From 11c362a050670504a1ea57527858cdfa1cfbf5ae Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:34:31 +0200 Subject: [PATCH 01/23] Add component to build and test default config with stream cipher only Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 32 ++++++++++++++++++++++++++++++++ 1 file changed, 32 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 28a20d2b7..862b8822b 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1274,6 +1274,38 @@ component_test_crypto_full_no_cipher () { make test } +component_test_crypto_default_stream_cipher_only () { + msg "build: default with only stream cipher" + + # Disable all ciphers + # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + + # Enable stream(null) cipher only + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + make + + msg "test: default with only stream cipher" + make test +} + + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full 
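Review bot: "stream cipher" in the component name and in both `msg` banners hides that the only cipher left enabled is the NULL pseudo-cipher, which the in-line comment on MBEDTLS_CIPHER_NULL_CIPHER states. A library built from this configuration performs no record encryption, so the label should make it plain that this is a test-only setup that must not be copied into a product configuration. I would write the banner as `msg "build: default with only stream (NULL) cipher"` and put `# Test-only: the NULL cipher provides no confidentiality` above the final `set` line. The earlier `unset MBEDTLS_CIPHER_NULL_CIPHER` under "Disable all ciphers" is immediately undone by that `set` and can be dropped.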
From 89ad62352dae7fede94bcfec3717e9c17c40be6b Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:36:12 +0200 Subject: [PATCH 02/23] Fix guards for mbedtls_ct_size_mask() and mbedtls_ct_memcpy_if_eq() Both functions are used when MBEDTLS_SSL_SOME_SUITES_USE_MAC is defined not MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC. Signed-off-by: Przemek Stekiel --- library/constant_time.c | 8 ++++---- library/constant_time_internal.h | 4 ++-- 2 files changed, 6 insertions(+), 6 deletions(-) diff --git a/library/constant_time.c b/library/constant_time.c index 8980701e5..01a6976d8 100644 --- a/library/constant_time.c +++ b/library/constant_time.c @@ -81,7 +81,7 @@ unsigned mbedtls_ct_uint_mask( unsigned value ) #endif } -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) size_t mbedtls_ct_size_mask( size_t value ) { @@ -97,7 +97,7 @@ size_t mbedtls_ct_size_mask( size_t value ) #endif } -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) @@ -404,7 +404,7 @@ static void mbedtls_ct_mem_move_to_left( void *start, #endif /* MBEDTLS_PKCS1_V15 && MBEDTLS_RSA_C && ! MBEDTLS_RSA_ALT */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) void mbedtls_ct_memcpy_if_eq( unsigned char *dest, const unsigned char *src, @@ -654,7 +654,7 @@ cleanup: } #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_BIGNUM_C) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index fc24ae59a..340a5882d 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h 
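Review bot: The `#if`/`#endif` pair changed at lines 404 and 654 of library/constant_time.c brackets about 250 lines, not only mbedtls_ct_memcpy_if_eq(): the closing hunk shows a `cleanup:` label and an `#endif /* MBEDTLS_USE_PSA_CRYPTO */` inside the region, and the matching header hunk shows `mbedtls_ct_hmac()` under the same guard. The commit message justifies the wider condition for two functions only, so every other helper in that region is now also compiled whenever any MAC-based suite is enabled, including the stream-only build. If those helpers serve only CBC padding handling, keep them in a nested `#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC)` block inside the new guard, in both the .c file and constant_time_internal.h. The function bodies lie outside these hunks, so confirm what sits in the region before splitting it.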
@@ -213,7 +213,7 @@ signed char mbedtls_ct_base64_dec_value( unsigned char c ); #endif /* MBEDTLS_BASE64_C */ -#if defined(MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC) +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) /** Conditional memcpy without branches. * @@ -321,7 +321,7 @@ int mbedtls_ct_hmac( mbedtls_md_context_t *ctx, unsigned char *output ); #endif /* MBEDTLS_USE_PSA_CRYPTO */ -#endif /* MBEDTLS_SSL_SOME_SUITES_USE_TLS_CBC */ +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ #if defined(MBEDTLS_PKCS1_V15) && defined(MBEDTLS_RSA_C) && !defined(MBEDTLS_RSA_ALT) From a82290b7271a3cd489e62a0f98d24622dbbf4bbe Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:41:12 +0200 Subject: [PATCH 03/23] Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions Both functions are calling mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions. These functions are guarded with MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C flags - make it consistent. As a result ssl_server2 won't build now with MBEDTLS_SSL_SESSION_TICKETS enabled (mbedtls_cipher_auth_[encrypt/decrypt]_ext() functions not available). Mark MBEDTLS_SSL_SESSION_TICKETS as dependent on MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C and disable MBEDTLS_SSL_SESSION_TICKETS in stream cipher only build. Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 3 +++ library/ssl_ticket.c | 7 ++++++- tests/scripts/all.sh | 1 + 3 files changed, 10 insertions(+), 1 deletion(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 10387061a..1874e51cb 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -962,6 +962,9 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) ) +#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" +#endif /* Reject attempts to enable options that have been removed and that could diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 359686afa..5398c3970 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -114,6 +114,7 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx, /* * Rotate/generate keys if necessary */ +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) { @@ -150,6 +151,7 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #endif /* MBEDTLS_HAVE_TIME */ return( 0 ); } +#endif /* * Rotate active session ticket encryption key @@ -293,7 +295,7 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, * The key_name, iv, and length of encrypted_state are the additional * authenticated data. */ - +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) int mbedtls_ssl_ticket_write( void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, @@ -390,7 +392,9 @@ cleanup: return( ret ); } +#endif +#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) /* * Select key based on name */ @@ -517,6 +521,7 @@ cleanup: return( ret ); } +#endif /* * Free context diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 862b8822b..64290544f 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
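Review bot: With the guards added in library/ssl_ticket.c, mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() vanish when neither AEAD nor NIST_KW is available, while mbedtls_ssl_ticket_setup() (the hunk context at line 293) is still compiled, so the module can be configured but has no functions left to protect or verify a ticket. Whether the public header still declares the two functions is not visible here; if it does, a caller fails at link time instead of at configuration time. I would rather gate the whole file on the condition, or reject the combination in check_config.h for the macro that enables this file, than cut out individual functions. The three added `#endif` lines should also name their condition, `#endif /* MBEDTLS_CIPHER_MODE_AEAD || MBEDTLS_NIST_KW_C */`, as the existing `#endif /* MBEDTLS_HAVE_TIME */` does.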
@@ -1296,6 +1296,7 @@ component_test_crypto_default_stream_cipher_only () { scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS # Enable stream(null) cipher only scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER From 6f29a6c4b46a6aab2c5cb51e55e55292227e4483 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:49:21 +0200 Subject: [PATCH 04/23] test_suite_cipher.function: always include aes.h It is done to have MBEDTLS_ERR_AES_INVALID_INPUT_LENGTH macro available (used in tests) Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cipher.function | 3 --- 1 file changed, 3 deletions(-) diff --git a/tests/suites/test_suite_cipher.function b/tests/suites/test_suite_cipher.function index 37468df71..af617fc56 100644 --- a/tests/suites/test_suite_cipher.function +++ b/tests/suites/test_suite_cipher.function @@ -1,9 +1,6 @@ /* BEGIN_HEADER */ #include "mbedtls/cipher.h" - -#if defined(MBEDTLS_AES_C) #include "mbedtls/aes.h" -#endif #if defined(MBEDTLS_GCM_C) #include "mbedtls/gcm.h" From 4c49927bad54a255507872701815968453741dfc Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 27 Sep 2022 13:55:37 +0200 Subject: [PATCH 05/23] Fix unused variables warnings in default + stream cipher only build Signed-off-by: Przemek Stekiel --- library/psa_crypto.c | 1 + library/ssl_msg.c | 2 ++ 2 files changed, 3 insertions(+) diff --git a/library/psa_crypto.c b/library/psa_crypto.c index 4a0bd8331..e45b5d70a 100644 --- a/library/psa_crypto.c +++ b/library/psa_crypto.c @@ -3592,6 +3592,7 @@ static psa_status_t psa_aead_check_nonce_length( psa_algorithm_t alg, break; #endif /* PSA_WANT_ALG_CHACHA20_POLY1305 */ default: + (void) nonce_length; return( PSA_ERROR_NOT_SUPPORTED ); } diff --git a/library/ssl_msg.c b/library/ssl_msg.c index dbef29b3f..06194bd2d 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c 
@@ -1124,7 +1124,9 @@ int mbedtls_ssl_decrypt_buf( mbedtls_ssl_context const *ssl, mbedtls_ssl_transform *transform, mbedtls_record *rec ) { +#if defined(MBEDTLS_SSL_SOME_SUITES_USE_CBC) || defined(MBEDTLS_CIPHER_MODE_AEAD) size_t olen; +#endif /* MBEDTLS_SSL_SOME_SUITES_USE_CBC || MBEDTLS_CIPHER_MODE_AEAD */ mbedtls_ssl_mode_t ssl_mode; int ret; From d582a01073ce8db8698e28cc92430ca283eb7dcf Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 28 Sep 2022 07:59:01 +0200 Subject: [PATCH 06/23] Make MBEDTLS_SSL_CONTEXT_SERIALIZATION dependent on AEAD Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 3 +++ tests/scripts/all.sh | 1 + 2 files changed, 4 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1874e51cb..bbace7a3c 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -966,6 +966,9 @@ #error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !defined(MBEDTLS_CIPHER_MODE_AEAD) +#error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" +#endif /* Reject attempts to enable options that have been removed and that could * cause a build to succeed but with features removed. */ diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 64290544f..124889d1d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1297,6 +1297,7 @@ component_test_crypto_default_stream_cipher_only () { scripts/config.py unset MBEDTLS_CMAC_C scripts/config.py unset MBEDTLS_NIST_KW_C scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION # Enable stream(null) cipher only scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER From e31ba83675e59926a073e36bf694ecf448906395 Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 28 Sep 2022 09:44:58 +0200 Subject: [PATCH 07/23] Use basic symbols instead MBEDTLS_CIPHER_MODE_AEAD in check config Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index bbace7a3c..fa56eb709 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -962,11 +962,11 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) ) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) || defined(MBEDTLS_NIST_KW_C) ) #error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !defined(MBEDTLS_CIPHER_MODE_AEAD) +#if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" #endif From 9550c0575773bccb4c252f2efc0e7259a5cc79b6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 28 Sep 2022 09:51:55 +0200 Subject: [PATCH 08/23] Add component to build and test full config with stream cipher only Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 33 +++++++++++++++++++++++++++++++++ 1 file changed, 33 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 124889d1d..7cab8caae 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
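Review bot: Nothing next to the two rewritten conditions says why GCM, CCM and CHACHAPOLY are spelled out instead of MBEDTLS_CIPHER_MODE_AEAD, which the guards added to library/ssl_ticket.c earlier in this series still use, so a later cleanup is likely to fold them back. Presumably the derived macro is not yet defined at the point where check_config.h is processed; if that is the reason, record it with `/* MBEDTLS_CIPHER_MODE_AEAD is not defined yet at this point; test the AEAD modules directly. */` above the first check. Both `#if` lines are also much longer than the neighbouring checks and would read better split with backslash continuations, one `defined()` per line.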
@@ -1277,6 +1277,7 @@ component_test_crypto_full_no_cipher () { component_test_crypto_default_stream_cipher_only () { msg "build: default with only stream cipher" + scripts/config.py crypto_full # Disable all ciphers # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C @@ -1307,6 +1308,38 @@ component_test_crypto_default_stream_cipher_only () { make test } +component_test_crypto_full_stream_cipher_only () { + msg "build: full with only stream cipher" + + # Disable all ciphers + # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + + # Enable stream(null) cipher only + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER + make + + msg "test: full with only stream cipher" + make test +} component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" From b0de1c040bf12c7fd8b9a4e6dbcfccff8aac8f2c Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Wed, 28 Sep 2022 10:23:22 +0200 Subject: [PATCH 09/23] Add components to build and test default/full config with legacy-ccm cipher only Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 69 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 69 insertions(+) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7cab8caae..1f664baf9 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1341,6 +1341,75 @@ component_test_crypto_full_stream_cipher_only () { make test } +component_test_crypto_default_cbc_legacy_cipher_only () { + msg "build: default with only CBC-legacy cipher" + + # Disable all ciphers + # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + + # Enable CBC-legacy cipher only + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + scripts/config.py set MBEDTLS_AES_C + make + + msg "test: default with only CBC-legacy cipher" + make test +} + +component_test_crypto_full_cbc_legacy_cipher_only () { + msg "build: full with only CBC-legacy cipher" + + scripts/config.py crypto_full + # Disable all ciphers + # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + 
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + + # Enable CBC-legacy cipher only + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + scripts/config.py set MBEDTLS_AES_C + make + + msg "test: full with only CBC-legacy cipher" + make test +} + component_test_psa_external_rng_use_psa_crypto () { msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" scripts/config.py full From 0cc3466c9e9d38e1c459415aef9d69d36ead5d9d Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 28 Sep 2022 12:06:57 +0200 Subject: [PATCH 10/23] Change testing strategy to default + one cypher only (psa/no psa) In full config TLS 1.2 is disabled. Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 89 ++++++++++++++++++++++++++++++++++++++++---- 1 file changed, 81 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 1f664baf9..412885fd7 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1277,7 +1277,6 @@ component_test_crypto_full_no_cipher () { component_test_crypto_default_stream_cipher_only () { msg "build: default with only stream cipher" - scripts/config.py crypto_full # Disable all ciphers # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C @@ -1308,9 +1307,10 @@ component_test_crypto_default_stream_cipher_only () { make test } -component_test_crypto_full_stream_cipher_only () { - msg "build: full with only stream cipher" +component_test_crypto_default_stream_cipher_only_use_psa () { + msg "build: deafult with only stream cipher use psa" + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO # Disable all ciphers # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C @@ -1337,7 +1337,7 @@ component_test_crypto_full_stream_cipher_only () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER make - msg "test: full with only stream cipher" + msg "test: deafult with only stream cipher use psa" make test } @@ -1375,10 +1375,10 @@ component_test_crypto_default_cbc_legacy_cipher_only () { make test } -component_test_crypto_full_cbc_legacy_cipher_only () { - msg "build: full with only CBC-legacy cipher" +component_test_crypto_deafult_cbc_legacy_cipher_only_use_psa () { + msg "build: default with only CBC-legacy cipher use psa" - scripts/config.py crypto_full + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO # Disable all ciphers # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C 
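Review bot: `deafult` is misspelled in the renamed function `component_test_crypto_deafult_cbc_legacy_cipher_only_use_psa` (hunk at line 1375) and in both `msg` banners of the stream-cipher PSA component (hunks at lines 1307 and 1337). The function name matters more than the banners: if components are ever selected by a name pattern containing `default`, this one is skipped without any error and the CBC-legacy PSA configuration is not tested. Rename it to `component_test_crypto_default_cbc_legacy_cipher_only_use_psa` and correct the two strings to `default`. The rename in patch 11/23 of this series carries the same spelling forward, so it needs the same correction there.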
@@ -1406,7 +1406,80 @@ component_test_crypto_full_cbc_legacy_cipher_only () { scripts/config.py set MBEDTLS_AES_C make - msg "test: full with only CBC-legacy cipher" + msg "test: default with only CBC-legacy cipher use psa" + make test +} + +component_test_crypto_default_cbc_legacy_cbc_etm_cipher_only () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers" + + # Disable all ciphers + # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + + # Enable CBC-legacy cipher only + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + scripts/config.py set MBEDTLS_AES_C + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + + make + + msg "test: default with only CBC-legacy and CBC-EtM ciphers" + make test +} + +component_test_crypto_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { + msg "build: full with only CBC-legacy and CBC-EtM ciphers use psa" + + scripts/config.py set MBEDTLS_USE_PSA_CRYPTO + # Disable all ciphers + # AEAD (controlled by the 
presence of one of GCM_C, CCM_C, CHACHAPOLY_C + scripts/config.py unset MBEDTLS_GCM_C + scripts/config.py unset MBEDTLS_CCM_C + scripts/config.py unset MBEDTLS_CHACHAPOLY_C + # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC + scripts/config.py unset MBEDTLS_AES_C + scripts/config.py unset MBEDTLS_CAMELLIA_C + scripts/config.py unset MBEDTLS_ARIA_C + scripts/config.py unset MBEDTLS_DES_C + # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC + # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Indirect dependencies + scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_CMAC_C + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + + # Enable CBC-legacy cipher only + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + scripts/config.py set MBEDTLS_AES_C + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + + make + + msg "test: full with only CBC-legacy and CBC-EtM ciphers use psa" make test } From 68db0d2f67a4e2ed7ae2fc0c6614dfd0a0ea3b76 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 08:32:25 +0200 Subject: [PATCH 11/23] Optimize one cipher only components and adapt nemes Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 126 +++++++++++++------------------------------ 1 file changed, 38 insertions(+), 88 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 412885fd7..6dbd365ce 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
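Review bot: `component_test_crypto_full_cbc_legacy_cbc_etm_cipher_only_use_psa` and its two `msg` banners say "full", but the body never selects the full configuration; it only sets MBEDTLS_USE_PSA_CRYPTO on top of the active configuration, exactly like the `default` components beside it. The commit message itself says the strategy is now default plus one cipher because TLS 1.2 is disabled in the full configuration, so the label reports coverage that the component does not provide. Rename it to `component_test_crypto_default_cbc_legacy_cbc_etm_cipher_only_use_psa` and change the banners to `default with only CBC-legacy and CBC-EtM ciphers use psa`. Patch 11/23 keeps the word `full` when it renames the component, so the same correction applies there.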
@@ -1274,24 +1274,19 @@ component_test_crypto_full_no_cipher () { make test } -component_test_crypto_default_stream_cipher_only () { +component_test_tls1_2_default_stream_cipher_only () { msg "build: default with only stream cipher" - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CMAC_C 
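Review bot: The block under `# Indirect dependencies` still unsets MBEDTLS_CTR_DRBG_C and MBEDTLS_CMAC_C, although this commit stops disabling AES, Camellia, ARIA and DES, which looks like the reason those two options were switched off in the first place. If that is so, every component now also alters the DRBG selection and drops CMAC for reasons unrelated to the cipher mode under test, which makes a failure harder to attribute to the mode. Either remove the two lines or state what still requires them, e.g. `# Still disabled because <reason>`. The same block appears unchanged in the other five components touched by this commit, and this component's body continues past the end of the hunk.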
@@ -1299,33 +1294,26 @@ component_test_crypto_default_stream_cipher_only () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable stream(null) cipher only - scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER make msg "test: default with only stream cipher" make test } -component_test_crypto_default_stream_cipher_only_use_psa () { +component_test_tls1_2_default_stream_cipher_only_use_psa () { msg "build: deafult with only stream cipher use psa" scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + # Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) - scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER + # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) + scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_CMAC_C 
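Review bot: The components are renamed to `tls1_2_*`, but the only test step in them remains `make test`; nothing in these hunks runs a TLS 1.2 handshake against the reduced cipher set. Whether the unit tests reach the record protection paths for stream, CBC-legacy and CBC-EtM, the code whose guards patches 02 and 05 of this series adjust, cannot be told from here. If they do not, add a handshake-level test step restricted to TLS 1.2 after `make test`. Otherwise put `# Unit tests only; TLS 1.2 handshakes with this cipher set are not run here` above `make test` so the name does not overstate the coverage.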
@@ -1333,31 +1321,24 @@ component_test_crypto_default_stream_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable stream(null) cipher only - scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER make msg "test: deafult with only stream cipher use psa" make test } -component_test_crypto_default_cbc_legacy_cipher_only () { +component_test_tls1_2_default_cbc_legacy_cipher_only () { msg "build: default with only CBC-legacy cipher" - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C 
@@ -1366,33 +1347,25 @@ component_test_crypto_default_cbc_legacy_cipher_only () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable CBC-legacy cipher only - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - scripts/config.py set MBEDTLS_AES_C make msg "test: default with only CBC-legacy cipher" make test } -component_test_crypto_deafult_cbc_legacy_cipher_only_use_psa () { +component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { msg "build: default with only CBC-legacy cipher use psa" scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C 
@@ -1401,32 +1374,24 @@ component_test_crypto_deafult_cbc_legacy_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable CBC-legacy cipher only - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - scripts/config.py set MBEDTLS_AES_C make msg "test: default with only CBC-legacy cipher use psa" make test } -component_test_crypto_default_cbc_legacy_cbc_etm_cipher_only () { +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { msg "build: default with only CBC-legacy and CBC-EtM ciphers" - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C 
@@ -1435,35 +1400,25 @@ component_test_crypto_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable CBC-legacy cipher only - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - scripts/config.py set MBEDTLS_AES_C - scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - make msg "test: default with only CBC-legacy and CBC-EtM ciphers" make test } -component_test_crypto_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { +component_test_tls1_2_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { msg "build: full with only CBC-legacy and CBC-EtM ciphers use psa" scripts/config.py set MBEDTLS_USE_PSA_CRYPTO - # Disable all ciphers - # AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C + # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) scripts/config.py unset MBEDTLS_GCM_C scripts/config.py unset MBEDTLS_CCM_C scripts/config.py unset MBEDTLS_CHACHAPOLY_C - # CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) - scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC - scripts/config.py unset MBEDTLS_AES_C - scripts/config.py unset MBEDTLS_CAMELLIA_C - scripts/config.py unset MBEDTLS_ARIA_C - scripts/config.py unset MBEDTLS_DES_C - # CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) - scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC - # stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER) + # Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES)) + scripts/config.py set MBEDTLS_CIPHER_MODE_CBC + # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) + scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC + # Disable stream (currently that's just the NULL pseudo-cipher (controlled by 
MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_CTR_DRBG_C @@ -1472,11 +1427,6 @@ component_test_crypto_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - # Enable CBC-legacy cipher only - scripts/config.py set MBEDTLS_CIPHER_MODE_CBC - scripts/config.py set MBEDTLS_AES_C - scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC - make msg "test: full with only CBC-legacy and CBC-EtM ciphers use psa" From a891a091a33dd5f47a2c9326280fb7aca86cfbf6 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 09:53:20 +0200 Subject: [PATCH 12/23] test_suite_cmac.data: fix bug: use cipher type instead cipher id Signed-off-by: Przemek Stekiel --- tests/suites/test_suite_cmac.data | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/tests/suites/test_suite_cmac.data b/tests/suites/test_suite_cmac.data index 70b7609e4..5956a6981 100644 --- a/tests/suites/test_suite_cmac.data +++ b/tests/suites/test_suite_cmac.data 
@@ -22,15 +22,15 @@ mbedtls_cmac_setkey:MBEDTLS_CIPHER_DES_EDE3_ECB:192:0 CMAC init #5 AES-224: bad key size depends_on:MBEDTLS_AES_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:224:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC init #6 AES-0: bad key size depends_on:MBEDTLS_AES_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_AES:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_AES_128_ECB:0:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC init #7 Camellia: wrong cipher depends_on:MBEDTLS_CAMELLIA_C -mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA +mbedtls_cmac_setkey:MBEDTLS_CIPHER_CAMELLIA_192_ECB:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA CMAC Single Blocks #1 - Empty block, no updates mbedtls_cmac_multiple_blocks:MBEDTLS_CIPHER_AES_128_ECB:"2b7e151628aed2a6abf7158809cf4f3c":128:16:"":-1:"":-1:"":-1:"":-1:"bb1d6929e95937287fa37d129b756746" From 8d4b24102883315d32135af4e30f5857ee14c582 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 10:13:40 +0200 Subject: [PATCH 13/23] Remove redundant indirect dependencies after optimizing setup for one cipher components Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 24 ------------------------ 1 file changed, 24 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 6dbd365ce..94a84a11d 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1288,10 +1288,6 @@ component_test_tls1_2_default_stream_cipher_only () { # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make 
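Review bot: In `CMAC init #7 Camellia: wrong cipher` the new cipher type `MBEDTLS_CIPHER_CAMELLIA_192_ECB` is paired with a key size of 128, so the expected `MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA` may come from the key-length mismatch rather than from CMAC refusing Camellia. The test function is not part of this hunk, so this is inferred from the case title and its arguments. If the case is meant to prove that an unsupported cipher is rejected, the key size should be valid for the chosen type: `mbedtls_cmac_setkey:MBEDTLS_CIPHER_CAMELLIA_128_ECB:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA`. Cases #5 and #6 are fine as written, since a bad key size is exactly what they test.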
@@ -1315,10 +1311,6 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make @@ -1341,10 +1333,6 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make @@ -1368,10 +1356,6 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make 
@@ -1394,10 +1378,6 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make @@ -1421,10 +1401,6 @@ component_test_tls1_2_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_CMAC_C - scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION make From ce5b68c7a304ad5c9b15613925ae47f0b923ae15 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 10:21:59 +0200 Subject: [PATCH 14/23] Revert "Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_parse() functions" This reverts commit a82290b7271a3cd489e62a0f98d24622dbbf4bbe. Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 4 ---- library/ssl_ticket.c | 7 +------ 2 files changed, 1 insertion(+), 10 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index fa56eb709..63c2f4f9a 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h 
@@ -962,10 +962,6 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) || defined(MBEDTLS_NIST_KW_C) ) -#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" #endif diff --git a/library/ssl_ticket.c b/library/ssl_ticket.c index 5398c3970..359686afa 100644 --- a/library/ssl_ticket.c +++ b/library/ssl_ticket.c @@ -114,7 +114,6 @@ static int ssl_ticket_gen_key( mbedtls_ssl_ticket_context *ctx, /* * Rotate/generate keys if necessary */ -#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) { @@ -151,7 +150,6 @@ static int ssl_ticket_update_keys( mbedtls_ssl_ticket_context *ctx ) #endif /* MBEDTLS_HAVE_TIME */ return( 0 ); } -#endif /* * Rotate active session ticket encryption key @@ -295,7 +293,7 @@ int mbedtls_ssl_ticket_setup( mbedtls_ssl_ticket_context *ctx, * The key_name, iv, and length of encrypted_state are the additional * authenticated data. */ -#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) + int mbedtls_ssl_ticket_write( void *p_ticket, const mbedtls_ssl_session *session, unsigned char *start, @@ -392,9 +390,7 @@ cleanup: return( ret ); } -#endif -#if defined(MBEDTLS_CIPHER_MODE_AEAD) || defined(MBEDTLS_NIST_KW_C) /* * Select key based on name */ @@ -521,7 +517,6 @@ cleanup: return( ret ); } -#endif /* * Free context From 48a6a666a00661f618d7f5241ddc20af8d433112 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Thu, 29 Sep 2022 15:22:01 +0200 Subject: [PATCH 15/23] Add ssl-opt tls 1.2 tests for single cipher builds 
Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 24 +++++++++++++++++++++--- 1 file changed, 21 insertions(+), 3 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 94a84a11d..60cd7b305 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1289,6 +1289,7 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make @@ -1312,6 +1313,7 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make @@ -1334,11 +1336,15 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make msg "test: default with only CBC-legacy cipher" make test + + msg "test: default with only CBC-legacy cipher - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" } component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { @@ -1357,11 +1363,15 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make msg "test: default with only CBC-legacy cipher use psa" make test + + msg "test: default with only CBC-legacy cipher use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" } component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { 
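Review bot: The added `tests/ssl-opt.sh -f "TLS 1.2"` step in the `@@ -1334,11 +1336,15 @@` hunk has no comment saying what the subset is meant to cover. The `-f` filter selects tests by description, so any CBC or Encrypt-then-MAC case whose title lacks that string would not run in these single-cipher builds. The same call is added at `@@ -1357,11 +1363,15 @@`, `@@ -1379,15 +1389,19 @@` and `@@ -1402,11 +1416,15 @@`. I would put a comment above each call, for example `# Subset: only ssl-opt.sh tests with "TLS 1.2" in their description; CBC/EtM cases with other titles are not covered here`, and confirm that the filter matches at least one test that actually negotiates a CBC suite. The component bodies start before these hunks.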
@@ -1379,15 +1389,19 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make msg "test: default with only CBC-legacy and CBC-EtM ciphers" make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" } -component_test_tls1_2_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { - msg "build: full with only CBC-legacy and CBC-EtM ciphers use psa" +component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { + msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" scripts/config.py set MBEDTLS_USE_PSA_CRYPTO # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) @@ -1402,11 +1416,15 @@ component_test_tls1_2_full_cbc_legacy_cbc_etm_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Indirect dependencies scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION + scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make - msg "test: full with only CBC-legacy and CBC-EtM ciphers use psa" + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa" make test + + msg "test: default with only CBC-legacy and CBC-EtM ciphers use psa - ssl-opt.sh (subset)" + tests/ssl-opt.sh -f "TLS 1.2" } component_test_psa_external_rng_use_psa_crypto () { From 460192ee19a9d83292c464cb754513aa8a3c64d0 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 3 Oct 2022 08:55:29 +0200 Subject: [PATCH 16/23] Fix and sync configuration file and configuration verifiation Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 5 +++++ include/mbedtls/mbedtls_config.h | 5 +++++ 2 files changed, 10 insertions(+) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 63c2f4f9a..54bed2fe9 100644 
--- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -962,6 +962,11 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) || defined(MBEDTLS_NIST_KW_C) ) +#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 9e8ae37c7..bde948d54 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1380,6 +1380,8 @@ * saved after the handshake to allow for more efficient serialization, so if * you don't need this feature you'll save RAM by disabling it. * + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C + * * Comment to disable the context serialization APIs. */ #define MBEDTLS_SSL_CONTEXT_SERIALIZATION @@ -1701,6 +1703,9 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C or + * MBEDTLS_NIST_KW_C + * * Comment this macro to disable support for SSL session tickets */ #define MBEDTLS_SSL_SESSION_TICKETS From 6a5cc74cc4dc424650368596bf9dc0614cdd73f3 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 3 Oct 2022 09:04:16 +0200 Subject: [PATCH 17/23] Fix typos and comments Signed-off-by: Przemek Stekiel --- tests/scripts/all.sh | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 60cd7b305..7f83314a4 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh 
@@ -1287,7 +1287,7 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS @@ -1295,10 +1295,12 @@ component_test_tls1_2_default_stream_cipher_only () { msg "test: default with only stream cipher" make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. } component_test_tls1_2_default_stream_cipher_only_use_psa () { - msg "build: deafult with only stream cipher use psa" + msg "build: default with only stream cipher use psa" scripts/config.py set MBEDTLS_USE_PSA_CRYPTO # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) @@ -1311,14 +1313,16 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS make - msg "test: deafult with only stream cipher use psa" + msg "test: default with only stream cipher use psa" make test + + # Not running ssl-opt.sh because most tests require a non-NULL ciphersuite. } component_test_tls1_2_default_cbc_legacy_cipher_only () { 
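Review bot: The spelling fix in the `@@ -1295,10 +1295,12 @@` and `@@ -1311,14 +1313,16 @@` hunks corrects `deafult` in the two `msg` strings but leaves it in the component name `component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa`. That name is still visible in the header of the `@@ -1361,7 +1365,7 @@` hunk of this same patch. Components are addressed by function name, so the misspelled one is easy to miss when selecting or grepping for the `default` builds. The definition line should become `component_test_tls1_2_default_cbc_legacy_cipher_only_use_psa () {`; it lies outside the lines these hunks touch.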
@@ -1334,7 +1338,7 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS @@ -1361,7 +1365,7 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS @@ -1387,7 +1391,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS @@ -1414,7 +1418,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER - # Indirect dependencies + # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS From 0957e7bfc5fe1a99c9d9e9a22e0e3f8b1a99b01b Mon Sep 17 00:00:00 2001 
From: Przemek Stekiel Date: Mon, 3 Oct 2022 11:39:02 +0200 Subject: [PATCH 18/23] Rmove MBEDTLS_NIST_KW_C dependency from MBEDTLS_SSL_TICKET_C Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 2 +- include/mbedtls/mbedtls_config.h | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 54bed2fe9..1bbbb4046 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -963,7 +963,7 @@ #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) || defined(MBEDTLS_NIST_KW_C) ) + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index bde948d54..e45d395bc 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1703,8 +1703,7 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C or - * MBEDTLS_NIST_KW_C + * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C * * Comment this macro to disable support for SSL session tickets */ From e32cd44490b5e26321b1c13a89645207470b2fda Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Wed, 5 Oct 2022 09:46:35 +0200 Subject: [PATCH 19/23] Add changelog entry: tls 1.2 builds with single encryption type Signed-off-by: Przemek Stekiel --- ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt | 3 +++ 1 file changed, 3 insertions(+) create mode 100644 ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt 
diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt new file mode 100644 index 000000000..d24f32c28 --- /dev/null +++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix bugs to enable TLS 1.2 builds with + single encryption type + tests From 52a428b824c544125753c651ca97c49f17d9a515 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 08:47:13 +0200 Subject: [PATCH 20/23] Fix MBEDTLS_SSL_TICKET_C, MBEDTLS_SSL_SESSION_TICKETS dependencies Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 10 +++++----- include/mbedtls/mbedtls_config.h | 5 ++--- tests/scripts/all.sh | 12 ++++++------ 3 files changed, 13 insertions(+), 14 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 1bbbb4046..52ada44e6 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -874,6 +874,11 @@ #error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif +#if defined(MBEDTLS_SSL_TICKET_C) && \ + !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" +#endif + #if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) && \ MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH >= 256 #error "MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH must be less than 256" 
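Review bot: The `#error` added for the AEAD prerequisite at `@@ -874,6 +874,11 @@` repeats the exact text of the check just above it, `"MBEDTLS_SSL_TICKET_C defined, but not all prerequisites"`, so a failing build does not say which requirement is missing. Only the tail of the preceding check is visible in this hunk, so its condition is assumed to be the cipher-layer one documented in `mbedtls_config.h`. A message that names the missing piece would save a trip to the header, e.g. `#error "MBEDTLS_SSL_TICKET_C defined, but no AEAD module (GCM, CCM or ChaChaPoly) is enabled"`.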
@@ -962,11 +967,6 @@ #error "MBEDTLS_SSL_VARIABLE_BUFFER_LENGTH defined, but not all prerequisites" #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) && \ - !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) -#error "MBEDTLS_SSL_SESSION_TICKETS defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION) && !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) #error "MBEDTLS_SSL_CONTEXT_SERIALIZATION defined, but not all prerequisites" #endif diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index e45d395bc..23e601b32 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1703,8 +1703,6 @@ * tickets, including authenticated encryption and key management. Example * callbacks are provided by MBEDTLS_SSL_TICKET_C. * - * Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C - * * Comment this macro to disable support for SSL session tickets */ #define MBEDTLS_SSL_SESSION_TICKETS @@ -3056,7 +3054,8 @@ * Module: library/ssl_ticket.c * Caller: * - * Requires: MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO + * Requires: (MBEDTLS_CIPHER_C || MBEDTLS_USE_PSA_CRYPTO) && + * (MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C) */ #define MBEDTLS_SSL_TICKET_C diff --git a/tests/scripts/all.sh b/tests/scripts/all.sh index 7f83314a4..dade439fe 100755 --- a/tests/scripts/all.sh +++ b/tests/scripts/all.sh @@ -1289,7 +1289,7 @@ component_test_tls1_2_default_stream_cipher_only () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make 
@@ -1315,7 +1315,7 @@ component_test_tls1_2_default_stream_cipher_only_use_psa () { scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make @@ -1340,7 +1340,7 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make @@ -1367,7 +1367,7 @@ component_test_tls1_2_deafult_cbc_legacy_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make @@ -1393,7 +1393,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make @@ -1420,7 +1420,7 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only_use_psa () { scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER # Modules that depend on AEAD scripts/config.py unset MBEDTLS_SSL_CONTEXT_SERIALIZATION - scripts/config.py unset MBEDTLS_SSL_SESSION_TICKETS + scripts/config.py unset MBEDTLS_SSL_TICKET_C make From 68a01a6720b12ec059df7b8f7a5861a5261c7a5e Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 11:31:58 +0200 Subject: [PATCH 21/23] Fix session tickets related build flags in fuzz_server and ssl_server2 
Signed-off-by: Przemek Stekiel --- programs/fuzz/fuzz_server.c | 8 ++++---- programs/ssl/ssl_server2.c | 10 +++++----- 2 files changed, 9 insertions(+), 9 deletions(-) diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 3d11d474c..95f43b8ff 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -42,7 +42,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_ssl_config conf; mbedtls_ctr_drbg_context ctr_drbg; mbedtls_entropy_context entropy; -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_context ticket_ctx; #endif unsigned char buf[4096]; @@ -89,7 +89,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { } mbedtls_ssl_init( &ssl ); mbedtls_ssl_config_init( &conf ); -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init( &ticket_ctx ); #endif @@ -114,7 +114,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { mbedtls_ssl_conf_alpn_protocols( &conf, alpn_list ); } #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) if( options & 0x4 ) { if( mbedtls_ssl_ticket_setup( &ticket_ctx, @@ -173,7 +173,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) { } exit: -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free( &ticket_ctx ); #endif mbedtls_entropy_free( &entropy ); diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index a129de65e..9f767c9f5 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c 
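Review bot: The compound condition `defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)` is now spelled out at four sites in `fuzz_server.c` (declaration, init, setup and free of `ticket_ctx`) and again throughout `ssl_server2.c`. These sites must stay in step, because one left on the old condition fails to build when only one of the two options is set. Patch 23 of this series already has to add a guard that was missed. Deriving one local macro near the includes and testing it at each site would keep them consistent, for example `#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)` / `#define FUZZ_USE_TICKET_CTX` / `#endif` (the macro name is only a suggestion). `LLVMFuzzerTestOneInput` starts and ends outside these hunks.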
@@ -49,7 +49,7 @@ int main( void ) #include "mbedtls/ssl_cache.h" #endif -#if defined(MBEDTLS_SSL_TICKET_C) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) #include "mbedtls/ssl_ticket.h" #endif @@ -1404,7 +1404,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_context cache; #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_context ticket_ctx; #endif #if defined(SNI_OPTION) @@ -1495,7 +1495,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_init( &cache ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init( &ticket_ctx ); #endif #if defined(MBEDTLS_SSL_ALPN) @@ -2914,7 +2914,7 @@ int main( int argc, char *argv[] ) mbedtls_ssl_cache_set ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) if( opt.tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED ) { if( ( ret = mbedtls_ssl_ticket_setup( &ticket_ctx, @@ -4210,7 +4210,7 @@ exit: #if defined(MBEDTLS_SSL_CACHE_C) mbedtls_ssl_cache_free( &cache ); #endif -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free( &ticket_ctx ); #endif #if defined(MBEDTLS_SSL_COOKIE_C) From 1f02c6c25e29875bb324866d37231a6f2cc9f326 Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Mon, 10 Oct 2022 11:41:30 +0200 Subject: [PATCH 22/23] Reword change log entry Signed-off-by: Przemek Stekiel --- ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt index d24f32c28..bac491026 100644 
--- a/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt +++ b/ChangeLog.d/fix_build_tls1_2_with_single_encryption_type.txt @@ -1,3 +1,4 @@ Bugfix - * Fix bugs to enable TLS 1.2 builds with - single encryption type + tests + * Fix bugs and missing dependencies when + building and testing configurations with + only one encryption type enabled in TLS 1.2. From d61a4d3d1ababed6c9c7e9bd52e9443fe6b86b8f Mon Sep 17 00:00:00 2001 From: Przemek Stekiel Date: Tue, 11 Oct 2022 09:40:40 +0200 Subject: [PATCH 23/23] Fix missing guard and double-space Signed-off-by: Przemek Stekiel --- include/mbedtls/check_config.h | 2 +- programs/ssl/ssl_server2.c | 6 +++--- 2 files changed, 4 insertions(+), 4 deletions(-) diff --git a/include/mbedtls/check_config.h b/include/mbedtls/check_config.h index 52ada44e6..6997ffde6 100644 --- a/include/mbedtls/check_config.h +++ b/include/mbedtls/check_config.h @@ -876,7 +876,7 @@ #if defined(MBEDTLS_SSL_TICKET_C) && \ !( defined(MBEDTLS_GCM_C) || defined(MBEDTLS_CCM_C) || defined(MBEDTLS_CHACHAPOLY_C) ) -#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" +#error "MBEDTLS_SSL_TICKET_C defined, but not all prerequisites" #endif #if defined(MBEDTLS_SSL_TLS1_3_TICKET_NONCE_LENGTH) && \ diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 9f767c9f5..fc19c8efc 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -283,7 +283,7 @@ int main( void ) #else #define USAGE_CA_CALLBACK "" #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */ -#if defined(MBEDTLS_SSL_SESSION_TICKETS) +#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) #define USAGE_TICKETS \ " tickets=%%d default: 1 (enabled)\n" \ " ticket_rotate=%%d default: 0 (disabled)\n" \ 
@@ -291,7 +291,7 @@ int main( void ) " ticket_aead=%%s default: \"AES-256-GCM\"\n" #else #define USAGE_TICKETS "" -#endif /* MBEDTLS_SSL_SESSION_TICKETS */ +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */ #define USAGE_EAP_TLS \ " eap_tls=%%d default: 0 (disabled)\n" @@ -1406,7 +1406,7 @@ int main( int argc, char *argv[] ) #endif #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_context ticket_ctx; -#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */ #if defined(SNI_OPTION) sni_entry *sni_info = NULL; #endif