Merge defragmentation feature branch onto 3.6 #10056
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Co-authored-by: minosgalanakis <30719586+minosgalanakis@users.noreply.github.com> Signed-off-by: Deomid Ryabkov <rojer@rojer.me>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Except the first Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
The first fragment of a fragmented handshake message always starts at the beginning of the buffer so there's no need to store it. Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
No behavior change. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Prepare to unify two fields of the `mbedtls_ssl_context` structure: `badmac_seen` (always present but only used in DTLS) and `in_hsfraglen` (always present but only used in non-DTLS TLS). Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the `mbedtls_ssl_context` structure, change the type of `in_hsfraglen` from `size_t` to `unsigned`. This is in preparation for merging `in_hsfraglen` into `badmac_seen_or_in_hsfraglen`, which has the type `unsigned` and cannot change since we do not want to change the ABI. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In the `mbedtls_ssl_context` structure, merge the field `in_hsfraglen` into `badmac_seen_or_in_hsfraglen`. This restores the ABI of `libmbedtls` as it was in Mbed TLS 3.6.0 through 3.6.2. The field `badmac_seen_or_in_hsfraglen` (formerly `badmac_seen`) was only used for DTLS (despite being present in non-DTLS builds), and the field `in_hsfraglen` was only used in non-DTLS TLS. Therefore the two values can be stored in the same field. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
tation. h/t @waleed-elmelegy-arm Mbed-TLS@909e716 Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com> Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com> Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
…g_in-3.6-badmac_seen [Backport 3.6] Defragment incoming TLS handshake messages (reuse badmac_seen)
Tests uses openssl s_server with a mix of max_send_frag and split_send_frag options. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
* Add tests for the server side. * Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3. * Use latest version of openSSL to make sure -max_send_frag & -split_send_frag flags are supported. Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
…entation tests Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…ent-doc-3.6 Backport 3.6: Document the limitations of TLS handshake message defragmentation
minosgalanakis
added
size-s
6 tasks
minosgalanakis
changed the title
…' into feature_merge_defragmentation_36 Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
minosgalanakis
force-pushed
the
feature_merge_defragmentation_36
branch
from
15efb49 to
51668e5
Compare
3 tasks
gilles-peskine-arm
approved these changes
Mar 12, 2025
There was a problem hiding this comment.
104bd06 is a correct merge with no conflicts (apart from an automatic framework submodule reconciliation) of the https://github.com/Mbed-TLS/mbedtls/tree/features/tls-defragmentation/3.6 branch.
The ABI changes are ok:
- Removed
mbedtls_ssl_reset_in_out_pointers, which is an undocumented function that's internal to libmbedtls. - Renamed a field in
mbedtls_ssl_context, which does not change the syntactic ABI, and the semantic effect was approved in [Backport 3.6] Defragment incoming TLS handshake messages (reuse badmac_seen) #9981.
This PR is the merge plus a framework submodule pointer update to Mbed-TLS/mbedtls-framework#148 . As that is currently a descendant of the head of https://github.com/Mbed-TLS/mbedtls-framework/tree/development, it can be merged as is.
|
The ABI-API checker points out changes but these are all to private fields/functions, so acceptable for an LTS branch. |
mpg
added
approved
Merged
via the queue into
Mbed-TLS:mbedtls-3.6
with commit Mar 13, 2025
5b11416
4 of 6 checks passed
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Description
Merging the defragmentation feature branch back into mbedtls 3.6 branch
PR checklist
Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.