
TlsLib Unit Tests#1747

Merged
Flickdm merged 2 commits into microsoft:release/202511 from Flickdm:feat/TlsLibUnitTest
Apr 30, 2026

Conversation

@Flickdm (Member) commented Apr 5, 2026

Included in: MU_CRYPTO_RELEASE Milestone 1

Description

Add unit tests for the TlsLib library class. The test suite validates TLS functionality through the TlsLib API surface. Today there are no unit tests.

The goal with this is to catch regressions as we move through faster crypto changes. Importantly, this prints which TLS algorithms are being used to catch regressions against DFCI or other features.

What's included

50 test cases across 6 test suites, with both host-based and UEFI Shell entry points:

| Suite | Tests | Coverage |
|---|---|---|
| Function pointer validation | 3 | TlsInitialize, TlsCtxNew, TlsNew |
| Context lifecycle | 4 | Create/free, client/server endpoint, version setting |
| Cipher suite enumeration | 8 | 14 TLS 1.2 ciphers, DFCI required ciphers (hard-fail), EC curves, TLS 1.3, PQC hybrid groups |
| Configuration | 13 | Verify mode, hostname verification, SNI, session ID, signature algorithms, compression, security level, shutdown, handshake state |
| Certificate management | 10 | CA cert set/get, host cert, private key, CRL |
| Getter/query functions | 12 | Version, connection end, cipher, compression, verify, session ID, client/server random, key material |

Key features

  • DFCI/Intune cipher validation: Hard-fails if any of the 4 required ECDHE-RSA cipher suites are missing, catching regressions that would break Surface firmware cloud connectivity
  • Structured capability reports: Outputs machine-parseable SUPPORTED/UNSUPPORTED status for all probed algorithms, suitable for CI action consumption
  • PQC readiness probing: Documents ML-KEM hybrid key exchange group support status (X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024)
  • Firmware policy assertions: Validates that server mode returns EFI_UNSUPPORTED (client-only policy) and TLS compression is disabled (CRIME attack mitigation)

Code coverage

| File | Line Coverage |
|---|---|
| TlsConfig.c | 74.3% |
| TlsInit.c | 72.6% |
| TlsProcess.c | 8.2% (handshake/IO functions need loopback test) |
| Overall | ~61% |

For details on how to complete these options and their meaning refer to CONTRIBUTING.md.

  • Impacts functionality?
  • Impacts security?
  • Breaking change?
  • Includes tests?
  • Includes documentation?

How This Was Tested

This will be added as an automation for MU_CRYPTO_RELEASE on changes to the OpensslPkg and TlsLib.

Integration Instructions

N/A
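The "DFCI required ciphers (hard-fail)" check and the SUPPORTED/UNSUPPORTED capability report described in the PR, shown as an added, self-contained C example. This is not the PR's test code: the real suite probes each suite against TlsLib on a fresh TLS object, whereas here a constructed `ProviderAccepts` list stands in for the provider's answer so the example runs without a firmware build. The GCM codepoints are the IANA values for the two ECDHE-RSA GCM suites; the PR only says "CBC" for the other two, so the SHA384/SHA256 CBC codepoints, the `TLSCAP` report-line prefix and the group names are assumptions of this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* One probed suite: IANA codepoint plus the name used in the report line. */
typedef struct {
  uint16_t    Id;
  const char *Name;
} CIPHER_SUITE;

/*
 * The four ECDHE-RSA suites the PR says must be present for DFCI/Intune.
 * The GCM pair is unambiguous; the PR only says "CBC" for the other two, so
 * the SHA384/SHA256 CBC codepoints below are an assumption of this example.
 */
static const CIPHER_SUITE DfciRequired[] = {
  { 0xC030, "TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" },
  { 0xC02F, "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256" },
  { 0xC028, "TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384" }, /* assumed CBC variant */
  { 0xC027, "TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256" }, /* assumed CBC variant */
};

/* Informational TLS 1.3 probes: reported, but their absence is not a failure. */
static const CIPHER_SUITE Tls13Probed[] = {
  { 0x1301, "TLS_AES_128_GCM_SHA256" },
  { 0x1302, "TLS_AES_256_GCM_SHA384" },
  { 0x1303, "TLS_CHACHA20_POLY1305_SHA256" },
};

/*
 * Constructed stand-in for the provider's answer. In the real test each suite
 * is probed against TlsLib; here a fixed list plays that role.
 */
static const uint16_t ProviderAccepts[] = {
  0xC030, 0xC02F, 0xC028, 0xC027, 0xC014, 0xC013, 0x1301, 0x1302,
};
#define PROVIDER_ACCEPTS_COUNT (sizeof (ProviderAccepts) / sizeof (ProviderAccepts[0]))

/* Returns true if the provider accepted the given codepoint. */
static bool
ProbeSuite (uint16_t Id, const uint16_t *Accepted, size_t AcceptedCount)
{
  for (size_t i = 0; i < AcceptedCount; i++) {
    if (Accepted[i] == Id) {
      return true;
    }
  }
  return false;
}

/*
 * Emits one machine-parseable line per suite in the form
 *   TLSCAP <group> <name> SUPPORTED|UNSUPPORTED
 * (the "TLSCAP" prefix is this example's choice, not the PR's format) and
 * returns how many suites in the group were missing. Out may be NULL to
 * compute the count without printing.
 */
static size_t
ReportGroup (const char *Group, const CIPHER_SUITE *Suites, size_t SuiteCount,
             const uint16_t *Accepted, size_t AcceptedCount, FILE *Out)
{
  size_t Missing = 0;
  for (size_t i = 0; i < SuiteCount; i++) {
    bool Ok = ProbeSuite (Suites[i].Id, Accepted, AcceptedCount);
    if (!Ok) {
      Missing++;
    }
    if (Out != NULL) {
      fprintf (Out, "TLSCAP %s %s %s\n", Group, Suites[i].Name, Ok ? "SUPPORTED" : "UNSUPPORTED");
    }
  }
  return Missing;
}

/* Hard-fail gate: every DFCI-required suite must be accepted. */
static bool
DfciCiphersPresent (const uint16_t *Accepted, size_t AcceptedCount)
{
  size_t Required = sizeof (DfciRequired) / sizeof (DfciRequired[0]);
  return ReportGroup ("DFCI_REQUIRED", DfciRequired, Required, Accepted, AcceptedCount, NULL) == 0;
}

int
main (void)
{
  size_t Required = sizeof (DfciRequired) / sizeof (DfciRequired[0]);
  size_t Tls13    = sizeof (Tls13Probed) / sizeof (Tls13Probed[0]);

  /* Report everything first so CI can parse the full capability picture. */
  ReportGroup ("DFCI_REQUIRED", DfciRequired, Required, ProviderAccepts, PROVIDER_ACCEPTS_COUNT, stdout);
  ReportGroup ("TLS13", Tls13Probed, Tls13, ProviderAccepts, PROVIDER_ACCEPTS_COUNT, stdout);

  /* Then apply the only hard-fail condition: a missing DFCI-required suite. */
  if (!DfciCiphersPresent (ProviderAccepts, PROVIDER_ACCEPTS_COUNT)) {
    fprintf (stderr, "FAIL: a DFCI-required cipher suite is missing\n");
    return 1;
  }
  return 0;
}
```

Separating the report from the gate is the point: the informational groups (TLS 1.3, PQC hybrids) document what the provider supports without turning a missing optional suite into a red build, while the required group still fails hard so a crypto provider change that drops an ECDHE-RSA suite is caught before it reaches a Surface image.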

@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch 5 times, most recently from febab6c to 8975eb2 (April 7, 2026 04:43)
@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch from 8975eb2 to 5e6492d (April 21, 2026 17:45)
@mu-automation (Contributor, Bot) commented Apr 21, 2026

⏩ QEMU Validation Skipped

The PR was merged before validation completed.

This comment was automatically generated by the Mu QEMU PR Validation workflow.

@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch 6 times, most recently from 07d0658 to 16153f7 (April 30, 2026 19:04)
@Flickdm Flickdm marked this pull request as ready for review April 30, 2026 19:35
@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch from 16153f7 to a2590c4 (April 30, 2026 19:35)
@Flickdm Flickdm changed the title TLS Unit Test to TlsLib Unit Tests Apr 30, 2026
@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch from a2590c4 to 16153f7 (April 30, 2026 21:49)
Review comment thread on CryptoPkg/Test/UnitTest/Library/TlsLib/TestTlsLib.h (outdated)
@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch 2 times, most recently from d395a11 to 9b31cb0 (April 30, 2026 22:47)
Flickdm added 2 commits April 30, 2026 15:47
Add provider-agnostic TlsLib unit tests that validate TLS
functionality through the BaseCryptLib API surface. The test suite
contains 50 test cases organized across 6 suites:

- Function pointer availability (TlsInitialize, TlsCtxNew, TlsNew)
- Context lifecycle (create/free, endpoint, version setting) and
  firmware client-only assertion (server mode returns EFI_UNSUPPORTED)
- Cipher suite validation including DFCI/Intune required ciphers
  (ECDHE-RSA-AES-256/128-GCM/CBC), TLS 1.2 enumeration (14 ciphers),
  EC curve probing (P-256, P-384, P-521, X25519, X448), TLS 1.3
  cipher probing, and PQC hybrid key exchange group probing
  (X25519MLKEM768, SecP256r1MLKEM768, SecP384r1MLKEM1024)
- Configuration tests (verify mode, hostname, SNI, session ID,
  signature algorithms, compression, security level, shutdown)
- Certificate management (CA cert set/get, host cert, private key,
  CRL)
- Getter/query tests (version, connection end, cipher, compression,
  verify, session ID, client/server random, key material)

Signed-off-by: Doug Flick <dougflick@microsoft.com>

Add TestTlsLibApp.inf as a UEFI_APPLICATION and UnitTestMain.c as
the DXE entry point so the TlsLib unit tests can run in the UEFI
Shell environment. Update CryptoPkg.dsc to include the new test
application with OneCrypto library class overrides.

Signed-off-by: Doug Flick <dougflick@microsoft.com>
@Flickdm Flickdm force-pushed the feat/TlsLibUnitTest branch from 9b31cb0 to fb7763f (April 30, 2026 22:47)
@Flickdm Flickdm enabled auto-merge (rebase) April 30, 2026 23:01
@Flickdm Flickdm merged commit d527542 into microsoft:release/202511 Apr 30, 2026
56 checks passed
3 participants