lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-19 01:04:04 +03:00
Code
33,152 Commits 172 Branches 267 Tags
Commit Graph

12340 Commits

Author SHA1 Message Date
Gilles Peskine
b40d33b7c8 Move most TLS handshake defragmentation tests to a separate file 
Prepare for those test cases to be automatically generated by a script.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 16:13:19 +01:00
Gilles Peskine
4773333dc6 New generated file: tests/opt-testcases/handshake-generated.sh 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 16:13:19 +01:00
Valerio Setti
1027c4cc3c psasim: add support for psa_can_do_hash() 
This commit also includes regenerated C and H files.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-03-03 15:36:14 +01:00
Valerio Setti
886fa8d71a psasim: add support for psa_export_public_key_iop 
This commit also includes regenerated C and H files.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-03-03 15:35:47 +01:00
Gilles Peskine
5df993dcc9 Merge remote-tracking branch 'development' into tls-defragmentation-merge-development-20250303 2025-03-02 21:15:58 +01:00
Minos Galanakis
4354dc646f ssl-opt: Re-introduce certificate dependency for HS negative tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 22:40:37 +00:00
Minos Galanakis
0dd57a9913 ssl-opt: Removed dependencies for HS defrag negative tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 18:05:48 +00:00
Minos Galanakis
d01ac30cfa ssl-opt: Adjusted reference hs defragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:11:21 +00:00
Minos Galanakis
76957cceab ssl-opt: Minor typos and documentation fixes. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:11:21 +00:00
Minos Galanakis
19dbbe0958 analyze_outcomes: Temporary disabled 3 HS Degragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 11:46:36 +00:00
Minos Galanakis
17170a5ed2 ssl-opt: Updated documentation of HS-Defrag tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 11:40:33 +00:00
Minos Galanakis
c8709c6a85 ssl-opt: Removed redundant dependencies: requires_openssl_3_x 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-26 17:12:01 +00:00
Gilles Peskine
640512eb90 mbedtls_ssl_set_hostname tests: add tests with CA callback 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-24 18:48:49 +01:00
Gilles Peskine
856a370628 Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-24 18:48:49 +01:00
Gilles Peskine
488b91929d Require calling mbedtls_ssl_set_hostname() for security 
In a TLS client, when using certificate authentication, the client should
check that the certificate is valid for the server name that the client
expects. Otherwise, in most scenarios, a malicious server can impersonate
another server.

Normally, the application code should call mbedtls_ssl_set_hostname().
However, it's easy to forget. So raise an error if mandatory certificate
authentication is in effect and mbedtls_ssl_set_hostname() has not been
called. Raise the new error code
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, for easy
identification.

But don't raise the error if the backward compatibility option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is
enabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-24 18:48:49 +01:00
Gilles Peskine
434016e2eb Keep track of whether mbedtls_ssl_set_hostname() has been called 
No behavior change apart from now emitting a different log message depending
on whether mbedtls_ssl_set_hostname() has been called with NULL or not at all.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-24 18:47:44 +01:00
Minos Galanakis
cd6a24b288 ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:27:09 +00:00
Minos Galanakis
99ca6680f2 ssl-opt: Replaced max_send_frag with split_send_frag 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
a5a8c9f5c9 ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
d708a63857 ssl-opt: Updated documentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
36c81f5f05 ssl-opt: Added DSA-RSA dependency on TLS1.2 defragmentation testing. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
74ce7498d7 ssl-opt: Added negative tests for handshake fragmentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
1c106afd22 ssl-opt: Added handshake fragmentation tests for 4 byte fragments. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
41782a9cd0 ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled) 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
85fe73d55d ssl-opt: Added tls 1.2 tests for HS defragmentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
a4dde77cbe ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
a8a298c9d6 ssl-opt: Adjusted the wording on handshake fragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
a1b9117f17 ssl-opt: Added requires_openssl_3_x to defragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Minos Galanakis
270dd7462e ssl-opt: Updated the keywords to look up during handshake fragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
4028cfd9ca Add missing client certificate check in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
5f21537c2a Test Handshake defragmentation only for TLS 1.3 only for small values 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
a75c7e09c8 Add guard to handshake defragmentation tests for client certificate 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
f162249e87 Add a comment to elaborate using split_send_frag in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
61b8e2d225 Enforce client authentication in handshake fragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
39d83dd38d Remove unneeded mtu option from handshake fragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
48874b3aba Add client authentication to handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
f9120311e3 Require openssl to support TLS 1.3 in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
fccd014c2d Remove unnecessary string check in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
c0118d87b9 Fix typo in TLS Handshake defrafmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
0e0d5d4dc8 Improve TLS handshake defragmentation tests 
* Add tests for the server side.
* Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3.
* Use latest version of openSSL to make sure -max_send_frag &
  -split_send_frag flags are supported.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Waleed Elmelegy
79a8ded315 Add TLS Hanshake defragmentation tests 
Tests uses openssl s_server with a mix of max_send_frag
and split_send_frag options.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-24 09:16:06 +00:00
Gilles Peskine
e5054e495a mbedtls_ssl_set_hostname tests: baseline 
Test the current behavior.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-20 19:24:16 +01:00
Gilles Peskine
58b399e81e Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-20 18:51:14 +01:00
Harry Ramsey
21506fd7f1 Update documentation regarding metatest 
This commit updates the paths in the documentation for metatest.c as it
has been moved to MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 15:30:25 +00:00
Harry Ramsey
9b4035cc9e Update path for moved test_zeroize.gdb script 
This commit updates the path for the moved test_zeroize.gdb script which
has been moved to MbedTLS-Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 15:30:25 +00:00
Harry Ramsey
d096793c3f Update paths for moved program files in components-build-system.sh 
This commit updates the paths for dlopen_demo.sh in
components-build-system.sh as the file has been moved to the framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 15:30:25 +00:00
Harry Ramsey
b14141dd71 Move programs out of Mbed TLS 
This commit moves demo_common.sh, dlopen_demo.sh, metatest.c
query_compile_time_config.c, query_config.h, query_included_headers.c,
zeroize.c and test_zeroize.gdb from MbedTLS into the MbedTLS framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 15:17:32 +00:00
Harry Ramsey
2a75a60d34 Update path to user-config-zeroize-memset.h 
This commit updates the path to user-config-zeroize-memset.h as it has
been moved to TF-PSA-Crypto.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 08:03:57 +00:00
Harry Ramsey
76e476245a Move zeroize config to TF-PSA-Crypto 
This commit moves user-config-zeroize-memset.h to TF-PSA-Crypto where it
more appropriately belongs.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-19 08:03:57 +00:00
Valerio Setti
24e6ecb502 tests: move components-compliance.sh to tf-psa-crypto repo 
This file is cancelled from the Mbed TLS repo and copied to the
TF-PSA-Crypto one.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-17 17:40:08 +01:00