The generated unit tests have the input parameters in large stack
buffers and therefore ASan doesn't notice under or overflows in them.
Copy the input parameter into a locally allocated buffer to trigger ASan
if something goes wrong.
Signed-off-by: Janos Follath <janos.follath@arm.com>
- adjust function name to mbedtls_ssl_get_fatal_alert
- fix missing property name changes for mbedtls_ssl_context
Signed-off-by: Nico Geyso <ng@gsmk.de>
Keep MBEDTLS_PK_WRITE_C as guard only for "debug_print_pk" but let
"mbedtls_debug_print_crt" to work also when MBEDTLS_PK_WRITE_C is disabled.
In this case the only public key won't be printed, but the rest of the
certificate will be.
This commit also updates test coverage by duplicating test cases: now there
will be one case for when MBEDTLS_PK_WRITE_C is enabled and another one
for !MBEDTLS_PK_WRITE_C.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
In tf-psa-crypto "mbedtls_pk_write_pubkey_psa()" is only available when
MBEDTLS_PK_WRITE_C is defined. Therefore we need to add this guard also
in mbedtls to "debug_print_pk" (and indirectly to
"mbedtls_debug_print_crt") and the corresponding tests using it.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Adjust dumping format of public keys following recent updates to
mbedtls_debug_print_crt() and debug_print_pk()
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Even though the TLS RFCs do not mandate libraries to expose *Error
Alerts* (as defined in RFC8446 6.2 for TLS 1.3 and in RFC5246 7.2.2 for
TLS 1.2) to the user, there are use cases when it is handy to get the
actual last received fatal error instead of a generic one. For instance
this enables the user to differ between received fatal errors in case
`mbedtls_ssl_handshake()`, `mbedtls_ssl_handshake_step()` or
`mbedtls_ssl_read()` returned `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE`.
This changesets stores the last incoming fatal alert in
`mbedtls_ssl_context` and provides `mbedtls_ssl_get_alert()` as a getter
for retrieving it. Another option would be to provide a callback
mechanisms for all kinds of alerts (not only fatals) but for simplicity
I discarded this option.
Signed-off-by: Nico Geyso <ng@gsmk.de>
This replacement is either:
- "server5-rsa-signed.crt": if a generic secp256r1 EC key is enough, i.e.
any EC key is fine as it's not secp192 since this support is being
removed from TF-PSA-Crypto.
- "server11-rsa-signed.crt": if an EC key which does not belong to "suite-b"
is required. For this case "secp256r1" wouldn't be good, so we use
a "secp256k1" key.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
After some analysis search it was determined that previous test data seem
not to belong to the "framework/data_files" certificate files. Therefore
new test data has been generated from scratch.
The improvement compared to the previous situation is that comments has
been added on top of each test in order to explain how to recreate new test
data.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
The support for TLS ciphersuites without
encryption does not rely anymore on the
MBEDTLS_CIPHER_NULL_CIPHER feature of
the cipher module. Introduce a specific
config option to enable these ciphersuites
and use it instead of MBEDTLS_CIPHER_NULL_CIPHER.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Previously these tests used values that will become PSA aliases,
and so the tests will fail once they're changed.
Signed-off-by: Felix Conway <felix.conway@arm.com>
Return a const char* instead of taking a char* as an argument.
This aligns us with the interface used in TF PSA Crypto.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>
Previously 3 different groups were allowed, but since the removal of
secp192r1 and secp224r1 only secp256r1 was left. This commit adds
other 2 options.
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
