Gilles Peskine
c34ea472fb
Fix the build without MBEDTLS_DEBUG_C
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
074267282f
Fix the build in PSK-only configurations
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
bc694b3cbd
Fix printf of enum
...
The enum is promoted to `int`, so `%d` is a correct format,
but `gcc -Wformat` complains.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
7ab9fb6d14
Pacify ancient clang -Wmissing-initializer
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
7c1dbeff49
Test split, coalesced-split and empty handshake records
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
92122edf4b
Create handshake record coalescing tests
...
Create tests that coalesce the handshake messages in the first flight from
the server. This lets us test the behavior of the library when a handshake
record contains multiple handshake messages.
Only non-protected (non-encrypted, non-authenticated) handshake messages are
supported.
The test code works for all protocol versions, but it is only effective in
TLS 1.2. In TLS 1.3, there is only a single non-encrypted handshake record,
so we can't test records containing more than one handshake message without
a lot more work.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
a4bf00227f
Document gotcha of move_handshake_to_state
...
A single call to move_handshake_to_state() can't do a full handshake.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
c67befee6a
Add a log message on every SSL state transition
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:26 +02:00
Gilles Peskine
f670ba5e52
Always call mbedtls_ssl_handshake_set_state
...
Call a single function for all handshake state changes, for easier tracing.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-09 12:52:22 +02:00
Felix Conway
52bed3fcef
Update tf-psa-crypto & framework pointers
...
Signed-off-by: Felix Conway <felix.conway@arm.com >
2025-04-09 11:35:29 +01:00
Gilles Peskine
4580c71f67
Merge pull request #10118 from mpg/issue-template
...
Update bug report template for security issues
2025-04-09 10:07:41 +00:00
Felix Conway
1ef121c9b9
Move script and update shebang to fix CI
...
Signed-off-by: Felix Conway <felix.conway@arm.com >
2025-04-09 09:51:13 +01:00
Felix Conway
e6605f9185
Adjust build scripts to accommodate public header move
...
Signed-off-by: Felix Conway <felix.conway@arm.com >
2025-04-08 14:26:29 +01:00
Gilles Peskine
946bf14608
Fix some test helper functions returning 0 on some failures
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-08 09:48:40 +02:00
Gilles Peskine
55b8bb43e7
Check the status of mbedtls_ssl_set_hostname()
...
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com >
2025-04-08 09:44:34 +02:00
Gilles Peskine
3b819cf22f
Merge pull request #10109 from mpg/merge-from-restricted
...
Merge from restricted
2025-04-07 14:04:06 +00:00
Manuel Pégourié-Gonnard
f02784bb2c
Tune wording
...
- add more emphasis
- fix a typo
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2025-04-07 10:49:49 +02:00
Ronald Cron
16be0f09cf
Merge pull request #10008 from valeriosetti/issue138-development
...
[development] Add test_tf_psa_crypto_cmake_shared to components-build-system.sh
2025-04-04 18:11:00 +02:00
Valerio Setti
48e5c958a7
tf-psa-crypto: update reference
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no >
2025-04-04 13:51:28 +02:00
Valerio Setti
0690a63472
framework: update reference
...
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no >
2025-04-04 13:51:22 +02:00
Manuel Pégourié-Gonnard
09e35e7ac8
Update bug report template for security issues
...
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com >
2025-04-04 12:59:49 +02:00
Ronald Cron
8bbe60a67f
Merge pull request #10102 from ronald-cron-arm/check-generated-files-follow-up
...
Check generated files follow-up
2025-04-02 20:55:45 +00:00
Ronald Cron
33770e75c3
Update tf-psa-crypto pointer
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-04-01 22:30:42 +02:00
Ronald Cron
96121ed94f
Update framework pointer
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-04-01 22:30:33 +02:00
Manuel Pégourié-Gonnard
ed4a2b4f0a
Merge branch 'development-restricted' into merge-from-restricted
...
* development-restricted:
Add missing credit for set_hostname issue
Add changelog entry for TLS 1.2 Finished fix
TLS1.2: Check for failures in Finished calculation
ssl_session_reset: preserve HOSTNAME_SET flag
Document the need to call mbedtls_ssl_set_hostname
Improve documentation of mbedtls_ssl_set_hostname
Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
mbedtls_ssl_set_hostname tests: add tests with CA callback
Call mbedtls_ssl_set_hostname in the generic endpoint setup in unit tests
Require calling mbedtls_ssl_set_hostname() for security
Create error code for mbedtls_ssl_set_hostname not called
Keep track of whether mbedtls_ssl_set_hostname() has been called
Access ssl->hostname through abstractions in certificate verification
mbedtls_ssl_set_hostname tests: baseline
Add a flags field to mbedtls_ssl_context
Automate MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK dependency
Make guards more consistent between X.509-has-certs and SSL-has-certs
Fix Doxygen markup
Make ticket_alpn field private
Conflicts:
programs/ssl/ssl_test_common_source.c
2025-04-01 09:40:47 +02:00
Manuel Pégourié-Gonnard
e2359585e4
Merge pull request #10078 from bjwtaylor/pk_rsa_alt-removal
...
Pk rsa alt removal
2025-04-01 07:32:46 +00:00
Ronald Cron
762c80199d
Use make_generated_files.py in make_generated_files.bat
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-03-31 17:18:03 +02:00
Ronald Cron
444db895f7
Remove check-generated-files.sh
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-03-31 17:18:03 +02:00
Ronald Cron
694cbfa6de
Merge pull request #10101 from ronald-cron-arm/remove-all-sh-wrapper
...
Remove all.sh wrapper
2025-03-31 09:36:25 +00:00
Ronald Cron
5d9b9d244f
Rename mbedtls-all.sh to just all.sh
...
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-03-29 10:06:38 +01:00
Ronald Cron
8e2d40dbec
Remove all.sh wrapper
...
Now that in TF-PSA-Crypto CI, the TF-PSA-Crypto
all.sh components are run in pure TF-PSA-Crypto
context, there is no need to run them as part of
mbedtls CI anymore. The all.sh wrapper wrapping
./tests/scripts/mbedtls-all.sh and
./tf-psa-crypto/tests/scripts/all.sh can be
removed.
Signed-off-by: Ronald Cron <ronald.cron@arm.com >
2025-03-29 10:01:53 +01:00
Max Fillinger
1a1ec2fcce
Fix up merge conflict resolution
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:54:08 +01:00
Max Fillinger
29f8f9a49d
Fix dependencies for TLS-Exporter tests
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
7577c9e373
Fix doxygen for MBEDTLS_SSL_KEYING_MATERIAL_EXPORT
...
Error was introduced while resolving a merge conflict.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
af2035fcad
Fix mistake in previous comment change
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
ee33b31f0b
Fix HkdfLabel comment
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
5826883ca5
Allow maximum label length in Hkdf-Expand-Label
...
Previously, the length of the label was limited to the maximal length
that would be used in the TLS 1.3 key schedule. With the keying material
exporter, labels of up to 249 bytes may be used.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
9f843332e8
Exporter: Add min. and max. label tests
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
9c5bae5026
Fix max. label length in key material exporter
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
53d9168502
Document BAD_INPUT_DATA error in key material exporter
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
d23579c746
Fix requirements for TLS 1.3 Exporter compat test
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
22728dc5e3
Use mbedtls_calloc, not regular calloc
...
Also fix the allocation size.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
4e21703bcf
Add fixed compatibility test for TLS 1.3 Exporter
...
When testing TLS 1.3, use O_NEXT_CLI.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
7b97712164
Remove exporter compatibility test for TLS 1.3
...
The openssl version in the docker image doesn't support TLS 1.3, so we
can't run the test.
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
6d53a3a647
Fix openssl s_client invocation
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
f8059db4ee
Print names of new tests properly
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
144cccecb7
Fix memory leak in example programs
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
92b7a7e233
ssl-opt.sh: Add tests for keying material export
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00
Max Fillinger
ee467aae69
mbedtls_test_ssl_do_handshake_with_endpoints: Zeroize endpoints
...
Signed-off-by: Max Fillinger <max@max-fillinger.net >
2025-03-28 17:08:12 +01:00
Max Fillinger
d6e0095478
Exporter tests: Don't use unavailbable constant
...
Signed-off-by: Max Fillinger <maximilian.fillinger@foxcrypto.com >
2025-03-28 17:08:12 +01:00