Add crypto configuration components#769
Open
ronald-cron-arm wants to merge 1834 commits intoMbed-TLS:developmentfrom
Open
Add crypto configuration components#769ronald-cron-arm wants to merge 1834 commits intoMbed-TLS:developmentfrom
ronald-cron-arm wants to merge 1834 commits intoMbed-TLS:developmentfrom
Conversation
At initialization, set the verify_result field of the ssl session to MBEDTLS_X509_VERIFY_NOT_STARTED, rather than 0 as it is by default currently. This prevents mbedtls_ssl_get_verify_result() from indicating that certificate verification has passed if it is called prior to the handshake happening. Signed-off-by: David Horstmann <david.horstmann@arm.com>
Write a testcase to get verify_result before we have performed a handshake and make sure that it is initialised to a failure value. Signed-off-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Since we explicitly document the value 0xFFFFFFFF or -1u as representing 'result not available', we can use it as a sensible default value without creating an API change. Use this value instead of introducing a new verification result value. Signed-off-by: David Horstmann <david.horstmann@arm.com>
Initialize the verify_result field in mbedtls_ssl_session_free(). Previously we were just zeroising the entire session object, which would yield a default 'success' value if the same object were reused. Test that this initialisation is actually happening by setting verify_result manually to zero and calling mbedtls_ssl_session_free() on the session before checking its value. Signed-off-by: David Horstmann <david.horstmann@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
The generated unit tests have the input parameters in large stack buffers and therefore ASan doesn't notice under or overflows in them. Copy the input parameter into a locally allocated buffer to trigger ASan if something goes wrong. Signed-off-by: Janos Follath <janos.follath@arm.com>
The flawed condition made us accept invalid IPv6 addresses and in some cases lead to a buffer underread. Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
Signed-off-by: Janos Follath <janos.follath@arm.com>
We were accidentally running the check in TF-PSA-Crypto instead of in Mbed TLS. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…TLS 1.2 TLS-PRF uses either SHA-256 and SHA-384, so the removed paragraph was not correct. The correct version is already available few lines below in the same header file. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
…erated_files-mbedtls-actually_check_mbedtls Actually check committed generated files
When we are using PSK or when authmode == MBEDTLS_SSL_VERIFY_NONE, we intentionally do not verify the certificate. In these cases, do not keep verify_result at -1u but set it to MBEDTLS_X509_BADCERT_SKIP_VERIFY to indicate that no certificate verification took place. Signed-off-by: David Horstmann <david.horstmann@arm.com>
Fix buffer underflow in `x509_inet_pton_ipv6()`
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We do not return failure, but return -1u which is documented as a value that indicates that the result is not available. Signed-off-by: David Horstmann <david.horstmann@arm.com>
…-4.0 Minor improvements to bump_version.sh
In the TLS-Exporter for TLS 1.3 we mistakenly call PSA_HASH_LENGTH() on an mbedtls_md_type_t when it should be called on a psa_algorithm_t. Fortunately, these two types have almost the same values, since we have previously aligned them to make conversion more efficient. As a result, PSA_HASH_LENGTH() produces exactly the same value when called on an mbedtls_md_type_t as with the equivalent psa_algorithm_t. Thanks to this happy coincidence, fix a largely cosmetic issue (rather than a major functional bug). Signed-off-by: David Horstmann <david.horstmann@arm.com>
…0260216 Update submodules
…nversion-tls-exporter Fix missing type conversion in the TLS-Exporter
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Introduce branch specific make_generated_files.py and use it in the development branch. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
…add-4.1-mbedtls Add 1.1 line to the PR template
…create-directory-dev development: Create a directory for maintainer-only Python scripts
…omponents Append all components-configuration-crypto.sh components of mbedtls/development as of 8426c9b. Merge of mbedtls/development where all the "new" mbedtls files are removed, all the conflicts are resolved by taking "ours" but for the tests/scripts/components-configuration-crypto.sh file.
Remove component_test_psa_crypto_config_(accel|reference)_* components and associated utility functions. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
component_build_psa_config_file and component_build_crypto_baremetal are not needed in TF-PSA-Crypto context. They are respectively duplicate of component_tf_psa_crypto_build_custom_config_file in components-build-system.sh and component_build_baremetal (to be added in components-configuration.sh, see Mbed-TLS#117). The others will be re-introduced later: component_build_aes_variations: covered by Mbed-TLS#81 component_build_psa_alt_headers: covered by Mbed-TLS#81 component_test_psa_crypto_drivers: covered by Mbed-TLS#768 component_depends_py_*: see Mbed-TLS/mbedtls-docs#201 Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Adding back the call is covered by Mbed-TLS#140. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The program selftest does not exist in TF-PSA-Crypto and it is not sure we will have one, see Mbed-TLS#128. Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
ronald-cron-arm
changed the title
ronald-cron-arm
added
enhancement
ronald-cron-arm
added
needs-review
valeriosetti
requested changes
Apr 29, 2026
Contributor
valeriosetti
left a comment
valeriosetti
left a comment
There was a problem hiding this comment.
There are also a couple of remaining references to library/libmbedcrypto.a
| ctest | ||
| } | ||
|
|
||
| # Check that the specified libraries exist and are empty. |
Contributor
There was a problem hiding this comment.
This comment was related to the function are_empty_libraries() which has been removed. Should we remove it as well?
ronald-cron-arm
removed
the
needs-reviewer
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
8 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Description
Add the equivalent of all Mbed TLS components-configuration-crypto.sh but:
Only 14 commits to review starting from ab99f98 (merge commit to get the Mbed TLS components-configuration-crypto.sh components and their history into TF-PSA-Crypto).
PR checklist