When we are doing PSK, we'd like to set verify_result to
0 to indicate success. Previously this was done in
mbedtls_ssl_set_hs_psk() but this is inadequate since this function may
be called for early data (where certificate verification happens later
in the handshake).
Instead, set this value after writing / processing the encrypted
extensions on the server / client respectively, so that we know whether
we are doing certificate verification or not for sure. This change is
effective only for TLS 1.3 as TLS 1.2 sets verify_result for PSK in
ssl_parse_certificate_coordinate().
Signed-off-by: David Horstmann <david.horstmann@arm.com>

In Mbed TLS 3.6 we still need to manually configure the RNG for TLS. Add
this to the testcase for default verify_result.
Signed-off-by: David Horstmann <david.horstmann@arm.com>

The check was wrongly removed by the commit
"ssl_tls12_server.c: Move ClientHello message_seq adjustment".
Signed-off-by: Ronald Cron <ronald.cron@arm.com>

Move back the digest update just after
the call to mbedtls_ssl_read_record().
It fits well here as we explain in the
comment associated with the call to
mbedtls_ssl_read_record() that we
update it manually.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>

The bulk of the script that was moved to the framework is now a pure
Python module - bridge scripts like this one will remain in each
individual branch, and continue to be the way to invoke the ABI checks.
This way we can use the bridge scripts to encode branch-specific
information in a more convenient way.
Signed-off-by: Bence Szépkúti <bence.szepkuti@arm.com>

With e.g. `CLOCK_BOOTTIME`, it's plausible that less than 1 second has
passed since the boot reference time.
Only assert that the returned time is nonzero (because all-bits-zero is
highly implausible as an actual clock value, but likely indicates that the
intended value was not copied out correctly).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

MinGW uses a legacy printf by default which doesn't support the `z` modifier
for `size_t`. Skip these test cases on MinGW.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

When `MBEDTLS_TEST_PLATFORM_IS_NOT_UNIXLIKE` is defined, do not enable
`MBEDTLS_PLATFORM_IS_UNIXLIKE`. This lets us test baremetal builds as such
even if we happen to be building for Linux or another Unix-like platform.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

In particular, test `"%zu"` for `size_t` and `"%lld"` for `long long`, which
older Windows runtimes do not support, but which Mbed TLS uses.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

The goal isn't to do any functional testing, but to have a simple diagnostic
if some Unix platform function isn't available, and to have a record of
success in the outcome file.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

We were using slightly different guards to decide whether to include
`<unistd.h>` in different places. Unify those.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

In `test_suite_debug`, test `mbedtls_debug_snprintf()`, which uses
`mbedtls_vsnprintf()` like `mbedtls_debug_print_msg()`. Do this instead of
testing `mbedtls_snprintf()`, which might be subtly different (older
Windows runtimes had slightly different behavior for vsnprintf() vs
snprintf(); TF-PSA-Crypto might pick up a different function if the
platform configuration is different in TF-PSA-Crypto and Mbed TLS).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>

The signature of a dummy hash for which no pre-image is known is probably
not sensitive, but zeroize it anyway.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>

In DTLS fragmenting tests, do not check for
ServerKeyExchange message fragmentation as
depending on the configuration and consequently
the chosen ciphersuite the server may not
send the message.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>

As done in component_test_tls1_2_ccm_psk_dtls_legacy,
enable MBEDTLS_HAVE_TIME in
component_test_tls1_2_ccm_psk_dtls_psa.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>