lib/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-09-11 12:10:46 +03:00
Code Activity
32,156 Commits 174 Branches 272 Tags
mbedtls-3.6.4
Commit Graph

11911 Commits

Author SHA1 Message Date
Gilles Peskine
cc856a2c0e Handshake defragmentation: reassemble incrementally 
Reassemble handshake fragments incrementally instead of all at the end. That
is, every time we receive a non-initial handshake fragment, append it to the
initial fragment. Since we only have to deal with at most two handshake
fragments at the same time, this simplifies the code (no re-parsing of a
record) and is a little more memory-efficient (no need to store one record
header per record).

This commit also fixes a bug. The previous code did not calculate offsets
correctly when records use an explicit IV, which is the case in TLS 1.2 with
CBC (encrypt-then-MAC or not), GCM and CCM encryption (i.e. all but null and
ChachaPoly). This led to the wrong data when an encrypted handshake message
was fragmented (Finished or renegotiation). The new code handles this
correctly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-05 17:03:20 +01:00
Gilles Peskine
9d54be57b0 Generate handshake defragmentation test cases: update analyze_outcomes 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-05 10:08:21 +01:00
Gilles Peskine
2e7f2a2e48 Switch to generated handshake tests 
Replace `tests/opt-testcases/handshake-manual.sh` by
`tests/opt-testcases/handshake-generated.sh`. They are identical except for
comments, and for some extra dependencies on
`MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` which are needed in `development,
but not in `mbedtls-3.6. Those dependencies don't hurt the useful coverage
of the tests, so we'll live with them.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 21:03:22 +01:00
Gilles Peskine
6183a645fc Normalize requirements in defragmentation test cases 
Be more uniform in where certificate authentication and ECDSA are explicitly
required. A few test cases now run in PSK-only configurations where they
always could. Add a missing requirement on ECDSA to test cases that are
currently skipped.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 21:00:50 +01:00
Gilles Peskine
49e1ed277e Normalize messages in defragmentation test cases 
Make some test case descriptions and log patterns follow more systematic
patterns.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 21:00:50 +01:00
Gilles Peskine
8321ab574c Normalize whitespace in defragmentation test cases 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 21:00:50 +01:00
Gilles Peskine
8ef2e74704 Move most TLS handshake defragmentation tests to a separate file 
Prepare for those test cases to be automatically generated by a script.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 21:00:48 +01:00
Gilles Peskine
28f953c5ec New generated file: tests/opt-testcases/handshake-generated.sh 
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-03-03 20:58:32 +01:00
Waleed Elmelegy
cba05ece2b Replace zero by PSA_ALG_NONE in key derivation test function 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-03-03 12:48:40 +00:00
Waleed Elmelegy
07e5739115 Replace zero by PSA_ALG_NONE in key derivation testing 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-03-03 12:48:16 +00:00
Waleed Elmelegy
b6ed6f72cd Simplify testing psa_key_derivation_input_*() bad state 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-03-03 12:45:43 +00:00
Waleed Elmelegy
72b391fe07 Fix psa_key_derivation_input_integer() not detecting bad state 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-03-03 12:37:02 +00:00
Gilles Peskine
e0f1240cd5 Merge remote-tracking branch 'mbedtls-3.6' into tls-defragmentation-merge-3.6-20250303 2025-03-02 21:16:08 +01:00
Minos Galanakis
5764816335 ssl-opt: Re-introduce certificate dependency for HS negative tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 22:39:56 +00:00
Minos Galanakis
97a24ebdb1 ssl-opt: Removed dependencies for HS defrag negative tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 18:11:20 +00:00
Minos Galanakis
48348261d4 ssl-opt: Adjusted reference hs defragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:26:25 +00:00
Minos Galanakis
19d857d74c ssl-opt: Minor typos and documentation fixes. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:26:24 +00:00
Minos Galanakis
21e4f21df9 analyze_outcomes: Temporary disabled 3 HS Degragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:25:50 +00:00
Minos Galanakis
618ad79395 ssl-opt: Updated documentation of HS-Defrag tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:25:50 +00:00
Minos Galanakis
bb1bd8bf9e ssl-opt: Removed redundant dependencies: requires_openssl_3_x 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:25:49 +00:00
Minos Galanakis
065b89c7ad ssl-opt.sh: Disabled HS Defrag Tests for TLS1.2 where len < 16 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:24:37 +00:00
Minos Galanakis
4335125664 ssl-opt: Replaced max_send_frag with split_send_frag 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:24:37 +00:00
Minos Galanakis
ee8e7c3fb3 ssl-opt: Added coverage for hs defragmentation TLS 1.2 tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:24:35 +00:00
Minos Galanakis
e6dbf495b1 ssl-opt: Updated documentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:23:38 +00:00
Minos Galanakis
79693bf48a ssl-opt: Added negative tests for handshake fragmentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:41 +00:00
Minos Galanakis
03ae352340 ssl-opt: Added handshake fragmentation tests for 4 byte fragments. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:41 +00:00
Minos Galanakis
871469a106 ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled) 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:41 +00:00
Minos Galanakis
48aa2deb0b ssl-opt: Added tls 1.2 tests for HS defragmentation. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:40 +00:00
Minos Galanakis
1d47cebde1 ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:40 +00:00
Minos Galanakis
502da02817 ssl-opt: Adjusted the wording on handshake fragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:40 +00:00
Minos Galanakis
9886fd17db ssl-opt: Added requires_openssl_3_x to defragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:40 +00:00
Minos Galanakis
afb428e584 ssl-opt: Updated the keywords to look up during handshake fragmentation tests. 
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
 2025-02-27 15:20:40 +00:00
Waleed Elmelegy
c5f1ba3d50 Add missing client certificate check in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:40 +00:00
Waleed Elmelegy
5fc8d3f035 Test Handshake defragmentation only for TLS 1.3 only for small values 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:39 +00:00
Waleed Elmelegy
be59ab5671 Add guard to handshake defragmentation tests for client certificate 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:39 +00:00
Waleed Elmelegy
99f4691bd6 Add a comment to elaborate using split_send_frag in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:39 +00:00
Waleed Elmelegy
57f61f82fd Enforce client authentication in handshake fragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:39 +00:00
Waleed Elmelegy
826fc5c383 Remove unneeded mtu option from handshake fragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:39 +00:00
Waleed Elmelegy
e9b08846da Add client authentication to handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:38 +00:00
Waleed Elmelegy
1b2590b125 Require openssl to support TLS 1.3 in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:38 +00:00
Waleed Elmelegy
5b7c8bb064 Remove unnecessary string check in handshake defragmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:38 +00:00
Waleed Elmelegy
8870b99da4 Fix typo in TLS Handshake defrafmentation tests 
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:38 +00:00
Waleed Elmelegy
e11d8c9333 Improve TLS handshake defragmentation tests 
* Add tests for the server side.
* Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3.
* Use latest version of openSSL to make sure -max_send_frag &
  -split_send_frag flags are supported.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:38 +00:00
Waleed Elmelegy
29581ce229 Add TLS Hanshake defragmentation tests 
Tests uses openssl s_server with a mix of max_send_frag
and split_send_frag options.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
 2025-02-27 15:20:37 +00:00
Gilles Peskine
cbe6529170 Run part of ssl-opt.sh in full_no_deprecated 
In particular, run the test case
"Authentication: hostname unset, client required, secure config, CA callback"

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
 2025-02-25 18:46:12 +01:00
Valerio Setti
c516307ad9 md: allow dispatch to PSA whenever CRYPTO_CLIENT is enabled 
Instead of allowing PSA dispatching only when CRYPTO_C is set and
some MBEDTLS_PSA_ACCEL_ALG_xxx is set, we enable dispatching
when CRYPTO_CLIENT and PSA_WANT_ALG_xxx are set. This makes
the feature more useful in cases where the PSA support is
provided externally, like for example TF-M in Zephyr.

This commit also add proper guards for tests trying to use MD+PSA
dispatch.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
 2025-02-21 13:13:24 +01:00
Harry Ramsey
4c1383a9f1 Update documentation regarding metatest 
This commit updates the paths in the documentation for metatest.c as it
has been moved to MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-20 14:51:26 +00:00
Harry Ramsey
d621d344c3 Update path for moved test_zeroize.gdb script 
This commit updates the path for the moved test_zeroize.gdb script which
has been moved to MbedTLS-Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-20 14:51:26 +00:00
Harry Ramsey
151e0892a1 Update paths for moved dlopen_demo.sh 
This commit updates the paths for dlopen_demo.sh in
components-build-system.sh as the file has been moved to the framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-20 14:51:26 +00:00
Harry Ramsey
0c6eb5d6e9 Move programs out of Mbed TLS 
This commit moves demo_common.sh, dlopen_demo.sh, metatest.c
query_compile_time_config.c, query_config.h, query_included_headers.c,
zeroize.c and test_zeroize.gdb from MbedTLS into the MbedTLS framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
 2025-02-17 11:43:55 +00:00