Commit graph

21284 commits

Author SHA1 Message Date
Jerry Yu
fe52e55301 redirect stderr output in ubuntu22.04
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-12 09:53:37 +00:00
Jerry Yu
e36397d13b add tests for psk_key_exchange_mode
To confirm, psk_key_exchange_modes were received and
parsed.

Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-12 09:53:36 +00:00
Jerry Yu
e19e3b9eb8 Add psk_key_exchange_modes parser
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-07-12 09:53:35 +00:00
Paul Elliott
869298bffe Add 3.2.1 Changelog
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-12 10:51:55 +01:00
Paul Elliott
cd08ba0326 Bump version to 3.2.1
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-12 10:51:55 +01:00
Dave Rodgman
c2a9387110 Add missing library/psa_crypto_driver_wrappers.c
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-07-12 10:51:55 +01:00
Dave Rodgman
185d24ba0e Revert "Revert "Add generated files for 3.2.0 release""
This reverts commit 7adb8cbc0e.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-12 10:51:44 +01:00
Manuel Pégourié-Gonnard
af8cf5c04e Add a partial plan towards G5
Strategy for dependencies inside libmbecrypto, in particular in the PSA
Crypto core, are outside the scope of the present study.

Note: PR 6065, referenced in a few places, is the one that also
introduces the present commit. It kicks of the work towards G5 in parts
of the code governed by MBEDTLS_USE_PSA_CRYPTO.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
c0d78e9e69 Remove outdated paragraphs about G5
- lack of support for PSA_CRYPTO_CONFIG is not really a reason not to
enable MBEDTLS_USE_PSA_CRYPTO by default - while it's true that
currently X.509/TLS do not behave as expected when PSA_CRYPTO_CONFIG and
MBEDTLS_USE_PSA_CRYPTO are both enabled, it's no worse than when
MBEDTLS_USE_PSA_CRYPTO is disabled.
- as a consequence of removing the paragraph mentioned above, the
sub-section about PSA_CRYPTO_CONFIG no longer belongs in the
"compile-time option" section. Also, it's superseded by the study work
that happened in the meantime (of which this PR is part). So let's
remove it, and the new commit will add something more up-to-date
instead.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
481846c82f General update of PSA strategy documentation
Not related to the changes in this PR, except in the next commit I'll
update the strategy document for changes in this PR and to outline
likely follow-ups, and while looking at the document I noticed a few
things that needed updated, so here there are in their own commit.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
7b0825d180 Build with SHA-256 accelerated too
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
f0f63bc1b6 Test without MD_C
test_suite_pk still passes, with the same number of skipped tests as in
the default config minus PKCS#1v2.1

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
bbd0dc6cbd Fix hash-specific dependencies of test_suite_pk
Applied:

    sed -i -f use_psa_hash.sed tests/suites/test_suite_pk.*

with use_psa_hash.sed as follows:

    s/MBEDTLS_MD5_C/MBEDTLS_USE_PSA_WANT_ALG_MD5/g
    s/MBEDTLS_RIPEMD160_C/MBEDTLS_USE_PSA_WANT_ALG_RIPEMD160/g
    s/MBEDTLS_SHA1_C/MBEDTLS_USE_PSA_WANT_ALG_SHA_1/g
    s/MBEDTLS_SHA224_C/MBEDTLS_USE_PSA_WANT_ALG_SHA_224/g
    s/MBEDTLS_SHA256_C/MBEDTLS_USE_PSA_WANT_ALG_SHA_256/g
    s/MBEDTLS_SHA384_C/MBEDTLS_USE_PSA_WANT_ALG_SHA_384/g
    s/MBEDTLS_SHA512_C/MBEDTLS_USE_PSA_WANT_ALG_SHA_512/g

With this commit, test_suite_pk achieves parity between:

- crypto_full minus PKCS#1v2.1
- same minus MD (from all.sh's test_crypto_full_no_md)

and between:

- default config plus use_psa minus PKCS#1v2.1
- same with accelerators (test_psa_crypto_config_accel_hash_use_psa)

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
abcfa90276 PK test functions don't depend on software SHA-256
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
2d08ea49c8 Some PK test functions no longer depend on MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
043c8c5de8 Add USE_PSA version of PK test functions
While at it, also fix buffer size for functions that already depend on
USE_PSA: it should be PSA_HASH_MAX_SIZE for functions that always use
PSA, and the new macro MBEDTLS_USE_PSA_MD_MAX_SIZE for functions that
use it or not depending on USE_PSA.

The only case where MBEDTLS_MD_MAX_SIZE is OK is when the function
always uses MD - currently this is the case with
pk_sign_verify_restart() as it is incompatible with USE_PSA anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
bab73ab842 Loosen guards in mbedtls_psa_translate_md()
Depending only of our software implementation was too strict. The
function can be useful when only the PSA implementation is available,
since oftentimes the algorithm will still be expressed as an md_type for
legacy reasons.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:20 +02:00
Manuel Pégourié-Gonnard
5508673832 Add helper macros for dependencies based on USE_PSA
For now in an internal header as it's the safest option and that way we
can change whenever we want.

Later on if we think the macros can be useful to applications as well then we
can move them to a public location.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
525add631e Add component with accelerated hashes and USE_PSA
Currently the test suites are passing because a lot of tests
functions/cases explicitly depend on SHAxxx_C, resulting in them being
skipped in this build. The goal of the next few commits is going to make
them pass and achieve test parity with a non-accelerated build for
selected modules.

Note: compared to the previous component, I'm using 'make tests' not
'make' (ie not building program) because I'm betting build failures
(some header not found) in programs which are not my interest atm.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
97ab2a3ae2 Clean up two accel tests in all.sh
- TLS versions earlier than 1.2 have been removed
- fix a copy-paste typo

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
46a295422d Build and test RSA PKCS#1v1.5 without MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
e496c6273e Sort out MD dependencies in RSA tests
When MD is only used to compute a size, use md_internal.h instead.

When it's actually used to compute a hash, mark the test function as
depending on it. This is probably suboptimal in the long run, and we
might want to either adapt the code so that it can use PSA Crypto
instead, or just pre-compute the hash in the test data.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
3f4778995e Rm dependency on MD in psa_crypto_rsa.c
The previous commit made the PKCS#1v1.5 part of rsa.c independent from
md.c, but there was still a dependency in the corresponding part in PSA.
This commit removes it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
fe2b9b5397 Make mbedtls_oid_get_md_alg() always available
This is a step towards building with RSA PKCS#1v1.5 without MD.

Also loosen guards around oid data: the OID definitions clearly don't
depend on our software implementation.

We could simply have no dependency as this is just data. But for the
sake of code size, let's have some guards so that people who don't use
MD5, SHA1 or RIPEMD160 don't have to pay the price for them.

Note: this is used for RSA (PKCS#v1.5) signatures among other things, an
area that is not influenced by USE_PSA, so the guards should not depend
on it either.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:19 +02:00
Manuel Pégourié-Gonnard
f493f2ad1d Use md_internal_get_size() in rsa.c
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard
3356b89b64 Add missing guard around call to MD
PKCS#1 v1.5 mostly does not need hash operations. This is a first step
towards allowing builds with PKCS#1 v1.5 only (no v2.1) without MD.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard
b86279fc63 Build and test PK without MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard
6a0a160f99 Avoid a dependency on MD in test_suite_pk
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard
a370e06e30 Avoid dependency of PK on MD
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Manuel Pégourié-Gonnard
d8a298e1fc Add internal MD size getter
Modules / tests that only need to get the size of a hash from its type,
without actually computing a hash, need not depend on MD_C.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-07-12 11:11:18 +02:00
Zhangsen Wang
91385121b9 delete openssl version requirement for openssl client, because the bug only occurs on openssl server
Signed-off-by: Zhangsen Wang <zhangsen.wang@arm.com>
2022-07-12 01:56:57 +00:00
Paul Elliott
6dc7cdfdd1
Merge pull request #959 from paul-elliott-arm/merge-into-3.2.0
Merge 3.2.0 into development
2022-07-11 20:01:18 +01:00
Paul Elliott
7adb8cbc0e Revert "Add generated files for 3.2.0 release"
This reverts commit cb21f2eab3.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 18:18:30 +01:00
Paul Elliott
3aef7670b7
Merge pull request #957 from paul-elliott-arm/mbedtls-3.2.0rc0-pr
Mbedtls 3.2.0rc0 PR
2022-07-11 15:45:03 +01:00
Paul Elliott
cb21f2eab3 Add generated files for 3.2.0 release
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:56:01 +01:00
Paul Elliott
f14b742689 Update BRANCHES.md for 3.2.0 release
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:56:01 +01:00
Paul Elliott
20362cd1ca Bump library and so versions for 3.2.0 release
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:56:01 +01:00
Paul Elliott
2238eed2d9 Update Changelog for 3.2.0 release
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:55:59 +01:00
Paul Elliott
2089fd0ea9 Rename Changelog entries that don't have .txt extension
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:52:54 +01:00
Paul Elliott
237c87ba0e Add missing Changelog entries
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 13:52:28 +01:00
Paul Elliott
f518f81d41 Ensure return for mbedtls_ssl_write_alpn_ext() is checked
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 12:37:47 +01:00
Dave Rodgman
ca9556bff1 Fix case of Mbed TLS in assemble_changelog.py
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2022-07-11 11:39:21 +01:00
Paul Elliott
9a8d78419f Fixup test tls13_server_certificate_msg_invalid_vector_len
The parameters for init_handshake_options had changed on the development
branch after this test was created, so fixing up this test in order to
correct build failures after merge.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-11 11:34:14 +01:00
Paul Elliott
20ccd6e8bb Merge remote-tracking branch 'origin/development' into mbedtls-3.2.0rc2-pr
Merge missing commits from development into release
2022-07-11 11:29:32 +01:00
Ronald Cron
ce7d76e2ee Merge remote-tracking branch 'mbedtls-restricted/development-restricted' into mbedtls-3.2.0rc0-pr 2022-07-11 10:22:37 +02:00
Paul Elliott
a343d34f0d
Merge pull request #6077 from paul-elliott-arm/fix_generate_debug_helpers_pylint
Fix formatting of generate_ssl_debug_helpers.py
2022-07-08 22:28:41 +01:00
Paul Elliott
4a49651860 Fix formatting of generate_ssl_debug_helpers.py
Satisfy pylint formatting errors

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-08 20:45:39 +01:00
Dave Rodgman
391e33ac93
Merge pull request #6076 from paul-elliott-arm/fix_generate_debug_helpers
Fix generation of ssl_debug_helpers
2022-07-08 17:55:51 +01:00
Paul Elliott
fe9d43c21d Fix generation of ssl_debug_helpers
File was being generated with tabs rather than spaces which breaks
release builds

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-07-08 17:27:25 +01:00
Paul Elliott
6e80e09bd1
Merge pull request #5915 from AndrzejKurek/cid-resumption-clash
Fix DTLS 1.2 session resumption
2022-07-06 15:03:36 +01:00