* public/mbedtls-2.28: (88 commits)
tests/ssl_helpers: Check that message queue is popped
Upgrade python dependencies in requirements file
Fix some typo for include folder
Adjust TLS protocol cases for 2.28
Fix copypasta
Declare the new generated files
Add generated config tests
Remove some settings that don't exist in 2.28
Adjust generate_config_tests.py for 2.28
Terminology: use "dependencies" for a list of settings
Terminology: consistently use "setting", not "option"
Explain why we require TLS client and server simultaneously
Fix missing negation
Pacify mypy
Detect sub-options
Generate config test cases for single options
Anchor relative paths
New test suite to report configuration options
Recognize that a double-inclusion guard is not a config setting
Add and update some .gitignore files
...
mbedtls_test_mock_tcp_recv_msg is currently popping a message
queue and does not check if this was done correctly.
This extra check makes the test more complete/robust.
Signed-off-by: Tomás González <tomasagustin.gonzalezorlando@arm.com>
If MBEDTLS_CTR_DRBG_C is enabled, force MBEDTLS_PSA_HMAC_DRBG_MD_TYPE to be
disabled. This resolves the former inconsistency in builds where
MBEDTLS_PSA_HMAC_DRBG_MD_TYPE is explicitly defined but MBEDTLS_CTR_DRBG_C
remains enabled, where PSA called the CTR_DRBG functions but other parts of
the code based assumed that HMAC was in use, in particular error code
conversions (leading to a test failure in test_suite_psa_crypto_init).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
MBEDTLS_PSA_HMAC_DRBG_MD_TYPE was documented and announced as causing the
PSA DRBG to be HMAC_DRBG. However, that was never actually implemented:
CTR_DRBG is prioritized if enabled.
Since there is a simple workaround of disabling MBEDTLS_CTR_DRBG_C if you
want to use HMAC_DRBG, we have decided to accept the actual behavior and fix
the documentation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
TLS 1.3 is still experimental and partial, and SSL3 is obsolete, so we don't
expect much coverage about them, in particular we don't expect them to be
the sole supported version. TLS 1.0 and 1.1 exist and we expect good
coverage for them.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
* Move to the correct location.
* Adjust the package name for auxiliary modules.
* Adjust the hack to import a module from scripts.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
The two were used interchangeably. Align on "setting", which is what
config.py uses in its documentation.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
I had accidentally reused a variable name inside the same function. Python
copes but mypy doesn't.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When option A is only meaningful if option B is enabled, when enumerating
single-option test cases, emit A:B and !A:B rather than A and !A. This way
the "!A" case is actually meaningful.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Generate option-on and option-off cases for test_suite_config, for all
boolean options (MBEDTLS_xxx and PSA_WANT_xxx, collected from the mbedtls
and PSA config files).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Add a test suite intended to report configuration options in the outcome
file: we're only interested in SKIP vs PASS.
Add a few test cases for some interesting combinations of options. The
selection here is just for illustration purposes, more will be added later.
A subsequent commit will automatically generate test cases for single options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Fix PSA_CRYPTO_CONFIG_H being treated as a configuration setting in
include/psa/crypto_config.h.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Unfortunately this compiler complains about a variable potentially being
used un-initialized. Silence the warning by initializing it to a sane
default.
Signed-off-by: Patrick Wildt <pwildt@google.com>
Summary:
Back port [PR 9241](https://github.com/Mbed-TLS/mbedtls/pull/9241) to
2.28 branch
Test Plan:
Reviewers:
Subscribers:
Tasks:
Tags:
Signed-off-by: lhuang04 <lhuang04@fb.com>
Some functions has input parameters which are erroneously
reported as "param[out]" in the documentation. This commit
fixes them.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Filtering on cipher suites that have RSA in their name excludes a few old
RSA-based cipher suites whose name doesn't contain RSA.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were only requesting 3DES cipher suites (which is weirdly restrictive
since the configuration also includes AES), but DES is in the default
exclusion list for compat.sh, so we ended up having no acceptable cipher
suites. Fix this.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With GnuTLS servers, 3DES-CBC cipher suites are enabled by default under our
GNUTLS_LEGACY (3.3.8), but disabled by default under more recent versions
including the one we use by default on the CI (3.4.6). Even modern
versions (I checked 3.7.2) support 3DES if explicitly enabled. So
unconditionally enable 3DES-CBC for GnuTLS.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Alert if all tests are filtered out or skipped: that probably indicates a
test script that set up an unintended configuration or an overly strict
filter. You can pass `--min 0` to bypass this check. You can pass `--min`
with a larger value to require that many test cases to run.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Including `mbedtls/check_config.h` from `mbedtls/config.h` is optional. If
done, `limits.h` gets included. If not done, we were missing the inclusion
of `limits.h` in several source files. Fix this and add a test build that
doesn't include `mbedtls/check_config.h`.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
