Commit Graph

1256 Commits

Author SHA1 Message Date
David Horstmann
b4dcb952ea Add SSL-related test includes to ssl programs
Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-11-18 15:50:44 +00:00
David Horstmann
5b93d97b95 Update references to test helpers
Replace:
* tests/src -> framework/tests/src
* tests/include -> framework/tests/include

Except for occurrences of:
* tests/src/test_helpers (since this only contains ssl_helpers.c)
* tests/src/test_certs.h
* tests/include/alt_dummy

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-11-18 15:50:44 +00:00
Ronald Cron
939ce9d0d5 Remove mbedtls_test
Use tf_psa_crypto_test instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-11-14 13:52:36 +01:00
Paul Elliott
fc140d0c6b
Merge pull request #9672 from gilles-peskine-arm/coverity-20241004
Fix edge cases of mbedtls_psa_raw_to_der and mbedtls_psa_der_to_raw
2024-11-06 19:03:13 +00:00
Bence Szépkúti
cd0fb1d178
Merge pull request #9105 from jetm/ssl-client2-get-req-host
ssl_client2: Add Host to HTTP GET request
2024-10-31 11:32:49 +00:00
Ronald Cron
b2478989e2 cmake: GNU GCC: Set base compile options target by target
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-10-25 18:09:33 +02:00
Gilles Peskine
1392017263 Remove unreachable assignments
This is harmless, but we might as well remove the unreachable line. If we
ever add a break to the loop and we don't think of changing the surrounding
code, it would make more sense not to set exit_code to SUCCESS.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-10-07 11:23:39 +02:00
Gilles Peskine
713127de4c dtls_server: allow unexpected messages during handshake
If MBEDTLS_ERR_SSL_UNEXPECTED_MESSAGE happens during the handshake, don't
show it as an "error". It might be an error, but it might also be a fact of
life if it happens during the second or more handshake: it can be a
duplicated packet or a close_notify alert from the previous connection,
which is hard to avoid and harmless.

Fixes #9652.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-10-02 11:09:20 +02:00
Gilles Peskine
5333425891 Always call psa_crypto_init before using TLS
In Mbed TLS 4.0, all cryptography goes through PSA, so calling
psa_crypto_init() is now mandatory before starting a TLS connection (as was
the case in Mbed TLS 3.x with MBEDTLS_USE_PSA_CRYPTO enabled).

Switch the TLS sample programs to calling psa_crypto_init() unconditionally.
Otherwise TLS 1.3 connections fail, and (D)TLS 1.2 connections soon will.

This commit omits the test programs ssl_client2 and ssl_server2, which don't
require a change right now. They will be covered when we make
MBEDTLS_USE_PSA_CRYPTO always on.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 21:12:57 +02:00
Gilles Peskine
6e3de21492 dtls_client: don't force the use of IPv6
Default to connecting to "localhost", like ssl_client1.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
530cb417fe ssl_server: Allow the client to close the connection first
This is necessary when testing against OpenSSL 1.0.2g.

In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
6b4d6931e7 Test dtls_server
Test against both OpenSSL and GnuTLS.

Don't use a proxy. It's not particularly useful here, and would complicate
figuring out port numbers.

Clean up compile-time requirements dtls_server.c: any certificate-based key
exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
c83e56cc45 Test ssl_fork_server
Test ssl_fork_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.

In the server, only write output for 10 seconds, not 100. That's enough time
to start concurrent clients if desired. 100 seconds causes ssl-opt to take a
very long time when the client actually listens to the whole input (which
`gnutls-cli` does, but not `openssl s_client`).

Clean up compile-time requirements in ssl_fork_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
3abca9510a Test ssl_pthread_server
Test ssl_pthread_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.

Clean up compile-time requirements in ssl_pthread_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
a21e893398 Test ssl_server
Test ssl_server with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

Clean up compile-time requirements in ssl_server.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
ae710c8b01 Test dtls_client
Test against both OpenSSL and GnuTLS.

Don't use a proxy. It's not particularly useful here, and would complicate
figuring out port numbers.

Clean up compile-time requirements in dtls_client.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
7985d454c4 Test ssl_client1
Test ssl_client1 with both TLS 1.2 and TLS 1.3.
Test against both OpenSSL and GnuTLS.

Clean up compile-time requirements in ssl_client1.c: any certificate-based
key exchange is ok, so don't insist on built-in RSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
6959f53896 ssl_client1: Exit with an error status if the TLS connection failed
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-25 18:05:17 +02:00
Gilles Peskine
26650f5711
Merge pull request #9565 from gilles-peskine-arm/test-ref-configs-go-away
Switch from test-ref-configs.pl to separate components
2024-09-24 13:00:50 +00:00
Gilles Peskine
b63064854b CMake: support "make ssl-opt" to just build what ssl-opt.sh needs
This also suffices for compat.sh.

Include the sample programs in this build. They aren't tested by ssl-opt.sh
yet, but they soon will be.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-14 12:19:19 +02:00
Gilles Peskine
5dab92ee4e CMake: support "make programs"
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-09-14 12:19:19 +02:00
Elena Uziunaite
8d8620bf18 Address review comments: add PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-09 11:18:10 +01:00
Elena Uziunaite
a6950b8ce7 Replace MBEDTLS_PK_CAN_ECDSA_SOME with PSA_HAVE_ALG_SOME_ECDSA
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-09 11:17:36 +01:00
Elena Uziunaite
9fc5be09cb Replace MBEDTLS_MD_CAN_SHA1 with PSA_WANT_ALG_SHA_1
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-09-04 18:12:59 +01:00
David Horstmann
36fe9188e2
Merge pull request #9252 from gabor-mezei-arm/9114_replace_MBEDTLS_MD_CAN_SHA512_with_PSA_WANT
Replace MBEDTLS_MD_CAN_SHA512 with its PSA_WANT counterpart
2024-09-03 14:07:05 +00:00
Gilles Peskine
99b57bd35a
Merge pull request #1272 from eleuzi01/forward-1263
Fix 1.3 cli-auth optional reporting of (ext)KeyUsage issues
2024-08-28 19:38:36 +02:00
Gabor Mezei
c15ef93aa5
Replace MBEDTLS_MD_CAN_SHA512 with PSA_WANT_ALG_SHA_512
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2024-08-28 18:20:25 +02:00
Manuel Pégourié-Gonnard
92a391e0fe Always print detailed cert errors in test programs
Previously the client was only printing them on handshake success, and
the server was printing them on success and some but not all failures.

This makes ssl-opt.sh more consistent as we can always check for the
presence of the expected message in the output, regardless of whether
the failure is hard or soft.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2024-08-16 17:24:05 +01:00
Gilles Peskine
0858fdca38
Merge pull request #9189 from misch7/fix-v3.6-issues-9186-and-9188
Fix build of v3.6 (issues #9186 and #9188)
2024-08-12 09:34:17 +00:00
Michael Schuster
f672b694fa Use correct conditionals in programs/ssl (fix unused-function errors)
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:59 +01:00
Michael Schuster
0420093795 Adjust spacing in sample programs
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:58 +01:00
Michael Schuster
8db8d6182f Fix missing-prototype errors in sample programs
Signed-off-by: Michael Schuster <michael@schuster.ms>
2024-08-09 10:29:58 +01:00
Elena Uziunaite
8dde3b3dec Replace MBEDTLS_PK_HAVE_ECC_KEYS with PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-08-05 15:41:58 +01:00
Elena Uziunaite
0916cd702f Replace MBEDTLS_MD_CAN_SHA256 with PSA_WANT_ALG_SHA_256
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-11 11:13:35 +03:00
David Horstmann
dcf18dd876 Update paths pointing to tests/data_files
These now point to framework/data_files instead.

Signed-off-by: David Horstmann <david.horstmann@arm.com>
2024-07-05 15:49:03 +01:00
Ronald Cron
2cf41a273e
Merge pull request #9171 from eleuzi01/replace-mbedtls-md-can-sha384
Replace MBEDTLS_MD_CAN_SHA384 with PSA_WANT_ALG_SHA_384
2024-07-04 08:56:52 +00:00
Elena Uziunaite
b476d4bf21 Replace MBEDTLS_MD_CAN_SHA384 with PSA_WANT_ALG_SHA_384
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-03 10:20:41 +01:00
Elena Uziunaite
fcc9afaf9d Replace MBEDTLS_MD_CAN_SHA224 with PSA_WANT_ALG_SHA_224
Signed-off-by: Elena Uziunaite <elena.uziunaite@arm.com>
2024-07-02 11:08:04 +01:00
Javier Tia
1aef649dde
ssl_client2: Add Host to HTTP GET request
If an IP address shares multiple domain names with different SSL
certificates and makes a GET request without the remote server name
(host), it will fail with a 421 Misdirect Request.

Signed-off-by: Javier Tia <javier.tia@linaro.org>
2024-05-06 14:39:33 -06:00
Gilles Peskine
aa82464dec
Merge pull request #8897 from IVOES/cpp/unbounded-write
ssl_mail_client: Fix unbounded write of sprintf()
2024-05-02 16:06:23 +00:00
Mingjie Shen
d97b96f2ec ssl_mail_client: Fix code style issue
Signed-off-by: Mingjie Shen <shen497@purdue.edu>
2024-03-18 14:30:06 -04:00
Ronald Cron
74191a56e8 ssl_server2: Split early data enablement from max_early_data_size setting
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-14 20:00:42 +01:00
Mingjie Shen
8e35d96057 ssl_mail_client: Check return value of mbedtls_snprintf
The return value of snprintf() is the number of characters (excluding
the null terminator) which would have been written to the buffer if
enough space had been available. Thus, a return value of size or more
means the output was truncated.

Signed-off-by: Mingjie Shen <shen497@purdue.edu>
2024-03-12 16:23:41 -04:00
Mingjie Shen
0fc20cd447 ssl_mail_client: Replace snprintf with mbedtls_snprintf
Signed-off-by: Mingjie Shen <shen497@purdue.edu>
2024-03-12 16:00:28 -04:00
Ronald Cron
7201bc6b05 ssl_client2: Fix early data log
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-03-08 16:03:09 +01:00
Mingjie Shen
7d08983cb2 ssl_mail_client: Fix unbounded write of sprintf()
These calls to sprintf may overflow buf because opt.mail_from and opt.mail_to
are controlled by users. Fix by replacing sprintf with snprintf.

Signed-off-by: Mingjie Shen <shen497@purdue.edu>
2024-03-05 18:13:28 -05:00
Manuel Pégourié-Gonnard
e33b349c90
Merge pull request #8864 from valeriosetti/issue8848
Deprecate or remove mbedtls_pk_wrap_as_opaque
2024-03-01 15:54:32 +00:00
Ronald Cron
9b4e964c2c
Merge pull request #8760 from ronald-cron-arm/tls13-write-early-data
TLS 1.3: Add mbedtls_ssl_write_early_data() API
2024-02-29 14:31:55 +00:00
Valerio Setti
90eca2adb0 ssl_test_lib: add guards for pk_wrap_as_opaque()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-28 10:45:43 +01:00
Valerio Setti
7541ebea52 programs: remove usage of mbedtls_pk_wrap_as_opaque() from tests
This is replaced with: mbedtls_pk_get_psa_attributes() +
mbedtls_pk_import_into_psa() + mbedtls_pk_setup_opaque().

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-02-27 10:44:33 +01:00