update to 3.6.5 #46
Open: tomi-font wants to merge 17 commits into nrfconnect:zephyr_mbedtls_v3.6.5 from tomi-font:bump_to_3.6.5
Conversation
Force-pushed 622da34 to c5b06d8
-This checks if GCM_C is enabled in gcm.h before including the functions. This was causing build issues when the GCM is disabled but GCM_ALT is enabled. Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit 819f6fe)
-Enable use of SNI without x509 by testing for MBEDTLS_SSL_SERVER_NAME_INDICATION -Note that this was updated for Mbed TLS v3.6.1 by additionally checking if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) is not defined to prevent duplicate symbols for mbedtls_ssl_check_cert_usage ref: NCSDK-15193 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (edited cherry pick of 5081e5b)
-Enable more TLS/DTLS types being auto-generated in documentation in Mbed TLS. Note that these are not in use in nRF Connect SDK documentation generation at the moment; this commit currently has no effect. ref: NCSDK-15193 This one conflicted because PREDEFINED was removed in the doxyfile. Check if this commit can be dropped. Conflict resolution is to bring back the old defines. Signed-off-by: Pete Skeggs <[email protected]> (cherry picked from commit b4e0e5c)
-Disabling this prevents in-field devices from returning errors when non ECJPAKE PSK is used for OpenThread devices. ref: NCSDK-14629 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 4c64e64)
-The runtime library expects key-bits to be set when it is not for cipher and ECDSA, this is fixed here. This may be an issue either in Mbed TLS or in nrf_cc3xx v0.9.14. Hence setting as a noup ref: NCSDK-13857 Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 427c287)
This makes sure that the content of the mutex inside the mbedtls_entropy_context is zeroed. This is a workaround because the CryptoCell runtime library will generate a fault if the mutex is not zeroed. This workaround will be reverted later when NCSDK-17004 is fixed. There is no reason to upstream this since it is a limitation in our CryptoCell runtime library and not an upstream limitation. Ref: NCSDK-8075 Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit 333c076)
The Oberon PSA core has some replacement headers but it also uses headers from the library folder. Since the headers and the C files in this folder perform inclusion with double quotes, this can create issues since the Oberon PSA core may use headers from this repo that it shouldn't. This moves the headers that the Oberon PSA core replaces to another folder so that they aren't accidentally included from the Oberon PSA core. Signed-off-by: Georgios Vasilakis <[email protected]> (cherry picked from commit d2d1dc7)
This is a temporary fix until NCSDK-26077 is fixed. The given hash algorithm for an ecdsa verify operation was just omitted by setting the algorithm for psa_verify_hash to PSA_ALG_ECDSA_ANY. As the PSA spec states: This is the same signature scheme as PSA_ALG_ECDSA(), but without specifying a hash algorithm, and skipping the message hashing operation. This algorithm is only recommended to sign or verify a sequence of bytes that are an already-calculated hash. Note that the input is padded with zeros on the left or truncated on the right as required to fit the curve size. So the input should be hashed but that's not the case for ecdsa_verify_psa, therefore changing it to PSA_ALG_ECDSA(hash_alg). Upstream PR: Mbed-TLS/mbedtls#8834 Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit 9462939)
This is a temporary noup as the mbed TLS PSA core hasn't adapted the final PSA PAKE APIs from the 1.2 spec. Once that is done this can be removed. Check the signature of psa_pake_setup and if psa_pake_get_implicit_key is removed and replaced with psa_pake_get_shared_key. Signed-off-by: Markus Swarowsky <[email protected]> (cherry picked from commit 9beb52e)
-This is a [nrf noup] because Mbed TLS doesn't currently support proper MBEDTLS_PSA_CRYPTO_CLIENT vs CRYPTO_C abstraction, and the effort to fix this is delayed in the Mbed TLS project (tacked on to Mbed TLS 4.X.Y timelines) Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 9e12479)
-This is a [nrf noup] because it does a change that is likely not easily supported in mainline Mbed TLS (where there is a clearer dependency on MBEDTLS_PSA_CRYPTO_C enabling legacy features and using a fallback to depend on e.g. MBEDTLS_ECP_C). -This adds include-folder additions for mbedtls/ecp.h in oid.c -This adds include-folder additions for mbedtls/ecp.h in pk_wrap.c and pk.h when MBEDTLS_USE_PSA_CRYPTO is set Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 467178f)
-Hoping to not have this addition Signed-off-by: Frank Audun Kvamtrø <[email protected]> (cherry picked from commit 904de73)
…S_MD_xxx_VIA_PSA" This reverts commit 460d2ee. This is a problematic addition from upstream because it prioritizes MBEDTLS_PSA_CRYPTO_C over MBEDTLS_PSA_CRYPTO_CLIENT. For us MBEDTLS_PSA_CRYPTO_CLIENT should come first as PSA_WANT_ALG_* is what we use. Signed-off-by: Tomi Fontanilles <[email protected]>
This change is re-applied from commit 2cc273b that was reverted to split it into separate noups. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 200fec3)
Make definitions from md.h available in psa_util.h. This change is re-applied from commit 2cc273b that was reverted to split it into separate noups. This is needed otherwise we get errors regarding missing definitions, e.g. of mbedtls_md_type_t in mbedtls_md_type_from_psa_alg(). Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit d0d966e)
Make block_cipher call into PSA. This allows code calling legacy CCM/GCM to end up calling PSA Crypto, especially useful from NS when TF-M is in use. This change is re-applied from commit 2cc273b that was reverted to split it into separate noups. Signed-off-by: Tomi Fontanilles <[email protected]> (cherry picked from commit 16832cf)
-This allows TF-M minimal configuration to still dispatch using legacy while we are waiting for more apps/samples to be ported to use PSA crypto APIs Signed-off-by: Frank Audun Kvamtrø <[email protected]> (edited cherry pick of 98603a8) Signed-off-by: Tomi Fontanilles <[email protected]>
Force-pushed 31e95cd to ad0600b
frkv (Contributor) approved these changes on Nov 7, 2025 and left a comment:
LGTM (verified the noup list)
Based off https://github.com/zephyrproject-rtos/mbedtls/tree/zephyr_mbedtls_v3.6.5.