa_crypto: do not validate DH groups which are not enabled
* ssl_test_lib: add guards for enabled DH groups
* ssl_tls: add guards for enabled DH key types
* crypto_sizes: adjust PSA_VENDOR_FFDH_MAX_KEY_BITS based on the supported groups
* psa_crypto_ffdh: add guards for enabled domain parameters
* config_adjust: fix adjustments between legacy and PSA
* Separate memory poisoning tests from generic ASan
* Change memory poisoning flag to a count
* Clarify psa_destroy_key documentation
* Request C11 in CMake (but only for tests)
* Open question for ECDSA signature that can be resolved during implementation
* Add a usage parameter to mbedtls_pk_get_psa_attributes
* Resolve several open questions as nothing special to do
* Extend psa_wipe_key_slot documentation
* Implement delayed deletion in psa_destroy_key and some cleanup
* Reference filed issues
* Add header guards
* crypto_config: define feature macros for DH keys
* Reference ongoing work
* typo
* Generalize mbedtls_pk_setup_opaque beyond MBEDTLS_USE_PSA_CRYPTO
* add changelog
* Fix test dependencies
* Fix error in ctr_drbg
* Fix ASAN error in test
* Migrate to new RTD redirect format
* Add Changelog
* Add NIST AES-CTR test vectors
* add test for multipart AES-CTR
* Fix parsing of C line comments
* Disable PSA wrappers psa_collect_statuses builds
* PSA wrappers: don't poison buffers when buffer copying is disabled
* Add review exception warning
* Remove the manually written poisoning wrapper
* Update generated PSA wrappers
* Generated PSA wrappers: poison/unpoison buffer parameters
* Enable generated PSA wrappers
* Declare the outputs from generate_psa_wrappers.py as generated files
* Commit generated PSA wrappers
* PSA wrapper generator
* Guard the macro definition
* C function wrapper generator
* Python module to parse function declarations from a header file
* test_suite_psa_crypto: revert known failing checks for [en|de]cryption with opaque keys
* test_driver_asymmetric_encryption: implement opaque
[en/de]cryption functions
* test_driver_key_management: make opaque [un]wrapping functions public
* Make gcm counter increment more efficient
* Save 14 bytes in CTR-DRBG
* Use optimised counter increment in AES-CTR and CTR-DRBG
* Add tests for mbedtls_ctr_increment_counter
* Introduce mbedtls_ctr_increment_counter
* Revert change to psa_destroy_key documentation
* Revert change to return behaviour in psa_reserve_free_key_slot
* Return CORRUPTION_DETECTED instead of BAD_SLOT when the slot's state is wrong
* Relax psa_wipe_key_slot to allow states other than SLOT_PENDING_DELETION
* Iterate in 16-byte chunks
* psa_crypto: allow asymmetric encryption/decryption also with opaque keys
* test_suite_psa_crypto: test asymmetric encryption/decryption also with opaque keys
* ssl_tls.c: Factorize save/load of endpoint and ciphersuite
* ssl_ticket.c: Base ticket age check on the ticket creation time
* Add ticket creation time to TLS 1.2 session serialization
* Define ticket creation time in TLS 1.2 case as well
* Fix TLS 1.2 session serialization on server side
* Add endpoint in TLS 1.2 session serialization data
* ssl_session: Define unconditionally the endpoint field
* ssl_ticket.c: Fix ticket lifetime enforcement
* ssl_ticket.c: Remove pedantic server endpoint check
* ssl_ticket.c: Remove TLS server guard
* ssl_ticket.c: Remove client code
* Disable ticket module when useless
* add support for AES-CTR to benchmark
* Only run memory poisoning metatests when poisoning
* Use thread-local flag to enable memory poisoning
* Stop enforcing C99 in CMakeLists.txt
* Add minor cosmetic changes to record size limit changelog and comments
* Change renegotiation test to use G_NEXT_SRV
* Mention PK parse in changelog
* Restore previous version of rsa_pkcs8_pbes2_pbkdf2_2048_3des_sha384.pem
* Do not generate new random number while receiving HRR
* change values to ULL
* Change test data for pkparse aes
* Update Marvin fix Changelog entry
* Improve record size limit changelog wording
*
psa_crypto_ecp: remove support for secp224k1
* Change renegotiation tests to work with TLS 1.2 only
* Add AES tests to test_suite_pkparse
* Add more details to comments
* Fix dependencies in pkcs5 aes-128-cbc tests
* fix depends on condition
* add test cases with different hash algs
* add depends on for capacity tests and fix code style
* correct test data
* fix unused variable warning and other fixes
* add bugfix changelog entry
* disable pbkdf2_hmac set max capacity test
* Add tests for derive_full for hkdf_extract, hkdf_expand and ecjpake_to_pms
* Add tests for derive_set_capacity for pbkdf and ecjpake_to_pms
* Change error status for invalid HKDF alg
* Add hkdf_extract, hkdf_expand and ecjpake_to_pms cases
* Increase input parameter type and buffer size
* Add kdf_set_max_capacity function
* Reorder and correct comment
* add tests for derive_full and derive_set_capacity
* Fix psa_key_derivation_setup_kdf
* Fix warning in ssl_tls13_generic.c
* Change order of checking of record size limit client tests
* Add MBEDTLS_SSL_RECORD_SIZE_LIMIT to config_adjust_ssl.h
* Revert "Make sure record size limit is not configured without TLS 1.3"
* Make sure record size limit is not configured without TLS 1.3
* Add MBEDTLS_SSL_RECORD_SIZE_LIMIT to full config
* Move record size limit testing to tls13 component
* Add tests for client complying with record size limit
* Improve comments across record size limit changes
* update record size limit tests to be more consistent
* Add Changelog entry for record size extension
* Improve record size limit tests
* Fix issue in checking in writing extensions
* remove mbedtls_ssl_is_record_size_limit_valid function
* Stop sending record size limit extension if it's not sent from client
* Change record size limit writing function
* TLS1.3: SRV/CLI: add support for sending Record Size Limit extension
* tls13: server: write Record Size Limit ext in EncryptedExtensions - add the support in library - update corresponding test cases.
* tls13: cli: write Record Size Limit ext in ClientHello
* ssl_tls13_generic: check value of RecordSizeLimit in helper function
* tls13: add generic function to write Record Size Limit ext
* Add new lines before lists
* Fix typos / improve syntax
* Add ability to exclude mutex from tests
* Protect test info access with mutex
* Move bignum flag for negative zero into test_info
* Add required dependency to the testcase
* Remove unneeded testcase
* Update test-data to use SIZE_MAX
* Add missing newline at the end of test_suite_x509write.data
* Update fix to be more platform-independent
* Fix Issue #8687
* Add tests for Issue #8687
* psa_util: rename parameter of mbedtls_ecc_group_from_psa
* psa_util: update documentation for PSA conversion functions
* changelog: improve wording
* changelog: improve wording
* psa_crypto_ecp: fix comment for secp224k1 in check_ecc_parameters
* test_suite_psa_crypto: test also MBEDTLS_ECP_DP_MAX in ecc_conversion_functions_fail()
* psa_util: update documentation of EC conversion functions
* psa_util: remove support for secp224k1 in EC conversion functions
* psa_crypto_ecp: return unsupported for secp224k1 in check_ecc_parameters()
* test_suite_psa_crypto: improve failing tests for EC conversion functions
* test_suite_psa_crypto: add test case for ECP conversion with null values
* psa-transition: update "Elliptic curve mechanism selection" section
* changelog: fix working
* psa_util: properly handle secp224r1 private key size
* changelog: add missing newline
* test_suite_psa_crypto: explicitly check return values of conversion functions
* psa: let mbedtls_ecc_group_from_psa() accept only exact bit lengths
* psa-transition: extend "Elliptic curve mechanism selection"
* changelog: added documentation for the 2 new public functions
* test_suite_psa_crypto: add test functions and cases for ECC conversion functions
* psa_util: update the documentation of ECC conversion functions
* psa_crypto_ecp: add helper for checking EC parameters
* psa:
remove bits_is_sloppy parameter from mbedtls_ecc_group_from_psa()
* psa: rename "mbedtls_ecc_group_of_psa" to "mbedtls_ecc_group_from_psa"
* Improve wording & fix typos
* Revert "psa_util: add algorithm's availability checks for MD conversion functions"
* Revert "test_suite_md: improve md_to_from_psa() test function and related data"
* Revert "psa_util: fix typo in comment"
* mbedtls_config: update documentation for CIPHER_C and CRYPTO_C
* adjust_legacy_crypto: auto-enable CIPHER_C when any builtin cipher is enabled in PSA
* Revert "check_config: add check for PSA builtin unauthenticated ciphers"
* mbedtls_config: extend documentation for MBEDTLS_PSA_CRYPTO_C
* check_config: add check for PSA builtin unauthenticated ciphers
* Update architecture doc for cipher dual dispatch
* Quickly mention the status of RSA accel
* Rename tests components for clarity
* Rename test components to better reflect content
* Clarify CCM/CM with partial accel
* Update ChangeLog for CCM/GCM improvements
* Consolidate ChangeLog entries about CIPHER_C
* Allow programs/fuzz to be linked against pthread
* Enable common.make to be included by programs/fuzz
* Link programs with pthread via cmake
* Use new thread abstraction for ctr_drbg tests
* Add test thread create/join abstraction
* Migrate to threading_helpers.h
* Use mbedtls_test_info accessors internally as well
* Add accessor helpers for mbedtls_test_info
* psa_util: fix typo in comment
* Update mbedtls_ssl_get_output_record_size_limit signature
* changelog: improve wording
* Update mbedtls_psa_get_stats
* Update psa_wipe_all_key_slots
* Replace psa_unlock_key_slot calls in operations which act on FULL slots
* Update psa_load_X_key_into_slot
* Update psa_destroy_key, psa_purge_key and psa_close_key
* Update psa_get_and_lock_key_slot_X functions
* Update key creation functions to use the new key slot states
* Update and rename psa_get_empty_key_slot
* Implement psa_key_slot_state_transition
* Implement psa_register_read and
psa_unregister_read
* Implement psa_key_slot_has_readers and remove psa_is_key_slot_occupied
* Update psa_wipe_key_slot
* Update psa_key_slot_t
* Add config dependencies to record size tests
* changelog: improve wording
* changelog: rename changelog file to reflect the number of the related issue
* Indicate which curves Mbed TLS supports
* Note unusual curve size
* Fix typo in curve name
* Add test data for secp192r1
* Fix mixup between secp224r1 and secp224k1 in test scripts
* driver-only-builds: fix typo
* Remove useless guards on MBEDTLS_BIGNUM_C
* Move MBEDTLS_CIPHER modification to appropriate section
* Fix MBEDTLS_NO_PLATFORM_ENTROPY for baremetal aarch64 with armclang
* Update check_files.py to accommodate non-standard license headers in TF-M config files
* minor tidy-up
* Mention copyright in the readme
* Use verbatim TF-M configs from upstream
* Add supporting files to enable use of verbatim TF-M config
* Unify MBEDTLS_TEST_OBJS
* Fix name in documentation
* Minor readability improvement
* Finish unifying LOCAL_CFLAGS
* Improve readability of null-argument tests
* Make input parameter const
* adjust_legacy_from_psa: relax condition for legacy block cipher auto-enabling
* cipher_wrap: fix guards for some CCM/GCM functions
* psa-transition: update with MD translation functions
* changelog: document MD's conversion functions
* test_suite_md: improve md_to_from_psa() test function and related data
* psa_util: add algorithm's availability checks for MD conversion functions
* library/tests: replace md_psa.h with psa_util.h as include file for MD conversion
* md: move PSA conversion functions from md_psa.h to psa_util.h
* Clarify PSA-to-PK copy intent
* Resolve ECDSA conversion API: don't use an ASN.1 interface
* Our TLS 1.3 API doesn't actually require PSA key identifiers
* Minor clarifications
* all.sh: keep PSA_WANT_ALG_[CCM/GCM] enabled in common_block_cipher_dispatch()
* Fix Max fragment length test to use TLS 1.2 maximum output size
* Fix TLS 1.2 test to use
TLS 1.2 maximum output size
* all.sh: keep DES_C and CTR_DRBG_C enabled in test_full_no_cipher_with_crypto()
* Adjust TLS 1.3 tests to new maximum output changes
* oid/pkparse: add missing guards for PKCS[5/12] functions when !CIPHER_C
* all.sh: keep PKCS[5/12] enabled in full_no_cipher test components
* changelog: enhance description
* driver-only-builds: enhancing cipher related sections
* driver-only-builds: fix typos
* analyze_outcomes: ignore only test concerning AES/ARIA/Camellia in CMAC
* test_suite_cmac: add used key type to all test cases
* Add warning for PKCS 1.5 decryption
* Improve Record size limit testing
* Refactor and improve Record size limit handling
* analyze_outcomes: update skipped tests following latest changes to all.sh
* all.sh: keep legacy cipher modes enabled in test_full_block_cipher_legacy_dispatch()
* psa: add key_type as input parameter of psa_can_do_cipher()
* test_suite_block_cipher.psa: remove misleading initial comment
* check_config/block_cipher: minor improvements
* analyze_outcomes: update comments of skipped tests
* driver-only-builds: updated ciphers and AEADs related sections
* changelog: update description
* all.sh: fix messages in test_psa_crypto_config_accel_des
* mbedls_config: update documentation for MBEDTLS_PKCS[5/12]_C
* use mbedtls_ssl_session_init() to init session variable
* Fix typo
* RSA: improve readability
* RSA: remove unneeded temporaries
* RSA: document Montgomery trick in unblind
* Asymmetric cryptography: rough draft
* Changelog entry for the new ECP functions
* Add ECP-heavy-only test cases to the driver parity analysis ignore list
* Declare dependency on bignum in sample programs
* Use new mbedtls_ecp_keypair functions in sample programs
* New function mbedtls_ecp_write_public_key
* Rename variable that's a C++ keyword
* mbedtls_ecp_read_key: explain how to set the public key
* New function mbedtls_ecp_keypair_calc_public
* New function mbedtls_ecp_set_public_key
* Promise mbedtls_ecp_read_key doesn't
overwrite the public key
* Support partial export from mbedtls_ecp_keypair
* New function mbedtls_ecp_keypair_get_group_id
* Correct name and documentation of preprocessor symbol check function
* Allow *.make to contain tabs
* Explain the use of control
* Revert "Add option to pass make variables to depends.py"
* Revert "Add ability to pass make variables to psa_collect_statuses.py"
* Auto-detect the need to link with pthread on Unix-like platforms
* Unify some common rules of programs/Makefile and tests/Makefile
* Unify common variables of programs/Makefile and tests/Makefile
* Create common.make with LOCAL_CFLAGS and friends
* Partly unify LOCAL_CFLAGS
* Unify treatment of MBEDTLS_TEST_OBJS
* Indent nested conditionals
* driver-only-builds: update documentation
* fix line length
* all.sh: keep PKCS[5/12] enabled in accel_cipher_aead tests
* check_config: remove CIPHER_C requirement for PKCS[5/12]
* pkcs[5/12]: add CIPHER_C for [en/de]crypting functions
* driver-only-builds: fix typos
* Fix code style in ssl_tls.c
* Refactor record size limit extension handling
* Mention functional correctness explicitly
* driver-only-builds: add Restrictions section
* Clarify key generation and memory-management correctness
* changelog: enhancing descriptions
* driver-only-builds: enhancing section on removing CIPHER_C
* driver-only-builds: fix typos
* Only poison memory when buffer copying is enabled
* Add all.sh component to test with copying disabled
* fix/work around dependency issues when !MBEDTLS_ECP_C
* changelog: fix missing newline at end of file
* pk_*: remove remaining references to MBEDTLS_PSA_CRYPTO_C
* non-psa-pk-implementation: rephrase the changelog entry
* pk: remove last references to MBEDTLS_PSA_CRYPTO_C
* pk_wrap: remove last references to MBEDTLS_PSA_CRYPTO_C
* pk test suite: rename the parameter named parameter
* rsa: introduce rsa_internal_rsassa_pss_sign_no_mode_check()
* pk: implement non-PSA mbedtls_pk_sign_ext()
* gitignore: add clangd index files
* rsa:
minor comment/guard improvements
* driver-only-build: remove paragraph about RSA/DH deterministic key generation
* Invert note about buffer overlap support
* analyze_outcomes: add exceptions to disparities for block_cipher dispatch
* analyze_outcomes: allow ignored test suites to have a dot in the name
* test_suite_ccm: add missing BLOCK_CIPHER_PSA_[INIT/DONE]()
* tests: use new CCM/GCM capability macros in tests
* adjust_legacy_crypto: add macros for CCM/GCM capabilities with key types
* cipher_wrap: fix guards for alloc/free functions of CCM/GCM
* all.sh: disable legacy AES/ARIA/CAMELLIA in test_full_block_cipher_psa_dispatch
* Work around clang 3.8 bug
* Don't use full path for setting CC
* Use gcc in test_full_deprecated_warning
* Disable automatic setting of clang target flags on old clang
* Add -O2 to some CFLAGS which were not setting it
* Don't specify gcc unless the test requires it
* Use clang -O2 in common_block_cipher_no_decrypt
* Enable -O2 in depends.py
* Note that domain parameters are not supported with drivers
* Remove DSA and DH domain parameters from the documentation
* all.sh: rename test_psa_crypto_config_accel_cipher to accel_des
* changelog: add changelog for accelerated ciphers and AEADs
* pkwrite: add newlines when calling mbedtls_pem_write_buffer()
* Revert "pem: auto add newlines to header/footer in mbedtls_pem_write_buffer()"
* Use gcc in test_psa_compliance
* Ensure test_psa_compliance uses gcc
* Document the domain_parameters_size==SIZE_MAX hack
* Ensure clang is present
* Use clang by default
* Add AES_PSA_INIT() to thread test case
* Add missing newline at end of file
* Add extra MBEDTLS_PSA_CRYPTO_C guard for header
* driver-only-builds: add section for accelerated ciphers/AEADs
* Move test dependencies to function file
* Remove unnecessary check
* Improve make pthread linking mechanism
* Remove requirement for SHA512 from ctr_drbg test
* Remove explicit linking of PThread in make
* Add ability to pass make variables to
psa_collect_statuses.py
* Add option to pass make variables to depends.py
* Remove warning with GCC 12 and TSan
* Make TSan test run operate on full config
* Make number of threads a test argument
* Increase entropy buffer sizes
* Guard tests correctly
* Fix code style
* Explicitly link tests with pthreads
* Fix false claim of variables used uninitialised
* Add TsanDbg, standardise Tsan with other sanitisers
* Add re-seeding option to test
* Fix missing include
* Fix failing multi-threaded unit test
* Add multi-threaded unit test
* Add tsan to all.sh
* Add cmake build type for tsan
* Set OpenSSL/GnuTLS variables in release components
* all.sh: Parse arguments before checking if a test is supported
* Remove accidental addition of MBEDTLS_TEST_HOOKS
* Improve guards around memory poisoning setup
* Document release components in all.sh
* block_cipher: remove psa_key_type from mbedtls_block_cipher_context_t
* Make check_files ignore png files in docs
* Justify linearization points
* Undo accidental change
* Add explanatory comment
* Fix a typo
* Use gcc for -m32 Asan builds
* Fix unused function/variable warnings from clang
* Use clang as default compiler for Asan
* Tweak the behaviour of copy handling macros
* Add missing newline at end of file
* analyze_outcomes/all.sh: add reference component and entry for coverage comparison
* all.sh: keep CIPHER_C enabled in test_full_block_cipher_psa_dispatch()
* ccm/gcm: use BLOCK_CIPHER whenever possible
* adjust_legacy_crypto: enable BLOCK_CIPHER also when a driver is available
* test_suite_block_cipher: fix unused variable when !MBEDTLS_BLOCK_CIPHER_SOME_PSA
* config_adjust_legacy_crypto: fix typo
* block_cipher: use PSA_BITS_TO_BYTES() in mbedtls_block_cipher_setkey()
* block_cipher: add MBEDTLS_PRIVATE to new PSA fields in mbedtls_block_cipher_context_t
* all.sh: keep PSA_WANT_ALG_[GCM/CCM] enabled in test_full_block_cipher_psa_dispatch()
* block_cipher: remove useless use of psa_cipher_operation_t
* test_suite_block_cipher:
add new data file for PSA/legacy dispatch test
* tests: add PSA_INIT/PSA_DONE to CCM and GCM test suites
* all.sh: add new component for block_cipher dispatch to PSA
* crypto_builtin_composites: add missing guards for includes
* check_config: use new helpers for legacy GCM_C/CCM_C
* adjust_legacy_crypto: add helpers for block ciphers capabilities
* psa_crypto: add internal helper to signal that cipher driver is ready
* psa_util: add error translations from PSA to cipher
* block_cipher: add PSA dispatch if possible
* Build with -O2, but without assembly
* Revert back checking on handshake messages length
* Revert "Skip checking on maximum fragment length during handshake"
* Add note about support for buffer overlap
* Move wrapper include to psa_crypto_helpers.h
* Move test hook setup and teardown to helpers.c
* Move test hook setup functions into a C file
* Redesign local copy handling macros
* changelog: add changelog for move of mbedtls_ecc psa helper functions
* Link directly to the state transition diagram
* Add some clarifications in thread_safety.md
* Fix transitions in diagram
* Remove redundant use of -O2 with ASAN_FLAGS
* Make clienthello comment clear
* Change how the state transition diagram is stored
* library: Move mbedtls_ecc helper functions to psa_util
* Fix compile warning from IAR
* Add MBEDTLS_BSWAPxx intrinsics for IAR
* Better definition of MBEDTLS_IS_BIG_ENDIAN for IAR
* md-cipher-dispatch: editorial improvements
* Put local output status in scope
* Remove spaces around token-pasting macro operator
* Clarify psa_constant_names
* Correct and clarify discussion of AES-CMAC-PRF-128
* Fix some MAC-related function names
* library: Remove unused psa_crypto_core.h include
* Make return statuses unique in FREE_LOCAL_OUTPUT()
* Improve FREE_LOCAL_INPUT() and FREE_LOCAL_OUTPUT()
* Add comment explaining the purpose of header
* Add more information to comment on test hooks
* Add missing license header
* Remove unnecessary include directory from CMake
*
Add MBEDTLS_PSA_COPY_CALLER_BUFFERS config option * Use macros to manage buffer copies * Remove write check in driver wrappers tests * Change to use test-hook-based approach * Copy input and output in psa_cipher_encrypt() * Create memory poisoning wrapper for cipher encrypt * Add explicit UNPOISON calls to memory tests * Add memory poisoning hooks * Fix CI failure of uninitialized fp * Avoid use of `ip_len` as it clashes with a macro in AIX system headers * Move MPI initialization to start of function * Revert to ae952174a7 and addressing some comments * Use existing variable containing full path * Update comments * Adjust checks in generate_key_rsa suite * Error out when get domain_parameters is not supported * Fix style * Make local function static * Add Changelog for the Marvin attack fix * Error out if script is missing when collecting test cases * Revert "Catch ScriptOutputError in analyze_outcomes.py" * Add tls13 in ticket flags helper function names * fix-tls13-server-min-version-check.txt: rephrase ChangeLog * tls13: srv: improve comment * tls13: srv: return BAD_PROTOCOL_VERSION if chosen unsupported version * tls13: srv: improve DEBUG_MSG in case of TLS 1.2 disabled * tls13: srv: replace with internal API to check is_tls12_enabled * Fix wrong format in the function doc * Reword return value description for mbedtls_ssl_tls13_is_kex_mode_supported * Add "_is_" to functions ssl_tls13_key_exchange_.*_available * Consistent renaming * tls13: srv: rename mbedtls_ssl_tls13_check_kex_modes * Consistent renaming * tls13: rename mbedtls_ssl_session_check_ticket_flags * tls13: srv: rename ssl_tls13_ticket_permission_check * tls13: rename mbedtls_ssl_conf_tls13_check_kex_modes * tls13: change return value of mbedtls_ssl_conf_tls13_check_kex_modes * tls13: rename ssl_tls13_check_*_key_exchange functions * Skip checking on maximum fragment length during handshake * Fix potential double-free in calloc selftest * Small clarifications in documentation * Update cipher light
-> block cipher definition * Move psa-thread-safety.md * Add graph * Update psa-thread-safety.md * Fix a typo * Remove test_psa_crypto_config_accel_rsa_signature * Fix various issue * Remove the duplicate cases and add early_data_file option * Add the test framework of early data * Open the file once read in the file path * Add one test case with early_data_file * Read early data file * Revert the early data test case * Add read early data code * Rework to revert the early_data enabled flag * Add analyze_driver_vs_reference_rsa for analyze_outcomes * Conditionally check the attribute of generated RSA key * Correctly use asymmetric encrypt/decrypt driver * Add components to test crypto_full w/wo accelerated RSA * Fix possible integer overflows before widening * ssl_tls12_server: do not export/import opaque keys * Add record size checking during handshake * Comply with the received Record Size Limit extension * Do not run Valgrind tests in PR jobs * driver-only-build: update AEADs section * config-tfm: fix typo in comment * changelog: fix typos and working * Enable early data depend on whether the early data file exist * pk: guard key enrollment function with PSA_CRYPTO_CLIENT * remove misbehavior tests and code * Some minor improvement * change prototype of `write_early_data_ext` * remove assignment for `session->max_early_data_size` * fix various issue * Add missing debug message * add ticket max_early_data_size check * share write_early_data_ext function * improve comments of new session ticket * set max_early_data_size of ticket to keep consistent * Add max_early_data_size check * Revert "change max_early_data_size source" * Revert "set init value for max_early_data_size in session" * change max_early_data_size source * set init value for max_early_data_size in session * improve early data comments * replace ticket permission set * replace early data permission check * add early data flag check function * fix various issues * rename nst early data write function 
* Add tests for ticket early data permission bit * Enable multi max_early_data_size value for connections * Add early data permission check * add early data extension of NST * ssl_tls12_server: export/import PK parsed key in TLS side * Sync the early_data option with internal parameters in ssl_client2 * pkparse: do not set key algorithm for Montgomery keys in pk_ecc_set_key() * Remove the generic file read functions and simplify the early data read * Refine the detect code to enable early data or not * Rename the generic read functions to ssl_read_file_text * Improve the comments of early data input * Add a section about ALT implementations * revert output message which used by testing * ChangeLog: add fix-tls13-server-min-version-check.txt * pk_wrap: try both ECDSA signature schemes in ecdsa_sign_psa() * Change early data flag to input file * fix ci test failure * fix various issues * Add a generic section about key management * More information about output buffer sizes * Diffie-Hellman: several clarifications and corrections * Note a few things about PAKE (thanks Manuel) * Use "workflow" rather than "flow" for clarity * typos and minor clarifications * fixup!
Correct function names prefixes where they diverge from module names * pkwrite: minor code reshape * config-tfm: disable CIPHER_C * test_suite_block_cipher: fix depends_on for Camellia tests * driver-only-builds: update documentation for AEADs * changelog: add changelog for AEAD support without CIPHER_C * Remove leftover code from initial changelog support * test_driver_key_management: rename counter for export_public_key() hits * test_driver_cipher: add forced return status for encrypt and set_iv * test_suite_psa_crypto_driver_wrappers: add counter for failing psa_cipher_update() * crypto_extra: revert changes to mbedtls_psa_random_free() * test_suite_psa_crypto_driver_wrappers: fix missing hit counter reset before test * test_suite_psa_crypto_slot_management: modify check on open key slots * mbedtls_config: update descriptions of MBEDTLS_CTR_DRBG_C and MBEDTLS_PSA_CRYPTO_C * test_suite_psa_crypto_driver_wrappers: add counter for cipher_update() * test_suite_psa_crypto_driver_wrappers: improving driver access counters * test_suite_psa_crypto_slot_management: some fix for available key slots * test_suite_[ctr_drbg/random]: initialize/close PSA in tests * psa: free RNG implementation before checking for remaining open key slots * ctr_drbg: add alternative PSA implementation when AES_C is not defined * check_config: fix requirements for CTR_DRBG * all.sh: keep CTR_DRBG enabled in test_psa_crypto_config_accel_cipher_aead() * ssl-opt: test handshake for TLS 1.2 only cli with TLS 1.3 only srv * tls13: srv: check tls version in ClientHello with min_tls_version * test_suite_debug.function: check return value for _config_defaults * ssl_helpers: remove guard for rng_get() * tls12 & tls13 server: remove RNG check in `write_server_hello` * ssl_client: remove RNG check in `write_client_hello` * test_suite_debug.function: configure RNG to address test failure * test_suite_ssl.function: configure RNG to address test failure * ssl_helpers: make rng_get available for other test 
cases * send unexpected alert when not received eoed or app during reading early data * Send decode error alert when EOED parsing fail * fix various issues * Fix bad whitespace in keyword argument assignment * Use guess_mbedtls_root in Mbed-TLS-only script * Modify crypto_core_directory to also return a relative path * pkcs[5|12]: use cipher enums for encrypt and decrypt * tls13: early_data: cli: check a PSK has been selected in EE * Remove unused code * Shortening a comment line Related to: https://github.com/Mbed-TLS/mbedtls/issues/8562 * Remove trailing whitespace * tls13: early_data: cli: improve comment * tls13: early_data: cli: improve comment * improve comments and output message * print received early application data * switch inbound transform to handshake * implement parser of eoed * implement coordinate of eoed * Add dummy framework of eoed state * empty process_end_of_early_data * tls: check RNG in ssl_conf_check when calling mbedtls_ssl_setup * re-introduce process_wait_flight2 * remove wait_flight2 state * tls13: early_data: cli: improve comment * tls13: early_data: cli: remove guard to fix failure * Minor clarification * typo * Update PBKDF2 availability for 3.5 * Correct function names prefixes where they diverge from module names * Be more informative about "No change" * Introduce guess_tf_psa_crypto_root * Introduce guess_mbedtls_root * Rename variable for better clarity * Improve documentation of crypto_core_directory * Rename project_crypto_name * That's not what mbedtls_ecdh_get_params does * Correct lists of sign/verify functions * Corrections and clarifications around asymmetric key formats * Editorial corrections * Remove redundant check * Explain interruptible operations * Use MBEDTLS_HAVE_NEON_INTRINSICS in aesce * tidy up macros in mbedtls_xor * Catch ScriptOutputError in analyze_outcomes.py * Move script outputs handling to collect_from_script * tls13: early_data: cli: rename early_data parser in nst * Revert "tls13: early_data: cli: 
remove nst_ prefix" * tls13: early_data: cli: improve comment * pkwrite: fix return value in pk_get_type_ext() * pkparse: make pk_internal.h always available * tls13: early_data: cli: assign ciphersuite properly * Say who to contact * Fix typos and make minor style improvements * Allow PSA test cases to depend on test conditions * Use the existing definition of __func__ * Protect against compiler optimizations * Memory poisoning: meta-test writes as well as reads * Avoid unused variable warnings in some plausible usage * Use the existing definition of MBEDTLS_TEST_HAVE_ASAN * Port to platforms where printf doesn't have %zu * Fix MSVC build failure * Basic functional test for memory poisoning * Fix memory poisoning with Asan on arbitrary byte boundaries * Add memory poisoning framework * New files for memory-related test functions * pkwrite: some reshaping for Montgomery keys in mbedtls_pk_write_pubkey_der() * pkwrite: simplify management of opaque keys * Some improvements * Automatically set MBEDTLS_NO_PLATFORM_ENTROPY in TF-M config * Move MBEDTLS_BLOCK_CIPHER_NO_DECRYPT to correct section * Remove references to 3.4 * Add rules to check script test case listing * fix wrong gcc version check * add non-gcc arm_neon support * pk_internal: small renaming for mbedtls_pk_get_group_id() * improve document * Use the outputs as keys if the test case is defined in a script * Print suite name when listing test cases * Guards neon path * Revert "fix build warning with arm64 gcc 5.4" * Use boolean `hit` instead of int `hits` * Expand on the removal of RNG boilerplate * Add links to newly added functions * typos * Align forced ciphersuite with test description * ssl-opt.sh: Remove unnecessary symmetric crypto dependencies * Use common license header * Update tests to refer to our tf-m config wrapper * Clarify "functions that facilitate the transition" * pk: move functions to verify RFC8410 group ID to pk_internal * Create legacy-API bridge API design document * ssl-opt.sh: Fix
some symmetric crypto dependencies * ssl-opt.sh: Add a check of the list of supported ciphersuites * Disable hw AES on Arm for IAR * pkwrite: add internal defines for proper key buffer sizes * pkwrite: reorganize code * check_config: fix guards for PSA builtin implementation of cipher/AEAD * adjust_psa_from_legacy: add required CIPHER_C dependencies * all.sh: re-enable CCM/GCM in test_full_no_cipher_with_crypto[_config]() * Use latest TF-M config with bare-minimum changes * We no longer need to undef ALT defines * Simplify test for building P256-M * Update tf-m tests in all.sh for P256-M * Add comment to read_outcome_file in analyze_outcomes.py * Add type annotations to analyze_outcomes.py * pk: use common header/footer macros for pkwrite and pkparse * pem: auto add newlines to header/footer in mbedtls_pem_write_buffer() * Run tests for ref_vs_driver outside task function * fix build warning with arm64 gcc 5.4 * Define named tuple for component outcomes * Use mutable set all the time * Check if driver_component is missing * Break the loop when case hits * Improve readability of the script * Extend the pattern of pkparse test on encrypted keys * Skip calloc overallocation test case * tf-m config: update and enable BLOCK_CIPHER_NO_DECRYPT * mbedtls_config: improve documentation for BLOCK_CIPHER_NO_DECRYPT * Add better documentation for mbedtls_test_mutex_mutex * Revert change that removed in_tf_psa_crypto_repo variable * Remove unused variable * Make function calls consistent * Add documentation for new public functions * Use os.path.join in crypto_core_directory * Fixed compilation for Haiku OS Related to: https://github.com/Mbed-TLS/mbedtls/issues/8562 * Fix comment typos * Ensure mutex test mutex gets free'd * Revert "Refactor `psa_load_persistent_key_into_slot` to remove bad `goto`" * Refactor `psa_load_persistent_key_into_slot` to remove bad `goto` * ssl-opt.sh: Fix getting the list of supported ciphersuites. 
* Improve description of psa_crypto_input_copy_alloc * Use initializers in alloc functions * Add casts to local input / output initializers * all.sh: export LC_COLLATE=C for sorting in ASCII order * tls13: early_data: cli: remove nst_ prefix * Introduce project_crypto_name in build_tree.py * Make use of crypto_core_directory function in script * tls13: early_data: cli: optimize code * block_cipher_no_decrypt: improve comment * all.sh: check_test_dependencies: add one more option * Improve comments and variable naming * Restructure the structure of outcome file presentation * Share parsed outcomes among tasks when analyzing * Rename guess_mbedtls_root to guess_project_root * MSan and TSan complain as well, not just ASan * Improve implementation of crypto_core_directory * Disable check_mbedtls_calloc overallocation under ASan * Detect enabled GCC/Clang sanitizers * Remove initial changelog entry creation support * Replace repo_root with project_root * Make use of new crypto_core_directory function * Remove useless line * prepare_release: sed query change to strip whitespace * tls13: early_data: fix wrong debug_ret message * tls13: nst early_data: remove duplicate code * TLS Suite B fix: add ChangeLog entry * ssl_tls: improve readability in ssl_*_preset_*_sig_algs * Update tests to the code status * Add server side end-of-early-data handler * Add wait flight2 state.
* Add early transform computation when accepted * tls13: fix a wrong RFC reference section * ssl_tls: remove RSA sig-algs in ssl_tls12_preset_suiteb_sig_algs * ssl_tls: remove RSA sig-algs in ssl_preset_suiteb_sig_algs * ssl_tls: remove unnecessary guard * ssl_tls: return correct error code if mbedtls_calloc fails * tls13-misc: cli: check parser of max_early_data_size ext * tls13: early_data: support to parse max_early_data_size ext * Add casts for NEON * misc type fixes in ssl * Use standard byte conversion fns in lms * Use MBEDTLS_GET_UINTxx_BE macro * Fix types in entropy_poll.c * Use size_t cast for pointer subtractions * Enable to specify the name of the project in the changelog * Initial changelog support for changelog assembling * Fix the build with gcc-12 -Wuse-after-free * Fix status assignments when loading persistent keys * Extend blinding to RSA result check * Make RSA unblinding constant flow * Change if to switch case * replace check string * various improvement * improve readability * improve code style * Guards ticket_creation_time * improve document * Add freshness check information into document * Add maximum ticket lifetime check * fix build failure * fix various issues * rename ticket received * rename `ticket_creation` to `ticket_creation_time` * Add maximum ticket lifetime check * Update document of ticket age tolerance * Change the bottom of tolerance window * Cleanup ticket negative tests. 
* improve comments * guards ticket creation field * update tests * Replace `start` with `ticket_creation` * Add ticket_creation field * fix various issues * Replace c99 fmt macro * Add changelog entry for anti_replay_fail * change time unit of ticket to milliseconds * Rename "output_copy" -> "local_output" * Rename "input_copy" -> "local_input" * ccm/gcm: improve code maintainability * De-abbreviate "len" -> "length" * Change psa_crypto_copy_output error code * Add initializers for input / output copies * [cipher.h] Arithmetic overflow in binary left shift operation (MBEDTLS_KEY_BITLEN_SHIFT) * added changelog * Remove unnecessary checks for NULL-ness of copies * Check for len == 0 rather than buffer == NULL * Fix code style in psa_crypto_core.h * Compare buffers even for zero-length cases * Use TEST_CALLOC_NONNULL * Change data pattern to simpler one * Introduce demo script for PSA hash program * Introduce function to return library/core directory * Explicitly indicating when private fields are accessed in benchmark.c. * Alternative Timing compatible benchmark.c * Rename mutex->is_valid to mutex->state * Make threading helpers tests thread safe * Move handling of mutex->is_valid into threading_helpers.c * Add benchmark for RSA 3072. 
* Improve explanations of what bad thing a metatest does * Uniformly use MBEDTLS_THREADING_C guards * Only set slot to OCCUPIED on successful key loading * ccm/gcm: replace CIPHER_C functions with BLOCK_CIPHER_C ones * tls: fix unused parameter in mbedtls_ssl_cipher_to_psa * check_config: remove dependency check of CCM_C/GCM_C on CIPHER_C * adjust_legacy_crypto: auto-enable BLOCK_CIPHER_C when CIPHER_C is not defined * Change the test messages * ssl: move MBEDTLS_SSL_HAVE_XXX to config_adjust_legacy_crypto.h * all.sh: re-enable CCM/GCM in test_full_no_cipher() * ssl_tls: add missing guard for mbedtls_ssl_cipher_to_psa * Add missing PSA init * Remove redundant NULL check * Skip call to memcpy if buffer length is zero * Make copy functions static-testable * Rename variables in script * Fix unintentional direct use of memcpy() * Readability improvement * Update PSA init for md-light * Update to TEST_EQUAL macros for easier debuggability * all.sh: enable compat.sh testing in psa_crypto_config_[accel/reference]_cipher_aead * psa_exercise_key: add missing #else for KNOWN_SUPPORTED_BLOCK_CIPHER * ssl_misc: remove DES from the list of key types supporting CBC * changelog: use better wording and modify changelog section * all.sh: disable CCM_STAR_NO_TAG in test_psa_crypto_config_accel_aead() * ChangeLog: add change log for CCM/CCM* coupling removal * psa_exercise_key: replace legacy symbols with PSA_WANT ones * all.sh: improve components for without CCM/CCM* * adjust_legacy_from_psa: fix comment * test_driver_extension: fix acceleration support for CCM and CCM* * all.sh: accelerate also CCM* in test_psa_crypto_config_accel_cipher_aead * all.sh: add test components for no-CCM and no-CCM* * adjust_legacy_from_psa: treat CCM and CCM* separately * adjust_config_synonyms: make CCM and CCM* independent * improve document * improve document * Remove trailing whitespace * Call the right function * Update library/constant_time_impl.h * Update library/constant_time_impl.h * Stylise
TF-PSA-Crypto correctly * Refactor repository detection * Apply correct license to generate_driver_wrappers.py * Remove further extraneous whitespace in lcov script * Further modify check-generated-files.sh * Modify generate_driver_wrappers.py to work in both repos * aesce: fix unused parameter * Updated comments. * Simplified check. * Modify check-generated-files.sh to work in both repos * ssl-opt: fix wrong CCM dependencies with GCM * Move enum definition to satisfy `check_names.py` * all.sh: remove redundant make in test_psa_crypto_config_accel_cipher_aead() * Remove superfluous leading whitespace * psa_information: improve code readability * all.sh: add config_block_cipher_no_decrypt to simplify code * all.sh: block_cipher_no_decrypt: clean up cflags * all.sh: block_cipher_no_decrypt: simplify code * all.sh: block_cipher_no_decrypt: fix various issues * Added proposed fixes * Pop only when pushed. * improve brief description of conf_sig_algs * Add documentation * Temporary hack to pacify check_names.py * block_cipher: add encrypt() * block_cipher: add setkey() * Uninitialized read: make the pointer non-volatile rather than the buffer * padlock.c: guard mbedtls_padlock_xcryptcbc by CIPHER_MODE_CBC * Start adding internal module block_cipher.c * all.sh: more comments in check_test_cases() * More consistent usage of volatile * all.sh: robustness improvement * all.sh: add diff to can_keep_going_after_failure * cipher.c: remove checks for CBC,XTS,KW,KWP in cipher_setkey * ssl-opt: set proper cipher dependencies in tests using ticket_aead parameters * ssl_server2: remove usage of mbedtls_cipher_info_from_string() * ssl: move MBEDTLS_SSL_HAVE internal symbols to ssl.h * ssl-opt: set proper dependencies on tests with encrypted server5 key * all.sh: enable ssl-opt testing in psa_crypto_config_[accel/reference]_cipher_aead * all.sh: disable CIPHER_C in test_psa_crypto_config_accel_cipher_aead * BLOCK_CIPHER_NO_DECRYPT: call encrypt direction unconditionally * all.sh: 
reuse support_build_armcc for *_armcc test * all.sh: check additional symbols in aesce for block_cipher_no_decrypt * all.sh: refine and simplify component for block_cipher_no_decrypt * Strengthen against possible compiler optimizations * Fixes https://github.com/Mbed-TLS/mbedtls/issues/6910 as proposed in https://github.com/Mbed-TLS/mbedtls/issues/6910#issuecomment-1573301661 * Fix preprocessor syntax error. * fixes invalid default choice of thumb assembler syntax. * Fix compiler error on gcc 4.5.2. * Fix uninitialized variable warnings. * BLOCK_CIPHER_NO_DECRYPT: rephrase ChangeLog * psa_information: compile a regex instead of using string directly * tls1.3: early data: rephrase ChangeLog * aes.c: guard RSb and RTx properly * Improve documents * Update license * Add output round-trip testcase * Add input round-trip testcase * Add psa_crypto_output_copy_free() implementation * Add testcase for psa_crypto_output_copy_free() * Add implementation of psa_crypto_output_alloc() * Add testcase for psa_crypto_output_copy_alloc() * Add function prototypes for psa_crypto_output fns * Add implementation of psa_crypto_input_copy_free() * Add testcase for psa_crypto_input_copy_free() * Add psa_crypto_input_copy_alloc() implementation * Make empty key slots explicit * test_driver_extension: use same def/undef pattern for all accelerated symbols * Add check about legacy dependencies in PSA tests * Add docs re Everest license * Update BRANCHES * Restore bump version * Restore 3.5.1 ChangeLog * Revert back to v3.5.0 * No more limitations accelerated algorithms using a built-in hash * Rm unjustified MD_C dependencies in PSA test * Rm unjustified PK_C dependencies in PSA tests * Rm redundant ECC dependencies in psa_crypto tests * Fix incorrect RSA dependencies in psa_crypto tests * Rm unneeded dep on PK_PARSE_C in psa crypto tests * check_config: make error message in BLOCK_CIPHER_NO_DECRYPT clearer * aes.c: remove non-functional code * tls1.3: early data: rephrase ChangeLog * Remove
unused *.cocci files * ssl: replace MBEDTLS_SSL_HAVE_*_CBC with two separate macros * ssl: use MBEDTLS_SSL_HAVE_* in tests * tls1.3: early data: add ChangeLog entry * ssl: MBEDTLS_SSL_HAVE_* in ssl_misc.h * ssl: use MBEDTLS_SSL_HAVE_* in ssl_ciphersuites.c * ssl: add macro to indicate CBC mode is available * ssl: add macro for available key types * ssl-opt.sh: fix typo * ssl_helper: fix missing initialization of cli_log_obj * config-tfm.h: License Change * Add testcase for psa_crypto_input_copy_alloc() * Changed notes in x509_csr.h to better describe the behavior of mbedtls_x509_csr_parse_der and mbedtls_x509_csr_parse_der_with_ext_cb. * New test cases requested in https://github.com/Mbed-TLS/mbedtls/pull/8378#discussion_r1383779861 * cipher.c: return error for ECB-decrypt under BLOCK_CIPHER_NO_DECRYPT * move ext print to the end of write client hello * Revert "fix miss sent extensions mask" * fix various issues * check the ticket version unconditional * max_early_data_size: rename configuration function * early data: rename configuration function * tls13-misc: Do not check kex mode for some cases * Revert "TLS 1.3: SRV: Don't select ephemeral mode on resumption" * Change base config to full * programs/test/metatest indirectly includes library/common.h * Add missing program to .gitignore * Add metatests for mutex usage * Don't use %llx in printf * Fix cast from pointer to integer of different size * Don't cast a function pointer to a data pointer * Use casts when doing nonstandard pointer conversions * Run metatests in selected components * Strengthen against Clang optimizations * Metatests for basic Asan and Msan features * Script to run all the metatests (with platform filtering) * Metatests for null pointer dereference * Validate that test_fail causes a test failure * Add a metatest program * Add prototypes for psa_crypto_input_copy API * Remove psa_crypto_alloc_and_copy() API * Remove extra blank line at end of file * all.sh: test BLOCK_CIPHER_NO_DECRYPT in
build_aes_variations * Revert "ssl-opt.sh: Make record_outcome record the ssl-opt.sh file only" * Add test-suite parameter to filter tests * ChangeLog: rewrite ChangeLog for block-cipher-no-decrypt * Return an error if asking for decrypt under BLOCK_CIPHER_NO_DECRYPT * check_config: add checks for MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with PSA * all.sh: add components to test BLOCK_CIPHER_NO_DECRYPT with PSA * cipher_wrap.c: remove unnecessary NO_DECRYPT guard for DES * dh_client.c: modify prompt message * config.py: exclude MBEDTLS_BLOCK_CIPHER_NO_DECRYPT from full * Pacify mypy * Also complain if licenses are mentioned * Check copyright statements and SPDX license identifier * Sort imports * Move buffer copy tests into new testsuite * Switch error code to more appropriate value * Switch to TEST_CALLOC_NONNULL() * Switch from ret to status as naming convention * Switch from int to psa_status_t for test args * Remove psa_crypto_ prefix from test functions * Remove superfluous comment * Remove not-needed sentence * Standardise some more headers * Update license and copyright in config files * README improvements to 3rdparty section * Fix typos in changelog * Fix header in ssl_tls13_keys.c * psa_information.py: generate dep for AES/ARIA/CAMELLIA ECB test case * Update license for p256-m * Replace compound-initializers with memset * Fix overlooked files * Add Changelog for license * Update documentation * update headers * Refactor: move buffer pattern fills into helper * Add full round-trip tests for buffer copying * Add test case for overlapping buffers * Reject zero-lengths in psa_crypto_copy_and_free() * Reject NULL original_output with non-NULL output * Add implementation of psa_crypto_copy_and_free() * Add testcases for psa_crypto_copy_and_free() * Simplify zero-length buffers to always be NULL * Zero-length test for psa_crypto_alloc_and_copy() * Add extra testcases for buffer copying * Add implementation of psa_crypto_alloc_and_copy() * Add testcases for 
psa_crypto_alloc_and_copy() * Add buffers struct and prototypes for alloc API * Add implementation of psa_crypto_copy_output() * Add testcases for psa_crypto_copy_output() * Add implementation of psa_crypto_copy_input() * Add testcases for psa_crypto_copy_input() * ssl_server2: small improvement of code readability * Update comment to mention IAR * test_suite_psa_crypto: add dependency for decrypt test cases * all.sh: modify components to test BLOCK_CIPHER_NO_DECRYPT * check_config: add checks for MBEDTLS_BLOCK_CIPHER_NO_DECRYPT * mbedtls_config: add new config option MBEDTLS_BLOCK_CIPHER_NO_DECRYPT * test: tls13: change server output check * move psk check to EE message on client side * Add selected key and ciphersuite check * move ticket version check * fix various issues * Simplify use of __has_builtin * Add case for MSVC * Use non-empty definition for fallback * tidy up comments * Reduce code size in mbedtls_cipher_validate_values * Restructure mbedtls_cipher_validate_values * Introduce MBEDTLS_ASSUME * Fix broken link to psa-driver-example-and-guide in psa-driver-wrappers-codegen-migration-guide.md * Remove auto-generation of test wrappers * Downgrade auto testing testing to a nice-to-have * all.sh: remove leftover loc_curve_list usage * test_suite_x509write: use plaintext key file * Rename MBEDTLS_CIPHER_ENCRYPT_ONLY as MBEDTLS_BLOCK_CIPHER_NO_DECRYPT * Change base config to full minus SSL * Move common config to common function * tls13: add helpers to check if psk[_ephemeral] allowed by ticket * tls13: server: fully check ticket_flags with available kex mode. 
* Add function prototypes for copying functions * Add auto-generation of test wrappers to design * Add note on platform-specific barriers * Add sections on validation of validation * Add portability consideration to careful-access * Discuss plain-overwriting memory poisoning * ssl_helpers: remove CIPHER_C guards in mbedtls_test_ssl_build_transforms() * ssl_misc: ignore ALG_CBC_PKCS7 for MBEDTLS_SSL_HAVE_xxx_CBC * test_suite_psa_crypto_metadata: remove unnecessary CIPHER_C dependencies * test_suite_ssl: use new internal symbols in tests using CBC * ssl_misc: add internal MBEDTLS_SSL_HAVE_[AES/ARIA/CAMELLIA]_CBC symbols * ssl_context_info: add guards for CIPHER_C * ssl_server2: support ticket_aead only when CIPHER_C is defined * ssl_helpers: allow mbedtls_test_ssl_build_transforms to work without CIPHER_C * check_config: let SSL_TLS depend on either CIPHER_C or USE_PSA_CRYPTO * all.sh: enable SSL_TLS and SSL_TICKET in full_no_cipher with PSA_CRYPTO * all.sh: fix test components using accelerated curves * test_driver_extension: manage curves' acceleration the same as other PSA_WANT symbols * fix various issues * analyze_outcome: only warn on ignored tests that pass * analyze_outcomes: use regexes for cipher/aead * fix miss sent extensions mask * disable stdout in require_*_configs_* functions * Add translation ruler into document * tls13: server: parse pre_shared_key only when some psk is selectable * tests/scripts/all.sh: add test for 32-bit AES-NI intrinsics with clang * AES-NI: use target attributes for x86 32-bit intrinsics * check_test_cases: Minor documentation change * compat.sh: Rename list_test_case to list_test_cases * ssl-opt.sh: Make record_outcome record the ssl-opt.sh file only * Avoid using print_name when --list-test-cases is used * ssl-opt.sh: Correct print format for test cases' names * Remove invalid -l option from test scripts * check_test_cases: Avoid removing duplicated test cases * check_test_cases: Unify walk_compat_sh and walk_opt_sh into one 
  * ssl-opt.sh: Don't affect the order at which functions are printed
  * ssl-opt.sh: Simplify the implementation of the -l option
  * Skip unnecessary logic when -l option is used
  * Only use CONFIGS_ENABLED when not listing tests
  * Get options at beginning of program
  * Avoid skipping test when printing
  * Remove formatted string to make pylint happy
  * tests/check_test_cases: Use subprocess.check_output instead of run
  * Use file_name parameter in walk_ssl_opt_sh()
  * Revert "Add opt-testcases into check list"
  * tests/check_test_cases: Use ssl-opt.sh -l option instead of parsing
  * ssl-opt/run_test: Introduce -l option to list test case names
  * Add deprecated flag in document for sig_hashes
  * analyze_outcomes: ignore patterns apply to whole suite
  * analyze_outcome: Simplify some code
  * analyze_outcome: work around old Python in CI
  * analyze_outcomes: minor output fix
  * analyze_outcomes: use regexes with ECC components
  * analyze_outcomes: remove useless ignore entries
  * analyze_outcomes: useless ignores are now errors
  * analyze_outcomes: add regex match for ignored tests
  * analyze_outcomes: minor code cleanup
  * all.sh: unset MBEDTLS symbols for modes/keys only when !PSA_CRYPTO_CONFIG
  * all.sh: improve comments in common_test_full_no_cipher_with_psa_crypto
  * all.sh: rename common config/test function
  * all.sh: improve test_full_no_cipher()
  * all.sh: keep symbols that don't depend on CIPHER_C (directly or indirectly)
  * all.sh: fix comments in common_test_full_no_cipher_with_crypto()
  * all.sh: replace minus sign in text messages with "no"
  * psa_crypto_cipher: add guard for unused variable
  * psa_crypto_cipher: add helper to validate PSA cipher values
  * all.sh: add components as full_no_cipher with CRYPTO_C and CRYPTO_CONFIG
  * psa_crypto_cipher: add mbedtls_cipher_values_from_psa()
  * psa_crypto_aead: add guard for CIPHER_C dependency
  * adjust_psa_from_legacy: enable ALG_STREAM_CIPHER on when CIPHER_C is defined
  * check_config: fix dependency of PSA_CRYPTO_C on CIPHER_C
  * disable tests when ecp is not available
  * Add test case for writing early data in EE
  * write early data indication in EE msg
  * tls13: add more checks for server early data
  * Fix test suite never executed due to an undefined symbol
  * Fix builds in conda-forge, which doesn't have CLOCK_BOOTTIME
  * Extend design discussion
  * Threading design: fix internal links
  * Document chosen goals and priorities for 3.x
  * analyze_outcomes: update cipher/aead data
  * Things forgotten in the previous commit
  * cipher: improve code readibility in mbedtls_cipher_setup()
  * Rename and specify config options
  * Careful-access prototyping to design exploration
  * Fix invocation with explicit .datax file
  * Define try_chdir everywhere
  * Remove references to new-test approach in design
  * De-duplicate section titles
  * Add blank lines before lists
  * Fix broken links
  * Support older IAR versions
  * all.sh: accelerate ALG_[STREAM_CIPHER/ECB_NO_PADDING] in accel_cipher_aead()
  * all.sh: accelerate CMAC in test_psa_crypto_config_accel_cipher_aead()
  * test_suite_psa_crypto: replace builtin dependencies with PSA_WANT
  * test_suite_cipher: use TEST_ASSUME() to evaluate supported ciphers
  * analyze_oucomes.py: ignore line-too-long error for skipped tests
  * all.sh: add a common configuration function for accel/reference components
  * all.sh: keep PKCS5/12 enabled in the reference component
  * all.sh: move [accel/reference]_cipher_aead to crypto_full
  * cipher: check that ctx_alloc_func is not NULL before calling it
  * cipher_wrap: fix guards for GCM/CCM AES
  * pkparse: fix missing guards for pkcs5/12 functions
  * all.sh: fix minor issues
  * analyze_outcomes.py: skip tests that depends on builtin features
  * test_suite_cipher: successfully quit test if no cipher is supported
  * test: add component accelerating both ciphers and AEADs
  * Remove dependency on asm/hwcap.h
  * Clarify changelog
  * Test for presence/absence of AES instructions
  * Update Changelog to specify Armv8-A
  * Use MBEDTLS_ARCH_IS_ARMV8_A not MBEDTLS_ARCH_IS_ARMV8
  * Add volatile to prevent asm being optimised out
  * Fix #error typo
  * Share some definitions that are common for clang and GCC 5
  * Don't fail tests if hwcap.h not present
  * Tidy-up: move GCM code into one place
  * Code style
  * Don't use #ifdef on vreinterpretq_xxx
  * Add link to ACLE docs in comment
  * Update clang version requirements
  * Fix tests for older versions of clang
  * fix tabs
  * Improve compiler version checking + docs + testing for armclang
  * Fix behaviour for Armv8 targets without Neon
  * Changelog
  * Fix docs for MBEDTLS_AESCE_C
  * Add build tests for AESCE on A32/T32
  * Fix runtime detection on A32/T32
  * Suppport AESCE on A32 and T32
  * Clarify use of new tests for careful-access
  * Add detailed design section for careful access
  * Fix MBEDTLS_MAYBE_UNUSED for IAR
  * Add check_ticket_flags helper function
  * move script to `tests/scripts`
  * improve document
  * move asn1crypto to ci.requirements.txt
  * Add exploration section on FVP testing
  * Add lengths to convenience interface sketch
  * Rewrite incorrect description of psa_exercise_key
  * Add notes about configuration of poisoning tests
  * Add reference to test hooks in detailed design
  * Refactor note on preferred poison-test approach
  * Use ASan for memory poisoning as well as Valgrind
  * Add C language annotation to code block
  * Fix broken reference
  * Replace vague 'above' with a reference for ease-of-navigation
  * Add example wrapper function implementation
  * Add skeleton of detailed design rewrite
  * Make lcov.sh run from the build directory
  * Convert interruptible test over to using TEST_CALLOC
  * Remove dependency on asm/hwcap.h
  * all.sh: accelerate ALG_ECB_NO_PADDING in test_psa_crypto_config_accel_cipher()
  * libtestdriver1: fix acceleration for ALG_STREAM_CIPHER/ALG_ECB_NO_PADDING
  * all.sh: remove fixes in test components
  * legacy_from_psa: fix support for PSA_ACCEL_ALG_[STREAM_CIPHER/ECB_NO_PADDING]
  * Update operation threading strategy
  * Threading Design: emphasise performance requirement
  * Threading design: improve language
  * fix various issues
  * Rewrite design exploration of copy validation
  * Add missing exit labels to MPS tests
  * Explore sanitizers for memory poisoning
  * Tweak compiler optimization evaluation section
  * Add build preset full_no_platform
  * Threading design: update and clarify 3.6 plan
  * Threading design: Update empty slot tracking
  * Clarify threading design document structure
  * Clarify reentrancy requirements for drivers
  * Add section on possible use of Valgrind tracing
  * Expand design for validation of careful access
  * Modify lcov.sh to work in tf-psa-crypto as well
  * Added changelog.
  * Modify optimize-testing instructions
  * Move implementation by module table earlier
  * Add more detail in design of memory poisoning
  * Uncrustified
  * Change unsigned int to uint8_t
  * Fix some dependencies in ssl-opt.sh
  * Reword the changelog entry
  * test_suite_psa_crypto_driver_wrappers.data: fix dependency
  * PBKDF2-AES-CMAC: remove not needed preprocessor directive
  * CMAC: accelerate CMAC in accel_cipher
  * all.sh: fix a typo in comment
  * Fix dependency check for helper functions.
  * Add a changelog entry
  * all.sh: build_mingw: only test build lib without MBEDTLS_AESNI_C
  * Fix #8372 - Error compiling AESNI in Mbed-TLS with clang on Windows
  * all.sh: build_mingw: test default config without MBEDTLS_AESNI_C
  * fix wrong typo
  * Detailed design of memory protection strategy
  * Fix code style
  * Remove NULL-ing of passed in SSL context in ssl_populate_transform()
  * Move initialisation in test to before first test
  * analyze_outcomes: add new_section() method to the Results class
  * analyze_outcomes: fix format interpolation errors
  * Added parameters to add callback function to handle unsupported extensions. Similar to how the callback functions work when parsing certificates. Also added new test cases.
  * fix various issues
  * fix wrong typo and indent issue
  * Add server9-bad-saltlen generate command
  * Add asn1crypto to python maintainer requirements
  * add script for server9_bad_saltlen
  * analyze_outcomes: fix missing format for args/kwargs
  * Close file on error path
  * Use modern macros for calloc in test code
  * Remove redundant null check
  * Fix missing initializations on some error paths
  * Convey that it's ok for mbedtls_ssl_session_save to fail
  * Now handling critical extensions similarly to how its done in x509_get_crt_ext just without the callback function to handle unknown extensions.
  * Reword error message on format of SAN arguments
  * Reword error message on format of SAN arguments
  * Add plan for 3.6 to threading design
  * Add clarifications to thread safety design
  * Add reentrancy section to thread safety design
  * Added testcase with certificate that contains extensions with critical fields.
  * analyze_oucomes: do not return Results instance passed as parameter
  * analyze_outcomes: keep print_line() method non-static
  * Added missing like between variables and function body.
  * analyze_outcomes: code style improvement
  * analyze_outcomes: fix return value in case of test failure
  * Fixes #8377.
  * cipher: reset MBEDTLS_CIPHER_HAVE_AEAD to MBEDTLS_CIPHER_MODE_AEAD
  * all.sh: fix comment
  * analyze_outcomes: fix newlines
  * analyze_outcomes: reset name of TestLog to Results
  * analyze_outcomes: use a single TestLog instance and do not delay output
  * analyze_outcomes: exit immediately in case of invalid task
  * Fix static initializer warning
  * Require at least on curve for ECP_LIGHT
  * analyze_outcomes: print task list directly to stdout
  * Test for read-read inconsistency with mprotect and ptrace/gdb
  * Fix editorial error with semantic consequences
  * Typos
  * Tidy-up
  * Cleanup validation interface
  * md: restore md.h includes in source files directly using its elements
  * analyze_outcomes: minor improvements
  * ssl: improve ssl_check_key_curve()
  * Improve test for clang presence
  * cipher_wrap: add VIA_LEGACY_OR_USE_PSA to new internal symbols
  * cipher: reset MBEDTLS_CIPHER_HAVE_AEAD_LEGACY to previous naming
  * Make component_build_aes_aesce_armcc silent
  * cipher: fix guards in mbedtls_cipher_auth_[encrypt/decrypt]_ext()
  * Fix check for format supported by PSA
  * Use clearer function name
  * Make code more robust
  * Fix a typo in a comment
  * Fix limitation in checking supported alg in pk_sign
  * Fix unused warnings in dummy definition
  * Abstract away MBEDTLS_PK_PARSE_EC_EXTENDED
  * Fix and document return of pk_ecc_set_pubkey()
  * Rework pk_ecc_set_pubkey()
  * New signature for pk_ecc_set_pubkey()
  * Rework pk_ecc_set_pubkey_psa_ecp_fallback()
  * Tune body of pk_ecc_set_pubkey_from_prv()
  * Rename and document pk_ecc_set_pubkey_from_prv()
  * Document pk_ecc_set_group() and pk_ecc_set_key()
  * Move code around again
  * Merge two consecutive #ifs
  * Start re-ordering functions in pkparse
  * Minor improvements to pk_ecc_read_compressed()
  * Avoid nested #ifs in body of pk_get_ecpubkey()
  * Use helper macro for (deterministic) ECDSA
  * Make macro definition more consistent with similar defns
  * Simplify Windows-on-Arm macros
  * Use new MBEDTLS_ARCH_IS_xxx macros
  * Use MBEDTLS_HAVE_NEON_INTRINSICS instead of __ARM_NEON
  * Introduce MBEDTLS_HAVE_NEON_INTRINSICS and simplify NEON header inclusion
  * Enable 8-byte fastpath in mbedtls_xor on ARM64 and ARM64EC
  * Support ARM64EC in the same way as ARM64 in sha256 and sha512
  * Define MBEDTLS_EFFICIENT_UNALIGNED_ACCESS on Windows-on-Arm
  * Factor similar code into pk_ecc_set_key()
  * Group two versions of the same code
  * Slightly simplify pk_derive_public_key()
  * Factor common code into a function
  * Further rationalize includes
  * Minimize key-type-related includes
  * Remove redundant include
  * all.sh: revert changes in test_m32*
  * Suggest validating copy by memory poisoning
  * Add a section skeleton for copy bypass
  * Short explanations of what is expected in the design sections
  * Distinguish whole-message signature from other asymmetric cryptography
  * Design change for cipher/AEAD
  * Clarify terminology: built-in driver
  * Add a section on write-read feedback
  * Simplify the relaxed output-output rule
  * Expand explanations of the vulnerabilities
  * Fix typos and copypasta
  * cipher: reintroduce symbol for legacy AEAD support
  * Invert no_hwcap variable
  * Stop IAR warning about goto skipping variable definition
  * Tidy up logic for MBEDTLS_MAYBE_UNUSED
  * Include existing Makefile
  * Fix 3rdparty/Makefile.inc when included recursively
  * Revert "Fix a few IAR warnings"
  * Fix changelog code style issue
  * Fix changelog style issue
  * Fix hwcap test for CI
  * Fix code style issue in cert_write program
  * Fix code style issue in cert_req program
  * Adjust use of deprecated in Doxygen
  * Require asm/hwcap.h for testing
  * Doxygen fixes
  * check_config: fix typo causing build issues with only CCM enabled
  * Use a block to save 12b
  * Keep initialisation of p in its original location
  * Fix IAR 'transfer of control bypasses initialization' warnings
  * Adjust the full config
  * Add changelog entry for x509 cert_req null dereference fix
  * Fix possible NULL dereference issue in X509 cert_req program
  * Analyze requirements for protection of arguments in shared memory
  * Add changelog entry for x509 cert_write null dereference fix
  * Fix possible NULL dereference issue in X509 cert_write program
  * Fix test data dependencies
  * Fix Changelog formatting
  * Add Changelog
  * Add Encryption test data for AES 128,196,256 PBES2
  * Replace AES-CBC test data
  * Restore array formatting
  * Revert increase of test buffer size.
  * Add AES encrypted keys support for PKCS5 PBES2
  * Clarify changelog
  * Alter program layout for better clarity
  * Update to only serve GCM and CCM
  * cipher: keep MBEDTLS_CIPHER_HAVE symbols private
  * ssl: use MBEDTLS_SSL_HAVE_[CCM/GCM/CHACHAPOLY/AEAD] macros for ssl code
  * Refer to Armv8-A (not Armv8) in comments
  * analyze_outcomes: improve logging system
  * fix test fail when ecp disabled
  * Add early data disable tests
  * Add data file for early data input
  * Add early data status update
  * Add not-received status
  * Share `early_data_status` between server and client
  * Add unit test for max_early_data_size of ticket
  * Add max_early_data_size into copy list
  * Add max_early_data_size into ticket
  * Automatically pick up all Markdown files
  * Remove extra blank line
  * Test instructions built/not built
  * Rename local variable in aes.c
  * Remove superfluous comment
  * Add missing newline
  * Add variable for message length
  * Adjust messages in all.sh
  * Fix a couple of typos related to renaming options
  * Add casting size_t to int
  * Add casting size_t to int
  * md: remove unnecessary inclusions of mbedtls/md.h
  * ssl: reorganize guards surrounding ssl_get_ecdh_params_from_cert()
  * cipher: fix missing spaces
  * test: use full config in test_psa_crypto_config_accel_cipher
  * cipher/tls: use new symbols for guarding AEAD code
  * cipher: add internal symbols for AEAD capabilities
  * test: keep SSL_TICKET_C and SSL_CONTEXT_SERIALIZATION enabled
  * test: use full config in accelerated AEAD test
  * Improve Changelog
  * SHA256 renaming - fix some missed things
  * Revert renaming of SHA512 options
  * Remove trailing white space in documentation
  * all.sh: Re-enable MBEDTLS_AESNI_C in some components
  * aesni: select `__cpuid` impl based on compiler type
  * Inform user when unknown hash algorithm supplied
  * Update documentation
  * Add PSA threading design
  * Rename MBEDTLS_SHAxxx_USE_ARMV8_yyy to MBEDTLS_SHAxxx_USE_ARMV8_A_yyy
  * Rename MBEDTLS_ARCH_IS_ARMV8 to MBEDTLS_ARCH_IS_ARMV8_A
  * Refer to Armv8-A (not Armv8) in docs
  * Code style
  * More config option renaming
  * Fix hwcap detection on 32-bit Arm
  * Rename A64 config options
  * aesni: declare cpuinfo as int
  * aesni: support cpuid on WIN32
  * Fix excess newline
  * Make asm without side-effects not optimisable-out
  * Update to MD light section
  * Update list of modules using hashes
  * Update definition of Cipher light
  * Include psa/build_info.h instead of mbedtls/build_info.h
  * Update details of modules using cipher operations
  * Fix C++ build issue when MBEDTLS_ASN1_PARSE_C is not enabled
  * analyze_outcomes: rename some variables for better readability
  * benchmark: improve code readability
  * sha256.h: add guard for is224 in sha256 context
  * Adapt to new PSA Crypto repo name
  * Fix arch detection for auto setting of clang flags
  * Remove logically dead code
  * Correct styling of Mbed TLS in documentation
  * md: move definitions of MBEDTLS_MD_CAN to config_adjust_legacy_crypto.h
  * ssl: fix getting group id in ssl_check_key_curve()
  * pk_internal: change guards for mbedtls_pk_ec_[ro/rw]
  * Fix 3rdparty target names for custom config
  * test_suite_pkcs12: fix typo in test case description
  * pkcs12: use mbedtls_cipher_crypt() instead of explicitly defining all steps
  * Note about the lack of Windows support
  * Print a notice if chdir fails
  * Support running unit tests from another directory
  * Fix IAR warnings
  * Update baremetal config to exclude MBEDTLS_SHAxxx_USE_A64_CRYPTO_IF_PRESENT
  * Fix cast errors on IAR
  * code style
  * Warn if using runtime detection and no Neon
  * Add tests for runtime detection
  * Enable run-time detection for Thumb and Arm
  * Improve docs
  * Update docs for MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
  * Support MSVS with clang
  * Revert "Auto-generated files for v3.5.0"
  * require clang 4 for testing
  * Get MBEDTLS_MAYBE_UNUSED to cover more compilers
  * Code style
  * Add Changelog
  * Improve docs
  * Improve behaviour on gcc targetting arm or thumb
  * Fix indentation
  * Add tests for SHA256 on ARMCE for thumb, arm and aarch64
  * Support MBEDTLS_MAYBE_UNUSED in MSVC and IAR
  * Use MBEDTLS_MAYBE_UNUSED to simplify aes.c and let compiler remove unused variables
  * Introduce MBEDTLS_MAYBE_UNUSED
  * tidy up
  * Tidy-up
  * Tidy up bash syntax
  * Improve docs
  * Use lower-case for local variables
  * Make SHA256 depend on Armv8, not aarch64
  * Introduce MBEDTLS_ARCH_IS_ARMV8
  * Improve naming
  * Use make to generate the test command
  * Remove redundant test component
  * Move check into list_files_to_merge
  * rename function
  * Check for incorrect changelog extensions
  * Separate out a resuable option cross-product test function
  * Remove not-needed edge-case
  * Simplify makefile generation; don't use -j
  * fix make issue
  * Code style
  * Use make to parellise tests
  * Improve test speed
  * Add testing for MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
  * Fix some more incorrect guards in aes.c
  * Extend testing of aes.o options
  * Restore missing #if
  * Improve AES hardware-only check
  * analyze_outcomes: fix incorrect use of Results.log()
  * analyze_outcomes: ignore asn1parse and asn1write in result analysis
  * analyze_outcomes: escape {} in string format for test description
  * Revert "test_suite_asn1parse.data: remove {} in test data description"
  * test_suite_asn1parse.data: remove {} in test data description
  * test_suite_pk: add extra dependency for pk_psa_sign
  * all.sh: remove not needed #define in common_tfm_config
  * check_config: add check of ASN1_[WRITE/PARSE]_C
  * all.sh: remove define MD_C in common_tfm_config
  * config-tfm.h: remove PK_[PARSE/WRITE]_C
  * all.sh: fix a comment in common_tfm_config
  * all.sh: simplify common_tfm_config
  * config-tfm.h: include TF-M medium profile properly
  * Keep the list in alphabetical order
  * Documentation improvements
  * Disable PK_PARSE and PK_WRITE
  * Update location of TFM config files
  * Fix broken test with MBEDTLS_PSA_CRYPTO_KEY_ID_ENCODES_OWNER
  * test-ref-configs: test config-tfm.h
  * configs: add config_tfm.h which includes TFM configs
  * configs: move TFM config to a subdirectory
  * AESNI: improve comments on some guards in aesni.h
  * test_suite_ssl: improve variable naming in ssl_set_hostname_twice
  * benchmark: add AES_CFB8
  * benchmark: add AES_CFB128
  * all.sh: run make clean before make lib in armc6_build_test
  * all.sh: make sure CIPHER_ENCRYPT_ONLY is enabled in tests
  * Enable CIPHER_ENCRYPT_ONLY when DES is disabled
  * all.sh: fix a typo
  * des: don't consider DES for CIPHER_ENCRYPT_ONLY
  * Revert "des: add CIPHER_ENCRYPT_ONLY dependency for test cases"
  * Add ChangeLog entry for MBEDTLS_CIPHER_ENCRYPT_ONLY
  * all.sh: ciper_encrypt_only: cover VIA PADLOCK
  * all.sh: ciper_encrypt_only: cover baremetal build for AESCE
  * all.sh: ciper_encrypt_only: cover AESNI and C Implementation
  * aes: define internal macro to simplify #if Directive
  * check_config.h: add checks for CIPHER_ENCRYPT_ONLY
  * des: add CIPHER_ENCRYPT_ONLY dependency for test cases
  * camellia: add CIPHER_ENCRYPT_ONLY dependency for DECRYPT test cases
  * aria: add CIPHER_ENCRYPT_ONLY dependency for DECRYPT test cases
  * AES-ECB: add CIPHER_ENCRYPT_ONLY dependency for DECRYPT test cases
  * dh_client: removed under CIPHER_ENCRYPT_ONLY
  * cipher_wrap: remove *setkey_dec_func in CIPHER_ENCRYPT_ONLY
  * aria/camellia/des: guard setkey_dec by CIPHER_ENCRYPT_ONLY
  * all.sh: add test case for CIPHER_ENCRYPT_ONLY
  * PSA: auto-enable CIPHER_ENCRYPT_ONLY if cipher-decrypt is not needed
  * AESNI: add macro guard of CIPHER_ENCRYPT_ONLY
  * AESCE: add macro guard of CIPHER_ENCRYPT_ONLY
  * aes.c: add config option to support cipher_encrypt_only
  * Add clarifications to the threading requirements
  * Fix typo
  * Add threading non-requirement
  * Improve thread safety presentation
  * Tighten thread safety requirements
  * ssl-opt.sh doesn't actually use OPENSSL_LEGACY: remove unused function
  * compat.sh: add --preserve-logs option
  * pkwrite: zeroize buf containing info of private key
  * Remove GNUTLS_LEGACY and OPENSSL_LEGACY
  * Stop using "legacy" OpenSSL and GnuTLS
  * Minor robustness improvement
  * ssl-opt.sh doesn't actually use OPENSSL_LEGACY, so remove it
  * aes.c: provide finer guard for RSb
  * aes.c: clean up and fix wrong comment in #endif
  * Refine thread safety requirements
  * pkwrite.c: write ChangeLog accurately
  * pkwrite.c: call calloc and free properly
  * pkwrite: add Changelog entry
  * pkwrite.c: add a cleanup label to save code size
  * pkwrite.c: save stack usage for pk_write_key_pem
  * pkwrite.c: save stack usage for pk_write_pubkey_pem
  * Add tentative definition of Cipher light
  * Add details on use of ciphers from other modules
  * Check length before calling memcmp
  * Add new line at end of file to satisfy code style
  * Implement cleanup label
  * Remove further superfluous call to psa_hash_abort
  * Add missing PSA init
  * Update old dependency to MBEDTLS_MD_CAN
  * Correct code style
  * Stop hashing the null byte
  * Add extra check to one-shot operation results
  * Check result of multipart operation
  * Restructure start of program
  * Add clarifying comment to new program section
  * Use memcmp instead of reinventing it
  * Change hash output formatting
  * Change wording in error message
  * Clarify comments
  * Remove mbedtls_ and psa_ prefix from var names
  * Remove superfluous calls to psa_hash_abort
  * Replace hash_size with hash_length
  * Fix erroneous macro guards
  * PermissionIssueTracker is obsoleted by ShebangIssueTracker
  * Skip dlopen demo in static builds
  * Use demo_common.sh in dlopen test script
  * Pacify Pylint
  * Make --quiet a little less quiet
  * Error out if run from the wrong directory
  * Add --quiet option to suppress demos' output
  * Fix some mistakes in descriptive messages
  * Minor readability improvements
  * Explain why $root_dir needs a complicated calculation
  * Print only missing dependencies
  * cleanup is part of the external interface
  * Run demo scripts in some builds
  * Declare the dependencies of key_ladder_demo.sh
  * Let demo scripts declare their dependencies
  * Demo scripts: create a seedfile if the configuration requires it
  * Move common code of demo scripts into a library
  * Run demo scripts and check that they work
  * Address review comments
  * Fix code style
  * Demonstrate algorithm agility
  * Improve program from first round review comments
  * Added ChangeLog entry
  * Bring code-style up-to-date
  * Add example program for PSA hash
  * SSL programs: improve command-line error reporting
  * SSL programs: allow invoking without arguments
  * SSL programs: group options processing in 1 place
  * Show how to extract curve information from an ecp_keypair
  * The ECP curve name is the one from TLS, not one we made up
  * Cover ecp.h
  * Rename PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_USE to ..._BASIC
  * Cover ECDH and DHM
  * Mention self-tests
  * Mention mbedtls_psa_get_random
  * Legacy-to-PSA transition guide
  * simplify helper function name
  * refactor: move ticket_flags check into a function
  * Revert "TLS 1.3: SRV: Validate kex modes when parsing psk"
  * Add addition options to detect the correct kex mode
  * TLS 1.3: SRV: Don't select ephemeral mode on resumption
  * TLS 1.3: SRV: Validate kex modes when parsing psk
  * TLS 1.3: SRV: Check ticket_flags in kex mode determination

-------------------------------------------------------------------
Wed Jan 31 08:11:12 UTC 2024 - Martin Pluskal <mpluskal@suse.com>

- Update to version 3.5.2:
  * Update BRANCHES.md
  * Bump version
  * Assemble Changelog
  * Update Marvin fix Changelog entry
  * Add warning for PKCS 1.5 decryption
  * Fix typo
  * RSA: improve readability
  * RSA: remove unneeded temporaries
  * RSA: document Montgomery trick in unblind
  * Fix style
  * Make local function static
  * Add Changelog for the Marvin attack fix
  * Extend blinding to RSA result check
  * Make RSA unblinding constant flow
  * Add Changelog for #8687
  * Add required dependency to the testcase
  * Remove unneeded testcase
  * Update test-data to use SIZE_MAX
  * Add missing newline at the end of test_suite_x509write.data
  * Update fix to be more platform-independent
  * Fix Issue #8687
  * Add tests for Issue #8687
- Resolves CVE-2024-23170 boo#1219336

-------------------------------------------------------------------
Tue Jan 23 11:12:58 UTC 2024 - Lubos Kocman <lubos.kocman@suse.com>

- Mbed TLS is now released under a dual Apache-2.0 OR GPL-2.0-or-later
  * legalreview already raised this

-------------------------------------------------------------------
Tue Nov 14 12:34:09 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

- Update to version 3.5.1:
  * Add docs re Everest license
  * Update Changelog with bugfix entry
  * Update BRANCHES
  * Bump version
  * Fix typos in changelog
  * Fix 3rdparty target names for custom config
  * assemble Changelog
  * README improvements to 3rdparty section
  * Update license for p256-m
  * Add Changelog for license
  * Update documentation
  * Fix some non-standard headers
  * Header updates

-------------------------------------------------------------------
Wed Oct 11 09:49:51 UTC 2023 - Martin Pluskal <mpluskal@suse.com>

- Update to version 3.5.0 (resolves bsc#1216078 CVE-2023-45199 and
  bsc#1216076 CVE-2023-43615):
  * Updated BRANCHES.MD
  * Re-assemble changelog to add missing item, plus a couple of typo fixes.
  * Bump library so-crypto, so-x509, so-tls versions.
  * Ignore tests of built-in interfaces for driver-only testing parity
  * Renaming all MBEDTLS_HAVE for curves to MBEDTLS_ECP_HAVE
  * Auto-generated files for v3.5.0
  * ChangeLog: Set release date
  * Prepare ChangeLog for 3.5.0 release
  * Bump version to 3.5.0
  * check-generated-files: Added psa_crypto_driver_wrappers_no_static.c file
  * Changelog: Added entry for psa_crypto_driver_wrappers rename
  * Remove leftover local debug line
  * ChangeLog: Added .txt extension to log entries.
  * Avoid compiler warning about size comparison
  * Improve some debug messages and error codes
  * In TLS 1.2, only servers are affected
  * Changelog entry for xxdh_psa_peerkey size validation
  * Improve robustness of ECDH public key length validation
  * Fix buffer overflow in TLS 1.2 ClientKeyExchange parsing
  * Fix buffer overflow in TLS 1.3 ECDH public key parsing
  * Add custom config logic to 3rdparty modules
  * CMake: fix build with 3rdparty module enabled through a custom config
  * Changelog entry for #7298
  * Fix ChangeLog entry for FFDH in PSA
  * Undo not-needed change
  * Remove redundant code
  * Assume get_num_ops cannot fail
  * Always call get_num_ops
  * Add MBEDTLS_TARGET_PREFIX to 3rdparty CMake
  * Fix return type
  * Fix IAR statement is unreachable warning
  * Fix IAR control bypasses initialisation warning
  * Fix error handling in psa_driver_wrapper_xxx_hash_get_num_ops
  * Fix IAR pointless integer comparison
  * Fix IAR control bypasses initialisation warning
  * Fix IAR change of sign warning
  * Remove components that partially accelerate ECC keys
  * Update list of ECC key types in user-config-for-test.h
  * Remove spurious comments
  * Remove generated files in all cmake_as_x tests
  * Fix lowercase comment start
  * Formatting fixes
  * Minor clarifications.
  * Test only what's support with partial curves accel
  * Add check for unsupported partial curves acceleration
  * Add check for unsupported partial key type acceleration
  * Fix typo: weiErstrass
  * Use lowercase for local variables
  * Adjust handling of special case for DERIVE
  * Rename macros for consistency
  * Update docs/driver-only-builds.md
  * Improve documentation about driver-only p256-m.
  * Remove now-redundant tests
  * Auto-enable ACCEL macros for p256-m driver
  * Update list of p256-m entry points
  * Don't extend support for deprecated functions
  * Update ChangeLog for ECC.BN EPIC
  * Ensure tests will fail if CMake generation fails
  * Update padding const-time fix changelog
  * Put crypto_spe.h on the include search path where needed
  * Document that MBEDTLS_PSA_CRYPTO_SPM needs crypto_spe.h
  * Fix include path to psa/crypto_spe.h
  * Add CMake include path for generated header
  * Add ChangeLog entry for change in driver config API
  * Document limitation on "mixed" builds
  * Re-add python install of requirements to Travis CI.
  * Add build with only some ECC key types accelerated
  * Add build with some curves accelerated but not all
  * Fix a typo in psa-crypto-implementation-structure.md
  * Change the documenti about psa_crypto_driver_wrappers.c{h}
  * No need to include the 3rd party entry point head file
  * Change the description of auto-generated driver dispatch files
  * Remove useless spaces in Makefile
  * Remove useless empty line
  * Remove the UN_USED_DISABLE attribute
  * Change to os.path functions base on comment
  * Move the dependency adjacent to the generated file
  * Change include guards of psa_crypto_driver_wrappers_no_static.h
  * Change comments to psa_crypto_driver_wrappers.h
  * Change the extension type of the file psa_crypto_driver_wrapper
  * Automaticly generate psa_crypto_driver_wrappers_no_static.c
  * Dont't generate object file for file only include static functions
  * Revert 3rd party p-256 entry file
  * Revert the Makefile to remove the dependency of generate_files
  * Move functions out of the static file
  * Change code style
  * Disable unused warning on visual studio and generate files before lib
  * Enable build of non-static psa wrapper functions
  * Move function psa_driver_wrapper_export_public_key out of auto-generated
  * Remove static inline functions declare and make it only in c file
  * Ensure build of P256 pass
  * Surpress the unsed function warnings
  * Remove useless declaration
  * Define the psa wrapper functions as static inline
  * Fix propagation of return value from parse_attribute_value_hex_der_encoded
  * parse_attribute_value_hex_der_encoded: clean up length validation
  * parse_attribute_value_hex_der_encoded test case fixups
  * Add may-fail mode to mbedtls_x509_string_to_names output tests
  * Fix integer overflow with an input buffer larger than INT_MAX
  * Fix indentation
  * Rewrite parse_attribute_value_hex_der_encoded()
  * More test cases for parse_attribute_value_der_encoded
  * Use modern test macros for ease of debugging
  * Rename new header file
  * Declare P-256 as accelerated in p256-m test
  * Fix another rebasing mistake
  * Fix rebasing mistake
  * Be more subtle about key_type -> alg interaction
  * Special-case KEYPAIR_DERIVE (no driver support yet)
  * Fix dependencies of built-in ECC keypair types
  * Fix deterministic ECDSA built-in dependencies
  * Use consistent ordering for built-in activation
  * Declare curves as accelerated in all.sh when needed
  * Fix logic of ECC built-in activation again
  * Remove components that are no longer needed
  * Remove useless instances of MBEDTLS_SOME_BUILTIN_EC
  * Implement new strategy for ECC accel/built-in
  * Group all ECC-related things in legacy_from_psa.h
  * Improve PSA config adjustment relate to keypair types
  * Remove unnecessary block
  * psa_crypto: fix guards in mbedtls_ecc_group_to_psa()
  * adjust_legacy_from_psa: undef SOME_BUILTIN_EC when builtin curves are used
  * config_psa: resolve symbol redefinition issue
  * test: fix comment
  * check_config: remove unnecessary check about builtin curve usage
  * test_suite_psa_crypto: fix curve dependency in test
  * Renaming all MBEDTLS_HAVE for curves to MBEDTLS_ECP_HAVE
  * test: fix comments and functions' naming
  * ssl: don't require MBEDTLS_ECP_DP with TLS1.3
  * config_psa: moving PSA_WANT auto-enabling code
  * config_psa: fix comment
  * test: fix remaining disparities and remove debug leftovers
  * test: fix test accelerating all curves keeping only 1 builtin
  * lib/test: use new internal helpers in library's code and tests
  * build_info: add helpers to signal some support for a specific curve
  * check_config: include also ECJPAKE_C as usage for builtin curves
  * tls/oid: add PSA_WANT_ECC_xxx guards together with existing MBEDTLS_ECP_DP_xxx
  * test: fix test which are using accelerated ECC/DH keys
  * check_config: request at least 1 builtin EC alg if there is at least 1 builtin curve
  * config_psa: include builtin algs if there is at least 1 builtin curve
  * config_psa: check curves' support before EC ALGs
  * config_psa: add internal helper to signal that some curve is builtin
  * config_psa: ensure PSA_WANT_ECC is enabled for each MBEDTLS_ECP_DP
  * check_config: fix comment
  * check_config: perform checks only when config_psa.h is evaluated
  * check_config: skip check on SECP224K1 because the PSA is never enabled
  * check_config: verify that each ECP_DP has the corresponding PSA_WANT_ECC
  * x509_crt: Removed unused intsafe.h
  * x509_crt: Removed length_as_int intermediate variable
  * x509_crt: Adjusted the len of lpMultiByteStr arg in WideCharToMultiByte
  * x509_crt: Set WideCharToMultiByte to use -1 for length.
  * vs2013 templates: Set bcrypt to be the sole dependency.
  * x509_crt: Removed checks for windows versions < WINXP
  * entropy_poll: Removed checks for windows versions < WINXP
  * ChangeLog: Adjusted the updated_windows_apis log
  * pkey-random: Removed setting mbedtls_target in libs
  * entropy_poll: Updated documentation for entropy_poll loop.
  * program-random: Updated Cmake libs variable
  * pkey Cmakelists: Updated the set libs to be consistent with others.
  * entropy_poll.c: Added looping logic to `mbedtls_platform_entropy_poll()`.
  * ChangeLog.d: Added mininum required Windows version.
  * Removed unsupported Visual Studio related code in entropy_poll.c and x509_crt.c.
  * ChangeLog.d: Reworded updated_windows_apis.txt.
  * Changelog: Removed entry from root file
  * entropy_poll/x509_crt: Added MBEDTLS_POP_TARGET_PRAGMA define guards.
* library Makefile: Moved -lbcrypt to LOCAL_LDFLAGS * fuzzer Makefile: Added -lbcrypt linkage * Code style fixes * programs: Cleaned up bcrypt linking references. * Fix Visual Studio Release|x64 builds * Fix coding style of length_as_int var in x509_crt.c * Remove redundant Visual Studio 6 data files * Add clarifying comment on use of MultiByteToWideChar() and CP_ACP * Fix the tests build with mingw for the new Win32 APIs * Fix formatting and detail of comments in PR #730 * Fix for building programs with mingw * Correct check for WIN32 in cmake files for programs * Update ChangeLog for PR #730 for Win32 API fixes * Fix the build for mingw and CMake + VStudio * Replace Windows APIs that are banned in Windows Store apps * Set explicit version for the typing packages * Fix SHA-3 dependencies in test_suite_md * Type fixes and wording improvements * Fix SHA-3 in accel tests that need it * Fix dependencies for SHA-3 MD dispatch tests * Document driver-only hashes * Add SHA-3 support to libtestdriver1 * Remove all travis builds except for coverity_scan * Remove invalid comment from mbedtls_cipher_set_padding_mode() * Remove PK options * Set MBEDTLS_MD_C * Update changelog text * Fix test error * Add comment * fix cast warning * Use mbedtls_ct_error_if * Add mbedtls_ct_error_if, with tests * Remove tests for mbedtls_ct_int_if * Remove mbedtls_ct_int_if * Remove use of mbedtls_ct_int_if * Improve implementation of mbedtls_ct_int_if * Update library to use mbedtls_ct_int_if * Improve testing for mbedtls_ct_int_if * Generalise mbedtls_ct_error_if to mbedtls_ct_int_if * Remove unused variable and unreachable return from mbedtls_pk_write_key_der() * Fix compiler cast warning * Add correct dependencies for AES-192/256 cipher tests * Improve pkparse test dependencies and changelog * Add more tests to check setting padding mode * Add tests for mbedtls_ct_error_if * Fix MSVC error C4703 about possibly uninitialized variable in pkwrite.c * Use mbedtls_ct_error for CT error
selection * Add mbedtls_ct_error_if * Reduce size of mbedtls_asn1_get_len * Re-order mbedtls_ccm_context * Changelog for padding CT fixes * Fix code style in pkparse tests * Add PKCS5/12 dependencies to pkparse tests * Add a note about the code size benefits * Rename option where concatenated with -D * Add cast for MSVC * Add test pkparse test dependencies * Add a note about p256m near the option to enable secp256r1 * Move MBEDTLS_PSA_P256M_DRIVER_ENABLED to keep alphabetical order * Give a production-sounding name to the p256m option * Add changelog entry for switching pkparse to new pbe functions * Add tests to test pkcs8 parsing of encrypted keys * Fix codestyle issues in pkcs12.h & pkparse.c * Switch pkparse to use new mbedtls_pkcs12_pbe_ext function * Switch pkparse to use new mbedtls_pkcs5_pbes2_ext function * Reinstate more robust return value handling * rename dont_ignore to in_padding * Move declaration for robustness against future edits * Use more meaningful variable name in mbedtls_rsa_rsaes_oaep_decrypt * Correct use of mbedtls_ct_mpi_uint_if_else_0 * Fix typo in variable declaration * Work around a race condition in parallel builds * Simplify unnecessarily complex error code handling * Fix documentation of error codes * Improve comments on key formats * Improve return code * Use properly typed versions of mbedtls_ct_xxx_if * Add mbedtls_ct_bool_if and mbedtls_ct_bool_if_else_0 * Fix MSVC type complaint * Fix error in handling of return value from mbedtls_nist_kw_unwrap * code style * Fix error in handling of return value from mbedtls_nist_kw_unwrap * Simplify add_zeros_padding * Use CT interface in get_zeros_padding * Rename mbedtls_ct_bool_xor to mbedtls_ct_bool_ne * Use CT interface in get_one_and_zeros_padding * use CT interface in add_zeros_and_len_padding() * Use CT interface in get_pkcs_padding * Use const-time interface throughout mbedtls_rsa_rsaes_oaep_decrypt * Make TEST_CALLOC_NONNULL more robust * Simplify mbedtls_ct_memcmp_partial test *
Add docs for mbedtls_ct_memcmp_partial test * Use exact bounds for allocations in mbedtls_ct_memcmp_partial test * Introduce TEST_CALLOC_NONNULL * Remove expected param from mbedtls_ct_memcmp_partial test * Make padlen check const-time * Simplify mbedtls_ct_memcmp_partial * Add correct dependency to DES3 test * Use mbedtls_ct_memcmp in mbedtls_rsa_rsaes_oaep_decrypt * Improve const-timeness of mbedtls_nist_kw_unwrap * Add tests for mbedtls_ct_memcmp_partial * Add mbedtls_ct_memcmp_partial * Eliminate duplicate ct memcmp * mbedtls_ssl_decrypt_buf(): fix buffer overread with stream cipher * Test mbedtls_ssl_decrypt_buf(): stream cipher, negative cases * Adjust cipher tests to new requirement of specifying padding mode * Refactoring: create mbedtls_test_ssl_prepare_record_mac() * Add missing cleanup * Refactoring: prepare to create mbedtls_test_ssl_prepare_record_mac() * Move testing of mbedtls_ssl_decrypt_buf to a new test suite * Add clarifying comment * Fix preset shared between 1.2 and 1.3 * Improve a comment * Remove extra copies of a block of comment/define * Fix some issues in comments * Fix issue #8215 : add missing requires documentation in mbedtls_config.h * code style * Fix poorly named function * Remove unneeded setting of ret from ssl programs * Adding changelog for log level message fix * Reduce line size in new pkcs function changelog * code style * Fix some clang-18 warnings * Move MBEDTLS_SSL_MAX_EARLY_DATA_SIZE to the correct section * MBEDTLS_SSL_MAX_EARLY_DATA_SIZE: default value should be commented out in config * cipher_wrap: remove 192- and 256-bit for AES_ONLY_128_BIT_KEY_LENGTH * Fixes log level for got supported group message * Improve statement in driver-only-builds.md * Add a changelog entry for p256-m * Reflect the fact p256-m has been integrated into Mbed TLS * Modify changelog entry to add pkcs12 pbe functions * Update p256-m to state that it's ready for production * Improve use of ct interface in mbedtls_ssl_decrypt_buf * More spelling 
corrections * Update spelling "mbed TLS" to "Mbed TLS" * Allow "Mbed TLS" as the project name in Doxygen * Remove double blank line in x509_create.c * Remove magic number in x509.c * Update CMake minimum version(s) to match main CMakeLists.txt * Add changelog entry for checking set_padding() before cipher_finish() * Use the correct variable when tracking padding length * Return back to modifying input parameters in pkcs12_parse_pbe_params * Check set_padding has been called in mbedtls_cipher_finish * Avoid implementation defined behaviour * Prevent potential use of uninitialised data in pkcs7 tests * Fix test under memsan * Test INT_MAX rather than UINT_MAX * Update comment, and replace bit-twiddling with #error * code style * Use macros for sizes in p256-m driver * Add comment to p256-m driver JSON file * Update list of ignored tests * Move common things to common function * Fix INVALID vs NOT_SUPPORTED issue in test suite * Improve error codes in p256-m driver * Disable ECP_C in component with p256-m driver * Add JSON file for p256-m driver * Add export_public_key entry point to p256-m driver * Add import_key entry point to p256-m driver * Add key management utilities to p256-m * Ensure mbedtls_ct_memcpy behaves correctly with 16-bit int * Add single-bit difference tests * Fix type error * Fix type-conversion error * Eliminate duplicate of mbedtls_asn1_find_named_data * Tidy up mbedtls_asn1_write_len * Refactor out some common code * code style * Reduce code size in mbedtls_asn1_write_len * Ensure all md_<hash>_finish functions perform zeroization * Remove always-false null pointer check in sha3.c that Coverity complains about * Reinforce warning about a significant comment * Move comment to its intended location * Fix `prepare_release.sh -u` with CMakeLists.txt * Mark y as modified in x86 asm for mbedtls_ct_uint_lt * Eliminate a redundant not from x86 asm * Make variable name consistent in x86_64 asm * Better register allocation for x86_64 asm * Remove 
not-needed mov in x86_64 asm * Add new mbedtls_pkcs12_pbe_ext function to replace old function * In releases, turn off GEN_FILES in Makefile and CMakeLists.txt * Prepare to generalize the script to do more than .gitignore * Allow turning off re-generation of files with make * Fix code style * Fix bug with checking max dn length with hexpairs * Move conditionals to keep doxygen with function * Add missing hyphen * Improve changelog * wip * Add reference to x86 asm * Changelog * Fix generate_query_config.pl usage * Fix query_config.c generation with CMake build system * Add correct dependencies to pkcs12 tests * Fix indentation error in pkcs12 tests * Fix incorrect test dependencies in pkwrite tests * Change pkcs12 test comparison macro to the new macro * Modernize documentation of MBEDTLS_PLATFORM_ZEROIZE_ALT * Change pkcs12 test allocation macros to the new macros * PSA config: Add comment about HKDF * pkwrite: Fix defined but not used warning * Use the zeroize function from Mbed TLS * Improve sanity checking of MBEDTLS_HAVE_INTxx * Update bignum_core.c * Comment out default definition * Fix unused variable in some TLS 1.3 builds * Fix some TLS 1.3 settings that were required in mbedtls_config.h * TLS 1.3 support is mostly complete * Fix boolean options in the wrong section * Simplify fixes for unreachable code * Fix warnings about unreachable code * Improve pkcs12 pbe tests * Introduce MBEDTLS_IGNORE_UNREACHABLE_BEGIN * Improve & test legacy mbedtls_pkcs12_pbe * Prevent pkcs12_pbe encryption when PKCS7 padding has been disabled since this is not part of the specs. * Allow decryption when PKCS7 padding is disabled for legacy reasons. However, invalid padding is not checked. * Document new behaviour, known limitations and possible security concerns. * Add tests to check these scenarios.
Test data has been generated by the below code using OpenSSL as a reference: * Set input cost as 1 for psa_key_exercise test * Rename parse_binary_string function * Split build_info.h: create and populate mbedtls/config_adjust_ssl.h * Split build_info.h: create mbedtls/config_adjust_x509.h * Split build_info.h: create and populate mbedtls/config_adjust_legacy_crypto.h * Split config_psa.h: create and populate mbedtls/config_adjust_legacy_from_psa.h * Split config_psa.h: create and populate mbedtls/config_adjust_psa_from_legacy.h * Split config_psa.h: create and populate mbedtls/config_adjust_psa_superset_legacy.h * Split config_psa.h: create and populate psa/crypto_adjust_auto_enabled.h * Split config_psa.h: create and populate psa/crypto_adjust_config_synonyms.h * Don't include configuration adjustment headers * all.sh: fix comments * Add round trip tests for x509 RDNs * Add asn1 get tag and len to x509 create config * Add asn1 write tag and len to x509 use c config * driver-only-builds.md: fix text * Use quotes include of psa_util_internal.h * config-wrapper-zeroize-memset.h should be user-config-zeroize-memset.h and not include mbedtls_config.h * Move the description of MBEDTLS_TEST_DEFINES_ZEROIZE to before its use * Move zeroize-as-memset into a config file under tests/ * Add a build to all.sh to check mbedtls_platform_zeroize() calls * Fix incorrect use of mbedtls_platform_zeroize() in tests * Add the ability to verify mbedtls_platform_zeroize() calls with -Wsizeof-pointer-memaccess * Update guard for ecp * Add Everest to threat model * Add Changelog entry * Fix typo in pkcs5.c * Avoid error from old gcc version * Code style * Fix gcc compile warnings * Add more protection to mbedtls_platform_zeroize * Define all PSA_xxx macros to 1 rather than have them empty, for consistency * Convert PSA guards to MBEDTLS * Use MBEDTLS_MD_LIGHT instead of MBEDTLS_MD_C * Simplify camellia error conversion macros * Add missing error conversion case * Remove not-needed
#include * Explain the story about cryptography version requirements * Call mbedtls_platform_zeroize via mbedtls_sha3_free * Ensure mbedtls_sha3_finish zeroizes the context * Regenerate coverity scan token * Fix code style * Fix unsafe behaviour in MBEDTLS_ASN1_IS_STRING_TAG * Refactor parse_attribute_value_string * Make hexpair_to_int take a char pointer * Reword and reformat comments * Add blank lines after variable declarations * Fix unnecessary header prefixes in tests * Fix mbedtls_pkcs5_pbes test function failure * check_test_cases: add a comment to explain idx in walk_compat_sh * Use '--target' instead of shortened '-t' * Disable pylint error for non-uppercase names * Fix use of mbedtls_psa_safer_memcmp in test code * Add missing import in test_psa_compliance.py * Fix pylint errors * Move -B switch into a single argument * Improve mbedtls_pkcs5_pbes2_ext changelog description * Improve mbedtls_pkcs5_pbes2_ext function test data * Fully replace mbedtls_psa_safer_memcmp * Appease pylint by renaming variables * Test PSA compliance: Build only the crypto target * Tidy up reference to Mbed TLS in help message * Disable p256-m asm on aarch64 * Disable pylint error in CMake command * Remove or qualify references to Mbed TLS * Rename 'mbedtls_dir' -> 'root_dir' * Correctly detect presence of the built library * Use repo detection functions at start of all.sh * Separate directory discernment into 2 functions * Improve directory coverage in PSA repo detection * Typo fix * Fix typo in doxygen for mbedtls_ct_memcpy_offset * Improve docs in mbedtls_mpi_lt_mpi_ct * Improve docs re duplicate declarations * Whitespace - tidy up asm and make it more consistent * Add x86 const-time assembly * Add x86-64 const-time assembly * improve various issues * Rename is_psa_crypto -> in_psa_crypto_repo * Rename psa_crypto_lib_filename to just crypto_lib_filename * Parameterize out of source build directory * Invert logic for repo detection in all.sh * Tweak test_psa_compliance pylint 
annotations * Support psa-crypto repo in psa_storage.py * Modify test_psa_compliance.py for psa-crypto repo * Modify build_tree.py for the PSA Crypto repo * Make all.sh PSA-crypto-friendly * Correct analyze_outcomes indentation * Announce that #7420 is fixed * Add Changelog entry for DN changes * Remove trailing whitespace in data file. * Add test for rejecting empty AttributeValue * Refactor previous fix * Add guard for empty AttributeValue * replace target arch macros in padlock * replace aesni target detection macros * replace arm64 macro and aesce enable flag * Add target platform detection macros * Fix code style * Refactor reading AttributeValue in dn gets * Prevent output of escaped null characters dn gets * Rename parse_attribute_value_ber_encoded * Add return for buffer too small when reading OIDs * Remove questionable use of macro. * Add corruption detected return when writing asn1 * Revert "Install cryptography only on linux platform" * Remove IAR warning fixes to 2.28 from changelog * Reword IAR changelog for fixing compiler warnings * Correct analyze_outcomes.py indentation * Remove magic number for null tag * Remove x509_oid_from_numericoid * Add catch for alloc error x509_oid_from_numericoid * Use mbedtls_calloc instead of calloc * Fix oid memory leak * Reject null bytes in DER encoded values in DNs * Fix code style * Make MBEDTLS_ASN1_IS_STRING_TAG to take signed int * Amend test in test_suite_x509write * Reject escaped null hexpairs in DNs * Add malformatted DER test for string_to_names * Alter MBEDTLS_ASN1_IS_STRING_TAG macro * Remove redundant tests in test_suite_x509write * Add test for non ascii x509 subject name * Remove duplicate test in test_suite_x509write * Accept short name/ber encoded data in DNs * Change error from unknown oid to invalid name * Add more comprehensive string to name tests * Add test reject null characters in string to names * Accept any valid oid in string_to_names * Write numeric oid directly to buffer * Remove duplicate
'+' in comparison string * Reword test in test_suite_x509write * Refactor dn_gets use library function to write tag * Fix style on left shift operations * Use MBEDTLS_X509_MAX_DN_NAME_SIZE for buffer size * Format preprocessor conditionals * Rename in_tag to in_attr_type * Fix code style in mbedtls_x509_string_to_names * Fix Windows x64 build errors with type conversions * Fix memory leak in alternative code route * Fix memory leak in x509_attr_descr_from_numericoid * Move declaration of variables in dn_gets to top * Alter conditions on hexstring output dn_gets * Update x509 test for numericoid/hexstring output * Fix code style on x509.c and x509_create.c * Refactor AttributeType in mbedtls_x509_dn_gets * Add preprocessor config guards * Parse DER tag mbedtls_x509_string_to_names * Add mbedtls_x509_dn_gets hexstring output * Add more tests for RFC 4514 * Implement parse_attribute_value_ber_encoded * Refactor mbedtls_x509_string_to_names * Add x509 tests for upper and lowercase hexpairs * Rewrite nibble_to_hex_digit for readability * Rename x509_int_to_hexdigit to nibble_to_hex_digit * Add and update tests for x509write and x509parse * Escape hexpairs characters RFC 4514 * Escape special characters RFC 4514 * Fix off-by-one error * Tidy up allow list definition * Make non-executed tests that are not in the allow list an error * Fix type annotation * Remove dead code * New test suite for the low-level hash interface * Fix missing operand modifier * Fixup incorrectly-formatted ChangeLog entry * Move PSA information and dependency automation into their own module * Avoid signed right shift UB * Restore a comment and fix it * Don't try to include mbedtls/config_*.h * Remove obsolete header inclusions * Fix condition to include MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE * Move the inclusion of the PSA config file(s) into build_info.h * Remove spurious extern "C" * Simplify aarch64 asm for mbedtls_ct_uint_lt * Move non-function-specific macro outside of function definition *
ssl_ciphersuites: fix typo * Fix PBKDF2 with empty salt segment on platforms where malloc(0)=NULL * Rename mbedtls_aesce_has_support macro to satisfy case rules * Use -1 as uninitialised marker * Make mbedtls_aesce_has_support more efficient * Add ChangeLog entry for otherName SAN fixes * Fix incorrect detection of HardwareModuleName * Fix: Set type_id in x509_get_other_name() * Add tests in derive_key for pbkdf2 * Add tests in derive_key_type for pbkdf2 * Add tests in derive_key_export for pbkdf2 * Add tests for derive_key_exercise for pbkdf2 * Move parse_binary_string function to psa_crypto_helpers Add test code for pbkdf2 in psa_exercise_key * revert padlock from aesni module * improve readability of error message * Add missing check * Modify test description * Add tests with higher input costs for pbkdf2 * Add changelog entry for new mbedtls_pkcs5_pbe2_ext function * Remove the workaround for psa_key_agreement_internal * Improve mbedtls_pkcs5_pbes2_ext function signature comments * Remove new bignum when not needed * Fix unused parameters warnings when MBEDTLS_CIPHER_PADDING_PKCS7 is disabled * Fix heap overflow issue in pkcs5_pbes2 testing functions * Add new mbedtls_pkcs5_pbe2_ext function * Fix formatting in changelog * Add newline at end of changelog * driver-only-builds: update EC and FFDH sections * replace padlock_c with padlock_have_code * improve readability * Fix style * Change document to match real status * Add ChangeLog entry * remove return-type when runtime detection enabled without plain c * remove aesni + padlock - plain c tests * add hardware only check for padlock * Add via padlock detection macro * Change the order of runtime detection * exclude arm64ec mode for aesni * Reduce code size in ccm * Adjust struct layout for small size win * add ifdefs to reduce size of mbedtls_to_psa_error * add #ifdefs to reduce switch size * Adjust layout of some structs * Reduce code-size to access key slots init flag * Eliminate redundant version of
mbedtls_ct_memcmp * Use MBEDTLS_GET_UINT16_BE in mbedtls_ecp_tls_read_group_id * Remove unnecessary const type qualifiers in casts * Use asm instead of __asm in constant_time.c * Fix error strings without quotes * BUILD: Update For IAR support * disable aesni for components without cpu modifiers * fix msvc build fail on i386 target * Add compiler cflags error message * fix build fail for via padlock test * Add aesni test for i386 * enable runtime detection when padlock enabled and plain c disabled * fix `-Werror=return-type` when runtime detection enabled and plain c disabled * code_size_compare: handle deleted files and new files properly * Restore aesni for i386 * Code styling * Modify derive output test cases and add actual output * analyze_outcomes: add case for "ECC+FFDH w/o BN" * test: add accelerated and reference test for ECC+FFDH without BN * Remove unnecessary include from constant_time.c * Add EdDSA and XTS to the allow list * Add a flag for requiring full coverage in coverage tests * Add allow list for non-executed test cases * Make naming more consistent * Fix Changelog * Changelog * Fix compile fail for empty enum in cipher_wrap * code_size_compare: add old text and data section in CSV output * code_size_compare: add `+` in front of positive values * code_size_compare: right-align numbers in the comparison result * logging_util: support to tweak loglevel directed to stderr/stdout * Fix logical dead code found by Coverity * Add changelog * Fix potential corruption of IV for AES CBC * Fix incorrect size used for zeroization of buffer * Fix resource leak in test failure case * Add changelog entry * Undo a change * Perf improvement in memcpy_if * Test CT asm under valgrind * Fix unified asm syntax issue * Add aarch32 const-time asm * Add aarch64 const-time asm * ssl-opt: remove redundant requirement for RSA_C * test: use ASAN flags for testing the accelerated TFM configuration * analyze_outcome: add new check for parity for TFM configuration * test: update
components' descriptions * test: improve accelerated TFM configuration test and add reference * p256m: minor fixes to the driver interface * test: add component testing TFM configuration and P256M driver * pk: return PK_USE_PSA_EC_DATA to pk.h * analyze_outcomes: skip tests that depend on BIGNUM_C * ssl-opt: add RSA_C requirement when RSA encryption is used in certificate * ssl_tls13: fix guard for FFDH function * test: enable TLS, key exchanges and ssl-opt testing in ecc_no_bignum() * Add gnu check for aesni assembly code * mbedtls_mpi_exp_mod: remove spurious copy of the output variable * pk: fix some comments * Fix some renames that were missed * test: solve test disparities for x509[parse/write] suites * check_config: remove unnecessary BIGNUM_C requirements * test: enable X509 testing in ecc_no_bignum component * Fix mbedtls_ct_size_if_else_0 docs * Improve docs * Document and test mbedtls_ct_size_if_else_0 * Fix comment typo * Rename ...if0 to ...else_0 * Rename uint->bool operators to reflect input types * Reduce the size of the small primes table used by primality testing * Remove redundant test component * improve aesni check for x86_64 * pkwrite: fix internal buffer size in pk_write_ec_pubkey() * improve check config option for i386 * pk: return PK_USE_PSA_EC_DATA to pk.h * test: use unset-all option in config.py to optimize test code * test: remove redundant code setting MBEDTLS_PSA_CRYPTO_CONFIG * pk: move PK_HAVE_ECC_KEYS to build_info.h * Remove asm check for aarch64 aesce * pkwrite: add new internal symbol to properly size DER buffer * pkparse: remove unnecessary header * test: minor optimizations to ecc_no_bignum components * test: remove BIGNUM dependencies from pk[parse/write] suites * analyze_outcomes: skip tests that unavoidably depend on bignum * test: disable BIGNUM support on the test ecc_no_bignum component * test: disable FFDH support on the test ecc_no_bignum component * test: disable RSA support on the test ecc_no_bignum component * test:
adding new components for testing and driver coverage analysis without BN * debug: remove redundant variable assignments * code style * Reduce code size for exp_mod_get_window_size * Remove redundant code in mbedtls_mpi_cmp_abs * Use __builtin_ctz to count trailing zeros * Generate smaller code for picking a sign value * Fix copypasta * Minor readability improvement * More unsigned literal in size macros * Add changelog * replace strings command with grep * Fix doc * Remove "export_key" from transparent driver json * Adjust presence of warning/link. * improve test * improve error message and config check for padlock * test_suite_ecp: Moved curve bit-length check after quasi reduction. * test_suite_ecp: Fixed curve bit-length. * Improve doc on special use of A in ecp group structure * Added a note about new primitives for secure destruction * Elaborate on psa_destroy_key requirements * Update w.r.t. test macro name changes from #6253 * Add link to examples in relevant places * Fix error in the guide to drivers * remove unnecessary definition * Add negative test for aesni only * Remove trailing whitespace * Put both gitignore modifications in one script * Update links to Rijndael paper and NIST SP 800-90 DRBGs * Remove unnecessary name check tag * improve platform relative check * remove padlock only mode * fix unreachable code warnings * Add aesce test string filter * Add via padlock build test * Add aesce build test * Improve mbedtls_pkcs5_pbes2 function signature comments * Remove trailing whitespace * Add aesni only test * Add MBEDTLS_AES_USE_HADWARE_ONLY for test_aesni * Run aes tests only for test_aesni * Remove test_aes_* * ssl-opt: don't assume TLS 1.3 usage for external tools that don't have support * tls: fix guards for ECDSA support * tls: add new symbol for generic TLS 1.2 and 1.3 support * Change tests to work on different MBEDTLS_RSA_GEN_KEY_MIN_BITS configs * psa_is_key_slot_occupied: change to using the key identifier * Clarify changelog not needed for
compiler warnings * Remove test vector * De-duplicate ecp.c * improve document about hardware only * Improve error message and documents * Mention the crash risk without runtime detection * Fix code-style too-long line fail * move accelerator checks to `aes.c` * add changelog entry * fix various issues * Rename plain c option and update comments * fix wrong checks * Rename HAS_NO_PLAIN_C to DONT_USE_SOFTWARE_CRYPTO * Update comments * Add check for no aes implementation provided * Rename plain c disable option * Add std output information for AESCE in gcm * Add accelerator only tests. * Add option to disable built-in aes implementation. * Fix missing check in mbedtls_ecp_read_key * Move variant test to ecp_curves * test: add new components for testing without ECDHE-ECDSA and TLS13 * crypto_config_profile_medium: add comment for new KEY_PAIR symbols * tls: replace ECDSA_C and PK_CAN_ECDSA_SOME with key exchange related ones * ssl_ciphersuites: adding new internal helper symbols * Rename ADD_SUB_DEFAULT to ADD_SUB_DATA * Use ADD_SUB_DEFAULT as test input for bignum tests * Add default test cases for add/subtract in bignum * Fix a few unchecked value issues * Fix comment typo * Tidy-up: move GCC warning fix to constant_time_impl.h * Improve variable name in mbedtls_mpi_lt_mpi_ct * Use mbedtls_zeroize_and_free() in psa_remove_key_data_from_memory() * Sort full config exceptions in config.py * Improve wording of MBEDTLS_ECP_WITH_MPI_UINT doc * Update default variable values for compilers * Fix test dependency * Revert to not enabling asm under Memsan * Revert "Move constant_flow.h into the main library" * Revert "Fix doxygen error" * Fix full config in config.py * Add PSA_HAVE_SOFT_PBKDF2 to crypto_driver_context_key_derivation * test: use only rev-parse for getting the current branch * test: add GIT alternative commands for older GIT versions * Fix doxygen error * Move constant_flow.h into the main library * Revert to old design for mbedtls_ct_memmove_left * Make
const-time test not depend on internal knowledge of mbedtls_ct_condition_t * Improve docs for mbedtls_ct_memcmp * Remove GCC redundant-decls workaround for mbedtls_ct_memcmp * Fix docs grammar * Clarify docs for mbedtls_ct_memcpy_if * Improve docs for mbedtls_ct_compiler_opaque * Improve comments in mbedtls_mpi_lt_mpi_ct * Clarify comments in mbedtls_ct_memcpy_if * Improve docs for mbedtls_mpi_core_cond_assign * Move MBEDTLS_ECP_WITH_MPI_UINT to mbedtls_config.h * crypto_sizes: use PSA_WANT_ALG for MAX signatures and key agreement sizes * test: properly size output buffer in key_agreement_fail() * Revert "crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE" * Use config.py in all new bignum tests * Fix new bignum tests * Fix fast quasi-reduction modulo value of p192K1 in comments * ecp_mod_p448 has been moved to ecp_mod_p_generic_raw, remove here * Fix the type cast(size_t to unsigned short) warning * Free P and N of the group because they are dynamically allocated * Declare mbedtls_ecp_fix_negative() always static to fix check_name failures * Use new ECP_LIGHT symbol in ecp_curves.c * Fix use of sizeof without brackets in ecp_curves.c * Make ecp_mode_xxx functions depend on the new macro * Revert ecp_curves.c to commit 449bd83 to save code size * code style * Fix asm Memsan workaround * fix check for no-longer-used macro * Use variables for selecting compilers * Fix error in test vectors * Use compgen to gather components in all.sh * code style * Enable testing of asm under Memsan * Remove test_clang_opt check * test: check exported length against proper MAX_SIZE * Improve mbedtls_ct_memmove_left w.r.t.
const-flow tests * tls: fix definition of symbol KEY_EXCHANGE_SOME_XXDH_PSA_ANY * Fix false-positive non-const-time errors in test * crypto_sizes: check also if DH is enabled for PSA_SIGNATURE_MAX_SIZE * debug: improve debug_print_psa_ec() as not to depend on bignum * debug: use proper guard for PK_DEBUG_MPI items * code_size_compare: add option '--show-all' * code_size_compare: use '.md' suffix if '--markdown' enabled * code_size_compare: track removed object as well * Fix dependencies for pbkdf2 cmac * Add ifdef for hmac and cmac set password * crypto_sizes: change initial MAX_SIZE value to 1 * crypto_sizes: fix typo * whitespace fix * pylint tidy-up * Make code_style.py -s default to -s=development * Make code_style.py -s more precise * crypto_sizes: size PSA max symbols according to actual support * Add test cases for 16 byte and empty password * Add issue link instead of issue number * Add ifdef for hmac and cmac specific functions * Replace AES_CMAC_128_PRF_OUTPUT_SIZE with PSA_MAC_LENGTH() * Define PSA_ALG_IS_PBKDF2 * Replace MBEDTLS_PSA_BUILTIN_PBKDF2_XXX with PSA_HAVE_SOFT_PBKDF2 * Add PSA_HAVE_SOFT_PBKDF2 * Change config_psa.h PBKDF2_CMAC dependencies * Add OID tests for HMAC-xxx * Improve naming of minimum RSA key size generation configurations * Add OID for HMAC-RIPEMD160 * Add OIDs for HMAC-SHA3 * Fix pre-existing missing closing #endif comment * Fix missing opening brace in comments * Fix code style * MBEDTLS_PSA_CRYPTO_CONFIG is ready for production * Replace TEST_ASSERT("message" == 0) with TEST_FAIL * code style * Strengthen psa_mac_verify testing * Use psa_mac_compare in tests; add some HMAC edge-cases * Adapt tests to work on all possible minimum RSA key sizes * Add a minimum rsa key size config to psa config * Enforce minimum key size when generating RSA key size * Fix overly specific description in public doc * rsa_signature: Use heap memory to allocate DER encoded RSA private key * crypto_legacy: fix initial comment * generate_psa_tests:
remove checks for DH's LEGACY symbols * changelog: fix errors/typos * ChangeLog: improving descriptions of KEY_PAIR changes * test: accelerate all KEY_PAIR symbols in accel FFDH component * psa: replace DH_KEY_PAIR_LEGACY with new symbols * code_size_compare: change format for comparison result * code_size_compare: remove column of percentage for code size change * PSA_CRYPTO_DRIVER_TEST_ALL is incompatible with MBEDTLS_PSA_CRYPTO_CONFIG * Add PSA HMAC MD5 test * Add HMAC tests for other digest algorithms * Add HMAC test-cases for SHA3 * Don't call psa_crypto_init with uninitialized local contexts (entropy) * Fix warnings from clang-16 * Update test scripts to use latest/earliest compilers * Add 32bit test component for ecp with new bignum interface * Update CONTRIBUTING.md * Have a single source of truth for licensing information * Clarify in README.md that 'the project' is Mbed TLS * code_size_compare: detect architecture of x86_32 properly * code_size_compare: make sure _remove_worktree executed * code_size_compare: check --record-dir properly * Fix KeyType.can_do() for DH+FFDH * Fix dependencies for DH (and RSA) key pairs * Shorten DH_FAMILY just like ECC_FAMILY * Enable DH in generate_psa_tests.py * code_size_compare: remove unnecessary -r in cp command * code_size_compare: simplify some code for python dictionary * logging_util: rename argument * code_size_compare: use `current` as default new Git revision * code_size_compare: left align file names in markdown table * code_size_compare: print prompt message under correct condition * code_size_compare: set log level as ERROR in option --stdout * code_size_compare: direct error message by logger.error * Add PSA SHA3 tests for hash_verify and multipart * Protect macro parameter expansion with parentheses * Use a macro for mbedtls_mpi_zeroize_and_free() * Remove remaining redundant casts * Remove redundant casts * test: remove GENPRIME dependency when RSA_KEY_PAIR_GENERATE * psa_crypto_rsa: fix guards for 
importing the key * tls12: check buffer size before memcpy-ing data into it * tls: use TLS 1.3 guards in ssl_tls13 modules * tls: fix a comment a rename a variable/symbol * debug: keep ECDH_C guard for debug printf accessing ecdh_context's items * tls: use TLS 1.2 macros in ssl_tls12_server.c * code_size_compare: add comments to make code more readable * code_size_compare: round percentage to an integer value * Fix CI errors related pkcs5_pbe changes * code_size_compare: print 'None' if comparing size for a new file * code_size_compare: add extra indication if print to sys.stdout * code_size_compare: simplify how to generate file name of code size * code_size_compare: simplify CodeSizeGeneratorWithSize * code_size_compare: make CodeSizeBuildInfo more flexible * code_size_compare: replace SimpleNameSpace to a clearer data struct * code_size_compare: clean up comments * code_size_compare: clean up code to make it more readable * code_size_compare: add logging module and tweak prompt message * Fix server1.crt.der in makefile * code_size_compare: add option --stdout to show result in sys.stdout * code_size_compare: add --markdown to show result in a markdown table * code_size_compare: generate text,data as comparison result * code_size_compare: support to measure code size with multiple tools * code_size_compare: introduce SimpleNamespace to store info * code_size_compare: simplify methods in CodeSizeComparison * code_size_compare: add CodeSizeCalculator to calculate code size * code_size_compare: add a base class as CodeSizeGenerator * code_size_compare: add a parser to generate code size with size tool * Remove trailing backslash * Simplify the logic in a test * Fix some dependencies on symmetric crypto in some TLS 1.3 tests * Fix PBKDF2 with empty salt on platforms where malloc(0)=NULL * Make sure that size constants are unsigned * Correct some msg messages in full config * Simplify msg messages in full config * When subtracting classic symbols from full, turn off 
PSA_CRYPTO_CONFIG * Enable MBEDTLS_PSA_CRYPTO_CONFIG in "config.py full" * Make malloc-0-null a user config file * Fix inconsistencies in no-chachapoly test * Fix typo in function name * Remove comments that duplicate the 'msg' call just below * Remove duplicated component * For tests, rename TEST_BUFFERS_EQUAL() to TEST_MEMORY_COMPARE() * Rename the length argument to TEST_CALLOC() to be the more accurate item_count * For tests, rename TEST_CALLOC_OR_FAIL() to just TEST_CALLOC() * Align ECP_MPI_INIT with mbedtls_mpi struct order in ecp_new.c * Rework the clone of ecp_curves.c * Enable build of ecp_curves_new.c * Clone the ecp_curve.c file as ecp_curve_new.c * For tests, rename ASSERT_ALLOC_WEAK() to TEST_CALLOC_OR_SKIP() * Fix copypasta in function documentation * For tests, rename ASSERT_ALLOC() to TEST_CALLOC_OR_FAIL() * For tests, rename ASSERT_COMPARE() to TEST_BUFFERS_EQUAL() * all.sh: Use consistently CONFIG_TEST_DRIVER_H * all.sh: Use consistently CRYPTO_CONFIG_H * all.sh: Use consistently CONFIG_H * Fix PSA crypto configuration file name * Robustness fix to MBEDTLS_LIKELY * Improve & test legacy mbedtls_pkcs5_pbe2 * Use defined macros for MBEDTLS_MPI_UINT_MAX * Internal function mbedtls_mpi_zeroize() can be mbedtls_mpi_zeroize_and_free() * Better wording around passing NULL to mbedtls_zeroize_and_free() * Use correct asm keyword for IAR compilers * Explain why we check 65535 (not USHORT_MAX) * Align ECP_MPI_INIT parameter order with mbedtls_mpi struct order * Rename ASSERT_FALSE to TEST_FAIL * Add ASSERT_FALSE macro for tests * Misc wording fixes and improvements * Fix IAR trying to use memset_s in platform_util * Add cast in test macros.h * Add cast in psa_crypto * Move declarations in psa_crypto to top * Make consistent suffix MBEDTLS_MPI_UINT_MAX * Change MBEDTLS_MPI_UINT_MAX suffix * Remove trailing whitespace bignum_core * Provide and use internal function mbedtls_zeroize_and_free() * Add enum type casts in lmots.c and lms.c * Add enum casts in 
ssl_helpers.c * Add type casts in rsa.c * Add type casts in psa_exercise_key * Add type casts in ssl library * Refactor preprocessing for arm none * Move declarations to top in ssl_helpers.c * Move declaration in ecp_mod_koblitz to top * Move declarations in mbedtls_mpi_add_abs to top * Add change log and non-regression test * Align guards of Windows specific configuration checks * tests: Fix header inclusion * Add dependency of builtin CCM* on builtin cipher * Fix order of steps in DTLS server example program * Remove tautology in mbedtls_mpi_core_clz * Add macros for mpi uint max sizes * Ensure constant values not known to compiler * Fix gcc warnings when -Wredundant-decls set * Fix comment * Update test function dependencies * Fix ecp variant check * Improve the documentation of MBEDTLS_PLATFORM_MEMORY * Reduce size of static data in gcm * Don't force the _WIN32_WINT version * Don't force the default windows version down * Don't use FindFirstFileW() before Windows XP * doxygen: \p commands misuse - review comments * doxygen: fix parameter name typos and misused \p commands * doxygen: fix misused \p commands in rsa.h * doxygen: fix parameter name typos and misused \p commands * Fix documentation - parameter name mistakes * doxygen: remove unnecessary description * Replace cpu modifier flags * Update compiler versions requirement * Add error message for old armclang * update document and error message * Add guards for arm_neon.h * Add armclang version requirement for sha512 * fix armclang build fail for sha512. 
* fix armclang compile fail * fix compile fail for armclang * Updated changelog * Re-order mbedtls_mpi to save a few extra bytes with clang * Use designated initializers for mbedtls_mpi * psa: fix missed LEGACY symbols caused by the rebase * config_psa: enable KEY_PAIR_GENERATE only when GENPRIME is defined * Fix MBEDTLS_BSWAP32 on armcc 5 * psa: remove redundant GENPRIME when RSA_KEY_PAIR_GENERATE is defined * config_psa: enable KEY_PAIR_[IMPORT/EXPORT] as soon as BASIC is enabled * config_psa: enable GENPRIME when BUILTIN_KEY_TYPE_RSA_KEY_PAIR_GENERATE * generate_psa_tests: fix automatically generated tests for RSA * test: replace RSA_KEY_PAIR_LEGACY with proper symbols * library: replace MBEDTLS_PSA_BUILTIN_KEY_TYPE_RSA_KEY_PAIR_LEGACY * library: replace PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_LEGACY symbols with proper ones * Remove getter functions of PAKE if no PAKE algorithms are required * test: set MBEDTLS_ECP_DP dependency also for Montgomery curves * test: add more tests for Montgomery's invalid masks * test: verify that Montgomery keys can be fixed on parsing * ecp: rearrange code in ecp_read_key() * test: replace ECP_DP_CURVE25519_ENABLED with PSA_WANT_ECC_MONTGOMERY_255 * test: add proper key requirements in X25519 key parsing tests * pkparse: always check all private keys on import * pkparse: parse also Weierstrass private keys using ecp_read_key() * analyze_outcomes: do not skip test about wrong Montgomery private key * pkparse: use ecp_read_key() for parsing private key of Montgomery curves * test: test of Montgomery keys with uncorrect bits whenever PK_HAVE_ECC_KEYS * Improve wording & fix a typo * Fix inaccurate information about FFDH * Adapt names (curves -> groups) in a separately added test case * tls: use already existing symbols to size the buffer for XXDḦ peer key * Add a missing guard in cert_req.c * Add missing resource deallocation in tests * ssl_test_lib: fix rebase error * ssl_test_lib: fix variable naming for curve group * tls: replace numeric 
values with proper TLS IANA symbols * ssl_test_lib: simplify function which prints supported curves * ssl_test_lib: manage FFDH keys the same way as ECC ones * debug: replace occurence of ECP_LIGHT with PK_HAVE_ECC_KEYS * tls: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS * programs: add helper functions for supported EC curves * test: fix message's text * test: enabled ssl-opt testing in no_ecp_at_all components * tls: replace ECP_LIGHT occurrencies with PK_HAVE_ECC_KEYS * test: re-enable TLS and key exchanges in no_ecp_at_all component * Add changelog entries * Add test for cache timeout getter * Add test for endpoint getter * Add test for hostname getter * Make endpoint getter parameter a pointer to const * Add getter access to endpoint field in mbedtls_ssl_config * Add getter access to hostname field in mbedtls_ssl_context * ssl_cache: Add getter access to timeout field * build_info: replace PK_CAN_ECDH with CAN_ECDH and fix comments * tls: fix guards for legacy ECDH contexts * ssl_misc: fix guards for PSA data used in XXDH key exchanges * ssl: keep all helper definitions in ssl_ciphersuites.h * ssl: improve/fix definitions for internal helpers * pk: do not duplicate internal symbols for ECDH/ECDSA capabilities * ssl: update new symbols to include also FFDH * debug: replace ECDH_C symbol with key exchange one * tls: replace PK_CAN_ECDH guards with new helpers * tls: replace ECDH_C guards with new helpers * ssl: add new helpers for TLS 1.2/1.3 ECDH(E) key exchanges * Add Changelog for driver-only ECC so far * Add ChangeLog entry for PK_OPAQUE extensions * Add documentation on driver-only ECC * Add docs/driver-only-builds.md * Add change log * tls13: server: Fix spurious HRR * Changelog entry * Unify csr and crt san writing functions * Test x509 csr SAN DN and RFC822 generation * Update comment * Add ChangeLog entry for CMake config defines * Support more SAN subtypes in cert_req.c * Add support for x509 SAN RCF822 and DirectoryName for csr generation * 
Fix code style * Update file permissions * Add script to manage gitignore anchors * Add gitignore anchors to denote generated files * Add dependency MBEDTLS_ECP_NIST_OPTIM for ECP test * tests/test_suite_pem: Augment DES test cases with AES: PEM * Link to the guide for writing a driver * Use minimal include in test_suite_random * Make the PSA-mbedtls RNG API public * Fix missing includes * Rationalize includes in psa_util * Remove unnecessary (and harmful) include * Move error functions to internal header * Move ECC and FFDH macros to internal header * Remove unused function from psa_util.h * Use consistent guards for deprecated feature * Remove unused function in cipher.c * Make cipher functions static in cipher.c * Create psa_util_internal.h * Adapt function name: mbedtls_ssl_tls13_generate_and_write_dh_key_exchange * parse_groups: curve -> group adaptations * Provide additional comments for claryfication * AES: fix mismatch comment in #endif * Remove value assignment for enum entries * Test OID lookup for every hash algorithm * Use only `MBEDTLS_ECP_WITH_MPI_UINT` to switch between the ecp variants * Add indent * Add missed intermediate file * Remove workaround code * fix python lint fails * Add commands for `test_certs.h` * Add test_certs.h generate script * Move certs/keys data to seperate file * Fix test dependency * Fix free before pointers initialised * Add tests for MBEDTLS_MD_SHA3_xxx_VIA_PSA * Support MBEDTLS_MD_SHA3_xxx_VIA_PSA * fix missing include * Improve testing of md/PSA alg identifier macro conversions * Add OID tests for SHA-3 * Add SHA-3 cases in mbedtls_md_type_from_psa_alg, mbedtls_md_psa_alg_from_type * Add OID definitions for SHA3 * Add a new test component to test the new bignum interface with `TEST_HOOKS` * Fix comment * Used preferred macro definition check * Use emptiness-checks rather than DEFINED checks * Use CONFIG_H variable rather than config file name * all.sh component to test cmake custom config file * Pass config file options 
to mbedtls_test(_helpers) * Pass MBEDTLS_CONFIG_FILE defines through cmake * Add msan and asan env variables to .travis.yml * Disable msan errors on null allocation in all.sh * Improve doxygen formatting * Improve comments * Fix formatting of explanatory commented code * Cleanup the code * Improve comment formatting * Rename variables to more descriptive names * Fix function name after rebase * Adapt names: dh -> xxdh * Adapt names (curves -> groups) * Adapt functions names for ffdh * Adapt handshake fields to ffdh * Use valid size of peerkey buffer (EC vs FF) * Minor adaptations after ffdh was enabled for tls1.3 * aesce: use correct target attribute when building with clang * Add ffdh accel vs reference check to analyze_outcomes.py * Enable TLS1.3 in FFDH alg build with drivers and add reference config(without drivers) * tls: client: Improve writing of supported_groups ext * Add changelog entry * Add max iterations test case for cmac * Add test case for zero input cost * Add test cases for key and plain inputs * FIx name of macro * Define PSA_ALG_WANT_PBKDF2_AES_CMAC_PRF_128 and fix config * Add test cases for output validation of pbkdf2 cmac * Add test cases for input validation of pbkdf2 cmac * Change mac_size parameter in driver_mac_compute to output length * Add pbkdf2 cmac to key derivation output_bytes * Add input password function for pbkdf2 cmac * Add pbkdf2_cmac to key derivation setup * Add AES_CMAC_PRF_128 output size macro * Add builtin pbkdf2 cmac guard for all the pbkdf2 functions * Define struct for pbkdf2_cmac * Add define for builtin pbkdf2_cmac * Rename some local variables * Fix the command for server9-sha*.crt * Add target for parse_input/cert_example_multi_nocn.crt * Fix typo and long line format * Update crl-rsa-pss-*.pem manually * upgrade server9-bad-saltlen.crt * Update server9*.crt * Add server9-bad-{mgfhash,saltlen}.crt * Add rules to generate server9*.crt * Update server1-nospace.crt * Update v1 crt files * Update 
cert_example_multi_nocn.crt * Add rules to generate cert_example_multi_nocn.crt * Update server5.[e]ku-*.crt * Add rules to generate server5.[e]ku-*.crt * cert_write: Support write any for extended key usage * Update server2.ku-*.crt * Add rules to generate server2.ku-*.crt * Add rule for server2-badsign.crt * Update test-ca2.ku-*.crt * Fix the rule for server5-ss-forgeca.crt * Add the rule and update server6-ss-child.crt * Update server5-selfsigned.crt * code_size_compare.py: add comment for sys_arch * code_size_compare.py: run make clean before build libraries * tls13: fix guards for PSA error translating function * Officially require Python 3.8 * Correct Python requirements in releases * Add a dummy usage of a pointer in tests * Enable certain documented defines only when generating doxygen * pk: ignore opaque EC keys in pk_setup when they are not supported * pk_wrap: fix: always clear buffer holding private key in eckey_check_pair_psa * Add comments and remove unneeded defines * pk_wrap: do not support opaque EC keys when !PK_HAVE_ECC_KEYS * Change spaces to a tab in a makefile recipe * Add check for the ecp module variants * Enable testing the cloned ecp module * Enable build of the new ecp_new.c file * Clone the ecp.c file as ecp_new.c * generate_psa_tests: fix docstring for tweak_key_pair_dependency function * config_psa: enabled EC key derivation support when ECP_C is enabled * generate_psa_tests: optimize code for key pair dependencies generation * test: replace all KEY_TYPE_ECC_KEY_PAIR with proper symbols * lib/test: replace BASIC_IMPORT_EXPORT internal symbol with BASIC,IMPORT,EXPORT * psa: fix guards for EC key derivation * test: use proper key pair symbols in accelerated list for EC curve test * generate_psa_tests: minor fixes * psa: fix wrong naming for ECC derive symbols in code * configs: adapt to new symbols * generate_psa_tests: improve script to handle all generated files * psa: replace remaining ECC_KEY_PAIR_LEGACY symbols with proper ones * 
generate_psa_tests: remove GENPRIME from dependencies of RSA key pair * generate_psa_tests: improve code for key pairs dependency generation * generate_psa_tests: fix comments * test: reset proper guards for ECJPAKE tests * psa_crypto_ecp: fix wrong comment in #endif * test: rename function testing EC key generation in driver_wrappers * psa: fix guards for EC key derivation * test: remove useless accelerator intialization + minor restyling * test: use better naming for new components * library/test: replace LEGACY symbol with BASIC_IMPORT_EXPORT * config_psa: introduce new internal KEY_PAIR symbol for BASIC+IMPORT+EXPORT * test: properly handle new KEY_PAIR_yyy symbols in PSA generated test * test: replace ECC_KEY_PAIR_LEGACY with GENERATE * library: replace ECC_KEY_PAIR_LEGACY with GENERATE * test: replace ECC_KEY_PAIR_LEGACY with DERIVE * library: replace ECC_KEY_PAIR_LEGACY with DERIVE * test: add new component to test with all KEY_PAIRs enabled but one * Reduce the size of mbedtls_mpi * fix fragile way to refer to server1.req.sha256 * Remove options not known to older gcc * pk_wrap: use PK_HAVE_ECC_KEYS as guard for ecdsa_opaque_check_pair_wrap * pk_wrap: guard all ECDSA function with MBEDTLS_PK_HAVE_ECC_KEYS * pk_wrap: minor fixes for guards * pk_wrap: always fill all the fields of the pk_info structures * pk: uniform naming of functions and structures in pk/pk_wrap * pk_wrap: share code for selecting the psa_alg in ECDSA sign * pk_wrap: minor reorganization for opaque keys * pk_wrap: add missing labels to #else and #endif * pk_wrap: optimize eckey_check_pair() * pk_wrap: name all the fields of the pk_info structs * pk_wrap: add support for ECDSA verify for opaque keys * pk_wrap: optimize code for ECDSA verify * pk_wrap: optimize code for ECDSA sign * Change build target as Cortex-A32 not supported on CI * Nicer formatting * Improve #endif comments * Improve #endif comments * Correct #endif comments * Split armcc tests to separate component * Correct comments 
on #endif's * Add comment * Test combinations of macros for aes.o * Make parse_input targets depend on files in parse_input if possible * Fix malformed directoryName extensions * fix the command of server5-sha%.crt * fix wrong dependency file path * Revert "Extend TF-M build test to test all shipped configs" * Extend TF-M build test to test all shipped configs * Fix unused function warning in x509.c * Change ffdh testing strategy * fix trailing whitespace * Changelog * Add TF-M build test to all.sh * Actually run MD<->PSA test, and fix it * Fix description of functions * test_suite_ecp: Changed to BITS_TO_LIMBS(224) * 2 in `ecp_mod_p_generic_raw`. * code style * Fix comment * More dependency fixes * Fix unused variable * Fix unused variable if MBEDTLS_AES_SETKEY_ENC_ALT and MBEDTLS_AES_DECRYPT_ALT set * Fix unused fn when MBEDTLS_AES_SETKEY_DEC_ALT and MBEDTLS_AES_SETKEY_ENC_ALT set * Fix unused function when MBEDTLS_AES_SETKEY_ENC_ALT set * ecp.py: Extended EcpP224K1Raw tests for 32/64 bit architectures. * bignum_common.py: Added `bits_to_limbs` method. * test_suite_ecp: Updated ecp_mod_p_generic_raw to use the `BITS_TO_LIMBS` macro. * Add ChangeLog entry for string_to_names() fix * Add regression testcase for string_to_names() * Return an error when no name is parsed * Docs improvement * Disable asan errors on null allocation in all.sh * Move the overallocation test to test suites * Add an mbedtls_calloc(SIZE_MAX/2, SIZE_MAX/2) test * Add a description of how mbedtls_calloc is determined * Add a calloc selftest for more than a page * Documentation and cosmetic fixes * Move the calloc buffer initialization test to selftest.c * Extend mbedtls_calloc and mbedtls_free documentation * Add a test for calloc zeroization * Document mbedtls_calloc zeroization * ecp_curves: Adjusted expected_width inputs to use `BITS_TO_LIMBS` macro. 
* Move clarification to a separate note * aes.c: use uint8_t for local x, y, z in aes_gen_tables to save RAM * aes.c: use uint8_t for array of pow and log to save RAM * Replace unnecessary '>=' with '==' * Add PSA_JPAKE_FINISHED to EXPECTED_{IN,OUT}PUTS() * Short too long lines * remove parse input only files from `all_final` * Replace MBEDTLS_ECDH_C dependency in ssl-opt tests * fix wrong dependency file path * Change path for the files only exits in parse_input * Add explanatory comment * copy command for parse_input/* when it exists in data_files * Fix clang warning from -Wasm-operand-widths * add test case for zero input cost * Add test and test case for input cost greater than vendor maximum * test_suite_ecp.data: Added test cases for modulo-1 in coordinate representation. * bignum_mod_raw: Updated documentation for mpi_mod_raw_mul * Fix incorrectly named macro * Fix PSA_HMAC_MAX_HASH_BLOCK_SIZE and PSA_HASH_MAX_SIZE definitions * Adapt guards in ssl_write_client_hello_body * Add ssl-opt functions to check openssl with ffdh support and openssl ephemeral key exchange * Update guards for supported groups * test: solve disparities in driver coverage analysis for no_ecp_at_all() * x509: update ECP_LIGHT dependencies to PK_HAVE_ECC_KEYS * test: enable X509 testing in no_ecp_at_all() components * Fix test dependencies * Fix test dependencies * code style * Use more standard PSA macro names * bignum_mod_raw: Fixed a documentation typo. * test_suite_ecp.data: Limb aligned inputs * Add PSA SHA-3 tests * Add support for SHA-3 in PSA * Handle deleted files correctly * bignum_mod_raw: Adjusted OPT_RED limb size requirements for mod_raw_mul(). * ecp_curves: Added dataset for SECP224K1 Coordinate Modulus. * ecp_curves: Fixed modp pointers on `mbedtls_ecp_modulus_setup`. 
* Fix empty union when TLS is disabled * Allow second run for ffdhe8192 ssl-opt tests * aesce: do not specify an arch version when enabling crypto instructions * Drop not-used items from the base look-up table * Improve docs * More struct re-ordering * Adjust stuct order for better packing / smaller accessor code size * Add casts for enums in cipher.c * Fix direct use of cipher_info->type * Fix direct reference to cipher_info->key_bitlen * Fix some compiler type warnings * Fix accidental mis-named field * Dependency fixes * Fix use of enum in a bitfield * Use fewer bits for block_size * code style * Use look-up table for base * Use fewer bits for iv_size * Don't directly access iv_size * Use fewer bits for key_bitlen * Don't directly access key_bitlen * Re-order mbedtls_cipher_info_t * Use bit-fields * Unify ssl_calc_finished_tls_sha{256,384} * Unify ssl_calc_verify_sha{256,384} * Reword the description of mbedtls_net_free() * Fix extra character in debug string * Change types in mbedtls_cipher_info_t * Improve documentation in bn_mul.h * Add --since option to check files modified since a given commit * Clean up subprocess invocation in get_src_files * Simplify directory name comparison in tests * bignum_mod_raw: Updated documentation for mbedtls_mpi_mod_raw_mul * test_suite_ecp: Extended `ecp_mul_inv` tests for optimised reduction. * ecp_mod_raw: Enabled fast reduction. 
* Refactor injecting errors in the second round * Explain the sequence of mbedtls_psa_pake_ calls * Test extra inputs and outputs at the end of J-PAKE * Add testing for extra calls during a round * Remove unnecessary checks in psa_jpake_prologue() * Remove comment explaining the state machine * Simplify logic of driver step conversion * Tweak wording for clarity * Remove unnecessary initialization of state * Use memset for initialization * Add "completed" clarification to struct comments * Remove redundant structures from previous design * Rename struct member mode to io_mode * Rename function_mode to io_mode * Properly namespace enum values within PSA_JPAKE_ * Change J-PAKE internal state machine * bignum_mod: Added a typedef for OPT_RED function pointer. * tls: always zeroize buffer on exit * tls: keep buffer declaration in a single line * Work around updating pointers from ILP32 * code style * Remove redundant checks in constant_time.c * Fix pointer constraint in bn_mul.h * code style * Improve changelog * Use UINTPTR_MAX not SIZE_MAX * Be strict about pointer size in mbedtls_get_unaligned_volatile_uint32 * Changelog * Omit block_size when MD_C is not enabled * test: remove duplicate PK_HAVE_ECC_KEYS dependency in pkparse suite * Separate ILP32 and normal-aarch64 code paths * Remove useless extern declarations and includes * Docs improvement * Fix for arm64_32 (aka ILP32) on Clang (attempt 2) * Fix for arm64_32 (aka ILP32) on Clang * Fix 32 bit unreachable code build failure * Fix very high stack usage in SSL debug code * Add a do-while loop around macros * Pacify clang15 warnings about empty /retval * Use DER format for x509 SAN tests * MD: isolate strings to separate table * test: ignore compressed points' tests when checking coverage without ECP at all * pkwrite: fix wrong guard position for pk_get_opaque_ec_family() * pk/psa: use PSA guard for mbedtls_ecc_group_to_psa() and mbedtls_ecc_group_of_psa() * psa: move mbedtls_ecc_group_to_psa() from inline 
function to standard one * build_info: do not enable ECP_LIGHT when PSA_WANT_ALG_ECDSA * pk: remove useless internal function * test: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS * library: replace occurencies of ECP_LIGHT with PK_HAVE_ECC_KEYS * pk: add new symbol to state that PK has support for EC keys * test: re-enable PK and RSA in component without ECP/ECP_LIGHT * x509parse tests: Replace TEST_ASSERT with TEST_EQUAL * Fix tests? * Simplify aesni support test * Fixed AlgorithmIdentifier parameters when used with ECDSA signature algorithm in x509 certificate * Clarify support_test_aesni * mbedtls_config: improved description of PK_PARSE_EC_COMPRESSED * build_info: improved description of ECP_LIGHT auto-enabling symbols * Improve logic for checking for presence of AESNI code * Improve logic for checking for presence of AESNI code * test: remove leftover paragraph in test_psa_crypto_config_accel_ecc_ecp_light_only * Fix typo * Fix test error * fix CI failure * Fix typo * code style * Address test review comments * Remove not-needed compiler flags * Add test for plain C path * Simplify aesni test * Improve changelog * Only force O2 when hw acceleration available * build_info: auto enable PK_PARSE_EC_COMPRESSED when PK_PARSE_C && ECP_C * test: update depends.py with new dependencies * test: fix bug for test without bugnum * build_info: complete list of symbols that auto-enable ECP_LIGHT * mbedtls_config: add new MBEDTLS_PK_PARSE_EC_COMPRESSED symbol * pk: let PK_PARSE_EC_EXTENDED auto-enable ECP_LIGHT * test: remove leftover from past PR development * test: renaming component testing accelerated EC * Only enable gcc -Os fix if we have AES hw support * Improve comment * Use valid guard for filling group list with EC groups * Respect -Os for everything except XTS * ecp_curves: Updated the optimised reduction function pointer. * bignum_mod: Updated documentation. * test_suite_ecp: Added `MBEDTLS_ECP_NIST_OPTIM` define guards. 
* test_suite_ecp: Updated `ecp_mod_p_generic_raw` for optimised reduction. * ecp_curves: Updated `mbedtls_ecp_modulus_setup` to use optimised reduction. * ecp_curves: Updated input argument for `mbedtls_ecp_modulus_setup`. * bignum_mod: Updated `optred_modulus_setup` to use function input. * bignum_mod: Added `mbedtls_mpi_opt_red_struct` structure. * bignum_mod: Fixed code-style * bignum_mod: Added static `standard_modulus_setup()`. * bignum_mod: Refactored `mbedtls_mpi_mod_modulus_setup()` * test_suite_bignum: Removed `test_read_modulus()`. * binum_mod: Added `mbedtls_mpi_mod_optred_modulus_setup()`. * Don't use inet_pton() before Windows Vista * Don't force the default windows version down * Don't call wincrypt on builds older than Windows XP * Allow all.sh to override intrinsics vs asm selection * Test asm and intrinsics from all.sh * tls: never destroy a priavte key that is not owned/created by TLS module * config_psa: replace USE symbols with BASIC one for all KEY_PAIRs * test: run all the test suite in the temporary component and grep outcome file * test: add a temporary test for checking conversion for new symbols * config_psa: only KEY_PAIR_USE includes PUBLIC_KEY * config_psa: always enable PUBLIC_KEY when any KEY_PAIR is enabled * test_driver_extension: manage public and private keys the same way * config_psa: fix logic for updating legacy symbols * config_psa: ECP_C do not enable ECC_KEY_PAIR_DERIVE * crypto_config_test_driver_extension: remove leftover comment * psa: move PSA_WANT checks to check_crypto_config * config_psa: avoid repetitions when including MBEDTLS symbols * changelog: added entries for explaining changes of this PR * crypto: move legacy symbols support to a dedicated header file * config_psa: add missing BUILTIN symbols when ECP_C is defined * config_psa: fix comment for LEGACY symbols * config_psa: remove support for PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE * config_psa: remove GENPRIME from enabled symbols of 
PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_USE * config_psa: remove leftover comment on ECC derivation * psa: fixing psa_crypto_generate_key.generated * test: fix python script for PSA test generation * tests: replace deprecated symbols with temporary _LEGACY ones * library: replace deprecated symbols with temporary _LEGACY ones * config_psa: replace legacy symbols with new ones * psa: add support for legacy symbols * crypto_config: introducing new definitions for PSA_WANT KEY_PAIRs * tls: optimize code in ssl_get_ecdh_params_from_cert() * Rename MBEDTLS_OPTIMIZE_ALWAYS * Improve readability of unrolled AESCE code * Rename _USE to _BASIC * code style * Update changelog * Use MBEDTLS_OPTIMIZE_ALWAYS for gcm * Use MBEDTLS_OPTIMIZE_ALWAYS for ccm * Use MBEDTLS_OPTIMIZE_ALWAYS in aesce * use MBEDTLS_OPTIMIZE_ALWAYS in AES-XTS * Use mbedtls_xor_no_simd from cmac and cbc * Add a non-NEON variant of mbedtls_xor * Introduce MBEDTLS_OPTIMIZE_ALWAYS * Introduce MBEDTLS_COMPILER_IS_GCC * Move mbedtls_ecp_modulus_type out of the public headers * Add cleanup for intermediate buffer * Split out mbedtls_ecp_mod_p448_raw() * Unroll aesce_decrypt_block * Unroll aesce_encrypt_block * Add missing ECDH dependencies in ssl-opt tests * Fix selection of default FFDH group * Adapt remaining guards to FFDH * Properly disable ECDH in only (psk) ephemeral ffdh key exchange components * Rename NUL to null in x509 IP parsing description * Reword changelog entry * Add copyright (as agreed with Manuel) * Fix unintentional config reduction in prev commit * add return statement * mbedtls_config.h: add description for CTR_DRBG about AES-128 only * code style * fix check-names failure * Limit number ffdh test cases (ffdhe2048, ffdhe8192) * Optimise final 2 rounds * Do not use NEON for AES-CBC on aarch64 * Revert "improve cbc encrypt perf" * Replace sizeof(mbedtls_mpi_uint) with ciL define * Shorten encoding of version features * Changelog entry for the MBEDTLS_CIPHER_BLKSIZE_MAX deprecation * Officially 
deprecate MBEDTLS_CIPHER_BLKSIZE_MAX * Rename MBEDTLS_CIPHER_BLKSIZE_MAX internally * Replacement for MBEDTLS_CIPHER_BLKSIZE_MAX * Explicitly document that Camellia and ARIA aren't supported * Add not-supported test case for ARIA and for other Camellia key sizes * Test consistency of cipher max-size macros * Use predefined serial numer in certificates * Remove PSA_TO_MD_ERR from ssl_tls.c * Use output block as U_accumulator * Update PSA_WANT spec for new KEY_PAIR scheme * Disable MBEDTLS_DHM_C in component_test_tls13_only_psk * all.sh: use clang for one test of AES_ONLY_128_BIT_KEY_LENGTH * Add FFDH tests to ssl-opt * pake: fixed warning for casting between different types * Fix coding style issue * More about whether to have the driver key id in the transaction list * Discuss the cost of a get_key_attributes entry point * Move corner test case into python framework * Three round solution * Add ffdh support yo generate_tls13_compat_tests.py * Code cleanup #2 * Add missing guards in tls 1.3 * Move an include * Fix wrong array size calculation in error translation code * Move the ARRAY_LENGTH definition to common.h * Add missing ifdefs * Optimize error translation code size * Fix ecp test * Build the docs in realfull config * Add test components: only PSK ephemeral ffdh, only ephemeral ffdh key exchange * Code cleanup * Fix special-case with all curves except one. 
  * Docs update
  * Code style
  * Make mbedtls_ct_zero non-static
  * Add crypt_and_hash decrypt issue to Changelog
  * Remove references to non-existing options
  * Make -SE_C part of adjust_config
  * Group both configuration steps
  * Replace function calls in crypt_and_hash program with locals
  * Re-enable MBEDTLS_DHM_C in tls13_only_psk, tls13_only_psk_ephemeral, tls13_only_psk_all
  * Improve phrasing
  * Changelog for SHA-384 max block size bug
  * Fix typo in MBEDTLS_MD_CAN macros
  * Use a single fast-path in mbedtls_xor, gains around 1% in benchmarks
  * Code style
  * Update Changelog
  * Fix AES-XTS perf regression
  * Fix error: comparison of integers of different signs: 'SOCKET' and 'int'
  * x509_parse_time() perf
  * Reuse time when verifying certificate chain
  * mbedtls_x509_time_gmtime() read struct directly
  * mbedtls_x509_time_gmtime() to fill struct w/ time
  * mbedtls_x509_time_cmp() perf
  * mbedtls_x509_time_cmp() compare mbedtls_x509_time
  * Fix crypt_and_hash decrypt issue when used with stream cipher
  * Remove unnecessary cast
  * Remove the all.sh test for this, since armclang on CI is too old
  * Fix armc5-bin-dir and armc6-bin-dir options to all.sh
  * Merge the two ARM Compiler 6 - Target ARMv8.2-A - AArch64 builds
  * Add an all.sh build test that catches the unterminated pragmas
  * Fix "unterminated '#pragma clang attribute push'" in sha256/sha512.c
  * Strengthen fall-back for mbedtls_ct_compiler_opaque
  * Replace use of MBEDTLS_SHA3_C with MBEDTLS_MD_CAN_SHA3_xxx
  * Fix definition of MBEDTLS_MD_MAX_SIZE and MBEDTLS_MD_MAX_BLOCK_SIZE
  * Fix failing CI
  * Fix test dependencies
  * Edit changelog
  * Remove negative tests for input validation
  * Use size of buffer for mac_size
  * Use multipart mac operation for adding salt and counter
  * Make MD<->PSA translation static inline
  * Remove guarantee about converting NONE
  * Simplify implementation of MD<->PSA translation
  * Replace loop zeroise with memset
  * Fix missing call to mbedtls_ssl_md_alg_from_hash()
  * Change values of md_type enum
  * Add comments to 448 optimised reduction
  * Add corner case for p448 (A0+A1= full 1 of 448 bits)
  * Restore accidentally removed comment
  * Replace MBEDTLS_MD_CAN_SHA3 with MBEDTLS_MD_CAN_SHA3_xxx
  * Fix error status for PSA RSA-OAEP unknown hash
  * Change contract of MD<->PSA conversion
  * Add size measurements per library
  * Use helper_libtestdriver1_adjust_config more
  * Fix some typos
  * Fix for big-endian architectures
  * Unify ABSORB and ABSORB8 to fix compile error
  * Fix test dependency
  * Correct minor merge mistakes
  * Add HMAC DRBG SHA-3 tests
  * Tidy-up
  * Remove NULL checks
  * Remove reference to SHAKE
  * Use MBEDTLS_PRIVATE
  * Spell as SHA-3 not SHA3
  * Add tests for invalid parameters
  * Tidy-up definition of mbedtls_sha3_context
  * move mbedtls_sha3_family_functions out of public interface
  * Use faster type for state index
  * remove not-needed fields from SHA-3 context
  * Consume input in 8-byte chunks
  * Avoid possible NEON alignment issue
  * Revert not-useful changes to AES-CBC decrypt
  * improve cbc encrypt perf
  * Extend NEON use to 32-bit Arm
  * Add tests for xor over large blocks
  * Add clangd compilation databases to gitignore
  * Add a guard for IP parsing in cert_req app
  * Fix param documentation for mbedtls_x509_crt_parse_cn_inet_pton
  * Remove references to x509_invasive.h
  * Use better IP parsing in x509 programs
  * Remove redundant test and add tests: keyid only (without issuer)
  * Adapt test (use path instead of bytes) after rebase
  * Fix code style
  * Further test improvements
  * Fix after rebase (remove redundant variables in tests)
  * Add more test cases
  * Use RSA keys in generated certificates
  * Add test for invalid KeyIdentifier tag length + adapt error code
  * Use TEST_EQUAL instead of TEST_ASSERT in tests
  * Test optional fields in authorityKeyId
  * Check values in tests
  * Use generated certs in DER format in tests
  * Provide makefile rules to generate certs for authorityKeyId, subjectKeyId tests
  * Fix fall through warning
  * ssl_client2, ssl_server2: code optimization + guards adaptation
  * mbedtls_psa_ffdh_export_public_key: allow bigger output buffer
  * Further code optimizations
  * Adapt function names
  * Combine mbedtls_ssl_tls13_generate_and_write_ecdh/ffdh_key_exchange functions
  * Adapt guards, dependencies + optimizations
  * Move FFDH helper functions and macros to more suitable locations
  * Adapt guards for FFDH
  * Replace deprecated functions
  * Fix test configs
  * Add changelog entry (FFDH in TLS 1.3)
  * Compile out length check to silent the compiler warning
  * ssl-opt.sh: Add FFDH tests
  * Add FFDH support in client2, server2 applications
  * Add support for FFDH in TLS 1.3
  * Add FFDH definitions and translation functions
  * ssl_write_supported_groups_ext(): add support for ffdh keys
  * Add the DHE groups to the default list of supported groups
  * Use safe snprintf
  * Add test for invalid IP length (+use der format in tests)
  * Fix parsing of SAN IP (use mbedtls_snprintf, validate buffer length)
  * Add separate case for ip address
  * Add test to parse ipV4 and ipV6 addresses
  * Add support for parsing SAN IP address
  * Fix code style
  * Add changelog entry
  * Add negative cases for pbkdf2 output
  * Add RFC tests for pbkdf2 output
  * Change derive_input test cases for implemented output_bytes
  * Add cost and password steps to derive_output_test function
  * Add pbkdf2 function to key_derivation_output_bytes
  * Add pbkdf2_generate_block function
  * Add additional members to pbkdf2 struct
  * Update FFDH component
  * Add documentation about libtestdriver1 usage
  * all.sh: make libtestdriver1 components more uniform
  * all.sh: add helper_libtestdriver1_make_main()
  * all.sh: add helper_libtestdriver1_make_drivers()
  * all.sh: add helper_libtestdriver1_adjust_config
  * Add static check for macros that should be in sync
  * Add comment on macros that should be kept in sync
  * Remove mbedtls_psa_translate_md().
  * Keep MD and PSA max size in sync
  * Use PSA-neutral function for availability check
  * Fix guard for PSA->MD error conversion
  * Fix duplicated definition of a function
  * Use function instead of macro for error conversion
  * Add total when printing sizes in all.sh
  * Add missing include
  * Use general framework for PSA status conversion
  * Formally deprecate mbedtls_psa_translate_md()
  * Use actual function instead of static inline
  * Remove hash_info.[ch]
  * Use MD<->PSA functions from MD light
  * Add MD <-> PSA translation functions to MD light
  * Remove unused function
  * Replace hash_info macro with MD macro
  * Replace hash_info_get_type with MD function
  * Add convenience inline function to md.h
  * Restore rsa_single_san_uri.crt.der
  * Mark all_intermediate as .SECONDARY
  * Remove redundant PHONY targets
  * Fix long line format
  * server5-der*.crt: Simplify the size calculation
  * Update cert macros in tests/src/certs.c
  * Update crl-ec-sha*.pem, crl.pem, crl_cat_*.pem
  * Add rules to generate crl_cat*
  * Update server10*.crt
  * Update server8*.crt
  * Update server7*.crt
  * Update pkcs7 files
  * Extend the validity period of pkcs7-rsa-sha*.crt to 10 years
  * Update test-int-ca*.crt
  * Add rules to generate test-int-ca{2,3}.crt
  * Update test-ca2_cat-*.crt and test-ca_cat*.crt
  * Update server6.crt
  * Update test-ca[1|2].crt[.der]
  * Clarify when key derivation entry points are mandatory/permitted
  * Copyediting
  * Generate PEM pub key directly from DER prv key
  * pk_internal: minor rearrangement in mbedtls_pk_get_group_id()
  * test: add key pair check verification for opaque EC keys
  * pk: allow key pair checking for opaque keys
  * pk_wrap: add support for key pair check for EC opaque keys
  * code_size_compare.py: change prompt message in code size measurement
  * code_size_compare: clarify input and return types
  * code_size_compare.py: integrate code with CodeSizeBase
  * code_size_compare.py: add a CodeSizeBase class
  * Comment tidy-up
  * Rename MULADDC_PRESERVE_R1 etc to MULADDC_PRESERVE_SCRATCH etc
  * Improve docs & check for non-gcc compilers
  * Improve changelog
  * Add armclang -O0 build test
  * Add build tests for Thumb and Thumb2 with clang
  * Do not use assembly on Thumb 1 / clang
  * Rework the description of key derivation output/verify key
  * Note that we may want to rename derive_key
  * Probably resolve concern about the input size for derive_key
  * Minor copyediting
  * Fix bug in calculation of maximum possible bytes
  * Allow subidentifiers of size UINT_MAX
  * Fix spelling in Changelog
  * Remove unnecessary addition to buffer size estimation
  * Modify tests in response to review comments.
  * Refactor code in cert_write.c
  * Fix overflow checks in x509write_crt
  * Change the name of the temporary san variable
  * Update the descriptions of SANs
  * code_size_compare.py: fix make command logic in default config
  * Reword description and change NUL to null
  * Rename minimum_mem to resized_mem
  * Rearrange declarations for readability
  * Change behaviour away from NUL-terminated strings
  * Cosmetic fixes to doxygen comment
  * Remove certain null pointer checks when only MD_LIGHT enabled
  * Add docs for mbedtls_ecp_mod_p448()
  * pk: minor code fixes
  * pk: fix guard position
  * test: remove debug echo in component
  * pk: optimized/reshape code for writing private key PEM
  * pk: optimized/reshape code for writing private key DER
  * pk: extend pk_write_ec_private to support opaque keys
  * pk: optimize/reshape public key writing
  * pk: uniformize public key writing functions
  * pk: add internal helpers for opaque keys
  * psa_util: add support for rfc8410's OIDs
  * pk_internal: add support for opaque keys for getting EC curve ID
  * test: optimizing test_suite_pkwrite code
  * Hoist variable declarations to before goto
  * Refactor while loop for simplicity
  * Improve line spacing after variable declarations
  * Reword function description slightly
  * Reword ChangeLog entry for consistency
  * Revert setting optimization flag(use O2)
  * Adapt guards for psa_is_dh_key_size_valid
  * Change input cost type to uint64_t and fix max iteration test case
  * code_size_compare.py: classify arguments in parser
  * code_size_compare.py: add prompt for unsupported arch and config
  * Fix invalid commands for ec_x{25519,448}_{prv,pub}.{der,pem}
  * Change coding style to fix multi lines into one line
  * Key agreement needs an attribute structure for our key
  * Note possible issue with derive_key: who should choose the input length?
  * State explicitly that cooked key derivation uses the export format
  * Clarify sequencing of long inputs
  * Rationale on key derivation inputs and buffer ownership
  * Key derivation dispatch doesn't depend on the key type
  * Copyediting
  * Finish test strategy
  * Modify tests to suit new behaviour
  * Add driver support for DH import key and export public key
  * Revert "Handle simple copy import/export before driver dispatch"
  * Update server5[-der*|-sha*].crt
  * Add rules to generate test-ca2_cat-*.crt
  * Add rules to generate server10*.crt
  * Add rules to generate server8*.crt
  * Add rules to generate server7*.crt
  * Add rules to generate server6.crt
  * Add rules to generate server5-sha*.crt
  * Add server5-der*crt generate command
  * Add rules to generate server5[-badsign].crt
  * Update server3.crt and server4.crt
  * Add rules to generate server4.crt
  * Add rules to generate server3.crt
  * Fix wrong target names in the Makefile in tests/data_files
  * Mark all_intermediate as intermediate files
  * change path of mbedtls_x509_crl_parse input data
  * change path of mbedtls_x509_csr_parse_file input data
  * change path of mbedtls_x509_csr_info input data
  * change path of x509_parse_san input data
  * change path of x509parse_crt_file input data
  * change path of x509_cert_info input data
  * change path of mbedtls_x509_crl_info input data
  * code_size_compare.py: add armv8-m option for arch
  * Add test code for big endian write/read
  * Add intermediate variable to represent the bytes of big num
  * code_size_compare.py: change default path of armclang
  * Create bugfix_iar_typo.txt
  * Fix typo in cmake file for IAR
  * code style
  * Move base64 test interfaces into base64_internal.h
  * Remove references to rsa.h and ssl_misc.h from constant_time.c
  * Fix RSA perf regression
  * Document and test that memcpy_if may have src == dest
  * Fix non-opaque use of mbedtls_ct_condition_t
  * Improve tests for mbedtls_ct_uchar_in_range_if
  * Whitespace etc
  * Improve use of compiler_opaque
  * Make memmove_left more efficient
  * Rename mbedtls_ct_uint_if_new to mbedtls_ct_uint_if
  * Remove old interface
  * Use new CT interface in mbedtls_ct_memcpy_offset
  * Use new CT interface in mbedtls_mpi_safe_cond_swap
  * Use new CT interface in mbedtls_mpi_core_random
  * Use new CT interface in mbedtls_mpi_core_add_if
  * Use new CT interface in mbedtls_mpi_core_lt_ct
  * Remove not-needed mbedtls_ct_mpi_uint_cond_assign
  * Update mbedtls_mpi_core_uint_le_mpi to new CT interface
  * Update mpi_select to use new CT interface
  * Update mbedtls_mpi_lt_mpi_ct to new interface
  * Update mbedtls_mpi_safe_cond_(assign|swap) part 2
  * Update mbedtls_mpi_safe_cond_(assign|swap) to use new CT interface
  * Use new CT interface in ssl_msg.c
  * Add impl of mbedtls_ct_memcpy_if
  * Use new CT interface in ssl_tls12_server.c
  * Use new CT interface in rsa.c
  * Use new interface in mbedtls_ct_memmove_left
  * Remove old interface for mem_move_to_left
  * Add impl of mbedtls_ct_zeroize_if
  * Remove not-needed compiler_opaque in ct_if
  * Improve const-timeness of mbedtls_ct_bool_lt
  * Introduce new CT interface (retain old interface)
  * tests
  * Move some bignum functions out of constant_time module
  * Move mbedtls_ct_rsaes_pkcs1_v15_unpadding into rsa.c
  * Expose mbedtls_ct_size_gt and mbedtls_ct_mem_move_to_left in ct interface
  * Move mbedtls_ct_hmac into ssl_msg.c
  * Evolve mbedtls_ct_uchar_in_range_if interface
  * Move mbedtls_ct_base64_(enc|dec)_char into base64.c
  * Improve ISA detection
  * Fix output width of mbedtls_ecp_mod_p448() to 448 bits
  * Simplify ifdefs
  * Restrict use of r7 in Thumb 1 code
  * Don't use r7 in generic codepath
  * Update Changelog
  * Revert to detecting __GNUCC__ instead of armclang
  * code_size_compare.py: add missing aes.o in code size comparison
  * code_size_compare.py: add suffix to code size report
  * code_size_compare.py: clean up worktree in errors of subprocess
  * code_size_compare.py: support measurement of tfm-medium
  * code_size_compare.py: add --arch and detection of host arch
  * pkwrite: remove unnecessary code duplication
  * Improve comments
  * Move const result to the first parameter
  * Update comments about how to generate mod_read_write data
  * Add test data for function ecp_mod_random
  * Add test function ecp_mod_random
  * Add test data for ecp mod read write
  * Add mod test functions for unit read write
  * Give options clearer names
  * Minor tidy-up
  * Write up the transaction/recovery processes
  * Add test case for PSA_VENDOR_PBKDF2_MAX_ITERATIONS
  * Tidy-up macros and fix guards around option B
  * Gate all arm asm on Armv6 or better architecture
  * Change output length parameter in pbkdf2_hmac_set_password
  * Restructure set salt function
  * Correct comment header block
  * First draft at fixing the choice of asm
  * ecp_curves: Adjusted the expected limb size for `ecp_mod_p255()`.
  * pkparse: avoid creating extra copy of the private key
  * tls: use pk_get_group_id() instead of directly accessing PK's structure
  * Fix Changelog formatting
  * pk: minor code fixes/enhancements
  * pk: fix key properties when importing private key
  * Add build test for armclang / Cortex-M0 / -Os
  * Add Changelog
  * Disable bignum assembly for certain Arm M-class CPUs
  * Fix code style and initialize status
  * Design document for storage resilience
  * Add tests with direct and key output
  * Add HMAC specific function for setting password
  * Add PSA_ALG_PBKDF2_HMAC_GET_HASH macro
  * Restructure pbkdf2_set_salt function
  * Define PSA_VENDOR_PBKDF2_MAX_ITERATIONS
  * Change pbkdf2 password to array
  * Use functions in alignment.h to get value
  * Change assert to equal base one comments
  * Fix missed renames from N to X
  * pk: improve description for the new priv_id field
  * ecp_curves: Adjusted input checking for `ecp_mod_p255`.
  * test: add exception in analyze_outcomes.py and fix test for montgomery curves
  * pk: fix eckey_check_pair_psa
  * test_suite_pkparse: fix failure
  * test: minor enhancement for using the new private key format
  * tls/x509: minor enhancement for using the new private key format
  * pk: improve sign, check_pair and wrap_as_opaque functions with new format
  * pk: manage parse and write for the new format
  * pk: manage allocate and free space when working with PSA private key
  * pk: change location of Montgomery helpers
  * pk: move PSA error translation macros to internal header
  * ecp_curves: Extended documentation for CURVE25519.
  * ecp_curves: Added documentation for mbedtls_ecp_mod_p255_raw
  * ecp_curves: Reintroduced input checking for
  * ecp_curves: Switched to dynamic memory for
  * ecp_curves: Minor refactoring of `mbedtls_ecp_mod_p255_raw()`
  * ecp.py: Fixed types for `arguments()` overrides.
  * ecp.py: Added tests for `mbedtls_ecp_mod_p255_raw`
  * Modify TFM files to allow them to build on baremetal with Mbed TLS and fix code style. Also change the include path of crypto_spe.h in crypto_platform.h to allow the former file to be included in library-only builds.
  * Bring over both necessary medium config files (regular and PSA style) from TFM.
  * Fix xor fail for large block size
  * Add test data "modulus-1" and "modulus-2" for every curve
  * Fix AES-CBC for in-place operation
  * ecp_curves: Refactored `mbedtls_ecp_mod_p255`.
  * fix: correct calling to time function in tls13 client&server
  * Add missing AES_C dependency in x509 tests
  * Changelog update
  * Make AES-CBC more efficient
  * Add NEON to mbedtls_xor
  * pk: fix a return value and a typo in comment
  * pk: add checks for the returned ECC family
  * Fix wrong makefile target
  * Remove extraneous check in for loop condition
  * Update comments how to generate the randoms to make it reproducible
  * Prefer intrinsics over asm for AES-NI
  * build_info.h: rewrite comment
  * Fix the comments of sum in ecp function
  * mbedtls/platform.h: Avoid potential macro redefinition warnings.
  * pk: fixing and improving comments
  * XOR perf improvements
  * Generate test data with special seed 2,3,4
  * Fix the limb mismatch issue on 32-bit platform
  * Compare the libs of two input value and add comments
  * Remove useless parameters for ecp_mod_add_sub
  * Refine code to align with the styles of ecp_mod_mul_inv
  * Add test data for ecp_add_sub
  * Add add_sub test data for named moduli curves
  * Add add_sub test cases for named moduli curves
  * Remove DIY SIZE_MAX definitions
  * Both compare the least significant limb 1 and the left limbs 0
  * Remove useless parameter iret for ecp mul_inv cases
  * Check for overflows when writing x509 SANs
  * Enable escaping ';' in cert_write.c SANs
  * Add missing RFC822_NAME case to SAN setting
  * Remove unnecessary zeroization
  * Return an error on an unsupported SubjectAltName
  * Fix a code style issue
  * Fix temporary IP parsing error
  * Update ip_string_to_bytes to cert_req version
  * Fix subjectAltName test prerequisites
  * Add missing memory deallocation
  * Fix a copy-paste typo
  * Add braces to a switch case
  * Add documentation and a changelog entry
  * Add a test for SubjectAltName writing to a certificate
  * pk: minor fixes (guards and a wrong assignment)
  * Add input parameter length check for the Koblitz reduction
  * Add a possibility to write subject alt names in a certificate
  * Add a certificate exercising all supported SAN types
  * Move mbedtls_x509_san_list to x509.h
  * Add documentation
  * tests: fixes for using the new public key raw format
  * test_suite_debug: fix USE_PSA_INIT/DONE guards in a test
  * tls12: use the raw format for the public key when USE_PSA is enabled
  * debug: add support for printing the new EC raw format
  * pkwrap: update ECDSA verify and EC pair check to use the new public key
  * pk: update pkparse and pkwrite to use the new public key storing solution
  * pk: adding a new field to store the public key in raw format
  * Convert comments over to X rather than N
  * pk: fix typos in description of mbedtls_pk_ec_[ro/rw]
  * build_info.h: rewrite comment for inclusion of config_psa.h
  * Compare final result with ASSERT_COMPARE
  * Check all of the limbs of result
  * Re-order the variable orders and rename them
  * Refine error check for mbedtls_ecp_modulus_setup
  * Remove the useless modulus validity
  * Remove modulus double free
  * Add back 255 bit test data for SECP224K1 test cases
  * Add comments to the data file for the curve secp224k1
  * Revert to 224bit random data no need leading bit "1"
  * Increase bit size to 225 for SECP224K1 test cases
  * Add comments about how the mod_inv data is generated
  * Update ecp mul_inv test cases
  * Change coding styles of white space
  * Tidy up ecp mul_inv_test code
  * Add ecp test cases for mont mul and inv after named moduli setup
  * Add ecp test function for mont mul and inv
  * Use valid MD5 dependency for test
  * build_info.h: change location of including config_psa.h
  * Use const where appropriate
  * Group memory allocations earlier
  * Convert over to using X, X_limbs
  * Convert curve 448 to use ecp core functions
  * bignum: Updated documentation for `mbedtls_mpi_shift_l()`
  * bignum: Updated `mbedtls_mpi_shift_l` to use the core method.
  * Make use of MBEDTLS_STATIC_ASSERT
  * Document minimum size for DEBUG_BUF_SIZE
  * simplify code
  * code style
  * make code readable and change var name
  * send debug msg if contains '\n'
  * Update library/debug.c
  * Fix: no newline when debug msg over DEBUG_BUF_SIZE
  * Fix comment
  * Add `_raw` function to P256K1
  * Add `_raw` function to P224K1
  * Add `_raw` function to P192K1
  * bignum_core.py: Simplified result calculation for `BignumCoreShiftL`
  * Fix compilation errors(unused variables, guards)
  * Fix copypasta
  * mbedtls_x509_crt_free: release authorityCertIssuer sequence
  * Add test to cover memory leak in authorityCertIssuer case
  * Fix comment
  * pk: fix: explicitly set const in casted value in mbedtls_pk_ec_ro
  * pk: fix build issues
  * pk: align library and tests code to the new internal functions
  * pk: make mbedtls_pk_ec internal when !ECP_C
  * Minor adjustments after review.
  * Replace references to Mbed Crypto with Mbed TLS through-out documentation and comments.
  * Replace references to Mbed Crypto with Mbed TLS through-out documentation and comments.
  * Ignore *.o everywhere
  * Only include psa_pake_setup() and friends if some PAKE algorithms are required
  * Fuzz programs: print an error if loading the reproducer fails
  * Add test cases to test overflow in the Koblitz reduction
  * Update comments
  * Add another round in the Koblitz reduction
  * all.sh: test AES built-in implementation in AES-128-bit key only
  * Set LANGUAGES explicitly in CMakeLists.txt project()
  * Add changelog entry (FFDH driver dispatch)
  * nist_kw.c: remove non-128-bit data if aes_128bit_only enabled
  * Handle simple copy import/export before driver dispatch
  * Fix peer vs our key mismatch in ffdh key agreement transparent driver
  * Adapt guards in ffdh driver
  * Adapt test driver configuration for FFDH
  * Add FFDH support for transparent drivers(generate, export public key)
  * gcm.c: do not set length for some arrays in selftest
  * gcm selftest: remove non-128-bit data if aes_128bit_only enabled
  * cmac selftest: add macro for non-128-bit data/test
  * aes selftest: determine selftest loop limit in runtime
  * bignum_common.py: Addressed minor typos
  * Add test component for accelerated FFDH
  * Work around Readthedocs command parsing bug
  * aes selftest: remove non-128-bit data if aes_128bit_only enabled
  * Add partial support for URI SubjectAltNames
  * ChangeLog: remove issue number as this is a new feature
  * mbedtls_config.h: remove empty * line before closing */ line
  * mbedtls_config.h: rewrite comment for AES_ONLY_128_BIT_KEY_LENGTH
  * rewrite ChangeLog
  * aes.h: rewrite comment for aes round key buf
  * generate_psa_tests.py: fix typo
  * cert_audit: Fix DER files missed from parsing
  * cert_audit: Remove merge_auditdata
  * cert_audit: Use dictionary to store parsed AuditData
  * cert_audit: Output format improvement
  * cert_audit: Calculate identifier for X.509 objects
  * cert_audit: Fix bug in check_cryptography_version
  * cert_audit: Sort the outputs by not_valid_after date
  * cert_audit: Merge audit_data for identical X.509 objects
  * cert_audit: Support parsing file with multiple PEMs
  * Reword the API token explanation in redirects.yaml
  * Use if statement for post_build control flow
  * Fix demo scripts for out-of-tree builds
  * Fix coding style.
  * Install cryptography only on linux platform
  * Clean up commented code
  * Limit max input cost to 32bit
  * Enable empty salt as input for pbkdf2
  * Remove redundant code in key_derivation_abort()
  * Code optimization
  * Use int instead uint in test function arguments
  * Fix parsing of KeyIdentifier (tag length error case) + test
  * aesce.c: add macro of MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
  * Correct comment about mbedtls error codes
  * fix wrong target detection
  * Fix input parameter alignment in P256K1 test cases
  * Determine special cases in-place in the common Koblitz function
  * mbedtls_psa_export_ffdh_public_key: return fixed key size
  * pk: improve description for the next opaque ID field
  * pkwrite: removing unused/duplicated variables
  * Remove `delay milliseconds` test
  * pk: use better naming for the new key ID field
  * pk: fix library code for using the new opaque key solution
  * pk: store opaque key ID directly in the pk_context structure
  * add ChangeLog entry
  * all.sh: add test for AES-128bit only without MBEDTLS_CTR_DRBG_C
  * Auto-enable CTR_DRBG_USE_128_BIT_KEY with AES_ONLY_128_BIT_KEY_LENGTH
  * aes.h: add comment for round key buffer in aes context
  * Fix code style
  * mbedtls_config.h: paraphrase code size saving in comment
  * mbedtls_psa_ffdh_generate_key: optimize code and return fixed key size
  * mbedtls_config.h: fix issue in grammar
  * generate_psa_tests.py: add extra dependencies based on key bit
  * Add AES 128-bit key dependency in test_suite_ssl.data
  * Add AES 128-bit key dependency in test_suite_psa_crypto.data
  * Add AES 128-bit key dependency for tests data
  * all.sh: add test for AES_ONLY_128_BIT_KEY_LENGTH
  * Add checks if MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH enabled
  * AES: adjust AES RAM usage according to config options
  * AES: skip 192bit and 256bit key in selftest if 128bit_only enabled
  * AES: add macro of MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
  * Minor cosmetic changes
  * Update broken link to doxygen homepage
  * Remove most of the doxygen mainpage
  * bignum_core: Removed input checking for `mbedtls_mpi_core_shift_l`
  * Update PR template
  * Silence bad "maybe uninitialized" warning for ec_grp_id
  * Fix unused variable in mbedtls_pk_write_pubkey_der in certain configurations
  * Only use mbedtls_ecc_group_of_psa if defined(MBEDTLS_ECP_LIGHT)
  * Fix bug in mbedtls_pk_wrap_as_opaque
  * Add pkwrite tests for X25519/X448 DER
  * Add derive public test for X25519/X448
  * Refactor EC SPKI serialization
  * Add comment about version 1 PKCS8 keys not containing a public key
  * Read and write X25519 and X448 private keys
  * Add FFDH alg to test driver extensions
  * Fix failing CI
  * Enable FFDH through PSA if it's enabled in the legacy interface
  * Use TEST_EQUAL instead of TEST_ASSERT
  * Fix cross-platform compilation issue
  * Fix parsing of authorityCertSerialNumber (use valid tags)
  * mbedtls_pem_write_buffer: Correctly report needed buffer size for all possible line lengths and counts
  * Remove unrequired limb size calculation
  * Correct max canonical multiplication result
  * Fix pastapasta
  * typo
  * Document a known issue with testing of mbedtls_x509_crt_parse_path
  * Improve testing of mbedtls_x509_crt_parse_file
  * Make output_byte return not_supported for pbkdf2
  * Explicitly exit IPv4 parsing on a fatal error
  * Add test cases for pbkdf2 input functions
  * Add pbkdf2 to psa_key_derivation_abort
  * Enable can_output_key with PSA_KEY_DERIVATION_INPUT_PASSWORD
  * Add pbkdf2 input functions to psa_key_derivation_input_internal
  * Add input password function for pbkdf2
  * add input salt function for pbkdf2
  * Add input cost function for pbkdf2
  * Add pbkdf2_hmac to is_kdf_alg_supported()
  * Add pbkdf2 to ATLEAST_ONE_BUILTIN_KDF definition
  * Add pbkdf2 to key_derivation context struct
  * Add pbkdf2 struct to crypto_builtin_key_derivation.h
  * Add psa_pbkdf2_key_derivation_state_t
  * Add builtin PBKDF2_HMAC definition in config_psa.h
  * Enable PSA_WANT_ALG_PBKDF2_HMAC in crypto_config.h
  * Use mbedtls_ct_uint_if() rather than mbedtls_ct_cond_select_sign()
  * Halve size of mbedtls_error_pair_t
  * Add post-build step to update redirects
  * Add readthedocs-cli to requirements.in
  * test: check for exact length of returned pub key
  * test: optimize code for pk_write_public_from_private()
  * test: use better naming for the newly introduced test function
  * pk: fix position for mbedtls_platform_zeroize
  * test: fix makefile for ec_pub.[der/pem] generation
  * test: fix wrong private key file
  * test: add test function for public key derivation starting from private one
  * pk: fix: clear buffer holding raw EC private key on exit
  * test: align ec_pub public keyfile with its ec_prv.sec1 counterpart
  * Add test for parse_binary_string
  * Disallow leading zeroes when parsing IPv4 addresses
  * MBEDTLS_PSA_INJECT_ENTROPY: ignore seed file
  * MBEDTLS_PSA_INJECT_ENTROPY: check the seed file UID
  * MBEDTLS_PSA_INJECT_ENTROPY: check the lifecycle of the seed file
  * Modernize remove_seed_file()
  * Test MBEDTLS_PSA_INJECT_ENTROPY
  * MBEDTLS_PSA_INJECT_ENTROPY: Skip incompatible tests
  * MBEDTLS_PSA_INJECT_ENTROPY: Make sure the seed file exist when running tests
  * Tests: provide necessary functions for MBEDTLS_PSA_INJECT_ENTROPY
  * Fix a build error when MBEDTLS_PSA_INJECT_ENTROPY is enabled
  * Regroup component that had gotten separated from its close siblings
  * Change from Mbed TLS 3.3.0 to 3.4.0 in driver documentation.
  * Minor changes to documentation and code comments for clarity
  * Add support for building p256-m alongside Mbed TLS with CMake. Also check if p256-m is enabled in the config before including the contents of p256-m.c
  * Migrate p256-m_driver_entrypoints.[hc] to new code style
  * Minor formatting change to driver wrapper jinja template
  * Add warnings to documentation stating that p256-m code may be out of date with upstream, plus other minor grammatical fixes.
  * Use psa_generate_random() instead of mbedtls_ctr_dbrg
  * Add 3rdparty license information to the README
  * Add SPDX license identifiers to driver entry point files
  * Add README and license from the p256-m repo
  * Remove rand() from p256_generate_random() and move to an implementation based on mbedtls_ctr_drbg
  * Add README in p256-m/
  * Remove unnecessary no-check-names comments
  * Add information for driver points where auto-generation is implemented
  * Add example for integrating a driver alongside Mbed TLS for entrypoints where auto-generation of driver wrappers is not implemented yet. Using p256-m as the example driver/software accelerator.
  * Rename p256m to p256 for uniform function/macro prefixes
  * Start the driver example write-up (p256-m integration)
  * Add step-by-step guide for writing and integrating drivers for entry points where auto-generation is not implemented
  * Integrate p256-m as an example driver alongside Mbed TLS and write documentation for the example.
  * mbedtls_psa_ffdh_set_prime_generator: use switch instead if-else
  * Fix definition of PSA_RAW_KEY_AGREEMENT_OUTPUT_MAX_SIZE (ECC vs FFDH max)
  * Update config files to make PSA FFDH undependent on MBEDTLS_DHM_C
  * Add guards for psa_is_dh_key_size_valid
  * test: use define for initializing ssl_message_queue struct
  * Fix naming: FFDH key -> DH key and fix guard in psa_validate_key_type_and_size_for_key_generation
  * test: fix USE_PSA_INIT position in test_suite_ssl
  * change binary_string_parser for big-endian input
  * Update tests/suites/test_suite_psa_crypto.function
  * change binary_string_parser for big-endian input
  * Don't explicitly inline mbedtls_mpi_core_clz
  * Add tests with INPUT_INTEGER as key_type_arg
  * Use key_type_arg for determining input method
  * Remove unrelated comment
  * mbedtls_test_psa_exported_key_sanity_check: check for length equality for DH keys
  * Fix FFDH tests dependencies
  * Use import_with_data for testing FFDH invalid key length
  * Add function to validate dh key size
  * Use PSA_MAX_OF_THREE in PSA_EXPORT_KEY_PAIR_MAX_SIZE
  * mbedtls_psa_ffdh_generate_key: Fix random number generation
  * Optimize code (if-else format, action on error)
  * mbedtls_psa_ffdh_set_prime_generator: check if key size is equal and use sizeof
  * Adjust ChangeLog
  * Add Curve 448 tests
  * Enable curve 448 to be tested
  * Make mbedtls_ecdsa_can_do definition unconditional
  * Bug Fix: mbedtls_ecdsa_verify_restartable fails with ECDSA_SIGN_ALT
  * Fix VS2022 build error
  * Adjust code style for pointer types and casts
  * typo
  * Add test cases with a question mark
  * Fix wrong comment
  * Explain the format argument expected by the test functions
  * Fix typos in test descriptions
  * Test the line number returned by parse_test_data
  * Remove string hack for mbedtls_mpi_mod_int testing
  * Allow more signed integer types in test function arguments
  * Support larger integer test arguments: C part
  * parse_function_arguments: stricter type parsing
  * Support (void) as an argument list of a test function
  * parse_function_arguments: extract per-argument function
  * parse_function_arguments: make local_vars a list
  * Support different types in the parameter store
  * Simplify parsing of integers in .datax files
  * Exercise string parsing in the test framework
  * Simplify string escapes
  * Factor get_function_info out of gen_from_test_data
  * Add line number to a few error messages
  * printf testing: exercise integer parsing in the test framework
  * Remove stdint.h substitute for older MSVC
  * Remove declarations of the nonstandard function strcasecmp
  * Stop supporting non-canonical case in mpi_write_string test data
  * bignum_core.py: Add "BignumCoreShiftL()"
  * Allocate the right amount of memory
  * Remove unused macro
  * Ignore carry since it can not be generated
  * Fix value in comment
  * Ensure input parameter size for Koblitz reduction
  * Use core API in `ecp_mod_koblitz()`
  * Add ChangeLog entry for string-to-OID parsing
  * Limit OIDs to 128 components
  * fix clang test fail
  * Fix typos, comments, style, optimize macros
  * Provide PSA_WANT_KEY_TYPE_FFDH_PUBLIC_KEY configuration
  * psa_export_public_key_internal: add missing check for FFDH key type
  * Move check of the key type to mbedtls_psa_key_agreement_ffdh
  * Add psa_crypto_ffdh to build
  * test driver: add support for FFDH key agreement
  * Move FFDH layer to separate file
  * Add sanity check for FFDH key exercise
  * Remove redundant test case (PSA_ALG_FFDH key agreement is now supported)
  * Add FFDH key agreement tests
  * Add FFDH key generation tests
  * Add import/export FFDH key tests
  * Adapt import/export test for FFDH
  * Adapt size macros for FFDH
  * Add key generation for FFDH keys
  * Add key agreement for FFDH keys
  * Add import/export of FFDH keys
  * Adapt config files for FFDH
  * authorityCertIssuer and authorityCertSerialNumber MUST both be present or absent
  * Add compiler version checks.
  * Improve minimum compiler versions document
  * README: add section about drivers
  * Remove undesirable test
  * Remove unnecessary if to save 16 bytes
  * Use ASSERT_COMPARE for comparing buffers
  * test_suite_ecp: Refactored `ecp_mod_p256k1` to align with `ecp_mod_p192k1`
  * ecp_curves: Renamed `ecp_mod_p256k1` -> `mbedtls_ecp_mod_p256k1`
  * ecp_curves: Added unit-tests for `secp256k1`
  * Optimize code (pake role type, freeing buffers)
  * bignum_core_test_suite: Added `mpi_core_shift_l()`
  * bignum_core: Aligned `xxx_core_shift_l` to `xxx_core_shift_r`
  * bignum_core: Extracted mbedtls_mpi_shift_l from prototype
  * Add undefined role for ec j-pake
  * cert_audit: Reword the options and their descriptions
  * cert_audit: Check the version of cryptography
  * Add msvc version document
  * fix wrong compiler checks
  * Revert increase of MEMORY_HEAP_SIZE in ssl_client2
  * Fix documentation
  * test: update guards also for pkwrite and pkparse
  * test: fix max value in test_mx32
  * test: minor fix for non-initialized variable
  * doc: update use-psa-crypto.md
  * test: proper positioning of USE_PSA_INIT + added missing exit labels
  * doc: update USE_PSA_CRYPTO description
  * test: fix USE_PSA_INIT/DONE for SSL test suite
  * test: fix USE_PSA_INIT/DONE for x509 test suite
  * test: fix USE_PSA_INIT/DONE for PK test suite
  * improve syms.sh script for external dependencies analysis
  * test_suite_pkwrite: replace memcpy with memmove
  * fix typos
  * Use do-while(0) format in macros
  * Fix code-style
  * fix new line difference in Windows
  * Add guards for mbedtls_psa_crypto_free()
  * Init PSA in fuzz programs
  * Add changelog entry (PSA initialization in sample programs)
  * cert_audit: Clarify the abstraction of Auditor
  * cert_audit: Add simple parser of suite data file
  * Use loop for two passes in the reduction
  * Document undefined case. Clarify test code.
  * Add link to review guideline for contributors
  * cert_audit: Improve the method to find tests folder
  * cert_audit: Add data-files and suite-data-files options
  * cert_audit: Enable logging module
  * Remove test-case for all-zero
  * Further size optimisation
  * pk: pass pk_context pointer to wrappers instead of void one
  * Change clock source to boottime on linux.
  * Remove unnecessary check
  * fix msvc fail on embed assembly code
  * fix msvc type cast fail.
  * Add msvc build for aesce module
  * fix grammar issues
  * Fix tests
  * Change to using an alloc-realloc strategy
  * Size/perf optimisation for mbedtls_mpi_core_clz
  * Fix code style
  * Fix hex_string converter
  * Fix input_integer testing
  * Init PSA in pkey programs
  * Free psa crypto at the end of programs when initialized
  * cert_audit: Reuse generate_test_code.FileWrapper
  * New implementation for generate_test_code.FileWrapper
  * Improve comments about the time_delay test.
* Remove trailing whitespace from ecdsa.c * Split a complex condition into separate ones * test_suite_ecp: Refactored `ecp_mod_p224k1` to alignt with `ecp_mod_p192k1` * ecp_curves: Introduced `mbedtls_ecp_mod_p224k1()` * ecp_curves: Added unit-tests for `secp224k1` * Add an IPv4 mapped IPv6 test * Refactor IPv6 parsing * test: properly check written PEM buffer len * test: fix extension in DER test files * Further refactor IPv4 parsing * test: fix dependencies in DER and PEM tests * test: specify input file type through enum * Add warning to reserve the reason * test: add Makefile target for the generated DER files * Update comments and remove delay seconds test * cert_audit: Code refinement * test: use proper macros for checks * cert_audit: Improve documentation * remove time delay tests * Update gen_prvkey_mx paras to align with comments and c code * test: add DER file format for pkwrite tests * test: add support for DER format in pkwrite tests * test: memory footprint optimization for pkwrite tests * Fix code style * Fix test case dependency * Add claryfication for PSA_PAKE_INPUT/OUTPUT_MAX_SIZE macros * test: remove useless ECP_LIGHT guard in psa_exercise_key * test: add coverage's analysis framework for accel EC algs w/o ECP * Remove print from mini_client * Move psa_crypto_init() after other init calls * fix comments issues * ecdsa: fix `-missing-prototypes` warning when `MBEDTLS_ECDSA_SIGN_ALT` is defined - In `mbedtls/v3.4.0`, ECDSA restartable sign and verify functions (`ecdsa.c`) were made public. - But the `mbedtls_ecdsa_sign_det_restartable` function prototype was declared in the file `ecdsa.h`, only when `MBEDTLS_ECDSA_SIGN_ALT` is not defined. * cert_app: init entropy unconditionally * Init PSA in ssl and x509 programs * Fix so that PSA_WANT_ALG_DETERMINISTIC_ECDSA implies PSA_HAVE_FULL_ECDSA. 
* Code style * Ensure variables initialised * More fixes for big-endian * Rename a variable in ipv4 and ipv6 parsing * Refactor ipv6 parsing * Rename ipv6 parsing variables, introduce one new one * Introduce a test for a sw implementation of inet_pton * Introduce an additional test for IPV4 parsing * Replace old macro in test_suite_x509parse * Improve x509_inet_pton_ipv4 readability * Tidy-up * Fix compile error * Tidy-up * Test fixes for big-endian * Remove unneeded limb variables * Add checks to guarantee positive input parameters * Add dependency for P192K1 tests * Fix function declaration * Use macro guard for function declaration * Add generated tests for ecp_mod_p192k1 * Add a testable function for ecp_mod_p192k1 * cert_audit: Output line/argument number for *.data files * cert_audit: Make FILE as positional argument * Fix derive_ecjpake_to_pms dependency to PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS. * test_suite_ecp: Removed `MBEDTLS_ECP_DP_SECP_GENERIC_ENABLED` dependency. * Update links in ecp.c * Update SEC1 link in ecdsa.c * Update SEC1 link in ecdh.c * Updating makefile to document key generation * Fix PSA AEAD ChaCha20 test dependency. 
* test: resolve remaining disparities in test_suite_ssl * Handle endianness in x509_inet_pton_ipv6() * use MBEDTLS_PK_CAN_ECDSA_SOME * use MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA * Add mbedtls_x509_crt_parse_cn_inet_pton() tests * add IP SAN tests changes per mbedTLS standards * x509 crt verify local implementation to parse IP * x509 crt verify SAN iPAddress * test: revert undesired debug change in ssl-opt * remove KEY_TYPE_ECC_PUBLIC_KEY unnecessary requirement * test: include also test_suite_ecp for the coverage analysis * solve disparities for ECP_LIGHT between ref/accel * psa: fix ECP guards for key derivation * pk_wrap: fix guards in eckey_check_pair to only include 1 option at build time * build_info: fixed comment * test: fix remaining failures in test due to the ECP_LIGHT symbol * test: let test_psa_crypto_config_accel_all_ec_algs_use_psa use ECP_LIGHT * library: add remaining changes for the new ECP_LIGHT symbol * pk: adapt to new ECP_LIGHT symbol * ecp: introduce new ECP_LIGHT symbol * BRANCHES.md: improve wording * remove PSA_HAVE_FULL_JPAKE symbol * remove PSA_HAVE_FULL_ECDSA symbol * remove PSA_HAVE_FULL_ECDH symbol * cert_audit: Disable pylint error for importing cryptography * test: fix guards position in test_suite_pk * test: fix error handling in the new pk_genkey_ec() function * test: use proper macros for PSA init/done * ecp: revert changes to ECP module and related tests/programs * gen_key: limit EC key generation to when USE_PSA is disabled * pk: add alternate function for keypair generation using PSA * cert_audit: Fill validity dates in AuditData constructor * workaround the assert fail with tollerance * cert_audit: Introduce not-[before|after] option * try to reproduce random assert fail * ssh_cache: Add back description of other errors for cache getter * updating test-ca.key to use AES instead of DES * Fix the wrong debug _message function to _ret * Update the todo comment of record size limits * Update group ext debug message 
in ssl_tls13_server.c * Wrap lines in library/ssl_tls13_client.c * Wrap lines which exceed 80 chars in ssl_tls13_server.c * Wrap lines which exceed 80 chars in ssl_tls13_client.c * Wrap lines which exceed 80 chars in ssl_tls13_generic.c * Improve code styles(line numbers) for tls13_key.c * Update SEC1 link in ecp.c * ssl_cache: Error renaming and document improvement * Fix unused variable warning * cert_audit: Parse more information from test suite data file * pkparse: fix return value * pk: fix return codes' precedence and code style * Change the format of md.h include comments * pk_wrap: simplify prototype of eckey_check_pair_psa() * pkparse: fix guards position * test: use proper macros for PSA init/done * pkparse: use proper sizing for buffer * pkparse: add new function for deriving public key from private using PSA * pk_wrap: minor code optimizations * ecp.py: Set test-dependencies as attributes. * test_suite_ecp: Updated dependency macros for ecp_raw_generic. * test_suite_ecp: Introduced `ecp_mod_p_generic_raw` * Test key_derivation_input_integer function * Add key_derivation_input_integer function * Remove unnecessary include * tests: ssl: Restore !MBEDTLS_SSL_PROTO_TLS1_3 dependency * tls13: srv: Fix comment * tls12: srv: Use sizeof() instead of constant * Add downgrade protection mechanism * Use specific pointer to loop over proposed cipher suites * ssl-opt.sh: Improve description of server negotiation tests * Improve and align variable names for supported versions data * Check for TLS 1.3 version first * Fix, improve and add comments * Update TLS 1.3 documentation and add change log * ssl-opt.sh: Add version selection by the server tests * ssl-opt.sh: Remove some unnecessary forcing of TLS 1.3 * tls: srv: Set hybrid TLS 1.2/1.3 as default configuration * tests: ssl: Extend move to handshake state tests * tls: srv: Allow server hybrid TLS 1.2 and 1.3 configuration * tls: Add logic in handshake step to enable server version negotiation * tls: Initialize SSL 
context tls_version in mbedtls_ssl_setup() * tls13: srv: Add detection to negotiate TLS 1.2 * tls13: srv: Parse supported versions extension early * tls13: srv: Postpone cipher suite selection * tls13: srv: Postpone legacy session id copy * tls13: srv: Postpone client random copy * tls13: srv: Move TLS version setting * tls13: Add function to search for a supported_versions extension * ssl-opt.sh: Force TLS 1.2 on TLS 1.2 specific tests * ssl-opt.sh: Force TLS 1.2 version * ssl-opt.sh: Extend scope of some tests to TLS 1.3 * ssl-opt.sh: Remove unnecessary explicit MBEDTLS_SSL_PROTO_TLS1_2 dep * ssl-opt.sh: Remove unnecessary TLS 1.3 forcing on client side * ssl-opt.sh: Remove dummy TLS 1.3 kex modes tests * tests: ssl: Add some missing dependencies * tests: ssl: Move min/max TLS version setting to endpoint init * Add a changelog entry * cert_audit: Support audit on test suite data files * cert_audit: Initial script for auditing expiry date * Add a justification for early md.h include in programs * Revert to using MBEDTLS_SHA_1_C when mbedtls_sha1 is called directly * Remove duplicated md.h includes * bignum: Removed merge scaffolding. 
* Fix code style * Remove redundant memory relase for authorityCertIssuer * Release memory for subject alt name in test * Use MBEDTLS_MD_CAN_SHA1 macro as test dependency * Fix after rebase * Remove redundant test cases * Adapt test for authority_key_id (parsing subject alt name) * Fix parsing of authorityCertIssuer * Add indication of extension error while parsing authority/subject key id * x509_get_authority_key_id: add length check + test * Fix tests dependencies * Use MBEDTLS_ERROR_ADD() and tag macros * Remove parsing of rfc822Name * Remove duplicated function * Remove generation of authorityKeyId_subjectKeyId.crt from makefile * Rename back mbedtls_x509_parse_general_name->mbedtls_x509_parse_subject_alt_name * Fix Subject Key Identifier, Authority Key Identifier entries in oid_x509_ext * Adapt mbedtls_x509_crt_free after rebase * Adding some comments for easier understand * Removing obsolete test after merging and correcting missing macro * Renaming x509_get_subject_alt_name to x509_get_general_names and mbedtls_x509_parse_subject_alt_name to mbedtls_x509_parse_general_name so they can be used not only to collect subject alt name, but the V3 authority cert issuer that is also GeneralName type. Also updated the x509_get_general_names function to be able to parse rfc822Names * - Removing obsolete test files (DER strings are used instead of them to minimize resource usage) - Renaming test functions to match the naming conventions * Correcting tests: - Wrong condition was checked (ref_ret != 0 instead of ref_ret == 0) - tags were not checked (nor lengths) - Using ASSERT_COMPARE where possible * Correting findings: Using DER format instead of PEM while testing to minimize the resource usage. 
Comparation of byte arrays in test are now done via the dedicated ASSERT_COMPARE test macro for better understanding * Correcting documentation issues: - Changelog entry is Feature instead of API Change - Correcting whitespaces around braces - Also adding defensive mechanism to x509_get_subject_key_id to avoid malfunction in case of trailing garbage * x509parse tests used only last 16 bits of the return values. They are updated to check the whole 32 bit value * Replacing hard-coded literals with macros of the library in the new x509parse tests * Adding openssl configuration file and command to Makefile to be able to reproduce the certificate for testing Authority and Subject Key Id fields Increasing heap memory size of SSL_Client2 and SSL_Server2, because the original value is not enough to handle some certificates. The AuthorityKeyId and SubjectKeyId are also parsed now increasing the size of some certificates * Extracting SubjectKeyId and AuthorityKeyId in case of x509 V3 extensions. Updating mbedtls_x509_crt_free function to also free the new dynamic elements (issuer field of AuthorityKeyId). A few tests are also added which test the feature with a correct certificate and multiple ones with erroneous ASN1 tags. 
* Add missing md.h includes * ecp: revert changes to ECP module and test suite * pk_wrap: fix sizing for private key buffer * Fix memory allocations in pkcs7_verify test * Fix documentation * Multplication is simmetric so only generate unique combinations * fixed guard position for doxygen * pk: add an alternative function for checking private/public key pairs * Fix code style issues * adding missing newline at the end of changelog file * Update BRANCHES.md * add Changelog * test: disable all RSA algs and fix tests * Whitespace fix * Test that setting reset actually does something * Fix cast alignment warning in timing.c * Fix documentation * Add generated test for core_mul * Fix 0 limb size for value 0 * Add unit tests for mbedtls_mpi_core_mul() * Tidy up, remove MPI_CORE(), apply the naming convention, and use the new mbedtls_mpi_core_mul() * Extract MPI_CORE(mul) from the prototype * all.sh: Fix test component name * Fix documentation * psa: Introduce PSA crypto core common symbols * Pacify doxygen.sh * psa: Introduce psa/build_info.h * psa: Remove MBEDTLS_PSA_CRYPTO_DRIVERS configuration option * psa: include: Move key derivation builtin and driver contexts * psa: include: Move some Mbed TLS headers * psa: Remove unnecessary headers * Clarify LTS lifetime * Fix a typo * Fix dependency check for TLS 1.3 ECDH * Remove unnecessary tabs * Clarify SAN structure memory management * Fix rfc822name test arguments * Add missing information about supported subjectAltName types * Add missing deallocation of subject alt name * Move an x509 malformation test * Add changelog entry for directoryname SAN * Add a test for a malformed directoryname sequence * Switch from PEM to DER format for new x509 directoryname test * Adjust error reporting in x509 SAN parsing * Introduce a test for a malformed directoryname SAN * Introduce proper memory management for SANs * Add the original certificate to be malformed for x509 tests * Add support for directoryName subjectAltName * test: 
remove old component errouneously reintroduced during rebase * Update documented dependencies on ECC algs * Use proper log function * Fix function description * test: fix/improve comments in all.sh * Minor improvements * Update documentation to mention ECC drivers * test: fix text output * test: minor refactoring * test: improve comments and code in newly added helper function * check_config: add helper symbol for SECP256R1 * test: add a companion test for another curve (x25519) and fix issues * test: use full config as test starting point and solve issues * test: use BUILTIN symbols in as weierstrass key derivation guard * test: disable proper key exchanges while testing accel EC algs * test: minor fixes to all.sh * psa: use only PSA_WANT symbols for PSA_VENDOR_ECC_MAX_CURVE_BITS * test: add legacy dependency for weierstrass key derivation * psa: set PSA_VENDOR_ECC_MAX_CURVE_BITS based on both SW and accelerated support * test: add specific test with only accel EC curves and algs * Remove obsolete ecp_fix_negative function * tls12_client: remove unnecessary parentheses * test: fix wrong accelerated SHA1 symbol * test: simplify comment in test_psa_crypto_config_accel_all_ec_algs_use_psa() * test: removing test with all accel EC algs without USE_PSA * test: moving accel ECJPAKE test close to accel ECDH and ECDSA ones * ssl: remove useless guard * test: improve comment in the added test * test: remove unused tasks in analyze_outcomes.py * test: fix erroneous changes in all.sh * psa_crypto: fix guard for mbedtls_ecc_group_of_psa() * test: fix comments in test_psa_crypto_config_accel_ecc() * test: remove previous tests for accelerated ECDSA/ECDH/ECJPAKE coverage analysis * ssl_tls: fix guard symbols for EC accelerated tests * test: add a test with all EC based algs accelerated * Add _build/ and api/ to gitignore * Fix comments * Typo: reorder testing classes * Add test cases for P256 fast reduction testing * Add test cases for P384 fast reduction testing * Typo: 
reformat numbers * Clean the breathe-apidoc files with make clean * Add test cases for P521 fast reduction testing * Add test cases for P224 fast reduction testing * Add test cases for P192 fast reduction testing * Add a second round of carry reduction for P192 fast reduction * Fix conflict between restricted and development * Revert "Add generated files" * ecp_mod_p224_raw: Added `MBEDTLS_ECP_DP_SECP224R1_ENABLED` as a dependency * Revert "Add exemption for make.bat in checks for tabs" * Remove make.bat for documentation * Improve docs Makefile to do full build * Prevent mpi_mod_write from corrupting the input * ssl_cache: Add descriptions of returns of cache accessors * tests/.gitignore: ignore *.o under tests/src/test_helpers * Fix a typo * Mention EC J-PAKE opaque passwords. * Try again to clarify USE_PSA_CRYPTO * Fix documented dependencies on TLS 1.2 * Add a ChangeLog entry for driver-only hashes * Use PSA Crypto: try clarifying what it means * Update psa-limitations.md * Update psa-migration/strategy.md * Fix typos * Fix depends.py failure with correct TLS 1.2 deps * Disable built-in SHA-256 in accel_hash too * Fix and simplify TLS hash dependency declarations * Use helper macros for hashes in check_config.h * Fix failures in test_suite_random * Manually fix two remaining instances of old macros * Fix instances of old feature macros being used * Fix entropy-related feature macros * Force SHA-256 for entropy in libtestdriver1 * Test entropy.c with driver-only hashes * Fix driver_wrappers test * Use MD-light in entropy.c * test: improve analyze_outcomes.py script * Fix signed/unsigned comparison (windows compilation failure) * Add change log entry (j-pake user/peer accept any values) * Extend j-pake input getters tests for user and peer * Remove driver_pake_get_role function * Adapt pake tests * Adapt J-PAKE built-in impl to use user/peer * ecp_curves: Updated ecp_mod_p384_raw documentation * ssl_tls: fix guard in ssl_misc.h * ssl_cache: Return standard 
mbedtls error code * Update documentation of psa_pake_input * Add tests case for step with different buffer size * psa_pake_input: validate buffer size using PSA_PAKE_INPUT_SIZE * Improve function return value description * Improve positioning of GENERATE_XML option * Remove Exhale from requirements and regenerate * ecp_curves: Re-introduced `mbedtls_ecp_fix_negative()` * changelog: fix description for ECDH changes * ssl_tls13: use PSA_WANT_ALG_ECDH as symbol for marking ECDH capability * added changelog for accelerated ECDH changes * ssl_tls: fix proper guards for accelerated ECDH * ssl_tls13: fix guards for accel ECDH * accelerated ecdh: re-enable TLS 1.3 key exchanges and fix guards in check_config * fix typo * ecdh: simplify guards for the newly created PSA_HAVE_FULL_ECDH symbol * test_suite_ssl: remove redundant dependencies when the key exchange is specified * ecdhe: solve disparities in accelerated ECDHE vs reference * ecdhe: fix guards for accelerated ECDHE key exchanges * test: enable ECDHE key exchanges for driver coverage tests * EC-JPAKE: remove limitation for user/peer (alow any value) * EcpP384R1Raw: Added test case for 2nd round of carry reduction. * ecp_curves: Minor rework for p384 * ecp test generator: Added EcpPp384R1Raw(). * test_suite_ecp: Added ecp_mod_p384_raw() test case. 
* Remove now-spurious dependencies * Enable ECDSA-det in driver-only hashes component * Enable HMAC-DRBG in driver-only hashes component * Enable PKCS7 in driver-only hashes component * Enable HKDF in driver-only hashes test * ecp_curves: Ported prototypes * Fix typos & improve wording in comments * MD: use MD_CAN in test suite and check for parity * Remove legacy_or_psa.h * SSL: fix test failures * SSL: use MD_CAN macros * X.509: fix test failures * X.509: use MD_CAN macros * PK: fix test failures * PK: use MD_CAN macros * OID + misc crypto: use MD_CAN and fix failures * test_suite_psa_crypto: use PSA_WANT * PKCS5: use MD_CAN macros * PKCS5: always use MD * RSA: use MD_CAN macros * RSA: always use MD light * PEM: use MD_CAN macros * PEM: always use MD light * PKCS12: use MD_CAN macros * PKCS12: always use MD light * ECJPAKE: use MD_CAN macros * ECJPAKE: always use MD light * Make MD_PSA_INIT/DONE available to all suites * PSA hash algs must be a superset of built-ins * MD no longer depends on a built-in hash * test_suite_ssl: remove redundant ECDH dependencies when the key exchange is specified * ssl-opt: remove leftover debug commands and fix comment * ecdh: solve disparities in accelerated ECDH vs reference * ssl_tls: fix guards for accelerated ECDH * ssl-opt: solve errors in ECDH reference tests * test: enable ECDH key exchanges for driver coverage tests * Add exemption for make.bat in checks for tabs * Ignore mbedtls macros causing warnings * Add configuration for Read The Docs * Add initial API doc configuration * Tell Doxygen to generate XML * Add space to appease doxygen bug * ssl_helpers.c: add mbedtls_test prefix for tweak_tls13_certificate* * ssl_helpers.c: add mbedtls_test_ssl prefix for *_exchange_data * ssl_helpers.c: add mbedtls_test prefix for mbedtls_mock_socket_init * ssl_helpers.c: change prefix and move *queue_peek_info to static * ssl_helpers.c: change prefix and move *certificate_free to static * ssl_helpers.c: move some internal functions to 
static * ssl_cache: Improve some comments * ssl_helpers.c: move #define Directive to header file * ssl_helpers.c: unify code format between source file and header file * fix win32 ms time fail * Adjust time delay tests to fix fails * change the clock source to MONOTONIC * remove extra spaces * fix random fails * Fix llvm error: variables may be used uninitialized * Add time test with delay * Update changelog * compat.sh: return $? in option --list-test-case to handle error case * check_test_cases.py: do not redirect stderr to stdout * check_test_cases.py: use check_output to capture error and return * Fix md test with sha3. * Add tests for time rountine * Add change log entry for `mbedtls_ms_time` * check_test_cases.py: simplify how to store test case description * compat.sh: uniform TITLE format for --list-test-case and run_client * compat.sh: fix uncompatiable name of peers in --list-test-case * ssl-opt.sh: support to parse --outcome-file * test-framework.md: document compat.sh * compat.sh: add support to record outcome of test cases * compat.sh: call record_fail if test case fails * compat.sh: uniform test description * check_test_cases.py: support checking test coverage in compat.sh * compat.sh: add --list-test-case * Change free'd to freed for consistency * Correct INT_MAX overflow check to UINT_MAX * Revert minimal integer requests * Return seconds when clock_gettime error * Improve documents about ms_time * Add negative test cases for OID parsing * Clarify structure of parsing with comments: * Remove superfluous sizeof(unsigned char) * Fixup: Correct signedness of val local variable * Use return for errors only in oid_parse_number() * Improve header docs and rename parameter * Correct error in processing of second component * Change some error codes to be more accurate * Add tests for OID parsing from string * Add function to parse an OID from a string * Improve readability * Put *MS_TIME* into together. 
* Improve code style * Add check, if the algorithm supports psa_sign_hash() before running the test. * Correct style. * SHA3 cannot be tested alone, as ENTROPY_C needs also SHA256 enabled. * Style. * Bad merge. These tests are not used. * Add std PRI macro for printing milliseconds * fix comments issues * Change type of mbedtls_ms_time_t * Add more comment for mbedtls_ms_time * Implement ms time with GetSystemTimeAsFile time. * Pass attributes alongside key buffer * Fix math character used in text mode * Fix entry point name * Key derivation: improve overview of the problem space * Add milliseconds time function * Add million seconds time type. * Remove useless debug log of pk type from test cases * typo * Update library/sha3.c * Add const to move variables to .rodata section * Update mps_common.h * Fix naming confusion with opaque key derivation * New function psa_crypto_driver_key_derivation_get_input_type * Add guide to implementing new cryptographic mechanisms * List all markdown files in makefile * Be more consistent with raw/cooked key derivation terminology * Fix typos and copypasta * Fix internal links * Fix dependency of HMAC-SHA384 tests. * Add sha3 streaming and reuse tests. * Add self tests (taken from #1549). * Fix travis build. * Adding tests for MD SHA3 (taken from #1549). * Fix when reusing the same context for another operation. * Added SHA3 to benchmark. * Added SHA3 to MD. * olen parameter shall contain the length of the buffer. * Remove sha3_alt.h * Fix when no SHA3 family is found. * olen = 0 is not allowed for SHA-3. * SHA-3 does not use SHA3_ALT anymore. * Aligning spaces * Add test vectors (from NIST) for SHA-3. * Add SHA-3 module. 
  * Use QueryPerformanceCounter as fallback timer on non-x86 mingw
  * Clarify backward compatibility requirement
  * Write up requirements
  * Updated slot->attr and slot->key access
  * Rename a function parameter to avoid confusion
  * Draft specification for key derivation
  * PSA thread safety analysis

-------------------------------------------------------------------
Mon Aug 07 12:37:11 UTC 2023 - info@paolostivanin.com

- Update to version 3.4.1:
  * Update more test dependencies when using test-ca.key
  * Update test dependencies when using test-ca.key
  * Add _build/ and api/ to gitignore
  * Clean the breathe-apidoc files with make clean
  * Revert "Add exemption for make.bat in checks for tabs"
  * Remove make.bat for documentation
  * Improve docs Makefile to do full build
  * Improve positioning of GENERATE_XML option
  * Remove Exhale from requirements and regenerate
  * Add exemption for make.bat in checks for tabs
  * Ignore mbedtls macros causing warnings
  * Add configuration for Read The Docs
  * Add initial API doc configuration
  * Tell Doxygen to generate XML
  * Add space to appease doxygen bug
  * Announce a release for Friday
  * Prepare changelog for release
  * Bump version to 3.4.1
  * Write changelog entry for the test data update
  * Update failing unit tests to use the moved data files
  * Copy test certificates files from development
  * Add changelog entry
  * Support compilation using CLang on Windows

-------------------------------------------------------------------
Mon May 29 17:41:24 UTC 2023 - Arjen de Korte <suse+build@de-korte.org>

- Remove obsolete CMake options as these are not used in 3.0+
  (USE_PKCS11_HELPER_LIBRARY, ENABLE_ZLIB_SUPPORT)
- Enable MBEDTLS_THREADING_C and MBEDTLS_THREADING_PTHREAD (boo#1211810)
  + mbedtls-enable-pthread.patch
- Parallel execution of ctest works just fine (no need to limit to
  one job)

-------------------------------------------------------------------
Sun May 7 20:44:12 UTC 2023 - Mariusz Fik <fisiu@opensuse.org>

- Enable THREADING with PTHREAD.

------------------------------------------------------------------- Fri Apr 28 08:25:31 UTC 2023 - Martin Pluskal <mpluskal@suse.com> - Update to version 3.4.0: * psa_util: fix for correctly computing elements in array * Add generated files * Update BRANCHES.md * Bump library, libcrypto and libx509 versions * Assemble Changelog for 3.4.0 release * Add security entry to ChangeLog for AES-NI * Add security entry to ChangeLog for AES-CE * Add TLS1.2 Opaque ECJPAKE changelog entry - Switch to scm service ------------------------------------------------------------------- Wed Mar 8 11:38:26 UTC 2023 - Martin Pluskal <mpluskal@suse.com> - Build AVX2 enabled hwcaps library for x86_64-v3 ------------------------------------------------------------------- Wed Dec 21 11:10:10 UTC 2022 - Alexander Bergmann <abergmann@suse.com> - Update to 2.28.2: (bsc#1206576, CVE-2022-46393) Security: * Fix potential heap buffer overread and overwrite in DTLS if MBEDTLS_SSL_DTLS_CONNECTION_ID is enabled and MBEDTLS_SSL_CID_IN_LEN_MAX > 2 * MBEDTLS_SSL_CID_OUT_LEN_MAX. * An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) could recover an RSA private key after observing the victim performing a single private-key operation if the window size used for the exponentiation was 3 or smaller. Found and reported by Zili KOU, Wenjian HE, Sharad Sinha, and Wei ZHANG. See "Cache Side-channel Attacks and Defenses of the Sliding Window Algorithm in TEEs" - Design, Automation and Test in Europe 2023. Bugfix: * Fix a long-standing build failure when building x86 PIC code with old gcc (4.x). The code will be slower, but will compile. We do however recommend upgrading to a more recent compiler instead. Fixes #1910. * Fix support for little-endian Microblaze when MBEDTLS_HAVE_ASM is defined. Contributed by Kazuyuki Kimura to fix #2020. * Use double quotes to include private header file psa_crypto_cipher.h. 
Fixes 'file not found with include' error when building with Xcode. * Fix handling of broken symlinks when loading certificates using mbedtls_x509_crt_parse_path(). Instead of returning an error as soon as a broken link is encountered, skip the broken link and continue parsing other certificate files. Contributed by Eduardo Silva in #2602. * Fix a compilation error when using CMake with an IAR toolchain. Fixes #5964. * Fix bugs and missing dependencies when building and testing configurations with only one encryption type enabled in TLS 1.2. * Provide the missing definition of mbedtls_setbuf() in some configurations with MBEDTLS_PLATFORM_C disabled. Fixes #6118, #6196. * Fix compilation errors when trying to build with PSA drivers for AEAD (GCM, CCM, Chacha20-Poly1305). * Fix memory leak in ssl_parse_certificate_request() caused by mbedtls_x509_get_name() not freeing allocated objects in case of error. Change mbedtls_x509_get_name() to clean up allocated objects on error. * Fix checks on PK in check_config.h for builds with PSA and RSA. This does not change which builds actually work, only moving a link-time error to an early check. * Fix ECDSA verification, where it was not always validating the public key. This bug meant that it was possible to verify a signature with an invalid public key, in some cases. Reported by Guido Vranken using Cryptofuzz in #4420. * Fix a possible null pointer dereference if a memory allocation fails in TLS PRF code. Reported by Michael Madsen in #6516. * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable bytes when parsing certificates containing a binary RFC 4108 HardwareModuleName as a Subject Alternative Name extension. Hardware serial numbers are now rendered in hex format. Fixes #6262. * Fix bug in error reporting in dh_genprime.c where upon failure, the error code returned by mbedtls_mpi_write_file() is overwritten and therefore not printed. 
  * In the bignum module, operations of the form (-A) - (+A) or (-A) - (-A) with A > 0 created an unintended representation of the value 0 which was not processed correctly by some bignum operations. Fix this. This had no consequence on cryptography code, but might affect applications that call bignum directly and use negative numbers.
  * Fix undefined behavior (typically harmless in practice) of mbedtls_mpi_add_mpi(), mbedtls_mpi_add_abs() and mbedtls_mpi_add_int() when both operands are 0 and the left operand is represented with 0 limbs.
  * Fix undefined behavior (typically harmless in practice) when some bignum functions receive the most negative value of mbedtls_mpi_sint. Credit to OSS-Fuzz. Fixes #6597.
  * Fix undefined behavior (typically harmless in practice) in PSA ECB encryption and decryption.

-------------------------------------------------------------------
Fri Nov 4 16:53:36 UTC 2022 - Mia Herkt <mia@0x0.st>

- Update to 2.28.1: (CVE-2022-35409)
  Default behavior changes
  * mbedtls_cipher_set_iv will now fail with ChaCha20 and ChaCha20+Poly1305 for IV lengths other than 12. The library was silently overwriting this length with 12, but did not inform the caller about it. gh#Mbed-TLS/mbedtls#4301
  Features
  * When MBEDTLS_PSA_CRYPTO_CONFIG is enabled, you may list the PSA crypto feature requirements in the file named by the new macro MBEDTLS_PSA_CRYPTO_CONFIG_FILE instead of the default psa/crypto_config.h. Furthermore you may name an additional file to include after the main file with the macro MBEDTLS_PSA_CRYPTO_USER_CONFIG_FILE.
  Security
  * Zeroize dynamically-allocated buffers used by the PSA Crypto key storage module before freeing them. These buffers contain secret key material, and could thus potentially leak the key through freed heap.
  * Fix a potential heap buffer overread in TLS 1.2 server-side when MBEDTLS_USE_PSA_CRYPTO is enabled, an opaque key (created with mbedtls_pk_setup_opaque()) is provisioned, and a static ECDH ciphersuite is selected.
    This may result in an application crash or potentially an information leak.
  * Fix a buffer overread in DTLS ClientHello parsing in servers with MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE enabled. An unauthenticated client or a man-in-the-middle could cause a DTLS server to read up to 255 bytes after the end of the SSL input buffer. The buffer overread only happens when MBEDTLS_SSL_IN_CONTENT_LEN is less than a threshold that depends on the exact configuration: 258 bytes if using mbedtls_ssl_cookie_check(), and possibly up to 571 bytes with a custom cookie check function. Reported by the Cybeats PSI Team.
  Bugfix
  * Fix a memory leak if mbedtls_ssl_config_defaults() is called twice.
  * Fix several bugs (warnings, compiler and linker errors, test failures) in reduced configurations when MBEDTLS_USE_PSA_CRYPTO is enabled.
  * Fix a bug in (D)TLS curve negotiation: when MBEDTLS_USE_PSA_CRYPTO was enabled and an ECDHE-ECDSA or ECDHE-RSA key exchange was used, the client would fail to check that the curve selected by the server for ECDHE was indeed one that was offered. As a result, the client would accept any curve that it supported, even if that curve was not allowed according to its configuration. gh#Mbed-TLS/mbedtls#5291
  * Fix unit tests that used 0 as the file UID. This failed on some implementations of PSA ITS. gh#Mbed-TLS/mbedtls#3838
  * Fix API violation in mbedtls_md_process() test by adding a call to mbedtls_md_starts(). gh#Mbed-TLS/mbedtls#2227
  * Fix compile errors when MBEDTLS_HAVE_TIME is not defined. Add tests to catch bad uses of time.h.
  * Fix bug in the alert sending function mbedtls_ssl_send_alert_message() potentially leading to corrupted alert messages being sent in case the function needs to be re-called after initially returning MBEDTLS_SSL_WANT_WRITE.
    gh#Mbed-TLS/mbedtls#1916
  * In configurations with MBEDTLS_SSL_DTLS_CONNECTION_ID enabled but none of MBEDTLS_SSL_HW_RECORD_ACCEL, MBEDTLS_SSL_EXPORT_KEYS or MBEDTLS_DEBUG_C, DTLS handshakes using CID would crash due to a null pointer dereference. Fix this. gh#Mbed-TLS/mbedtls#3998
  * Fix incorrect documentation of mbedtls_x509_crt_profile. The previous documentation stated that the allowed_pks field applies to signatures only, but in fact it does apply to the public key type of the end entity certificate, too. gh#Mbed-TLS/mbedtls#1992
  * Fix PSA cipher multipart operations using ARC4. Previously, an IV was required but discarded. Now, an IV is rejected, as it should be.
  * Fix undefined behavior in mbedtls_asn1_find_named_data(), where val is not NULL and val_len is zero. psa_raw_key_agreement() now returns PSA_ERROR_BUFFER_TOO_SMALL when applicable. gh#Mbed-TLS/mbedtls#5735
  * Fix a bug in the x25519 example program where the removal of MBEDTLS_ECDH_LEGACY_CONTEXT caused the program not to run. gh#Mbed-TLS/mbedtls#4901 gh#Mbed-TLS/mbedtls#3191
  * Encode X.509 dates before 1/1/2000 as UTCTime rather than GeneralizedTime. gh#Mbed-TLS/mbedtls#5465
  * Fix order value of curve x448.
  * Fix string representation of DNs when outputting values containing commas and other special characters, conforming to RFC 1779. gh#Mbed-TLS/mbedtls#769
  * Silence a warning from GCC 12 in the selftest program. gh#Mbed-TLS/mbedtls#5974
  * Fix mbedtls_asn1_write_mpi() writing an incorrect encoding of 0.
  * Fix resource leaks in mbedtls_pk_parse_public_key() in low memory conditions.
  * Fix server connection identifier setting for outgoing encrypted records on DTLS 1.2 session resumption. After DTLS 1.2 session resumption with connection identifier, the Mbed TLS client now properly sends the server connection identifier in encrypted record headers.
    gh#Mbed-TLS/mbedtls#5872
  * Fix a null pointer dereference when performing some operations on zero represented with 0 limbs (specifically mbedtls_mpi_mod_int() dividing by 2, and mbedtls_mpi_write_string() in base 2).
  * Fix record sizes larger than 16384 being sometimes accepted despite being non-compliant. This could not lead to a buffer overflow. In particular, application data size was already checked correctly.

-------------------------------------------------------------------
Mon Jan 17 13:11:33 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Fix baselib.conf

-------------------------------------------------------------------
Thu Jan 13 12:46:09 UTC 2022 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Update to 2.28.0: (bsc#1193979, CVE-2021-45450)
  API changes
  * Some fields of mbedtls_ssl_session and mbedtls_ssl_config are in a different order. This only affects applications that define such structures directly or serialize them.
  Requirement changes
  * Sign-magnitude and one's complement representations for signed integers are not supported. Two's complement is the only supported representation.
  Removals
  * Remove config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_CERTIFICATES, which allowed SHA-1 in the default TLS configuration for certificate signing. It was intended to facilitate the transition in environments with SHA-1 certificates. SHA-1 is considered a weak message digest and its use constitutes a security risk.
  * Remove the partial support for running unit tests via Greentea on Mbed OS, which had been unmaintained since 2018.
  Features
  * The identifier of the CID TLS extension can be configured by defining MBEDTLS_TLS_EXT_CID at compile time.
  * Warn if errors from certain functions are ignored. This is currently supported on GCC-like compilers and on MSVC and can be configured through the macro MBEDTLS_CHECK_RETURN.
    The warnings are always enabled (where supported) for critical functions where ignoring the return value is almost always a bug. Enable the new configuration option MBEDTLS_CHECK_RETURN_WARNING to get warnings for other functions. This is currently implemented in the AES, DES and md modules, and will be extended to other modules in the future.
  * Add missing PSA macros declared by PSA Crypto API 1.0.0: PSA_ALG_IS_SIGN_HASH, PSA_ALG_NONE, PSA_HASH_BLOCK_LENGTH, PSA_KEY_ID_NULL.
  * Add new API mbedtls_ct_memcmp for constant time buffer comparison.
  * Add PSA API definition for ARIA.
  Security
  * Zeroize several intermediate variables used to calculate the expected value when verifying a MAC or AEAD tag. This hardens the library in case the value leaks through a memory disclosure vulnerability. For example, a memory disclosure vulnerability could have allowed a man-in-the-middle to inject fake ciphertext into a DTLS connection.
  * In psa_cipher_generate_iv() and psa_cipher_encrypt(), do not read back from the output buffer. This fixes a potential policy bypass or decryption oracle vulnerability if the output buffer is in memory that is shared with an untrusted application.
  * Fix a double-free that happened after mbedtls_ssl_set_session() or mbedtls_ssl_get_session() failed with MBEDTLS_ERR_SSL_ALLOC_FAILED (out of memory). After that, calling mbedtls_ssl_session_free() and mbedtls_ssl_free() would cause an internal session buffer to be free()'d twice.
  Bugfix
  * Stop using reserved identifiers as local variables. Fixes #4630.
  * The GNU makefiles invoke python3 in preference to python except on Windows.
  * The check was accidentally not performed when cross-compiling for Windows on Linux. Fix this. Fixes #4774.
  * Prevent divide by zero if either of PSA_CIPHER_ENCRYPT_OUTPUT_SIZE() or PSA_CIPHER_UPDATE_OUTPUT_SIZE() were called using an asymmetric key type.
  * Fix a parameter set but unused in psa_crypto_cipher.c. Fixes #4935.
  * Don't use the obsolete header path sys/fcntl.h in unit tests. These header files cause compilation errors in musl. Fixes #4969.
  * Fix missing constraints on x86_64 and aarch64 assembly code for bignum multiplication that broke some bignum operations with (at least) Clang 12. Fixes #4116, #4786, #4917, #4962.
  * Fix mbedtls_cipher_crypt: AES-ECB when MBEDTLS_USE_PSA_CRYPTO is enabled.
  * Failures of alternative implementations of AES or DES single-block functions enabled with MBEDTLS_AES_ENCRYPT_ALT, MBEDTLS_AES_DECRYPT_ALT, MBEDTLS_DES_CRYPT_ECB_ALT or MBEDTLS_DES3_CRYPT_ECB_ALT were ignored. This does not concern the implementation provided with Mbed TLS, where this function cannot fail, or full-module replacements with MBEDTLS_AES_ALT or MBEDTLS_DES_ALT. Reported by Armelle Duboc in #1092.
  * Some failures of HMAC operations were ignored. These failures could only happen with an alternative implementation of the underlying hash module.
  * Fix the error returned by psa_generate_key() for a public key. Fixes #4551.
  * Fix the build of sample programs when neither MBEDTLS_ERROR_C nor MBEDTLS_ERROR_STRERROR_DUMMY is enabled.
  * Fix PSA_ALG_RSA_PSS verification accepting an arbitrary salt length. This algorithm now accepts only the same salt length for verification that it produces when signing, as documented. Use the new algorithm PSA_ALG_RSA_PSS_ANY_SALT to accept any salt length. Fixes #4946.
  * The existing predicate macro name PSA_ALG_IS_HASH_AND_SIGN is now reserved for algorithm values that fully encode the hashing step, as per the PSA Crypto API specification. This excludes PSA_ALG_RSA_PKCS1V15_SIGN_RAW and PSA_ALG_ECDSA_ANY. The new predicate macro PSA_ALG_IS_SIGN_HASH covers all algorithms that can be used with psa_{sign,verify}_hash(), including these two.
  * Fix issue in Makefile on Linux with SHARED=1, that caused shared libraries not to list other shared libraries they need.
  * Fix a bug in mbedtls_gcm_starts() when the bit length of the iv exceeds 2^32.
    Fixes #4884.
  * Fix an uninitialized variable warning in test_suite_ssl.function with GCC version 11.
  * Fix the build when no SHA2 module is included. Fixes #4930.
  * Fix the build when only the bignum module is included. Fixes #4929.
  * Fix a potential invalid pointer dereference and infinite loop bugs in pkcs12 functions when the password is empty. Fix the documentation to better describe the inputs to these functions and their possible values. Fixes #5136.
  * The key usage flag PSA_KEY_USAGE_SIGN_MESSAGE now allows the MAC operations psa_mac_compute() and psa_mac_sign_setup().
  * The key usage flag PSA_KEY_USAGE_VERIFY_MESSAGE now allows the MAC operations psa_mac_verify() and psa_mac_verify_setup().
  Changes
  * Set config option MBEDTLS_TLS_DEFAULT_ALLOW_SHA1_IN_KEY_EXCHANGE to be disabled by default.
  * Improve the performance of base64 constant-flow code. The result is still slower than the original non-constant-flow implementation, but much faster than the previous constant-flow implementation. Fixes #4814.
  * Indicate in the error returned if the nonce length used with ChaCha20-Poly1305 is invalid, and not just unsupported.
  * The mbedcrypto library includes a new source code module constant_time.c, containing various functions meant to resist timing side channel attacks.
  * This module does not have a separate configuration option, and functions from this module will be included in the build as required. Currently most of the interface of this module is private and may change at any time.

-------------------------------------------------------------------
Tue Jul 20 07:33:28 UTC 2021 - Pedro Monreal <pmonreal@suse.com>

- Update to 2.27.0:
  API changes:
  * Update AEAD output size macros to bring them in line with the PSA Crypto API version 1.0 spec. This version of the spec parameterizes them on the key type used, as well as the key bit-size in the case of PSA_AEAD_TAG_LENGTH.
    The old versions of these macros were renamed and deprecated as follows:
    - PSA_AEAD_TAG_LENGTH -> PSA_AEAD_TAG_LENGTH_1_ARG
    - PSA_AEAD_ENCRYPT_OUTPUT_SIZE -> PSA_AEAD_ENCRYPT_OUTPUT_SIZE_2_ARG
    - PSA_AEAD_DECRYPT_OUTPUT_SIZE -> PSA_AEAD_DECRYPT_OUTPUT_SIZE_2_ARG
    - PSA_AEAD_UPDATE_OUTPUT_SIZE -> PSA_AEAD_UPDATE_OUTPUT_SIZE_2_ARG
    - PSA_AEAD_FINISH_OUTPUT_SIZE -> PSA_AEAD_FINISH_OUTPUT_SIZE_1_ARG
    - PSA_AEAD_VERIFY_OUTPUT_SIZE -> PSA_AEAD_VERIFY_OUTPUT_SIZE_1_ARG
  * Implement one-shot cipher functions, psa_cipher_encrypt and psa_cipher_decrypt, according to the PSA Crypto API 1.0.0 specification.
  Features:
  * Add mbedtls_rsa_rsassa_pss_sign_ext() function allowing to generate a signature with a specific salt length. This function allows to validate test cases provided in the NIST's CAVP test suite.
  * Added support for built-in driver keys through the PSA opaque crypto driver interface. Refer to the documentation of MBEDTLS_PSA_CRYPTO_BUILTIN_KEYS for more information.
  * Implement psa_sign_message() and psa_verify_message().
  * The new function mbedtls_mpi_random() generates a random value in a given range uniformly.
  * Implement psa_mac_compute() and psa_mac_verify() as defined in the PSA Cryptography API 1.0.0 specification.
  * MBEDTLS_ECP_MAX_BITS is now determined automatically from the configured curves and no longer needs to be configured explicitly to save RAM.
  Security
  * Fix a bias in the generation of finite-field Diffie-Hellman-Merkle (DHM) private keys and of blinding values for DHM and elliptic curves (ECP) computations.
  * Fix a potential side channel vulnerability in ECDSA ephemeral key generation. An adversary who is capable of very precise timing measurements could learn partial information about the leading bits of the nonce used for the signature, allowing the recovery of the private key after observing a large number of signature operations. This completes a partial fix in Mbed TLS 2.20.0.
  * It was possible to configure MBEDTLS_ECP_MAX_BITS to a value that is too small, leading to buffer overflows in ECC operations. Fail the build in such a case.
  * An adversary with access to precise enough information about memory accesses (typically, an untrusted operating system attacking a secure enclave) could recover an RSA private key after observing the victim performing a single private-key operation.
  * An adversary with access to precise enough timing information (typically, a co-located process) could recover a Curve25519 or Curve448 static ECDH key after inputting a chosen public key and observing the victim performing the corresponding private-key operation.
  Bugfix
  * Add printf function attributes to mbedtls_debug_print_msg to ensure we get printf format specifier warnings.
  * Fix premature fopen() call in mbedtls_entropy_write_seed_file which may lead to seed file corruption in the case where the path to the seed file is equal to MBEDTLS_PLATFORM_STD_NV_SEED_FILE.
  * PSA functions other than psa_open_key now return PSA_ERROR_INVALID_HANDLE rather than PSA_ERROR_DOES_NOT_EXIST for an invalid handle, bringing them in line with version 1.0.0 of the specification.
  * PSA functions creating a key now return PSA_ERROR_INVALID_ARGUMENT rather than PSA_ERROR_INVALID_HANDLE when the identifier specified for the key to create is not valid, bringing them in line with version 1.0.0 of the specification.
  * Fix some cases in the bignum module where the library constructed an unintended representation of the value 0 which was not processed correctly by some bignum operations. This could happen when mbedtls_mpi_read_string() was called on "-0", or when mbedtls_mpi_mul_mpi() and mbedtls_mpi_mul_int() were called with one of the arguments being negative and the other being 0.
  * Fix a bug in ECDSA that would cause it to fail when the hash is all-bits zero.
  * Fix a compilation error when MBEDTLS_ECP_RANDOMIZE_MXZ_ALT is defined.
  * Fix an incorrect error code when parsing a PKCS#8 private key.
  * In a TLS client, enforce the Diffie-Hellman minimum parameter size set with mbedtls_ssl_conf_dhm_min_bitlen() precisely. Before, the minimum size was rounded down to the nearest multiple of 8.
  * In library/net_sockets.c, _POSIX_C_SOURCE and _XOPEN_SOURCE are defined to specific values. If the code is used in a context where these are already defined, this can result in a compilation error. Instead, assume that if they are defined, the values will be adequate to build Mbed TLS.
  * The cipher suite TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384 was not available when SHA-1 was disabled and was offered when SHA-1 was enabled but SHA-384 was disabled. Fix the dependency.
  * Do not offer SHA384 cipher suites when SHA-384 is disabled.
  * With MBEDTLS_PSA_CRYPTO_C disabled, some functions were getting built nonetheless, resulting in undefined reference errors when building a shared library.
  * Fix test suite code on platforms where int32_t is not int, such as Arm Cortex-M.
  * Fix some issues affecting MBEDTLS_ARIA_ALT implementations: a misplaced directive in a header and a missing initialization in the self-test.
  * Fix a missing initialization in the Camellia self-test, affecting MBEDTLS_CAMELLIA_ALT implementations.
  * Restore the ability to configure PSA via Mbed TLS options to support RSA key pair operations but exclude RSA key generation. When MBEDTLS_GENPRIME is not defined PSA will no longer attempt to use mbedtls_rsa_gen_key().
  * Fix a regression introduced in 2.24.0 which broke (D)TLS CBC ciphersuites (when the encrypt-then-MAC extension is not in use) with some ALT implementations of the underlying hash (SHA-1, SHA-256, SHA-384), causing the affected side to wrongly reject valid messages.
  * Remove outdated check-config.h check that prevented implementing the timing module on Mbed OS.
  * Fix PSA_ALG_TLS12_PRF and PSA_ALG_TLS12_PSK_TO_MS being too permissive about missing inputs.
  * Fix a resource leak in a test suite with an alternative AES implementation.
  * Fix a crash in mbedtls_mpi_debug_mpi on a bignum having 0 limbs. This could notably be triggered by setting the TLS debug level to 3 or above and using a Montgomery curve for the key exchange.
  * psa_verify_hash() was relying on implementation-specific behavior of mbedtls_rsa_rsassa_pss_verify() and was causing failures in some _ALT implementations. This reliance is now removed.
  * Disallow inputs of length different from the corresponding hash when signing or verifying with PSA_ALG_RSA_PSS (The PSA Crypto API mandates that PSA_ALG_RSA_PSS uses the same hash throughout the algorithm.)
  * Fix a null pointer dereference when mbedtls_mpi_exp_mod() was called with A=0 represented with 0 limbs. Up to and including Mbed TLS 2.26, this bug could not be triggered by code that constructed A with one of the mbedtls_mpi_read_xxx functions (including in particular TLS code) since those always built an mpi object with at least one limb.
  * Fix mbedtls_mpi_gcd(G,A,B) when the value of B is zero. This had no effect on Mbed TLS's internal use of mbedtls_mpi_gcd(), but may affect applications that call mbedtls_mpi_gcd() directly.
  * The PSA API no longer allows the creation or destruction of keys with a read-only lifetime. The persistence level PSA_KEY_PERSISTENCE_READ_ONLY can now only be used as intended, for keys that cannot be modified through normal use of the API.
  * When MBEDTLS_PSA_CRYPTO_SPM is enabled, crypto_spe.h was not included in all the right places. Include it from crypto_platform.h, which is the natural place.
  * mbedtls_pk_sign() and mbedtls_pk_verify() and their extended and restartable variants now always honor the specified hash length if nonzero. Before, for RSA, hash_len was ignored in favor of the length of the specified hash algorithm.
  * Fix which alert is sent in some cases to conform to the applicable RFC: on an invalid Finished message value, an invalid max_fragment_length extension, or an unsupported extension used by the server.
  * Correct (change from 12 to 13 bytes) the value of the macro describing the maximum nonce length returned by psa_aead_generate_nonce().
  Changes
  * Add extra printf compiler warning flags to builds.
  * Fix memsan build false positive in x509_crt.c with Clang 11
  * Fix the setting of the read timeout in the DTLS sample programs.
  * Remove the AES sample application programs/aes/aescrypt2 which shows bad cryptographic practice.
  * Alternative implementations of CMAC may now opt to not support 3DES as a CMAC block cipher, and still pass the CMAC self test.
  * Remove configs/config-psa-crypto.h, which was identical to the default configuration except for having some extra cryptographic mechanisms enabled and for unintended differences. This configuration was primarily intended to demonstrate the PSA API, and lost most of its usefulness when MBEDTLS_PSA_CRYPTO_C became enabled by default.
  * When building the test suites with GNU make, invoke python3 or python, not python2, which is no longer supported upstream.
  * When using session cache based session resumption on the server, double-check that custom session cache implementations return sessions which are consistent with the negotiated ciphersuite and compression method.
  * Fix build failure on MinGW toolchain when __USE_MING_ANSI_STDIO is on. When that flag is on, standard GNU C printf format specifiers should be used.
  * Reduce the default value of MBEDTLS_ECP_WINDOW_SIZE. This reduces RAM usage during ECC operations at a negligible performance cost.
  * mbedtls_mpi_read_binary(), mbedtls_mpi_read_binary_le() and mbedtls_mpi_read_string() now construct an mbedtls_mpi object with 0 limbs when their input has length 0.
    Note that this is an implementation detail and can change at any time, so this change should be transparent, but it may result in mbedtls_mpi_write_binary() or mbedtls_mpi_write_string() now writing an empty string where it previously wrote one or more zero digits when operating from values constructed with an mpi_read function and some mpi operations.
  * Implicitly add PSA_KEY_USAGE_SIGN_MESSAGE key usage policy flag when PSA_KEY_USAGE_SIGN_HASH flag is set and PSA_KEY_USAGE_VERIFY_MESSAGE flag when PSA_KEY_USAGE_VERIFY_HASH flag is set. This usage flag extension is also applied when loading a key from storage.
  * Remove mbedtls-4237.patch upstream
  * Library soname bump to libmbedcrypto7

-------------------------------------------------------------------
Thu Apr 15 16:00:07 UTC 2021 - Martin Pluskal <mpluskal@suse.com>

- Workaround for building with gcc-11 boo#1181876

-------------------------------------------------------------------
Mon Mar 22 15:54:07 UTC 2021 - Guillaume GARDET <guillaume.gardet@opensuse.org>

- Update to 2.26.0: [bsc#1189589, CVE-2021-24119]
  * This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.26.0
- Fix build with patch from https://github.com/ARMmbed/mbedtls/pull/4237
  mbedtls-4237.patch

-------------------------------------------------------------------
Tue Jan 19 20:25:34 UTC 2021 - Luigi Baldoni <aloisio@gmx.com>

- Fix build for Leap targets
- Use upstream tarball name

-------------------------------------------------------------------
Tue Dec 22 10:11:45 UTC 2020 - Dirk Müller <dmueller@suse.com>

- update to 2.25.0:
  * This release of Mbed TLS provides bug fixes, minor enhancements and new features. This release includes fixes for security issues.
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.25.0
  * The functions mbedtls_cipher_auth_encrypt() and mbedtls_cipher_auth_decrypt() would write past the minimum documented size of the output buffer when used with NIST_KW. As a result, code using those functions as documented with NIST_KW could have a buffer overwrite of up to 15 bytes, with consequences ranging up to arbitrary code execution depending on the location of the output buffer.
  * Limit the size of calculations performed by mbedtls_mpi_exp_mod to MBEDTLS_MPI_MAX_SIZE to prevent a potential denial of service when generating Diffie-Hellman key pairs. Credit to OSS-Fuzz.
  * A failure of the random generator was ignored in mbedtls_mpi_fill_random(), which is how most uses of randomization in asymmetric cryptography (including key generation, intermediate value randomization and blinding) are implemented. This could cause failures or the silent use of non-random values. A random generator can fail if it needs reseeding and cannot obtain entropy, or due to an internal failure (which, for Mbed TLS's own CTR_DRBG or HMAC_DRBG, can only happen due to a misconfiguration).
  * Fix a compliance issue whereby we were not checking the tag on the algorithm parameters (only the size) when comparing the signature in the description part of the cert to the real signature. This meant that a NULL algorithm parameters entry would look identical to an array of REAL (size zero) to the library and thus the certificate would be considered valid. However, if the parameters do not match in any way then the certificate should be considered invalid, and indeed OpenSSL marks these certs as invalid when mbedtls did not. Many thanks to guidovranken who found this issue via differential fuzzing and reported it in #3629.
  * Zeroising of local buffers and variables which are used for calculations in mbedtls_pkcs5_pbkdf2_hmac(), mbedtls_internal_sha*_process(), mbedtls_internal_md*_process() and mbedtls_internal_ripemd160_process() functions to erase sensitive data from memory. Reported by Johan Malmgren and Johan Uppman Bruce from Sectra.

-------------------------------------------------------------------
Wed Sep 9 11:24:12 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- update to 2.24.0:
  * see https://github.com/ARMmbed/mbedtls/releases/tag/v2.24.0
  * Fix a vulnerability in the verification of X.509 certificates when matching the expected common name (the cn argument of mbedtls_x509_crt_verify()) with the actual certificate name: when the subjectAltName extension is present, the expected name was compared to any name in that extension regardless of its type. This means that an attacker could for example impersonate a 4-byte or 16-byte domain by getting a certificate for the corresponding IPv4 or IPv6 (this would require the attacker to control that IP address, though). Similar attacks using other subjectAltName name types might be possible.
  * When checking X.509 CRLs, a certificate was only considered as revoked if its revocationDate was in the past according to the local clock if available. In particular, on builds without MBEDTLS_HAVE_TIME_DATE, certificates were never considered as revoked. On builds with MBEDTLS_HAVE_TIME_DATE, an attacker able to control the local clock (for example, an untrusted OS attacking a secure enclave) could prevent revocation of certificates via CRLs. Fixed by no longer checking the revocationDate field, in accordance with RFC 5280. Reported by yuemonangong in #3340. Reported independently and fixed by Raoul Strackx and Jethro
  * In (D)TLS record decryption, when using a CBC ciphersuite without the Encrypt-then-Mac extension, use constant code flow memory access patterns to extract and check the MAC.
    This is an improvement to the existing countermeasure against Lucky 13 attacks. The previous countermeasure was effective against network-based attackers, but less so against local attackers. The new countermeasure defends against local attackers, even if they have access to fine-grained measurements. In particular, this fixes a local Lucky 13 cache attack found and reported by Tuba Yavuz, Farhaan Fowze, Ken (Yihan) Bai, Grant Hernandez, and Kevin Butler (University of Florida) and Dave Tian (Purdue University).
  * Fix side channel in RSA private key operations and static (finite-field) Diffie-Hellman. An adversary with precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could bypass an existing counter-measure (base blinding) and potentially fully recover the private key.
  * Fix a 1-byte buffer overread in mbedtls_x509_crl_parse_der(). Credit to OSS-Fuzz for detecting the problem and to Philippe Antoine for pinpointing the problematic code.
  * Zeroising of plaintext buffers in mbedtls_ssl_read() to erase unused application data from memory.

-------------------------------------------------------------------
Mon Sep 7 01:37:34 UTC 2020 - Stefan Brüns <stefan.bruens@rwth-aachen.de>

- Add workaround for failing builds (Python not found) due to https://gitlab.kitware.com/cmake/cmake/-/issues/21168

-------------------------------------------------------------------
Mon Aug 31 10:41:19 UTC 2020 - Martin Pluskal <mpluskal@suse.com>

- Do not run testsuite in parallel - it's not reliable

-------------------------------------------------------------------
Mon Aug 17 07:53:22 UTC 2020 - Dirk Mueller <dmueller@suse.com>

- update to 2.23.0:
  a lot of changes see https://github.com/ARMmbed/mbedtls/releases/tag/v2.23.0
  * Fix a side channel vulnerability in modular exponentiation that could reveal an RSA private key used in a secure enclave.
    Noticed by Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim and Hyesoon Kim (Georgia Institute of Technology); and Marcus Peinado (Microsoft Research). Reported by Raoul Strackx (Fortanix) in #3394.
  * Fix side channel in mbedtls_ecp_check_pub_priv() and mbedtls_pk_parse_key() / mbedtls_pk_parse_keyfile() (when loading a private key that didn't include the uncompressed public key), as well as mbedtls_ecp_mul() / mbedtls_ecp_mul_restartable() when called with a NULL f_rng argument. An attacker with access to precise enough timing and memory access information (typically an untrusted operating system attacking a secure enclave) could fully recover the ECC private key. Found and reported by Alejandro Cabrera Aldaya and Billy Brumley.
  * Fix issue in Lucky 13 counter-measure that could make it ineffective when hardware accelerators were used (using one of the MBEDTLS_SHAxxx_ALT macros). This would cause the original Lucky 13 attack to be possible in those configurations, allowing an active network attacker to recover plaintext after repeated timing measurements under some conditions. Reported and fix suggested by Luc Perneel in #3246.
-------------------------------------------------------------------
Thu Apr 2 10:16:05 UTC 2020 - Martin Pluskal <mpluskal@suse.com>

- Update to version 2.16.5:
  * Security improvements and bugfixes

-------------------------------------------------------------------
Wed Nov 13 13:54:02 UTC 2019 - Martin Pluskal <mpluskal@suse.com>

- Update to version 2.16.3:
  * Security improvements and bugfixes

-------------------------------------------------------------------
Tue Sep 3 15:01:56 UTC 2019 - Martin Pluskal <mpluskal@suse.com>

- Update to version 2.16.2:
  * Security improvements and bugfixes
- Use ninja for build

-------------------------------------------------------------------
Mon Jan 7 15:18:11 UTC 2019 - Martin Pluskal <mpluskal@suse.com>

- Update to version 2.16.0:
  Features
  * Add a new config.h option of MBEDTLS_CHECK_PARAMS that enables validation of parameters in the API. This allows detection of obvious misuses of the API, such as passing NULL pointers. The API of existing functions hasn't changed, but requirements on parameters have been made more explicit in the documentation. See the corresponding API documentation for each function to see for which parameter values it is defined. This feature is disabled by default. See its API documentation in config.h for additional steps you have to take when enabling it.
  API Changes
  * The following functions in the random generator modules have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT for the underlying AES or message digest primitive. Fixes #1798.
    mbedtls_ctr_drbg_update() -> mbedtls_ctr_drbg_update_ret()
    mbedtls_hmac_drbg_update() -> mbedtls_hmac_drbg_update_ret()
  * Extend ECDH interface to enable alternative implementations.
  * Deprecate error codes of the form MBEDTLS_ERR_xxx_INVALID_KEY_LENGTH for ARIA, CAMELLIA and Blowfish.
    These error codes will be replaced by the more generic per-module error codes MBEDTLS_ERR_xxx_BAD_INPUT_DATA.
  * Additional parameter validation checks have been added for the following modules - AES, ARIA, Blowfish, CAMELLIA, CCM, GCM, DHM, ECP, ECDSA, ECDH, ECJPAKE, SHA, Chacha20 and Poly1305, cipher, pk, RSA, and MPI. Where modules have had parameter validation added, existing parameter checks may have changed. Some modules, such as Chacha20 had existing parameter validation whereas other modules had little. This has now been changed so that the same level of validation is present in all modules, and that it is now optional with the MBEDTLS_CHECK_PARAMS flag which by default is off. That means that checks which were previously present by default will no longer be.
  New deprecations
  * Deprecate mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() in favor of functions that can return an error code.
  Bugfix
  * Fix for Clang, which was reporting a warning for the bignum.c inline assembly for AMD64 targets creating string literals greater than those permitted by the ISO C99 standard. Found by Aaron Jones. Fixes #482.
  * Fix runtime error in mbedtls_platform_entropy_poll() when run through qemu user emulation. Reported and fix suggested by randombit. Fixes #1212.
  * Fix an unsafe bounds check when restoring an SSL session from a ticket. This could lead to a buffer overflow, but only in case ticket authentication was broken. Reported and fix suggested by Guido Vranken in #659.
  * Add explicit integer to enumeration type casts to example program programs/pkey/gen_key which previously led to compilation failure on some toolchains. Reported by phoenixmcallister. Fixes #2170.
  * Clarify documentation of mbedtls_ssl_set_own_cert() regarding the absence of check for certificate/key matching. Reported by Attila Molnar, #507.
  * Fix double initialization of ECC hardware that made some accelerators hang.
-------------------------------------------------------------------
Tue Dec 11 14:07:44 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>

- Library package version bumped to libmbedtls12

-------------------------------------------------------------------
Tue Dec 11 13:48:05 UTC 2018 - Pedro Monreal Gonzalez <pmonrealgonzalez@suse.com>

- Update to version 2.14.1: [bsc#1118727, CVE-2018-19608]
  Security
  * Fix timing variations and memory access variations in RSA PKCS#1 v1.5 decryption that could lead to a Bleichenbacher-style padding oracle attack. In TLS, this affects servers that accept ciphersuites based on RSA decryption (i.e. ciphersuites whose name contains RSA but not (EC)DH(E)). Discovered by Eyal Ronen (Weizmann Institute), Robert Gillham (University of Adelaide), Daniel Genkin (University of Michigan), Adi Shamir (Weizmann Institute), David Wong (NCC Group), and Yuval Yarom (University of Adelaide, Data61). The attack is described in more detail in the paper available here: http://cat.eyalro.net/cat.pdf CVE-2018-19608
  * In mbedtls_mpi_write_binary(), don't leak the exact size of the number via branching and memory access patterns. An attacker who could submit a plaintext for RSA PKCS#1 v1.5 decryption but only observe the timing of the decryption and not its result could nonetheless decrypt RSA plaintexts and forge RSA signatures. Other asymmetric algorithms may have been similarly vulnerable. Reported by Eyal Ronen, Robert Gillham, Daniel Genkin, Adi Shamir, David Wong and Yuval Yarom.
  * Wipe sensitive buffers on the stack in the CTR_DRBG and HMAC_DRBG modules.
  API Changes
  * The new functions mbedtls_ctr_drbg_update_ret() and mbedtls_hmac_drbg_update_ret() are similar to mbedtls_ctr_drbg_update() and mbedtls_hmac_drbg_update() respectively, but the new functions report errors whereas the old functions return void. We recommend that applications use the new functions.
- Version 2.14.0:
  Security
  * Fix overly strict DN comparison when looking for CRLs belonging to a particular CA. This previously led to ignoring CRLs when the CRL's issuer name and the CA's subject name differed in their string encoding (e.g., one using PrintableString and the other UTF8String) or in the choice of upper and lower case. Reported by Henrik Andersson of Bosch GmbH in issue #1784.
  * Fix a flawed bounds check in server PSK hint parsing. In case the incoming message buffer was placed within the first 64KiB of address space and a PSK-(EC)DHE ciphersuite was used, this allowed an attacker to trigger a memory access up to 64KiB beyond the incoming message buffer, potentially leading to an application crash or information disclosure.
  * Fix mbedtls_mpi_is_prime() to use more rounds of probabilistic testing. The previous settings for the number of rounds made it practical for an adversary to construct non-primes that would be erroneously accepted as primes with high probability. This does not have an impact on the security of TLS, but can matter in other contexts with numbers chosen potentially by an adversary that should be prime and can be validated. For example, the number of rounds was enough to securely generate RSA key pairs or Diffie-Hellman parameters, but was insufficient to validate Diffie-Hellman parameters properly. See "Prime and Prejudice" by Martin R. Albrecht and Jake Massimo and Kenneth G. Paterson and Juraj Somorovsky.
  Features
  * Add support for temporarily suspending expensive ECC computations after some configurable amount of operations. This is intended to be used in constrained, single-threaded systems where ECC is time consuming and can block other operations until they complete. This is disabled by default, but can be enabled by MBEDTLS_ECP_RESTARTABLE at compile time and configured by mbedtls_ecp_set_max_ops() at runtime.
    It applies to the new xxx_restartable functions in ECP, ECDSA, PK and X.509 (CRL not supported yet), and to existing functions in ECDH and SSL (currently only implemented client-side, for ECDHE-ECDSA ciphersuites in TLS 1.2, including client authentication).
  * Add support for Arm CPU DSP extensions to accelerate asymmetric key operations. On CPUs where the extensions are available, they can accelerate MPI multiplications used in ECC and RSA cryptography. Contributed by Aurelien Jarno.
  * Extend RSASSA-PSS signature to allow a smaller salt size. Previously, PSS signature always used a salt with the same length as the hash, and returned an error if this was not possible. Now the salt size may be up to two bytes shorter. This allows the library to support all hash and signature sizes that comply with FIPS 186-4, including SHA-512 with a 1024-bit key.
  * Add support for 128-bit keys in CTR_DRBG. Note that using keys shorter than 256 bits limits the security of generated material to 128 bits.
  API Changes
  * Add a common error code of `MBEDTLS_ERR_PLATFORM_FEATURE_UNSUPPORTED` for a feature that is not supported by underlying alternative implementations implementing cryptographic primitives. This is useful for hardware accelerators that don't implement all options or features.
  New deprecations
  * All module specific errors following the form MBEDTLS_ERR_XXX_FEATURE_UNAVAILABLE that indicate a feature is not supported are deprecated and are now replaced by the new equivalent platform error.
  * All module specific generic hardware acceleration errors following the form MBEDTLS_ERR_XXX_HW_ACCEL_FAILED are deprecated and are replaced by the equivalent platform error.
  * Deprecate the function mbedtls_mpi_is_prime() in favor of mbedtls_mpi_is_prime_ext() which allows specifying the number of Miller-Rabin rounds.
  Bugfix
  * Fix wrong order of freeing in programs/ssl/ssl_server2 example application leading to a memory leak in case both MBEDTLS_MEMORY_BUFFER_ALLOC_C and MBEDTLS_MEMORY_BACKTRACE are set. Fixes #2069.
  * Fix a bug in the update function for SSL ticket keys which previously invalidated keys of a lifetime of less than 1s. Fixes #1968.
  * Fix failure in hmac_drbg in the benchmark sample application, when MBEDTLS_THREADING_C is defined. Found by TrinityTonic, #1095
  * Fix a bug in the record decryption routine ssl_decrypt_buf() which led to accepting properly authenticated but improperly padded records in case of CBC ciphersuites using Encrypt-then-MAC.
  * Fix memory leak and freeing without initialization in the example program programs/x509/cert_write. Fixes #1422.
  * Ignore IV in mbedtls_cipher_set_iv() when the cipher mode is MBEDTLS_MODE_ECB. Found by ezdevelop. Fixes #1091.
  * Zeroize memory used for buffering or reassembling handshake messages after use.
  * Use `mbedtls_platform_zeroize()` instead of `memset()` for zeroization of sensitive data in the example programs aescrypt2 and crypt_and_hash.
  * Change the default string format used for various X.509 DN attributes to UTF8String. Previously, the use of the PrintableString format led to wildcards and non-ASCII characters being unusable in some DN attributes. Reported by raprepo in #1860 and by kevinpt in #468. Fix contributed by Thomas-Dee.
  * Fix compilation failure for configurations which use compile time replacements of standard calloc/free functions through the macros MBEDTLS_PLATFORM_CALLOC_MACRO and MBEDTLS_PLATFORM_FREE_MACRO. Reported by ole-de and ddhome2006. Fixes #882, #1642 and #1706.
  Changes
  * Removed support for Yotta as a build tool.
  * Add tests for session resumption in DTLS.
  * Close a test gap in (D)TLS between the client side and the server side: test the handling of large packets and small packets on the client side in the same way as on the server side.
  * Change the dtls_client and dtls_server samples to work by default over IPv6 and optionally by a build option over IPv4.
  * Change the use of Windows threading to use Microsoft Visual C++ runtime calls, rather than Win32 API calls directly. This is necessary to avoid conflict with C runtime usage. Found and fixed by irwir.
  * Remember the string format of X.509 DN attributes when replicating X.509 DNs. Previously, DN attributes were always written in their default string format (mostly PrintableString), which could lead to CRTs being created which used PrintableStrings in the issuer field even though the signing CA used UTF8Strings in its subject field; while X.509 compliant, such CRTs were rejected in some applications, e.g. some versions of Firefox, curl and GnuTLS. Reported in #1033 by Moschn. Fix contributed by Thomas-Dee.
  * Improve documentation of mbedtls_ssl_get_verify_result(). Fixes #517 reported by github-monoculture.
  * Add MBEDTLS_MPI_GEN_PRIME_FLAG_LOW_ERR flag to mbedtls_mpi_gen_prime() and use it to reduce error probability in RSA key generation to levels mandated by FIPS-186-4.
- Version 2.13.1
  API Changes
  * Extend the platform module with an abstraction mbedtls_platform_gmtime_r() whose implementation should behave as a thread-safe version of gmtime(). This allows users to configure such an implementation at compile time when the target system cannot be deduced automatically, by setting the option MBEDTLS_PLATFORM_GMTIME_R_ALT. At this stage Mbed TLS is only able to automatically select implementations for Windows and POSIX C libraries.
  Bugfix
  * Fix build failures on platforms where only gmtime() is available but neither gmtime_r() nor gmtime_s() are present. Fixes #1907.
- Version 2.13.0
  Security
  * Fix an issue in the X.509 module which could lead to a buffer overread during certificate extensions parsing. In case of receiving malformed input (extensions length field equal to 0), an illegal read of one byte beyond the input buffer is made.
    Found and analyzed by Nathan Crandall.
  Features
  * Add support for fragmentation of outgoing DTLS handshake messages. This is controlled by the maximum fragment length as set locally or negotiated with the peer, as well as by a new per-connection MTU option, set using mbedtls_ssl_set_mtu().
  * Add support for auto-adjustment of MTU to a safe value during the handshake when flights do not get through (RFC 6347, section 4.1.1.1, last paragraph).
  * Add support for packing multiple records within a single datagram, enabled by default.
  * Add support for buffering out-of-order handshake messages in DTLS. The maximum amount of RAM used for this can be controlled by the compile-time constant MBEDTLS_SSL_DTLS_MAX_BUFFERING defined in mbedtls/config.h.
  API Changes
  * Add function mbedtls_ssl_set_datagram_packing() to configure the use of datagram packing (enabled by default).
  Bugfix
  * Fix a potential memory leak in mbedtls_ssl_setup() function. An allocation failure in the function could lead to other buffers being leaked.
  * Fixes an issue with MBEDTLS_CHACHAPOLY_C which would not compile if MBEDTLS_ARC4_C and MBEDTLS_CIPHER_NULL_CIPHER weren't also defined. #1890
  * Fix a memory leak in ecp_mul_comb() if ecp_precompute_comb() fails. Fix contributed by Espressif Systems.
  * Add ecc extensions only if an ecc based ciphersuite is used. This improves compliance to RFC 4492, and as a result, solves interoperability issues with BouncyCastle. Raised by milenamil in #1157.
  * Replace printf with mbedtls_printf in the ARIA module. Found by TrinityTonic in #1908.
  * Fix potential use-after-free in mbedtls_ssl_get_max_frag_len() and mbedtls_ssl_get_record_expansion() after a session reset. Fixes #1941.
  * Fix a bug that caused SSL/TLS clients to incorrectly abort the handshake with TLS versions 1.1 and earlier when the server requested authentication without providing a list of CAs.
    This was due to an overly strict bounds check in parsing the CertificateRequest message, introduced in Mbed TLS 2.12.0. Fixes #1954.
  * Fix a miscalculation of the maximum record expansion in mbedtls_ssl_get_record_expansion() in case of ChachaPoly ciphersuites, or CBC ciphersuites in (D)TLS versions 1.1 or higher. Fixes #1913, #1914.
  * Fix undefined shifts with negative values in certificates parsing (found by Catena cyber using oss-fuzz)
  * Fix memory leak and free without initialization in pk_encrypt and pk_decrypt example programs. Reported by Brace Stout. Fixes #1128.
  * Remove redundant else statement. Raised by irwir. Fixes #1776.
  Changes
  * Copy headers preserving timestamps when doing a "make install". Contributed by xueruini.
  * Allow the forward declaration of public structs. Contributed by Dawid Drozd. Fixes #1215 raised by randombit.
  * Improve compatibility with some alternative CCM implementations by using CCM test vectors from RAM.
  * Add support for buffering of out-of-order handshake messages.
  * Add warnings to the documentation of the HKDF module to reduce the risk of misusing the mbedtls_hkdf_extract() and mbedtls_hkdf_expand() functions. Fixes #1775. Reported by Brian J. Murray.

-------------------------------------------------------------------
Thu Aug 23 07:22:18 UTC 2018 - mpluskal@suse.com

- Update to version 2.12.0:
  * Security
    + Fixed a vulnerability in the TLS ciphersuites based on use of CBC and SHA-384 in DTLS/TLS 1.0 to 1.2, that allowed an active network attacker to partially recover the plaintext of messages under certain conditions by exploiting timing side-channels.
    + Fixed a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker, with the ability to execute code on the local machine as well as to manipulate network packets, to partially recover the plaintext of messages under certain conditions by using a cache attack targeting an internal MD/SHA buffer.
    + Added a counter-measure against a vulnerability in TLS ciphersuites based on CBC, in DTLS/TLS 1.0 to 1.2, that allowed a local attacker with the ability to execute code on the local machine as well as manipulate network packets, to partially recover the plaintext of messages under certain conditions (see previous entry) by using a cache attack targeting the SSL input record buffer.
  * Features
    + Added new cryptographic primitives, the stream cipher Chacha20, one-time authenticator Poly1305 and AEAD construct Chacha20-Poly1305, as defined in RFC 7539. Contributed by Daniel King.
    + Added support for the CHACHA20-POLY1305 ciphersuites from RFC 7905.
    + Made the receive and transmit buffers independently configurable in size, for situations where the outgoing buffer can be fixed at a smaller size than the incoming buffer.
    + Added support for the AES based key wrapping modes defined by NIST SP 800-38F algorithms KW and KWP and by RFCs 3394 and 5649.
    + Added platform support for the Haiku OS.
  * Bugfix
    + Fixed the key_app_writer example which was creating an invalid ASN.1 tag by writing an additional leading zero byte. Found by Aryeh R. #1257.
    + Fixed a C++ compilation error, caused by a variable named new. Found and fixed by Hirotaka Niisato. #1783.
    + Fixed the "no symbols" warning issued by ranlib when building on Mac OS X. Fix contributed by tabascoeye.
    + Clarified documentation for mbedtls_ssl_write() to include 0 as a valid return value. Found by @davidwu2000. #839.
    + Fixed a memory leak in mbedtls_x509_csr_parse(). Found and fixed by catenacyber, Philippe Antoine. #1623.
    + Added length checks to some TLS parsing functions. Found and fixed by Philippe Antoine from Catena cyber. #1663.
    + Remove unused headers included in x509.c. Found by Chris Hanson and fixed by Brendan Shanks. #992.
    + Fixed compilation error when MBEDTLS_ARC4_C is disabled and MBEDTLS_CIPHER_NULL_CIPHER is enabled. Found by TrinityTonic in #1719.
    + Fixed the inline assembly for the MPI multiply helper function for i386 and i386 with SSE2. Found by László Langó. #1550.
    + Fixed the namespacing in header files. Remove the mbedtls namespacing in the #include in the header files. #857.
    + Fixed a compiler warning of 'use before initialisation' in mbedtls_pk_parse_key(). Found by Martin Boye Petersen and fixed by Dawid Drozd. #1098.
    + Fixed decryption of zero length messages (which contain all padding) when a CBC based ciphersuite was used together with Encrypt-then-MAC.
    + Fixed the ssl_client2 example to send application data with 0-length content when the request_size argument is set to 0 as stated in the documentation. #1833.
    + Corrected the documentation for mbedtls_ssl_get_session(). This API has deep copy of the session, and the peer certificate is not lost. #926.
    + Fixed issues when building to the C99 standard, using -std=c99. Fixed by Nick Wilson.
  * Changes
    + Fails when receiving a TLS alert message with an invalid length, or invalid zero-length messages when using TLS 1.2. Contributed by Espressif Systems.
    + Changed the default behaviour of mbedtls_hkdf_extract() to return an error when calling with a NULL salt and non-zero salt length. Contributed by Brian J Murray.
    + Change the shebang line in Perl scripts to look up perl in the PATH. Contributed by fbrosson.
    + Allow overriding the time on Windows via the platform-time abstraction. Fixed by Nick Wilson.
    + Use gmtime_r/gmtime_s for thread-safety. Fixed by Nick Wilson.

-------------------------------------------------------------------
Mon Jul 9 13:21:03 UTC 2018 - mpluskal@suse.com

- Update to version 2.11.0:
  * Features
    + Added support for the XTS block cipher mode with AES (AES-XTS). Contributed by Aorimn in pull request #414.
    + Implemented the HMAC-based extract-and-expand key derivation function (HKDF) per RFC 5869. Contributed by Thomas Fossati.
    + For TLS servers, added support for offloading private key operations to an external cryptoprocessor.
      Private key operations can be asynchronous to allow non-blocking operation of the TLS server stack.
    + Added support for ARIA cipher (RFC 5794) and associated TLS ciphersuites (RFC 6209). ARIA is disabled by default. To enable, see MBEDTLS_ARIA_C in config.h.
    + Added support for the CCM* block cipher mode as defined in IEEE Std 802.15.4.
    + Added an additional block mode, OFB (Output Feedback) per NIST SP 800-38a, to the AES module and cipher abstraction module.
  * API Changes
    + Mbed TLS 2.11.0 maintains source code compatibility with the last minor version, Mbed TLS 2.9.0, but extends the interface with additional capabilities. Mbed TLS 2.11.0 modifies the ABI and increases the SOVERSION.
  * Bugfix
    + Fixed the cert_write example to handle certificates signed with elliptic curves as well as RSA. Fixes #777 found by dbedev.
    + Fixed the redefinition of _WIN32_WINNT, to avoid overriding a definition used by user applications. Found and fixed by Fabio Alessandrelli.
    + Fixed compilation warnings with the IAR toolchain on 32-bit platforms. Reported by rahmanih in #683.
    + Fixed an issue with MicroBlaze support in bn_mul.h which was causing the build to fail. Found by zv-io. Fixes #1651.
    + Fixed braces in mbedtls_memory_buffer_alloc_status(). Found by sbranden in #552.
    + Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to configure the maximum length of a file path that can be buffered when calling mbedtls_x509_crt_parse_path(). Fixes #492.
    + Fixed redundant declaration of mbedtls_ssl_list_ciphersuites. Raised by TrinityTonic in #1359.
- Changes for version 2.9.0:
  + Security
    + Fixed an issue in the X.509 module which could lead to a buffer overread during certificate validation. Additionally, the issue could also lead to unnecessary callback checks being made or to some validation checks to be omitted.
      The overread could be triggered remotely, while the other issues would require a non DER-compliant certificate to be correctly signed by a trusted CA, or a trusted CA with a non DER-compliant certificate. Found by luocm. Fixes #825.
    + Fixed the buffer length assertion in the ssl_parse_certificate_request() function which could lead to an arbitrary overread of the message buffer. The overreads could be caused by receiving a malformed algorithms section which was too short. In builds with debug output, this overread data was output with the debug data.
    + Fixed a client-side bug in the validation of the server's ciphersuite choice which could potentially lead to the client accepting a ciphersuite it didn't offer or a ciphersuite that could not be used with the TLS or DTLS version chosen by the server. This could lead to corruption of internal data structures for some configurations.
  * Features
    + Added an option of MBEDTLS_AES_FEWER_TABLES, to dynamically compute smaller AES tables during runtime, thereby reducing the RAM/ROM footprint by ~6KiB. Suggested and contributed by jkivilin.
    + Added initial support for Curve448 (RFC 7748). So far only mbedtls_ecp_mul() and ECDH primitive functions (mbedtls_ecdh_gen_public(), mbedtls_ecdh_compute_shared()) are supported for now. Contributed by Nicholas Wilson.
  * API Changes
    + Mbed TLS 2.9.0 maintains source code and binary compatibility with the last minor version, Mbed TLS 2.8.0, but extends the interface with additional capabilities.
    + Extended the API with the function of mbedtls_net_poll() to allow user applications to wait for a network context to become ready before reading or writing.
    + Added the function mbedtls_ssl_check_pending() to the public API to allow a check for whether more data is pending to be processed in the internal message buffers. This function is necessary to determine the underlying transport when event-driven IO is used.
  * Bugfix
    + Fixed a spurious uninitialized variable warning in cmac.c.
      Fix independently contributed by Brian J Murray and David Brown.
    + Added missing dependencies in test suites that led to build failures in configurations that omit certain hashes or public-key algorithms. Fixes #1040.
    + Fixed a C89 incompatibility issue in benchmark.c. Contributed by Brendan Shanks. Fixes #1353.
    + Added missing dependencies for MBEDTLS_HAVE_TIME_DATE and MBEDTLS_VERSION_FEATURES in some test suites. Contributed by Deomid Ryabkov. Fixes #1299, #1475.
    + Fixed the Makefile build process for building shared libraries on Mac OS X. Fixed by mnacamura.
    + Fixed parsing of PKCS#8 encoded Elliptic Curve keys. Previously Mbed TLS was unable to parse keys which had only the optional parameters field of the ECPrivateKey structure. Found by Jethro Beekman, fixed in #1379.
    + Added an optimisation to return the plaintext data more quickly on unpadded CBC decryption, as stated in the mbedtls_cipher_update() documentation. Contributed by Andy Leiserson.
    + Fixed the overriding and ignoring of return values when parsing and writing to a file in the pk_sign program. Found by kevlut in #1142.
    + Added restrictions to the usage of the error code MBEDTLS_ERR_SSL_WANT_READ to situations where data needs to be fetched from the underlying transport in order to make progress. Previously, this error code was also occasionally returned when unexpected messages were being discarded, ignoring that further messages could potentially already be pending to be processed in the internal buffers; these cases led to deadlocks when event-driven I/O was used. Found and reported by Hubert Mis in #772.
    + Fixed buffer length assertions in the ssl_parse_certificate_request() function which led to a potential one byte overread of the message buffer.
    + Fixed invalid buffer sizes being passed to zlib during record compression and decompression.
    + Raised the soversion of libmbedcrypto to match the soversion of the maintained 2.7 branch.
      The soversion was increased in Mbed TLS version 2.7.1 to reflect breaking changes in that release, but the increment was missed in 2.8.0 and later releases outside of the 2.7 branch.

-------------------------------------------------------------------
Fri Apr 6 08:17:46 UTC 2018 - mpluskal@suse.com

- Update to version 2.8.0:
  * Security:
    + Defend against Bellcore glitch attacks by verifying the results of RSA private key operations.
    + Fix implementation of the truncated HMAC extension. The previous implementation allowed an offline 2^80 brute force attack on the HMAC key of a single, uninterrupted connection (with no resumption of the session).
    + Reject CRLs containing unsupported critical extensions. Found by Falko Strenzke and Evangelos Karatsiolis.
    + Fix a buffer overread in ssl_parse_server_key_exchange() that could cause a crash on invalid input.
    + Fix a buffer overread in ssl_parse_server_psk_hint() that could cause a crash on invalid input.
  * Features:
    + Enable reading encrypted PEM files produced by software that uses PBKDF2-SHA2, such as OpenSSL 1.1. Submitted by Antonio Quartulli, OpenVPN Inc. Fixes #1339
    + Support public keys encoded in PKCS#1 format. #1122
  * New deprecations:
    + Compression and crypto don't mix. We don't recommend using compression and cryptography, and have deprecated support for record compression (configuration option MBEDTLS_ZLIB_SUPPORT).
  * Bugfix:
    + Fix mbedtls_x509_crt_profile_suiteb, which used to reject all certificates with flag MBEDTLS_X509_BADCERT_BAD_PK even when the key type was correct. In the context of SSL, this resulted in handshake failure. Reported by daniel in the Mbed TLS forum. #1351
    + Fix setting version TLSv1 as minimal version, even if TLS 1 is not enabled. Set MBEDTLS_SSL_MIN_MAJOR_VERSION and MBEDTLS_SSL_MIN_MINOR_VERSION instead of MBEDTLS_SSL_MAJOR_VERSION_3 and MBEDTLS_SSL_MINOR_VERSION_1. #664
    + Fix compilation error on Mingw32 when _TRUNCATE is defined. Use _TRUNCATE only if __MINGW32__ is not defined.
      Fix suggested by Thomas Glanzmann and Nick Wilson on issue #355
    + Fix memory allocation corner cases in memory_buffer_alloc.c module. Found by Guido Vranken. #639
    + Don't accept an invalid tag when parsing X.509 subject alternative names in some circumstances.
    + Fix a possible arithmetic overflow in ssl_parse_server_key_exchange() that could cause a key exchange to fail on valid data.
    + Fix a possible arithmetic overflow in ssl_parse_server_psk_hint() that could cause a key exchange to fail on valid data.
    + Fix a 1-byte heap buffer overflow (read-only) during private key parsing. Found through fuzz testing.
  * Changes
    + Fix tag lengths and value ranges in the documentation of CCM encryption. Contributed by Mathieu Briand.
    + Fix a typo in a comment in ctr_drbg.c. Contributed by Paul Sokolovsky.
    + Remove support for the library reference configuration for picocoin.
    + MD functions deprecated in 2.7.0 are no longer inline, to provide a migration path for those depending on the library's ABI.
    + Use (void) when defining functions with no parameters. Contributed by Joris Aerts. #678

-------------------------------------------------------------------
Thu Mar 8 09:32:12 UTC 2018 - mpluskal@suse.com

- Use more cmake macros
- Update spec file using spec-cleaner

-------------------------------------------------------------------
Tue Feb 13 15:55:27 UTC 2018 - kbabioch@suse.com

- Update to version 2.7.0:
  - Security
    * Fix a heap corruption issue in the implementation of the truncated HMAC extension. When the truncated HMAC extension is enabled and CBC is used, sending a malicious application packet could be used to selectively corrupt 6 bytes on the peer's heap, which could potentially lead to crash or remote code execution. The issue could be triggered remotely from either side in both TLS and DTLS.
      (CVE-2018-0488 boo#1080828)
    * Fix a buffer overflow in RSA-PSS verification when the hash was too large for the key size, which could potentially lead to crash or remote code execution. Found by Seth Terashima, Qualcomm Product Security Initiative, Qualcomm Technologies Inc. (CVE-2018-0487 boo#1080826)
    * Fix buffer overflow in RSA-PSS verification when the unmasked data is all zeros.
    * Fix an unsafe bounds check in ssl_parse_client_psk_identity() when adding 64 KiB to the address of the SSL buffer and causing a wrap around.
    * Fix a potential heap buffer overflow in mbedtls_ssl_write(). When the (by default enabled) maximum fragment length extension is disabled in the config and the application data buffer passed to mbedtls_ssl_write is larger than the internal message buffer (16384 bytes by default), the latter overflows.
    * Add a provision to prevent compiler optimizations breaking the time constancy of mbedtls_ssl_safer_memcmp().
    * Ensure that buffers are cleared after use if they contain sensitive data. Changes were introduced in multiple places in the library.
    * Set PEM buffer to zero before freeing it, to avoid decoded private keys being leaked to memory after release.
    * Fix dhm_check_range() failing to detect trivial subgroups and potentially leaking 1 bit of the private key. Reported by prashantkspatil.
    * Make mbedtls_mpi_read_binary() constant-time with respect to the input data. Previously, trailing zero bytes were detected and omitted for the sake of saving memory, but potentially leading to slight timing differences. Reported by Marco Macchetti, Kudelski Group.
    * Wipe stack buffer temporarily holding EC private exponent after keypair generation.
    * Fix a potential heap buffer over-read in ALPN extension parsing (server-side). Could result in application crash, but only if an ALPN name larger than 16 bytes had been configured on the server.
    * Change default choice of DHE parameters from untrustworthy RFC 5114 to RFC 3526 containing parameters generated in a nothing-up-my-sleeve manner.
  - Features
    * Add alternative implementation support for CCM and CMAC (MBEDTLS_CCM_ALT, MBEDTLS_CMAC_ALT). Submitted by Steven Cooreman, Silicon Labs.
    * Add support for alternative implementations of GCM, selected by the configuration flag MBEDTLS_GCM_ALT.
    * Add support for alternative implementations for ECDSA, controlled by new configuration flags MBEDTLS_ECDSA_SIGN_ALT, MBEDTLS_ECDSA_VERIFY_ALT and MBEDTLS_ECDSDA_GENKEY_AT in config.h. The following functions from the ECDSA module can be replaced with alternative implementation: mbedtls_ecdsa_sign(), mbedtls_ecdsa_verify() and mbedtls_ecdsa_genkey().
    * Add support for alternative implementation of ECDH, controlled by the new configuration flags MBEDTLS_ECDH_COMPUTE_SHARED_ALT and MBEDTLS_ECDH_GEN_PUBLIC_ALT in config.h. The following functions from the ECDH module can be replaced with an alternative implementation: mbedtls_ecdh_gen_public() and mbedtls_ecdh_compute_shared().
    * Add support for alternative implementation of ECJPAKE, controlled by the new configuration flag MBEDTLS_ECJPAKE_ALT.
    * Add mechanism to provide alternative implementation of the DHM module.
  - API changes
    * Extend RSA interface by multiple functions allowing structure-independent setup and export of RSA contexts. Most notably, mbedtls_rsa_import() and mbedtls_rsa_complete() are introduced for setting up RSA contexts from partial key material and having them completed to the needs of the implementation automatically. This allows to setup private RSA contexts from keys consisting of N,D,E only, even if P,Q are needed for the purpose of CRT and/or blinding.
    * The configuration option MBEDTLS_RSA_ALT can be used to define alternative implementations of the RSA interface declared in rsa.h.
  * The following functions in the message digest modules (MD2, MD4, MD5, SHA1, SHA256, SHA512) have been deprecated and replaced as shown below. The new functions change the return type from void to int to allow returning error codes when using MBEDTLS_<MODULE>_ALT.
      mbedtls_<MODULE>_starts() -> mbedtls_<MODULE>_starts_ret()
      mbedtls_<MODULE>_update() -> mbedtls_<MODULE>_update_ret()
      mbedtls_<MODULE>_finish() -> mbedtls_<MODULE>_finish_ret()
      mbedtls_<MODULE>_process() -> mbedtls_internal_<MODULE>_process()
- Deprecations
  * Deprecate usage of RSA primitives with non-matching key-type (e.g. signing with a public key).
  * Direct manipulation of structure fields of RSA contexts is deprecated. Users are advised to use the extended RSA API instead.
  * Deprecate usage of message digest functions that return void (mbedtls_<MODULE>_starts, mbedtls_<MODULE>_update, mbedtls_<MODULE>_finish and mbedtls_<MODULE>_process where <MODULE> is any of MD2, MD4, MD5, SHA1, SHA256, SHA512) in favor of functions that can return an error code.
  * Deprecate untrustworthy DHE parameters from RFC 5114. Superseded by parameters from RFC 3526 or the newly added parameters from RFC 7919.
  * Deprecate hex string DHE constants MBEDTLS_DHM_RFC3526_MODP_2048_P etc. Superseded by binary encoded constants MBEDTLS_DHM_RFC3526_MODP_2048_P_BIN etc.
  * Deprecate mbedtls_ssl_conf_dh_param() for setting default DHE parameters from hex strings. Superseded by mbedtls_ssl_conf_dh_param_bin() accepting DHM parameters in binary form, matching the new constants.
- Several bug fixes

-------------------------------------------------------------------
Mon Sep 11 21:03:15 UTC 2017 - fisiu@opensuse.org

- Update to version 2.6.0:
  * Add the functions mbedtls_platform_setup() and mbedtls_platform_teardown() and the context struct mbedtls_platform_context to perform platform-specific setup and teardown operations.
    The macro MBEDTLS_PLATFORM_SETUP_TEARDOWN_ALT allows the functions to be overridden by the user in a platform_alt.h file. These new functions are required in some embedded environments to provide a means of initialising underlying cryptographic acceleration hardware.
  * Reverted API/ABI breaking changes introduced in mbed TLS 2.5.1, to make the API consistent with mbed TLS 2.5.0. Specifically removed the inline qualifier from the functions mbedtls_aes_decrypt, mbedtls_aes_encrypt, mbedtls_ssl_ciphersuite_uses_ec and mbedtls_ssl_ciphersuite_uses_psk. Found by James Cowgill. #978
  * Certificate verification functions now set flags to -1 in case the full chain was not verified due to an internal error (including in the verify callback) or chain length limitations.
  * With authmode set to optional, the TLS handshake is now aborted if the verification of the peer's certificate failed due to an overlong chain or a fatal error in the verify callback.
  * Fix authentication bypass in SSL/TLS: when authmode is set to optional, mbedtls_ssl_get_verify_result() would incorrectly return 0 when the peer's X.509 certificate chain had more than MBEDTLS_X509_MAX_INTERMEDIATE_CA (default: 8) intermediates, even when it was not trusted. This could be triggered remotely from either side. (With authmode set to 'required' (the default), the handshake was correctly aborted). Fix for CVE-2017-14032 and boo#1056544.
  * Reliably wipe sensitive data after use in the AES example applications programs/aes/aescrypt2 and programs/aes/crypt_and_hash. Found by Laurent Simon.

-------------------------------------------------------------------
Mon Jul 10 14:17:59 UTC 2017 - mpluskal@suse.com

- Update to version 2.5.1:
  * Adds hardware acceleration support for the Elliptic Curve Point module. This has involved exposing parts of the internal interface to enable replacing the core functions and adding an alternative, module level replacement to support for enabling the extension of the interface.
  * Adds a new configuration option to mbedtls_ssl_config() to enable suppressing the CA list in Certificate Request messages. The default behaviour has not changed, namely every configured CA's name is included.
  * Fixes an unlimited overread of heap-based buffers in mbedtls_ssl_read(). The issue could only happen client-side with renegotiation enabled. This could result in a Denial of Service (such as crashing the application) or information leak.
  * Adds exponent blinding to RSA private operations as a countermeasure against side-channel attacks like the cache attack described in https://arxiv.org/abs/1702.08719v2.
  * Wipes stack buffers in RSA private key operations (rsa_rsaes_pkcs1_v15_decrypt(), rsa_rsaes_oaep_decrypt()).
  * Removes SHA-1 and RIPEMD-160 from the default hash algorithms for certificate verification. SHA-1 can be turned back on with a compile-time option if needed.
  * Fixes offset in FALLBACK_SCSV parsing that caused TLS server to fail to detect it sometimes. Reported by Hugo Leisink.
  * Tighten parsing of RSA PKCS#1 v1.5 signatures, to avoid a potential Bleichenbacher/BERserk-style attack.

-------------------------------------------------------------------
Sat Mar 11 15:50:12 UTC 2017 - mpluskal@suse.com

- Update to version 2.4.2:
  * Add checks to prevent signature forgeries for very large messages while using RSA through the PK module in 64-bit systems. The issue was caused by some data loss when casting a size_t to an unsigned int value in the functions rsa_verify_wrap(), rsa_sign_wrap(), rsa_alt_sign_wrap() and mbedtls_pk_sign(). Found by Jean-Philippe Aumasson.
  * Fixed potential livelock during the parsing of a CRL in PEM format in mbedtls_x509_crl_parse(). A string containing a CRL followed by trailing characters after the footer could result in the execution of an infinite loop. The issue can be triggered remotely. Found by Greg Zaverucha, Microsoft.
  * Removed MD5 from the allowed hash algorithms for CertificateRequest and CertificateVerify messages, to prevent SLOTH attacks against TLS 1.2. Introduced by interoperability fix for #513.
  * Fixed a bug that caused freeing a buffer that was allocated on the stack, when verifying the validity of a key on secp224k1. This could be triggered remotely for example with a maliciously constructed certificate and potentially could lead to remote code execution on some platforms. Reported independently by rongsaws and Aleksandar Nikolic, Cisco Talos team. #569 CVE-2017-2784 (boo#1029017)

-------------------------------------------------------------------
Sun Nov 13 18:18:58 UTC 2016 - mpluskal@suse.com

- Update to version 2.4.0:
  * Removes the MBEDTLS_SSL_AEAD_RANDOM_IV configuration option, because it was not compliant with RFC-5116 and could lead to session key recovery in very long TLS sessions.
  * Fixes potential stack corruption in mbedtls_x509write_crt_der() and mbedtls_x509write_csr_der() when the signature is copied to the buffer without checking whether there is enough space in the destination. The issue cannot be triggered remotely.
  * Added support for CMAC for AES and 3DES and AES-CMAC-PRF-128, as defined by NIST SP 800-38B, RFC-4493 and RFC-4615.
  * Added hardware entropy self-test to verify that the hardware entropy source is functioning correctly.
  * Added a script to print build environment information for diagnostic use in test scripts, which is also now called by all.sh verification script.
  * Added the macro MBEDTLS_X509_MAX_FILE_PATH_LEN that enables the user to configure the maximum length of a file path that can be buffered when calling mbedtls_x509_crt_parse_path().
  * Added a configuration file config-no-entropy.h that configures the subset of library features that do not require an entropy source.
  * Added the macro MBEDTLS_ENTROPY_MIN_HARDWARE in config.h.
    This allows users to configure the minimum number of bytes for entropy sources using the mbedtls_hardware_poll() function.
  * Miscellaneous bugfixes
- Drop no longer needed mbedtls_fix522.patch

-------------------------------------------------------------------
Sat Aug 27 11:11:20 UTC 2016 - mpluskal@suse.com

- Merge changes from home:X0F:HSF
- Add mbedtls_fix522.patch which fixes building of dependent libraries

-------------------------------------------------------------------
Fri Aug 12 19:30:14 UTC 2016 - jengelh@inai.de

- Update description

-------------------------------------------------------------------
Thu Aug 11 08:05:16 UTC 2016 - mpluskal@suse.com

- Split shared libraries to subpackages

-------------------------------------------------------------------
Tue Aug 9 21:13:29 UTC 2016 - astieger@suse.com

- update to 2.3.0:
  * adding libmbedcrypto, libmbedx509
  * headers moved to /usr/include/mbedtls
  * remove compatibility symlink
  * source compatibility header /usr/include/mbedtls/compat-1.3.h
  * Use primary upstream license (Apache-2.0)

-------------------------------------------------------------------
Thu Jul 14 12:00:56 UTC 2016 - mpluskal@suse.com

- Update to version 1.3.17 (boo#988956):
  * Security
    + Fix missing padding length check in mbedtls_rsa_rsaes_pkcs1_v15_decrypt required by PKCS1 v2.2
    + Fix a potential integer underflow to buffer overread in mbedtls_rsa_rsaes_oaep_decrypt. It is not triggerable remotely in SSL/TLS.
    + Fix potential integer overflow to buffer overflow in mbedtls_rsa_rsaes_pkcs1_v15_encrypt and mbedtls_rsa_rsaes_oaep_encrypt
  * Bugfix
    + Fix bug in mbedtls_mpi_add_mpi() that caused wrong results when the three arguments were the same (in-place doubling). Found and fixed by Janos Follath. #309
    + Fix issue in Makefile that prevented building using armar.
    + Fix issue that caused a hang up when generating RSA keys of odd bitlength
    + Fix bug in mbedtls_rsa_rsaes_pkcs1_v15_encrypt that made null pointer dereference possible.
    + Fix issue that caused a crash if invalid curves were passed to mbedtls_ssl_conf_curves. #373
  * Changes
    + On ARM platforms, when compiling with -O0 with GCC, Clang or armcc5, don't use the optimized assembly for bignum multiplication. This removes the need to pass -fomit-frame-pointer to avoid a build error with -O0.
    + Disabled SSLv3 in the default configuration.
    + Fix non-compliance server extension handling. Extensions for SSLv3 are now ignored, as required by RFC6101.

-------------------------------------------------------------------
Sun Jan 10 13:08:11 UTC 2016 - mpluskal@suse.com

- Update to 1.3.16
  * Fixes a potential double free when mbedtls_asn1_store_named_data() fails to allocate memory. This was only used for certificate generation and was not triggerable remotely in SSL/TLS. boo#961290
  * Disables by default MD5 handshake signatures in TLS 1.2 to prevent the SLOTH (CVE-2015-7575) attack on TLS 1.2 server authentication (other attacks from the SLOTH paper do not apply to any version of mbed TLS or PolarSSL). boo#961284
  * Fixes an over-restrictive length limit in GCM.
  * Fixes a bug in certificate validation that caused valid chains to be rejected when the first intermediate certificate has a pathLenConstraint equal to zero.
  * Removed potential leak in mbedtls_rsa_rsassa_pkcs1_v15_sign()
  * Added config.h option POLARSSL_SSL_ENABLE_MD5_SIGNATURES to control use of MD5-based signatures for TLS 1.2 handshake (disabled by default).

-------------------------------------------------------------------
Wed Nov 18 13:29:03 UTC 2015 - mpluskal@suse.com

- Update to 1.3.15
  * Fix potential double free if ssl_set_psk() is called more than once and some allocation fails. Cannot be forced remotely. Found by Guido Vranken, Intelworks.
  * Fix potential heap corruption on Windows when x509_crt_parse_path() is passed a path longer than 2GB. Cannot be triggered remotely. Found by Guido Vranken, Intelworks.
  * Fix potential buffer overflow in some asn1_write_xxx() functions.
    Cannot be triggered remotely unless you create X.509 certificates based on untrusted input or write keys of untrusted origin. Found by Guido Vranken, Intelworks.
  * The X509 max_pathlen constraint was not enforced on intermediate certificates. Found by Nicholas Wilson, fix and tests provided by Janos Follath. #280 and #319
  * Self-signed certificates were not excluded from pathlen counting, resulting in some valid X.509 being incorrectly rejected. Found and fix provided by Janos Follath. #319
  * Fix bug causing some handshakes to fail due to some non-fatal alerts not being properly ignored. Found by mancha and Kasom Koht-arsa, #308
  * Fix build error with configurations where ECDHE-PSK is the only key exchange. Found and fix provided by Chris Hammond. #270
  * Fix failures in MPI on Sparc(64) due to use of bad assembly code. Found by Kurt Danielson. #292
  * Fix typo in name of the extKeyUsage OID. Found by inestlerode, #314
  * Fix bug in ASN.1 encoding of booleans that caused generated CA certificates to be rejected by some applications, including OS X Keychain. Found and fixed by Jonathan Leroy, Inikup.
  * Fix "Destination buffer is too small" error in cert_write program. Found and fixed by Jonathan Leroy, Inikup.

-------------------------------------------------------------------
Thu Oct 8 06:53:02 UTC 2015 - mpluskal@suse.com

- Update to 1.3.14
  * Added fix for CVE-2015-5291 (boo#949380) to prevent heap corruption due to buffer overflow of the hostname or session ticket. Found by Guido Vranken, Intelworks.
  * Fix stack buffer overflow in pkcs12 decryption (used by mbedtls_pk_parse_key(file)()) when the password is > 129 bytes. Found by Guido Vranken, Intelworks. Not triggerable remotely.
  * Fix potential buffer overflow in mbedtls_mpi_read_string(). Found by Guido Vranken, Intelworks. Not exploitable remotely in the context of TLS, but might be in other uses.
    On 32 bit machines, requires reading a string of close to or larger than 1GB to exploit; on 64 bit machines, would require reading a string of close to or larger than 2^62 bytes.
  * Fix potential random memory allocation in mbedtls_pem_read_buffer() on crafted PEM input data. Found and fix provided by Guido Vranken, Intelworks. Not triggerable remotely in TLS. Triggerable remotely if you accept PEM data from an untrusted source.
  * Fix potential double-free if ssl_set_psk() is called repeatedly on the same ssl_context object and some memory allocations fail. Found by Guido Vranken, Intelworks. Can not be forced remotely.
  * Fix possible heap buffer overflow in base64_encode() when the input buffer is 512MB or larger on 32-bit platforms. Found by Guido Vranken, Intelworks. Found by Guido Vranken. Not triggerable remotely in TLS.
  * Fix potential heap buffer overflow in servers that perform client authentication against a crafted CA cert. Cannot be triggered remotely unless you allow third parties to pick trust CAs for client auth. Found by Guido Vranken, Intelworks.
  * Fix compile error in net.c with musl libc. Found and patch provided by zhasha (#278).
  * Fix macroization of 'inline' keyword when building as C++. (#279)
  * Added checking of hostname length in ssl_set_hostname() to ensure domain names are compliant with RFC 1035.
- Changes for 1.3.13
  * Fix possible client-side NULL pointer dereference (read) when the client tries to continue the handshake after it failed (a misuse of the API). (Found and patch provided by Fabian Foerg, Gotham Digital Science using afl-fuzz.)
  * Add countermeasure against Lenstra's RSA-CRT attack for PKCS#1 v1.5 signatures. (Found by Florian Weimer, Red Hat.)
    https://securityblog.redhat.com/2015/09/02/factoring-rsa-keys-with-tls-perfect-forward-secrecy/
  * Setting SSL_MIN_DHM_BYTES in config.h had no effect (overridden in ssl.h) (found by Fabio Solari) (#256)
  * Fix bug in mbedtls_rsa_public() and mbedtls_rsa_private() that could result in trying to unlock an unlocked mutex on invalid input (found by Fredrik Axelsson) (#257)
  * Fix -Wshadow warnings (found by hnrkp) (#240)
  * Fix unused function warning when using MBEDTLS_MDx_ALT or MBEDTLS_SHAxxx_ALT (found by Henrik) (#239)
  * Fix memory corruption in pkey programs (found by yankuncheng) (#210)
  * Fix memory corruption on client with overlong PSK identity, around SSL_MAX_CONTENT_LEN or higher - not triggerable remotely (found by Aleksandrs Saveljevs) (#238)
  * Fix off-by-one error in parsing Supported Point Format extension that caused some handshakes to fail.
  * When verifying a certificate chain, if an intermediate certificate is trusted, no later cert is checked. (suggested by hannes-landeholm) (#220).
- Changes for 1.3.12
  * Increase the minimum size of Diffie-Hellman parameters accepted by the client to 1024 bits, to protect against Logjam attack.
  * Increase the size of default Diffie-Hellman parameters on the server to 2048 bits. This can be changed with ssl_set_dh_params().
  * Fix thread-safety issue in SSL debug module (found by Edwin van Vliet).
  * Some example programs were not built using make, not included in Visual Studio projects (found by Kristian Bendiksen).
  * Fix build error with CMake and pre-4.5 versions of GCC (found by Hugo Leisink).
  * Fix missing -static-libgcc when building shared libraries for Windows with make.
  * Fix compile error with armcc5 --gnu.
  * Add SSL_MIN_DHM_BYTES configuration parameter in config.h to choose the minimum size of Diffie-Hellman parameters accepted by the client.
  * The PEM parser now accepts a trailing space at end of lines (#226).

-------------------------------------------------------------------
Wed Jul 29 10:16:37 UTC 2015 - dimstar@opensuse.org

- Add baselibs.conf: build libmbedtls9-32bit, as needed by libbzrtp0-32bit.

-------------------------------------------------------------------
Mon Jun 15 22:19:07 UTC 2015 - fisiu@opensuse.org

- Update to 1.3.11:
  * Remove bias in mpi_gen_prime (contributed by Pascal Junod).
  * Remove potential sources of timing variations (some contributed by Pascal Junod).
  * Options POLARSSL_HAVE_INT8 and POLARSSL_HAVE_INT16 are deprecated.
  * Enabling POLARSSL_NET_C without POLARSSL_HAVE_IPV6 is deprecated.
  * compat-1.2.h and openssl.h are deprecated.
  * ssl_set_own_cert() no longer calls pk_check_pair() since the performance impact was bad for some users (this was introduced in 1.3.10).
  * Move from SHA-1 to SHA-256 in example programs using signatures (suggested by Thorsten Mühlfelder).
  * Remove dependency on sscanf() in X.509 parsing modules.
  * Fix compile errors with PLATFORM_NO_STD_FUNCTIONS.
  * Fix bug in entropy.c when THREADING_C is also enabled that caused entropy_free() to crash (thanks to Rafał Przywara).
  * Fix memory leak when gcm_setkey() and ccm_setkey() are used more than once on the same context.
  * Fix bug in ssl_mail_client when password is longer than username (found by Bruno Pape).
  * Fix undefined behaviour (memcmp( NULL, NULL, 0 );) in X.509 modules (detected by Clang's 3.6 UBSan).
  * mpi_size() and mpi_msb() would segfault when called on an mpi that is initialized but not set (found by pravic).
  * Fix detection of support for getrandom() on Linux (reported by syzzer) by doing it at runtime (using uname) rather than compile time.
  * Fix handling of symlinks by "make install" (found by Gaël PORTAY).
  * Fix potential NULL pointer dereference (not triggerable remotely) when ssl_write() is called before the handshake is finished (introduced in 1.3.10) (first reported by Martin Blumenstingl).
  * Fix bug in pk_parse_key() that caused some valid private EC keys to be rejected.
  * Fix bug in Via Padlock support (found by Nikos Mavrogiannopoulos).
  * Fix thread safety bug in RSA operations (found by Fredrik Axelsson).
  * Fix hardclock() (only used in the benchmarking program) with some versions of mingw64 (found by kxjhlele).
  * Fix potential unintended sign extension in asn1_get_len() on 64-bit platforms.
  * Fix potential memory leak in ssl_set_psk() (found by Mansour Moufid).
  * Fix compile error when POLARSSL_SSL_DISABLE_RENEGOTIATION and POLARSSL_SSL_SESSION_TICKETS were both enabled in config.h (introduced in 1.3.10).
  * Add missing extern "C" guard in aesni.h (reported by amir zamani).
  * Add missing dependency on SHA-256 in some x509 programs (reported by Gergely Budai).
  * Fix bug related to ssl_set_curves(): the client didn't check that the curve picked by the server was actually allowed.
- Drop getrandom-syscall-fallback.patch: fixed upstream.

-------------------------------------------------------------------
Wed Apr 1 11:05:55 UTC 2015 - schwab@suse.de

- getrandom-syscall-fallback.patch: Fall back to /dev/urandom if getrandom syscall is not implemented.

-------------------------------------------------------------------
Fri Mar 27 16:59:55 UTC 2015 - mpluskal@suse.com

- Update package categories

-------------------------------------------------------------------
Wed Mar 18 18:56:26 UTC 2015 - mpluskal@suse.com

- Create symlink to ensure compatibility with polarssl

-------------------------------------------------------------------
Mon Mar 16 12:54:22 UTC 2015 - mpluskal@suse.com

- Update provides/obsoletes

-------------------------------------------------------------------
Sun Mar 15 21:23:17 UTC 2015 - mpluskal@suse.com

- Fix sed for includes

-------------------------------------------------------------------
Sun Mar 15 11:44:53 UTC 2015 - mpluskal@suse.com

- Rename to mbedtls
- Use cmake macro for building
- Update to 1.3.10
  * NULL pointer dereference in the buffer-based allocator when the buffer is full and polarssl_free() is called (found by Mark Hasemeyer) (only possible if POLARSSL_MEMORY_BUFFER_ALLOC_C is enabled, which it is not by default).
  * Fix remotely-triggerable uninitialised pointer dereference caused by crafted X.509 certificate (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
  * Fix remotely-triggerable memory leak caused by crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
  * Fix potential stack overflow while parsing crafted X.509 certificates (TLS server is not affected if it doesn't ask for a client certificate) (found using Codenomicon Defensics).
  * Fix timing difference that could theoretically lead to a Bleichenbacher-style attack in the RSA and RSA-PSK key exchanges (reported by Sebastian Schinzel).
  * Add support for FALLBACK_SCSV (draft-ietf-tls-downgrade-scsv).
  * Add support for Extended Master Secret (draft-ietf-tls-session-hash).
  * Add support for Encrypt-then-MAC (RFC 7366).
  * Add function pk_check_pair() to test if public and private keys match.
  * Add x509_crl_parse_der().
  * Add compile-time option POLARSSL_X509_MAX_INTERMEDIATE_CA to limit the length of an X.509 verification chain.
  * Support for renegotiation can now be disabled at compile-time
  * Support for 1/n-1 record splitting, a countermeasure against BEAST.
  * Certificate selection based on signature hash, preferring SHA-1 over SHA-2 for pre-1.2 clients when multiple certificates are available.
  * Add support for getrandom() syscall on recent Linux kernels with Glibc or a compatible enough libc (eg uClibc).
  * Add ssl_set_arc4_support() to make it easier to disable RC4 at runtime while using the default ciphersuite list.
  * Added new error codes and debug messages about selection of ciphersuite/certificate.

-------------------------------------------------------------------
Tue Jan 20 19:33:12 UTC 2015 - fisiu@opensuse.org

- Add polarssl-CVE-2015-1182.patch: Remote attack using crafted certificates: fix boo#913903, CVE-2015-1182.

-------------------------------------------------------------------
Mon Nov 3 12:25:24 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.9, detailed changes available in ChangeLog file:
  * Lowest common hash was selected from signature_algorithms extension in TLS 1.2: fix boo#903672, CVE-2014-8627.
  * Remotely-triggerable memory leak when parsing some X.509 certificates, CVE-2014-8628.
  * Remotely-triggerable memory leak when parsing crafted ClientHello, CVE-2014-8628.
  * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x.
  * Ciphersuites using RSA-PSK key exchange now require TLS 1.x.
  * POLARSSL_MPI_MAX_SIZE now defaults to 1024 in order to allow 8192 bits RSA keys.
  * X.509 certificates with more than one AttributeTypeAndValue per RelativeDistinguishedName are not accepted any more.
- Build with POLARSSL_THREADING_PTHREAD: fix boo#903671.

-------------------------------------------------------------------
Fri Aug 15 17:17:05 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.8, detailed changes available in ChangeLog file:
  * Fix length checking for AEAD ciphersuites (found by Codenomicon). It was possible to crash the server (and client) using crafted messages when a GCM suite was chosen.
  * Add CCM module and cipher mode to Cipher Layer
  * Support for CCM and CCM_8 ciphersuites
  * Support for parsing and verifying RSASSA-PSS signatures in the X.509 modules (certificates, CRLs and CSRs).
  * Blowfish in the cipher layer now supports variable length keys.
  * Add example config.h for PSK with CCM, optimized for low RAM usage.
  * Optimize for RAM usage in example config.h for NSA Suite B profile.
  * Add POLARSSL_REMOVE_ARC4_CIPHERSUITES to allow removing RC4 ciphersuites from the default list (inactive by default).
  * Add server-side enforcement of sent renegotiation requests (ssl_set_renegotiation_enforced())
  * Add SSL_CIPHERSUITES config.h flag to allow specifying a list of ciphersuites to use and save some memory if the list is small.

-------------------------------------------------------------------
Sat Mar 29 14:01:16 UTC 2014 - fisiu@opensuse.org

- Update to 1.3.5, detailed changes available in ChangeLog file:
  * Elliptic Curve Cryptography module added
  * Elliptic Curve Diffie Hellman module added
  * Ephemeral Elliptic Curve Diffie Hellman support for SSL/TLS (ECDHE-based ciphersuites)
  * Ephemeral Elliptic Curve Digital Signature Algorithm support for SSL/TLS (ECDSA-based ciphersuites)
  * Ability to specify allowed ciphersuites based on the protocol version.
  * PSK and DHE-PSK based ciphersuites added
  * Memory allocation abstraction layer added
  * Buffer-based memory allocator added (no malloc() / free() / HEAP usage)
  * Threading abstraction layer added (dummy / pthread / alternate)
  * Public Key abstraction layer added
  * Parsing Elliptic Curve keys
  * Parsing Elliptic Curve certificates
  * Support for max_fragment_length extension (RFC 6066)
  * Support for truncated_hmac extension (RFC 6066)
  * Support for zeros-and-length (ANSI X.923) padding, one-and-zeros (ISO/IEC 7816-4) padding and zero padding in the cipher layer
  * Support for session tickets (RFC 5077)
  * Certificate Request (CSR) generation with extensions (key_usage, ns_cert_type)
  * X509 Certificate writing with extensions (basic_constraints, issuer_key_identifier, etc)
  * Optional blinding for RSA, DHM and EC
  * Support for multiple active certificate / key pairs in SSL servers for the same host (Not to be confused with SNI!)

-------------------------------------------------------------------
Wed May 15 12:21:45 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.7:
  * Ability to specify allowed ciphersuites based on the protocol version.
  * Default Blowfish keysize is now 128-bits
  * Test suites made smaller to accommodate Raspberry Pi
  * Fix for MPI assembly for ARM
  * GCM adapted to support sizes > 2^29

-------------------------------------------------------------------
Sat Mar 16 16:03:03 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.6:
  * Fixed memory leak in ssl_free() and ssl_reset()
  * Corrected GCM counter incrementation to use only 32-bits instead of 128-bits
  * Fixed net_bind() for specified IP addresses on little endian systems
  * Fixed assembly code for ARM (Thumb and regular)
  * Detailed information available in ChangeLog file.

-------------------------------------------------------------------
Fri Mar 8 13:38:43 UTC 2013 - fisiu@opensuse.org

- Update to 1.2.5

-------------------------------------------------------------------
Sun Jan 29 14:29:51 UTC 2012 - jengelh@medozas.de

- Remove redundant tags/sections per specfile guideline suggestions

-------------------------------------------------------------------
Sat Jun 11 04:46:46 UTC 2011 - crrodriguez@opensuse.org

- Update to version 0.99.5

-------------------------------------------------------------------
Sun Apr 10 19:21:16 UTC 2011 - crrodriguez@opensuse.org

- Initial version