1
0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-07-10 10:40:59 +03:00
Commit Graph

12456 Commits

Author SHA1 Message Date
ab02cd5e7b Revert "Delete test cases"
This reverts commit ecc5d31139dc6877f135e8090e805c250e32a31d.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
cdd34742cf Fix test case name
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
973a712dd8 Migrate to a usable ciphersuite
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
ff9b2e742a Delete test cases
Only RSA cipgersuits are accepted for these tests and there is no ECDHE-RSA
alternative for AES-128-CCM so delete them.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
dd7c0f1e66 Fix ciphersuit
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
9d7fd3dfe1 Migrate the RSA key exchage tests
Migrate to ECDHE-ECDSA instead of PSK

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
00ab71035e Delete SSL async decryption tests
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:46 +01:00
fc42c22c7b Migrate RSA key exchange tests
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2025-03-05 12:18:30 +01:00
371a1aab87 psasim: update README file
The README file content dates back to the early stages of PSASIM
development. Since then a lot of things have changed, so the README
file required a complete rewrite.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-05 11:02:32 +01:00
461899e382 analyze_outcomes.py: remove exceptions for MBEDTLS_DHM_C
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-05 10:11:22 +01:00
eb63eb2a6a etests: remove MBEDTLS_DHM_C/DHM occurrencies
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-05 10:11:22 +01:00
e0bd20bd58 Generate handshake defragmentation test cases: update analyze_outcomes
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-04 18:24:52 +01:00
f89bc27603 Switch to generated handshake tests
Replace `tests/opt-testcases/handshake-manual.sh` by
`tests/opt-testcases/handshake-generated.sh`. They are identical except for
comments.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
5071a25320 Normalize requirements in defragmentation test cases
Be more uniform in where certificate authentication and ECDSA are explicitly
required. A few test cases now run in PSK-only configurations where they
always could. Add a missing requirement on ECDSA to test cases that are
currently skipped.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
46cb8a2aa9 Normalize messages in defragmentation test cases
Make some test case descriptions and log patterns follow more systematic
patterns.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
aaab090ad8 Normalize whitespace in defragmentation test cases
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
b40d33b7c8 Move most TLS handshake defragmentation tests to a separate file
Prepare for those test cases to be automatically generated by a script.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
4773333dc6 New generated file: tests/opt-testcases/handshake-generated.sh
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-03-03 16:13:19 +01:00
1027c4cc3c psasim: add support for psa_can_do_hash()
This commit also includes regenerated C and H files.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-03 15:36:14 +01:00
886fa8d71a psasim: add support for psa_export_public_key_iop
This commit also includes regenerated C and H files.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-03-03 15:35:47 +01:00
5df993dcc9 Merge remote-tracking branch 'development' into tls-defragmentation-merge-development-20250303 2025-03-02 21:15:58 +01:00
4354dc646f ssl-opt: Re-introduce certificate dependency for HS negative tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 22:40:37 +00:00
0dd57a9913 ssl-opt: Removed dependencies for HS defrag negative tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 18:05:48 +00:00
d01ac30cfa ssl-opt: Adjusted reference hs defragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:11:21 +00:00
76957cceab ssl-opt: Minor typos and documentation fixes.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:11:21 +00:00
19dbbe0958 analyze_outcomes: Temporary disabled 3 HS Degragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 11:46:36 +00:00
17170a5ed2 ssl-opt: Updated documentation of HS-Defrag tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 11:40:33 +00:00
c8709c6a85 ssl-opt: Removed redundant dependencies: requires_openssl_3_x
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-26 17:12:01 +00:00
640512eb90 mbedtls_ssl_set_hostname tests: add tests with CA callback
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-24 18:48:49 +01:00
856a370628 Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-24 18:48:49 +01:00
488b91929d Require calling mbedtls_ssl_set_hostname() for security
In a TLS client, when using certificate authentication, the client should
check that the certificate is valid for the server name that the client
expects. Otherwise, in most scenarios, a malicious server can impersonate
another server.

Normally, the application code should call mbedtls_ssl_set_hostname().
However, it's easy to forget. So raise an error if mandatory certificate
authentication is in effect and mbedtls_ssl_set_hostname() has not been
called. Raise the new error code
MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME, for easy
identification.

But don't raise the error if the backward compatibility option
MBEDTLS_SSL_CLI_ALLOW_WEAK_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME is
enabled.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-24 18:48:49 +01:00
434016e2eb Keep track of whether mbedtls_ssl_set_hostname() has been called
No behavior change apart from now emitting a different log message depending
on whether mbedtls_ssl_set_hostname() has been called with NULL or not at all.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-24 18:47:44 +01:00
cd6a24b288 ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:27:09 +00:00
99ca6680f2 ssl-opt: Replaced max_send_frag with split_send_frag
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
a5a8c9f5c9 ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
d708a63857 ssl-opt: Updated documentation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
36c81f5f05 ssl-opt: Added DSA-RSA dependency on TLS1.2 defragmentation testing.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
74ce7498d7 ssl-opt: Added negative tests for handshake fragmentation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
1c106afd22 ssl-opt: Added handshake fragmentation tests for 4 byte fragments.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
41782a9cd0 ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
85fe73d55d ssl-opt: Added tls 1.2 tests for HS defragmentation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
a4dde77cbe ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
a8a298c9d6 ssl-opt: Adjusted the wording on handshake fragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
a1b9117f17 ssl-opt: Added requires_openssl_3_x to defragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
270dd7462e ssl-opt: Updated the keywords to look up during handshake fragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-24 09:16:06 +00:00
4028cfd9ca Add missing client certificate check in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-24 09:16:06 +00:00
5f21537c2a Test Handshake defragmentation only for TLS 1.3 only for small values
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-24 09:16:06 +00:00
a75c7e09c8 Add guard to handshake defragmentation tests for client certificate
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-24 09:16:06 +00:00
f162249e87 Add a comment to elaborate using split_send_frag in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-24 09:16:06 +00:00
61b8e2d225 Enforce client authentication in handshake fragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-24 09:16:06 +00:00