Move some scripts from mbedtls#283
Merged
gilles-peskine-arm merged 157 commits intoMbed-TLS:mainfrom Mar 12, 2026
Merged
Conversation
Even though the TLS RFCs do not mandate libraries to expose *Error Alerts* (as defined in RFC8446 6.2 for TLS 1.3 and in RFC5246 7.2.2 for TLS 1.2) to the user, there are use cases when it is handy to get the actual last received fatal error instead of a generic one. For instance this enables the user to differ between received fatal errors in case `mbedtls_ssl_handshake()`, `mbedtls_ssl_handshake_step()` or `mbedtls_ssl_read()` returned `MBEDTLS_ERR_SSL_FATAL_ALERT_MESSAGE`. This changesets stores the last incoming fatal alert in `mbedtls_ssl_context` and provides `mbedtls_ssl_get_alert()` as a getter for retrieving it. Another option would be to provide a callback mechanisms for all kinds of alerts (not only fatals) but for simplicity I discarded this option. Signed-off-by: Nico Geyso <ng@gsmk.de>
Signed-off-by: Nico Geyso <ng@gsmk.de>
Signed-off-by: Nico Geyso <ng@gsmk.de>
Signed-off-by: Nico Geyso <ng@gsmk.de>
reset indicator (in_alert_recv) and type (in_alert_type) in mbedtls_ssl_session_reset_msg_layer Signed-off-by: Nico Geyso <ng@gsmk.de>
Signed-off-by: Nico Geyso <ng@gsmk.de>
This function is no more used anywhere and can be safely removed. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Remove usage of mbedtls_pk_debug stuff and related functions (mbedtls_debug_print_psa_rsa(), mbedtls_debug_print_psa_ec(), mbedtls_debug_print_integer() and debug_count_valid_bits()) and use mbedtls_pk_write_pubkey_psa() to get the public key from the PK context. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Move single line printing to a separate function named mbedtls_debug_print_buf_one_line(). This accepts one extra parameter 'add_text' to tell if the final text chars are to be printed at the end of the line or not. Add also mbedtls_debug_print_buf_ext() as a generalized version of mbedtls_debug_print_buf() by adding the extra 'add_text' param. debug_print_pk() will now use mbedtls_debug_print_buf_ext() in order not to print chars while dumping the buffer. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Adjust dumping format of public keys following recent updates to mbedtls_debug_print_crt() and debug_print_pk() Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
In tf-psa-crypto "mbedtls_pk_write_pubkey_psa()" is only available when MBEDTLS_PK_WRITE_C is defined. Therefore we need to add this guard also in mbedtls to "debug_print_pk" (and indirectly to "mbedtls_debug_print_crt") and the corresponding tests using it. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Guards for "mbedtls_debug_print_crt()" were updated in previous commit, but those changes were not applied to MBEDTLS_SSL_DEBUG_CRT therefore causing build failures in the CI. This commit fixes the problem. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
%zu creates problem in MinGW testing. Use MBEDTLS_PRINTF_SIZET intead. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Keep MBEDTLS_PK_WRITE_C as guard only for "debug_print_pk" but let "mbedtls_debug_print_crt" to work also when MBEDTLS_PK_WRITE_C is disabled. In this case the only public key won't be printed, but the rest of the certificate will be. This commit also updates test coverage by duplicating test cases: now there will be one case for when MBEDTLS_PK_WRITE_C is enabled and another one for !MBEDTLS_PK_WRITE_C. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
This is similar to the already existing "component_full_no_pkparse_pkwrite". The biggest difference is that this new component starts from "full" config instead of "crypto_full" because we want to test also some TLS modules, in particular "test_suite_debug" where the new function "mbedtls_pk_write_pubkey_psa" has been introduced. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Now that the crypto files have been moved to the crypto repository, consume them there. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Let crypto own its part of the makefiles
Switching to CMake build caused some failures due to the fact that: - binary objects in tf-psa-crypto are not in the same location as before; - header files from "<mbedtls-root>/include" are no more included when building tf-psa-crypto ojects. This commit fixes both problems. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Remove use of pk_debug()
A switch has recently been made from make to cmake to build these tests but paths for "not grep" were not properly updated. Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
…lying type Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
…09_pk_type_as_string Signed-off-by: Ben Taylor <ben.taylor@linaro.org>
gilles-peskine-arm
added
needs-work
and removed
needs-reviewer
Move a bunch of files from `scripts` and `mbedtls/scripts` to the framework. The following files will be added (moved from Mbed TLS `development`): * `scripts/ecp_comb_table.py` * `scripts/massif_max.pl` * `tests/scripts/audit-validity-dates.py` (moved to `scripts/`) * `tests/scripts/gen_ctr_drbg.pl` (moved to `scripts/`) * `tests/scripts/gen_gcm_decrypt.pl` (moved to `scripts/`) * `tests/scripts/gen_gcm_encrypt.pl` (moved to `scripts/`) * `tests/scripts/gen_pkcs1_v21_sign_verify.pl` (moved to `scripts/`) * `tests/scripts/generate-afl-tests.sh` (moved to `scripts/`) * `tests/scripts/generate_server9_bad_saltlen.py` (moved to `scripts/`) * `tests/scripts/run-metatests.sh` (moved to `scripts/`) * `tests/scripts/run_demos.py` (moved to `scripts/`) * `tests/scripts/test_config_script.py` (moved to `scripts/`) Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com> Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…_dates-move-from-mbedtls
gilles-peskine-arm
force-pushed
the
audit_validity_dates-move-from-mbedtls
branch
from
002dc03 to
e95dfd4
Compare
5 tasks
gilles-peskine-arm
added
needs-ci
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
We were missing `mbedtls_framework/code_wrapper/*.py` because we were not traversing the directory recursively. Also improve the comment explaining the duplicate-code workaround for code that's being moved between files in different repositories. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
force-pushed
the
audit_validity_dates-move-from-mbedtls
branch
from
e95dfd4 to
c5135a0
Compare
Contributor
Author
|
I had to inject an additional merge of |
valeriosetti
approved these changes
Mar 9, 2026
bjwtaylor
approved these changes
Mar 11, 2026
github-project-automation
bot
moved this from In Development
to Has Approval
in Roadmap pull requests (new board)
gilles-peskine-arm
added
approved
github-project-automation
bot
moved this from Has Approval
to Done
in Roadmap pull requests (new board)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
11 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Move some branch-independent scripts from mbedtls. In particular
audit-validity-dates.pywhich I need to change for #282.Moved using Mbed-TLS/mbedtls-docs#145, so most of the content is some history picked up from mbedtls. The review consists of checking that the history starts from a PR merge on
mainand a PR merge ondevelopment, that the subsequent merges do what is expected to effectively move files around, and that the subsequent non-merge commits are acceptable and end up with a sane result.PR checklist