Copy of mbedtls top CMakeLists.txt file.
The TF-PSA-Crypto top CMakeList.txt file
will be derived from that file to outline
what is common and what is different
between the two.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Move library options to the top CMakeLists.txt.
That way:
- we will be able to set the TF-PSA-Crypto
library options according to the Mbed TLS ones.
- we can define the crypto library target names
in the top CMakeLists.txt and not in the library
one that is dedicated to the TLS and x509
libraries now.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Remove dependency on mbedtls_test_helpers
to build the crypto test suites.
mbedtls_test_helpers is TLS specific.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Rename MBEDTLS_PSA_CRYPTO_(USER_)CONFIG_FILE to
TF_PSA_CRYPTO_(USER_)CONFIG_FILE as we rename
crypto_config.h to tf_psa_crypto_config.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Re-organize "Mbed TLS modules" and "Module configuration options"
into "X.509 feature selection" and "TLS feature selection" for
better alignment with tf_psa_crypto_config.h.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Re-order mbedtls_config.h sections for
the order to be more aligned with the
tf_psa_crypto_config.h one.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
This commit removes the MBEDTLS_OID_C guard from the static functions in
the library/x509_create.c as this function is no longer included in the
oid.c file.
Signed-off-by: Harry Ramsey <harry.ramsey@arm.com>
Stop testing configurations without PSA (MBEDTLS_PSA_CRYPTO_C or at least
MBEDTLS_PSA_CRYPTO_CLIENT). No future release from this branch will support
such configurations, and we can no longer build the SSL sample programs
without psa_crypto_init.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
In Mbed TLS 4.0, all cryptography goes through PSA, so calling
psa_crypto_init() is now mandatory before starting a TLS connection (as was
the case in Mbed TLS 3.x with MBEDTLS_USE_PSA_CRYPTO enabled).
Switch the TLS sample programs to calling psa_crypto_init() unconditionally.
Otherwise TLS 1.3 connections fail, and (D)TLS 1.2 connections soon will.
This commit omits the test programs ssl_client2 and ssl_server2, which don't
require a change right now. They will be covered when we make
MBEDTLS_USE_PSA_CRYPTO always on.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When building with `configs/config-suite-b.h`, the SSL I/O buffer size is
1024 bytes. Experimentally, this isn't quite enough for the test certificate
that we use: the server aborts the handshake with
`MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` raised from
`mbedtls_ssl_write_certificate()`. State an ad hoc minimum output buffer
size to skip testing `ssl_server` in `config-suite-b`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
dtls_client connects to "localhost", which is usually IPv6 on modern
systems. On our CI, $OPENSSL is OpenSSL 1.0.2g which doesn't support IPv6.
Pitching dtls_client against $OPENSSL works on the CI at the moment, but
only because the CI runs in Docker with default network settings which has
IPv6 disabled. This would stop working if we changed the CI's Docker setup,
and the test case is likely to fail on a developer machine. So switch the
test case to using $OPENSSL_NEXT (which is a version of OpenSSL that has
IPv6 support).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This is necessary when testing against OpenSSL 1.0.2g.
In the server, flush more often. Otherwise, when stdout is redirected to a
file, the server gets killed before it writes important information, such as
the logs that we expect in the test cases.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
GnuTLS 3.4.x doesn't allow repeated `-p PORT` arguments.
OpenSSL 1.0.2 has different logs. For TLS 1.2 test cases, use a line that
is present in logs from OpenSSL 1.0.2g, 3.3.0 and presumably all versions
in between.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
