Commit graph

231 commits

Author SHA1 Message Date
Andrzej Kurek
57f58b0e65 Prefer TEST_EQUAL over TEST_ASSERT in test suites
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 16:51:03 -04:00
Gilles Peskine
b4f874d1da raw_key_agreement_fail: Add a nominal run
Ensure that the nominal run works properly, so that it's apparent that the
injected failure is responsible for the failure of the handshake.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-08 16:50:38 -04:00
Gilles Peskine
6cbc9986fb Remove redundant empty slot count check
USE_PSA_DONE() already checks that there are no used key slots.

The call to TEST_ASSERT() wouldn't have worked properly on failure anyway,
since it would jump back to the exit label.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 16:47:19 -04:00
Andrzej Kurek
28f883eba5 Remove RSA & DTLS dependency in raw key agreement test
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-08 16:46:57 -04:00
Andrzej Kurek
cb33bc5d0b Change the bit to flip to guarantee failure
For weistrass curves the pair is encoded as 0x04 || x || y.
Flipping one of the bits in the first byte should be a sure failure.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:26:39 -04:00
Andrzej Kurek
39d88d4918 Change the number of expected free key slots
TLS code now uses PSA to generate an ECDH private key.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:26:39 -04:00
Andrzej Kurek
41b7e66e61 Tests: add missing requirements for the raw key agreement test
SECP384R1 is needed for the default loaded
certificate.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:26:39 -04:00
Andrzej Kurek
cc28e9a252 Tests: add missing group termination
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:26:39 -04:00
Andrzej Kurek
65ded569e0 Update raw key agreement test dependencies
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:26:39 -04:00
Andrzej Kurek
b3427823bd Test failing raw_key_agreement in ssl mock tests
Force a bitflip in server key to make the raw key
agreement fail, and then verify that no key slots
are left open at the end. Use a Weierstrass curve
to have a high chance of failure upon encountering
such bitflip.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:24:17 -04:00
Andrzej Kurek
74394a5c39 Add a group_list argument to mocked ssl tests
This will be used to force a group list in certain tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-06 11:23:34 -04:00
Ronald Cron
0e980e8e84
Merge pull request #5640 from ronald-cron-arm/version-negotiation-2
TLS 1.2/1.3 version negotiation - 2
2022-04-01 12:29:06 +02:00
Manuel Pégourié-Gonnard
33a9d61885
Merge pull request #5638 from paul-elliott-arm/ssl_cid_accessors
Accessors to own CID within mbedtls_ssl_context
2022-04-01 11:36:00 +02:00
Manuel Pégourié-Gonnard
6a25159c69
Merge pull request #5648 from gabor-mezei-arm/5403_hkdf_use_internal_psa_implementations
HKDF 2: use internal implementations in TLS 1.3
2022-04-01 11:15:29 +02:00
Paul Elliott
02758a51df Add tls CID tests
Add tests to test tls coneection id functionality, including the new
'own cid' accessor.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-31 19:21:41 +01:00
Ronald Cron
37bdaab64f tls: Simplify the logic of the config version check and test it
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-31 09:26:58 +02:00
Manuel Pégourié-Gonnard
3304f253d7
Merge pull request #5653 from paul-elliott-arm/handshake_over
Add mbedtls_ssl_is_handshake_over()
2022-03-30 12:16:40 +02:00
Ronald Cron
f660655b84 TLS: Allow hybrid TLS 1.2/1.3 in default configurations
This implies that when both TLS 1.2 and TLS 1.3
are included in the build all the TLS 1.2 tests
using the default configuration now go through
a version negotiation on the client side.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-03-29 18:58:31 +02:00
Gabor Mezei
07732f7015
Translate from mbedtls_md_type_t to psa_algorithm_t
Do the translation as early as possible from mbedtls_md_type_t to psa_algorithm_t.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-26 17:04:19 +01:00
Gabor Mezei
5d9a1fe9e9
PSA code depends on MBEDTLS_SSL_PROTO_TLS1_3
With TLS 1.3 support MBEDTLS_PSA_CRYPTO_C is enabled so PSA support
is always enabled.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-26 15:47:15 +01:00
Manuel Pégourié-Gonnard
cefa904759
Merge pull request #5622 from paul-elliott-arm/timing_delay_accessor
Accessor for mbedtls_timing_delay_context final delay
2022-03-25 09:14:41 +01:00
Paul Elliott
42d5e51a98 Make test function name more accurate
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-24 19:41:28 +00:00
Paul Elliott
27b0d94e25 Use mbedtls_ssl_is_handshake_over()
Switch over to using the new function both internally and in tests.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-24 14:43:52 +00:00
Gabor Mezei
1e64f7a643
Use MBEDTLS_USE_PSA_CRYPTO macro guard for testing instead of MBEDTLS_PSA_CRYPTO_C
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:54 +01:00
Gabor Mezei
892c4aa295
Update hkdf test cases to handle PSA code
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-21 17:00:54 +01:00
Paul Elliott
b9af2db4cf Add accessor for timing final delay
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2022-03-21 15:26:19 +00:00
Manuel Pégourié-Gonnard
f4042f076b
Merge pull request #5573 from superna9999/5176-5177-5178-5179-tsl-record-hmac
TLS record HMAC
2022-03-21 11:36:44 +01:00
Neil Armstrong
8f92bf3a26 Only make PSA HMAC key exportable when NULL or CBC & not EtM in build_transforms()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-03-18 11:10:09 +01:00
Manuel Pégourié-Gonnard
8d4bc5eeb9
Merge pull request #5481 from gabor-mezei-arm/5401_implement_hkdf_extract_based_on_psa_hmac
HKDF 1a: Implement Extract in TLS 1.3 based on PSA HMAC
2022-03-17 11:55:48 +01:00
Gabor Mezei
88f3b2e502
Update old style test function parameter handling
Use data_t type for hex string parameters.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-03-16 16:53:23 +01:00
Manuel Pégourié-Gonnard
10e5cdbbbf
Merge pull request #5454 from gstrauss/cert_cb-user_data
server certificate selection callback
2022-03-10 11:51:42 +01:00
Gilles Peskine
9c656ec718 Fix unused function warning
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-26 19:56:12 +01:00
Glenn Strauss
36872dbd0b Provide means to reset handshake cert list
Extend mbedtls_ssl_set_hs_own_cert() to reset handshake cert list
if cert provided is null.  Previously, mbedtls_ssl_set_hs_own_cert()
only provided a way to append to the handshake certificate list,
without providing a way to replace the handshake certificate list.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-02-25 19:55:48 -05:00
Neil Armstrong
e858996413 Use PSA version of mbedtls_ct_hmac() in mbedtls_ssl_decrypt_buf()
Due to mbedtls_ct_hmac() implementation the decryption MAC key
must be exportable.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:17:50 +01:00
Neil Armstrong
2968d306e4 Implement mbedtls_ct_hmac() using PSA hash API
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:50 +01:00
Neil Armstrong
cf8841a076 Remove non-PSA MAC keys in mbedtls_ssl_transform when MBEDTLS_USE_PSA_CRYPTO is defined
Also remove last usage of non-PSA MAC keys in ssl_decrypt_non_etm_cbc() SSL test.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Neil Armstrong
4f091290bd Remove Obsolete SSLs tests with truncated MAC tags & NULL/CBC cipher
These tests are related to an obsolete feature removed from the library.

Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Neil Armstrong
f4cc062935 Setup MAC PSA keys in build_transforms() to pass ssl_crypt_record() with PSA crypto
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Neil Armstrong
46a1760922 Allow USE_PSA_CRYPTO for handshake TLS tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-02-25 15:16:49 +01:00
Gabor Mezei
4fded1359a
Use PSA_INIT()
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:47:24 +01:00
Gabor Mezei
5d7d201b87
Update test
Testing the hash length in this context is not applicable because there is no way
to specify it when calling mbedtls_psa_hkdf_extract.
Change to test invalid `alg` parameter.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:46:33 +01:00
Gabor Mezei
ebc9368173
typo
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:44:51 +01:00
Gabor Mezei
298a2d6109
Use ASSERT_ALLOC
Change the calloc functions to ASSERT_ALLOC to check the
return value of calloc as well.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:43:52 +01:00
Gabor Mezei
62bf024025
Make the mbedtls_psa_hkdf_extract function more PSA compatible
Change the return value to `psa_status_t`.
Add `prk_size` and `prk_len` parameters.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:42:57 +01:00
Gabor Mezei
73cb6f54de
Add tests for mbedtls_psa_hkdf_extrct
The tests are based on the the test of mbedtls_hkdf_extract.

Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2022-02-21 15:41:42 +01:00
Gilles Peskine
49d7ddf7f3 Serializing a context does not save the user data
The user data is typically a pointer to a data structure or a handle which
may no longer be valid after the session is restored. If the user data needs
to be preserved, let the application do it. This way, it is a conscious
decision for the application to save/restore either the pointer/handle
itself or the object it refers to.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
80dae04f24 Make user_data fields private
Add accessor functions.

Add unit tests for the accessor functions.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Gilles Peskine
1255b0de98 Positive unit testing for SSL context version functions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-02-21 15:14:01 +01:00
Paul Elliott
436b72690d
Merge pull request #5362 from yuhaoth/pr/enable-tls13-only-build
TLS1.3:Enable tls13 only build
2022-02-21 11:22:37 +00:00
Jerry Yu
baa4934e7b Add check tests
Signed-off-by: Jerry Yu <jerry.h.yu@arm.com>
2022-02-21 09:06:00 +08:00