Fix some build errors when MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED is false
but MBEDTLS_X509_CRT_PARSE_C is enabled. This is not a particularly useful
configuration, but for quick testing, it's convenient for it to work.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit updates the paths in documentation for test_zeroize since
it has been moved to MbedTLS Framework.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit updates the file paths necessary for dlopen_demo.sh,
metatest.c query_compile_time_config.c, query_config.h,
query_included_headers.c and zeroize.c.
This commit also adds a CFLAG to find header files now contained in the
framework.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit moves demo_common.sh, dlopen_demo.sh, metatest.c
query_compile_time_config.c, query_config.h, query_included_headers.c,
zeroize.c and test_zeroize.gdb from MbedTLS into the MbedTLS framework.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
Improve the description of the API changes in the changelog and
fix some incorrect alg selection variables in ssl_server2.c.
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Remove all code guarded by `PSA_WANT_ECC_SECP_K1_224`, which is not and will
not be implemented. (It would be K1_225 anyway, but we don't intend to
implement it anyway.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This reverts commit 939ce9d0d5.
Build mbedtls_test library of objects to link
with TLS and x509 test suites and programs
with mbedtls framework not TF-PSA-Crypto
one (when it will be there).
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit uses static paths in the makefile to create programs since
the script generate_visualc_files.pl cannot substitute variable paths.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit moves generate_psa_constants.py to tf-psa-crypto and updates
the paths inside the script necessary for that move.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit refactors the Makefile in the programs directory to remove
unused variables and consistent naming schemes.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit moves psa programs from the programs/psa directory to
tf-psa-crypto/programs/psa directory.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
The fuzzer needs both kinds of test helper so needs to include things
from both new and old locations.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Rename mbedcrypto target to tfpsacrypto and
prefix all cmake related variables with
tfpsacrypto instead of mbedcrypto.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The header structure was initialized only field by
field. This does not initialized the padding bytes
and MemSan was complaining with use of
uninitialized data in test_memsan all.sh component.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit disables printing strerror messages in test programs. This
is due to moving the functions back to Mbed TLS and wanting to keep
dependencies of programs small. The code has not been removed but simply
commented out for when these functions are reimplemented.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This commit adds Mbed TLS x509 as a library dependency for utility
programs. This is necessary for strerror.c to work correctly.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
This is harmless, but we might as well remove the unreachable line. If we
ever add a break to the loop and we don't think of changing the surrounding
code, it would make more sense not to set exit_code to SUCCESS.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
If MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE happens during the handshake, don't
show it as an "error". It might be an error, but it might also be a fact of
life if it happens during the second or more handshake: it can be a
duplicated packet or a close_notify alert from the previous connection,
which is hard to avoid and harmless.
Fixes#9652.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In Mbed TLS 4.0, all cryptography goes through PSA, so calling
psa_crypto_init() is now mandatory before starting a TLS connection (as was
the case in Mbed TLS 3.x with MBEDTLS_USE_PSA_CRYPTO enabled).
Switch the TLS sample programs to calling psa_crypto_init() unconditionally.
Otherwise TLS 1.3 connections fail, and (D)TLS 1.2 connections soon will.
This commit omits the test programs ssl_client2 and ssl_server2, which don't
require a change right now. They will be covered when we make
MBEDTLS_USE_PSA_CRYPTO always on.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is necessary when testing against OpenSSL 1.0.2g.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test against both OpenSSL and GnuTLS.
Don't use a proxy. It's not particularly useful here, and would complicate
figuring out port numbers.
Clean up compile-time requirements dtls_server.c: any certificate-based key
exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_fork_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
In the server, only write output for 10 seconds, not 100. That's enough time
to start concurrent clients if desired. 100 seconds causes ssl-opt to take a
very long time when the client actually listens to the whole input (which
`gnutls-cli` does, but not `openssl s_client`).
Clean up compile-time requirements in ssl_fork_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_pthread_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
Clean up compile-time requirements in ssl_pthread_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Test ssl_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.
Clean up compile-time requirements in ssl_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
