Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Defragment ext test 3.6 #9976

Draft
wants to merge 30 commits into
base: mbedtls-3.6
Choose a base branch
from
Draft

Defragment ext test 3.6 #9976

wants to merge 30 commits into from
+611 −52

Conversation

mpg
Copy link
Contributor

@mpg mpg commented Feb 13, 2025
edited
Loading

Description

WIP, pushed for early CI feedback.

Built on top of #9949 - only the last few commits are new.

PR checklist

  • changelog provided | not required because:
  • development PR provided # | not required because:
  • TF-PSA-Crypto PR provided # | not required because:
  • framework PR provided Mbed-TLS/mbedtls-framework# | not required
  • 3.6 PR provided # | not required because:
  • 2.28 PR provided # | not required because:
  • tests provided | not required because:

rojer and others added 27 commits February 3, 2025 09:58
@rojer @mpg
Defragment incoming TLS handshake messages
707eeff 
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
@rojer @minosgalanakis @mpg
Update ChangeLog.d/tls-hs-defrag-in.txt
8679220 
Co-authored-by: minosgalanakis <[email protected]>
Signed-off-by: Deomid Ryabkov <[email protected]>
@rojer @mpg
Review comments
7fff111 
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
@rojer @mpg
Remove mbedtls_ssl_reset_in_out_pointers
2fd90c9 
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
@rojer @mpg
Allow fragments less HS msg header size (4 bytes)
738d394 
Except the first

Signed-off-by: Deomid rojer Ryabkov <[email protected]>
@rojer @mpg
Add a safety check for in_hsfraglen
3ec7cef 
Signed-off-by: Deomid rojer Ryabkov <[email protected]>
@waleed-elmelegy-arm @mpg
Add TLS Hanshake defragmentation tests
d09f14f 
Tests uses openssl s_server with a mix of max_send_frag
and split_send_frag options.

Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Improve TLS handshake defragmentation tests
01abaec 
* Add tests for the server side.
* Remove restriction for TLS 1.2 so that we can test TLS 1.2 & 1.3.
* Use latest version of openSSL to make sure -max_send_frag &
  -split_send_frag flags are supported.

Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Fix typo in TLS Handshake defrafmentation tests
5bc6e26 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Remove unnecessary string check in handshake defragmentation tests
fc8957a 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Require openssl to support TLS 1.3 in handshake defragmentation tests
0c7d3fa 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Add client authentication to handshake defragmentation tests
5aff4d0 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Remove unneeded mtu option from handshake fragmentation tests
f752cdf 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Enforce client authentication in handshake fragmentation tests
3f8d6fa 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Add a comment to elaborate using split_send_frag in handshake defragm…
dd9b4c5 
…entation tests

Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Remove obselete checks due to the introduction of handhsake defragmen…
2a984b9 
…tation

Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Remove unused variable in ssl_server.c
0541040 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Add guard to handshake defragmentation tests for client certificate
acfacde 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Test Handshake defragmentation only for TLS 1.3 only for small values
3a7f67f 
Signed-off-by: Waleed Elmelegy <[email protected]>
@waleed-elmelegy-arm @mpg
Add missing client certificate check in handshake defragmentation tests
270f9d5 
Signed-off-by: Waleed Elmelegy <[email protected]>
@mpg
Add extension structure to ssl_context
dee86dd 
Not used so far, just the scaffolding.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Move in_iv to the extension structure
31ea34b 
Manually remove it in ssl.h, then:

sed -i 's/ssl->in_iv/ssl->in_ext->in_iv/g' library/ssl_*.[ch]

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Move in_hshdr, in_hsfraglen to the extension struct
8d0111b 
Manually remove from ssl.h, then:

 sed -i 's/ssl->in_hs\(hdr\|fraglen\)/ssl->in_ext->in_hs\1/g' library/ssl_*.[ch]

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Improve ABI compat trick
0521d64 
In principle, pointers to char and pointers to word-aligned structs
might have different sizes. However, it's guaranteed that any pointer
can be converted to a char pointer and back, so it's OK to store the
pointer to struct as a pointer to char.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
New test function inject_client_content_on_the_wire()
335e09e 
Not used for real stuff so far, just getting the tooling in place.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Add supported_curves/groups extension
1fe9959 
This allows us to use a ciphersuite that will still be supported in 4.0.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Add reference tests with 1.3 ClientHello
a890326 
Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg mpg added the needs-ci Needs to pass CI tests label Feb 13, 2025
@mpg mpg changed the base branch from development to mbedtls-3.6 February 13, 2025 12:02
@mpg
Fix compile error
bfd73e3 
That struct doesn't really need early initializing anyway, it's not
freed in the exit block.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
mpg added 2 commits February 17, 2025 10:08
@mpg
Add test to TLS 1.3 ClientHello fragmentation
1eae2e9 
Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
@mpg
Add test with non-HS record in-between HS fragments
ee10ee6 
Two of these tests reveal bugs in the code, so they're commented out for
now.

For the other tests, the high-level behaviour is OK (break the
handshake) but the details of why are IMO not good: they should be
rejected because interleaving non-HS record between HS fragments is not
valid according to the spec.

To be fixed in future commits.

Signed-off-by: Manuel Pégourié-Gonnard <[email protected]>
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
needs-ci Needs to pass CI tests
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mpg @rojer @waleed-elmelegy-arm