1
0
mirror of https://github.com/ARMmbed/mbedtls.git synced 2025-06-27 07:37:05 +08:00

31930 Commits

Author SHA1 Message Date
Minos Galanakis
03ae352340 ssl-opt: Added handshake fragmentation tests for 4 byte fragments.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:41 +00:00
Minos Galanakis
871469a106 ssl-opt: Added negative-assertion testing, (HS Fragmentation disabled)
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:41 +00:00
Minos Galanakis
48aa2deb0b ssl-opt: Added tls 1.2 tests for HS defragmentation.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:40 +00:00
Minos Galanakis
1d47cebde1 ssl-opt: Dependency resolving set to use to requires_protocol_version HS deframentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:40 +00:00
Minos Galanakis
502da02817 ssl-opt: Adjusted the wording on handshake fragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:40 +00:00
Minos Galanakis
9886fd17db ssl-opt: Added requires_openssl_3_x to defragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:40 +00:00
Minos Galanakis
afb428e584 ssl-opt: Updated the keywords to look up during handshake fragmentation tests.
Signed-off-by: Minos Galanakis <minos.galanakis@arm.com>
2025-02-27 15:20:40 +00:00
Waleed Elmelegy
c5f1ba3d50 Add missing client certificate check in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:40 +00:00
Waleed Elmelegy
5fc8d3f035 Test Handshake defragmentation only for TLS 1.3 only for small values
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:39 +00:00
Waleed Elmelegy
be59ab5671 Add guard to handshake defragmentation tests for client certificate
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:39 +00:00
Waleed Elmelegy
99f4691bd6 Add a comment to elaborate using split_send_frag in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:39 +00:00
Waleed Elmelegy
57f61f82fd Enforce client authentication in handshake fragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:39 +00:00
Waleed Elmelegy
826fc5c383 Remove unneeded mtu option from handshake fragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:39 +00:00
Waleed Elmelegy
e9b08846da Add client authentication to handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:38 +00:00
Waleed Elmelegy
1b2590b125 Require openssl to support TLS 1.3 in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:38 +00:00
Waleed Elmelegy
5b7c8bb064 Remove unnecessary string check in handshake defragmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:38 +00:00
Waleed Elmelegy
8870b99da4 Fix typo in TLS Handshake defrafmentation tests
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:38 +00:00
Waleed Elmelegy
e11d8c9333 Improve TLS handshake defragmentation tests
* Add tests for the server side.
* Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3.
* Use latest version of openSSL to make sure -max_send_frag &
  -split_send_frag flags are supported.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:38 +00:00
Waleed Elmelegy
29581ce229 Add TLS Hanshake defragmentation tests
Tests uses openssl s_server with a mix of max_send_frag
and split_send_frag options.

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
2025-02-27 15:20:37 +00:00
Gilles Peskine
9dfe548008 Document the need to call mbedtls_ssl_set_hostname
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:17 +01:00
Gilles Peskine
5ee008d15f Improve documentation of mbedtls_ssl_set_hostname
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:17 +01:00
Gilles Peskine
4f563e7d90 Expand and rectify the documentation of mbedtls_ssl_context::hostname
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:17 +01:00
Gilles Peskine
20c7748575 Changelog entries for requiring mbedls_ssl_set_hostname() in TLS clients
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:17 +01:00
Gilles Peskine
11f74c5751 Add a note about calling mbedtls_ssl_set_hostname to mbedtls_ssl_setup
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:17 +01:00
Gilles Peskine
cbe6529170 Run part of ssl-opt.sh in full_no_deprecated
In particular, run the test case
"Authentication: hostname unset, client required, secure config, CA callback"

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-25 18:46:12 +01:00
Manuel Pégourié-Gonnard
cca140b1e1
Merge pull request #9981 from gilles-peskine-arm/tls_hs_defrag_in-3.6-badmac_seen
[Backport 3.6] Defragment incoming TLS handshake messages (reuse badmac_seen)
2025-02-24 09:28:06 +01:00
Valerio Setti
cc1b26bd9a changelog: add note for MD changes
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 15:01:04 +01:00
Valerio Setti
79a98bd7b6 crypto_extra: improve description of psa_can_do_hash()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 15:01:04 +01:00
Valerio Setti
05b3835bd6 psa: move definition of psa_can_do_hash() to crypto_extra.h
This allows any implementer of the PSA client interface to easily
include this header and therefore function's prototype.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 15:01:04 +01:00
Valerio Setti
1a2d07d83a docs: update md-cipher-dispatch
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 14:15:36 +01:00
Valerio Setti
460d2ee363 adjust_legacy_crypto: improve enablement of MBEDTLS_MD_xxx_VIA_PSA
The previous change that replaced CRYPTO_C with CRYPTO_CLIENT
caused an increase of the mbedtls_md struct in scenarios where
the hash related PSA_WANTs were enabled, but not accelerated.
This caused an ABI-API break which is not allowed for an LTS
branch.
Since the main goal here is to allow PSA dispatch in a "pure
crypto client" scenario, we partially revert the previous change
to config_adjust_legacy_crypto.h and add an extra condition
for "CRYPTO_CLIENT && !CRYPTO_C".

This commit also reverts changes done in analyze_outcomes.py
because they are no more necessary.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 13:13:24 +01:00
Valerio Setti
c516307ad9 md: allow dispatch to PSA whenever CRYPTO_CLIENT is enabled
Instead of allowing PSA dispatching only when CRYPTO_C is set and
some MBEDTLS_PSA_ACCEL_ALG_xxx is set, we enable dispatching
when CRYPTO_CLIENT and PSA_WANT_ALG_xxx are set. This makes
the feature more useful in cases where the PSA support is
provided externally, like for example TF-M in Zephyr.

This commit also add proper guards for tests trying to use MD+PSA
dispatch.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 13:13:24 +01:00
Valerio Setti
2c1de04e9d adjust_legacy_crypto: move auto-enabling of CRYPTO_CLIENT when CRYPTO_C
Move the auto-enabling of CRYPTO_CLIENT when CRYPTO_C at the
beginning of the file so that all that becomes later is aware
of this.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2025-02-21 13:13:24 +01:00
Ronald Cron
1ba478d9cf
Merge pull request #9988 from Harry-Ramsey/move-program-files-to-mbedtls-framework-3-6
[Backport 3.6] Move program files to mbedtls framework
2025-02-21 07:13:01 +00:00
Gilles Peskine
730be78ce5 Document PSA's need for threading
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-20 20:20:19 +01:00
Harry Ramsey
1da22a8946 Update framework pointer
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
4c1383a9f1 Update documentation regarding metatest
This commit updates the paths in the documentation for metatest.c as it
has been moved to MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
65e9bef19f Update documentation regarding test_zeroize
This commit updates the paths in documentation for test_zeroize since it
has been moved to MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
4e1a12e13a Update path to demo_common.sh
This commit updates the path to demo_common.sh as it has been moved into
MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
d621d344c3 Update path for moved test_zeroize.gdb script
This commit updates the path for the moved test_zeroize.gdb script which
has been moved to MbedTLS-Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
03f49578d2 Update paths for moved programs in generate_visualc_files.pl
This commit updates the paths for moved programs in
generate_visualc_files.pl.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
151e0892a1 Update paths for moved dlopen_demo.sh
This commit updates the paths for dlopen_demo.sh in
components-build-system.sh as the file has been moved to the framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
061e0f5466 Update paths for moved program files in CMakeLists
This commit fixes the paths of program files which were moved to the
MbedTLS Framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
dab817a4c6 Update include paths in C files
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:26 +00:00
Harry Ramsey
a67f1338b6 Update paths for moved program files in makefiles
This commit updates the file paths necessary for dlopen_demo.sh,
metatest.c query_compile_time_config.c, query_config.h,
query_included_headers.c and zeroize.c.

This commit also adds a CFLAG to find header files now contained in the
framework.

Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
2025-02-20 14:51:18 +00:00
Janos Follath
6eb335dfda
Merge pull request #9919 from davidhorstmann-arm/clarify-x509-security-md-3.6
[Backport 3.6] Add X.509 formatting validation to SECURITY.md
2025-02-20 14:41:42 +00:00
Waleed Elmelegy
4726d20320 Remove unused variable in ssl_server.c
Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-02-19 22:03:28 +01:00
Deomid rojer Ryabkov
716aead3b9 Update the changelog message
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-02-19 22:03:19 +01:00
Deomid rojer Ryabkov
2878a0559e Remove obselete checks due to the introduction of handhsake defragmen...
tation. h/t @waleed-elmelegy-arm

909e71672f

Signed-off-by: Waleed Elmelegy <waleed.elmelegy@arm.com>
Signed-off-by: Deomid rojer Ryabkov <rojer@rojer.me>
2025-02-19 22:03:13 +01:00
Gilles Peskine
c52273d017 Add a note about badmac_seen's new name in ssl_context_info
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2025-02-18 14:11:25 +01:00