Split the "many transient keys" test function in two: one that expects to
successfully create many keys, and one that expects to fill the key store.
This will make things easier when we add a dynamic key store where filling
the key store is not practical unless artificially limited.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The description was misleading: setting the option doesn't “restrict” the
number of slots, that restriction exists anyway. Setting the option merely
determines the value of the limit.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ensure that a key ID can't be in range for more than one of volatile keys,
persistent (i.e. user-chosen) keys or built-in keys.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Restricting the built-in key range would be an API break since applications
can hard-code a built-in key value and expect that it won't clash with
anything else. Make it harder to accidentally break the API.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_psa_register_se_key() is not usable with volatile keys, since there
is no way to return the implementation-chosen key identifier which would be
needed to use the key. Document this limitation. Reject an attempt to create
such an unusable key. Fixes#9253.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
At the top level, the macro would have had to be used without a following
semicolon (except with permissive compilers that accept spurious semicolons
outside of a function), which is confusing to humans and indenters. Fix
that.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
mbedtls_test_mock_tcp_recv_msg is currently popping a message
queue and does not check if this was done correctly.
This extra check makes the test more complete/robust.
Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
TLS 1.3 is still experimental and partial, and SSL3 is obsolete, so we don't
expect much coverage about them, in particular we don't expect them to be
the sole supported version. TLS 1.0 and 1.1 exist and we expect good
coverage for them.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* Move to the correct location.
* Adjust the package name for auxiliary modules.
* Adjust the hack to import a module from scripts.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The two were used interchangeably. Align on "setting", which is what
config.py uses in its documentation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
I had accidentally reused a variable name inside the same function. Python
copes but mypy doesn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When option A is only meaningful if option B is enabled, when enumerating
single-option test cases, emit A:B and !A:B rather than A and !A. This way
the "!A" case is actually meaningful.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Generate option-on and option-off cases for test_suite_config, for all
boolean options (MBEDTLS_xxx and PSA_WANT_xxx, collected from the mbedtls
and PSA config files).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a test suite intended to report configuration options in the outcome
file: we're only interested in SKIP vs PASS.
Add a few test cases for some interesting combinations of options. The
selection here is just for illustration purposes, more will be added later.
A subsequent commit will automatically generate test cases for single options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix PSA_CRYPTO_CONFIG_H being treated as a configuration setting in
include/psa/crypto_config.h.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Unfortunately this compiler complains about a variable potentially being
used un-initialized. Silence the warning by initializing it to a sane
default.
Signed-off-by: Patrick Wildt <pwildt@google.com>
Summary:
Back port [PR 9241](https://github.com/Mbed-TLS/mbedtls/pull/9241) to
2.28 branch
Test Plan:
Reviewers:
Subscribers:
Tasks:
Tags:
Signed-off-by: lhuang04 <lhuang04@fb.com>
Some functions has input parameters which are erroneously
reported as "param[out]" in the documentation. This commit
fixes them.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Filtering on cipher suites that have RSA in their name excludes a few old
RSA-based cipher suites whose name doesn't contain RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were only requesting 3DES cipher suites (which is weirdly restrictive
since the configuration also includes AES), but DES is in the default
exclusion list for compat.sh, so we ended up having no acceptable cipher
suites. Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With GnuTLS servers, 3DES-CBC cipher suites are enabled by default under our
GNUTLS_LEGACY (3.3.8), but disabled by default under more recent versions
including the one we use by default on the CI (3.4.6). Even modern
versions (I checked 3.7.2) support 3DES if explicitly enabled. So
unconditionally enable 3DES-CBC for GnuTLS.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alert if all tests are filtered out or skipped: that probably indicates a
test script that set up an unintended configuration or an overly strict
filter. You can pass `--min 0` to bypass this check. You can pass `--min`
with a larger value to require that many test cases to run.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Including `mbedtls/check_config.h` from `mbedtls/config.h` is optional. If
done, `limits.h` gets included. If not done, we were missing the inclusion
of `limits.h` in several source files. Fix this and add a test build that
doesn't include `mbedtls/check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
