Gilles Peskine
`analyze_outcomes.py` should complain if the same test run identification (platform, configuration, test suite, test case) appears more than once in `outcomes.csv`. That would likely be caused by having a test...
Since Mbed TLS 3.6.0, one of the types declared in an Mbed TLS header is a struct with a flexible array member: [`typedef struct psa_key_production_parameters_s psa_key_production_parameters_t`](https://github.com/Mbed-TLS/mbedtls/blob/mbedtls-3.6.0/include/psa/crypto_struct.h#L226). ``` struct psa_key_production_parameters_s {...
When running a test suite verbosely, if a test case is skipped due to a compile-time dependency on the test case, show e.g. `Unmet dependencies: PSA_WANT_ALG_XTS PSA_WANT_ECC_FAMILY_TWISTED_EDWARDS` rather than `Unmet...
`tests/src/test_certs.h` is generated by `tests/scripts/generate_test_cert_macros.py`. Despite the name, `tests/src/test_certs.h` is not really a header file, it's just included from one `.c` file. So it should be handled normally like other...
We want our public headers to work in C++. For the most part, this means our headers should contain balanced `extern { … }` blocks. It also means public headers...
A large block of code is only reachable if MBEDTLS_PK_USE_PSA_EC_DATA is enabled, i.e. if MBEDTLS_USE_PSA_CRYPTO is enabled with driver-only ECC. Compilers are likely to figure it out, but still, for...
Configuring a CA callback with `mbedtls_ssl_conf_ca_cb()` has no effect in TLS 1.3. This is not documented as a limitation, and there is no reason not to support it. See https://github.com/Mbed-TLS/mbedtls/issues/7075#issuecomment-1425604707...
In `test_suite_pk.function`, there is some code to construct suitable keys for testing. This test code is rather complex. Part of this is necessary to support many different cases (opaque or...
When `MBEDTLS_HAVE_TIME_DATE` is disabled, in Mbed TLS up to 3.x, X.509 silently skips expiration verification. This is an insecure default. Consider changing to always flag expiry, and allow a runtime...
We have two platform support options `MBEDTLS_HAVE_TIME` and `MBEDTLS_HAVE_TIME_DATE`. Do we need them? Are we testing adequately with/without each option? Ronald notes that in TLS 1.3 you can have tickets...