Commit graph

21896 commits

Author SHA1 Message Date
Ronald Cron
083da8eb53 tls13: client: Improve coding style
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
70ed41754d ssl-opt.sh: Simplify TLS 1.3 dependencies
Simplify TLS 1.3 dependencies taking into
account that
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
implies that MBEDTLS_SSL_PROTO_TLS1_3 is
defined.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
5de538c9dd ssl-opt.sh: Remove requires_key_exchange_with_cert_in_tls12_enabled
Remove requires_key_exchange_with_cert_in_tls12_enabled
and use `requires_any_configs_enabled` directly instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
a2900bcd1e tls13: keys: Simplify code guard
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
9810b6d0b7 Fix kex config options documentation in tls13-support.md
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
c3f43b663e all.sh: Add components testing TLS 1.3 kex partial enablement
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
571f1ff6dc Make sure TLS 1.2 kex macros are undefined in builds without TLS 1.2
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
8328113cad ssl-opt.sh: Fix some test checks for ephemeral only kex build
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
766c0cdb1f tls13: Add missing kex guards
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
82be0d4b4d tls13: Do not use MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
de08cf3543 tls13: Do not use MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
59625848e6 ssl-opt.sh: TLS 1.3 kex: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_*ENABLED
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
73fe8df922 Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED
Introduce and use
MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED to
guard TLS code (both 1.2 and 1.3) specific
to handshakes involving PSKs.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
e68ab4f55e Introduce and use MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED
Introduce and use
MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED to
guard TLS code (both TLS 1.2 and 1.3) specific
to handshakes involving certificates.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
41a443a68d tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK.*ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_SOME_PSK_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED to guard
code specific to one of the TLS 1.3 key exchange mode with
PSK.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
928cbd34e7 tls13: Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
Use MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED
instead of MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED to guard
code specific to the TLS 1.3 ephemeral key exchange mode.

Use it also for the dependencies of TLS 1.3 only tests
relying on ephemeral key exchange mode, but for
tests in tls13-kex-modes.sh where the change is done
later using all
MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_.*ENABLED macros.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:42:04 +02:00
Ronald Cron
d8d2ea5674 Add TLS 1.3 key exchange mode config options
Add TLS 1.3 specific configuration options
to enable/disable the support for TLS 1.3
key exchange modes.

These configurations are introduced to
move away from the aforementioned
enablement/disablement based on
MBEDTLS_KEY_EXCHANGE_xxx_ENABLED options
that relate to group of TLS 1.2
ciphersuites.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-22 14:41:57 +02:00
Andrzej Kurek
ba970be142 Fix test dependencies for cases that are PSA-based
These should be using PSA-type macros, not MBEDTLS_XXX_C.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-10-21 13:39:00 -04:00
Gilles Peskine
fc4f11b5d0 Improve test component name
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-21 19:34:54 +02:00
Gilles Peskine
a020d535ad Avoid having both test_suite_XXX.data and test_suite_XXX.*.data
Although our build scripts support that, it's annoying, because it makes
"test_suite_XXX" ambiguous between "all the data for
test_suite_XXX.function" and "just test_suite_XXX.data".

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-21 19:00:38 +02:00
Gilles Peskine
42832bd406 Don't use test_suite_mpi as an example
It just got renamed, and it's also not the most canonical example since it's
a somewhat deprecated interface. Make a different module the example.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-21 18:56:47 +02:00
Gilles Peskine
ce22066211 Rename test_suite_bignum for consistency with bignum.{h,c}
Align the name of the bignum test suite with the source module (which was
renamed from mpi.c to bignum.c in the PolarSSL 1.x days). This also brings
it into line with the test suites for the low-level bignum interfaces.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-21 18:54:43 +02:00
Gilles Peskine
abc6fbb8d7 Fix brief description
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-10-21 18:36:31 +02:00
Andrzej Kurek
ed05279e4f Comment fix
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-10-21 10:28:55 -04:00
Andrzej Kurek
d066c79d7e Add missing ECB requirements for PSA cipher aes tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-10-21 10:28:55 -04:00
Andrzej Kurek
8f26c8a0cf Fix a typo in test_suite_cipher
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-10-21 10:28:55 -04:00
Ronald Cron
89ca977128 ssl-opt.sh: Improve dependencies of some TLS 1.3 test cases
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:47:00 +02:00
Ronald Cron
bc5adf4ef8 ssl-opt.sh: Add dependencies on handshake with cert
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:47:00 +02:00
Ronald Cron
2ea36af693 ssl-opt.sh: TLS 1.3 kex: Do not use sig_algs if no cert
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:47:00 +02:00
Ronald Cron
81cd7ab492 tests: ssl: Add missing dependency on MBEDTLS_X509_CRT_PARSE_C
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:47:00 +02:00
Ronald Cron
f64cc03b09 tests: ssl: Add missing dependencies on certificate based handshake
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:47:00 +02:00
Ronald Cron
457fb7a523 tests: ssl: Fix ciphersuite identifier
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:44:45 +02:00
Ronald Cron
81378b72e8 programs: ssl: Remove dependency on TLS 1.3 for "sig_algs" option
Signature algorithms can be specified through
the sig_algs option for TLS 1.2 as well.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:40:56 +02:00
Ronald Cron
20a8e63b23 programs: ssl: Fix some mbedtls_ssl_conf_sig_algs() guards
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:36:43 +02:00
Ronald Cron
d29e13eb1b tls: Use the same function in TLS 1.2 and 1.3 to check PSK conf
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
2a87e9bf83 tls: Align set and usage check for PSK
Check that the identity length is not
zero in ssl_conf_set_psk_identity()
as it is done in
mbedtls_ssl_conf_has_static_psk().

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
fa1e04a7c4 tls13: keys: Fix PSK build only case
When deriving the handshake stage master
secret, in the case of a PSK only build,
the only possible key exchange mode is PSK
and there is no ephemeral key exchange
shared secret in that case. Thus do not
error out in that case in the first
phae of the derivation dedicated to the
shared secret.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
9a6a49c7cb tls13: keys: Fail if the group type is not ECDHE or DHE
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
b15d4d8966 tls13: keys: Fix error code
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
3b056202d3 tls13: keys: Do not use handshake->premaster
`handshake->premaster` was used to store the
(EC)DHE shared secret but in TLS 1.3 there is
no need to store it in a context.

Futhermore, `handshake->premaster` and more
specifically its sizing is TLS 1.2 specific
thus better to not use it in TLS 1.3.

Allocate a buffer to store the shared secret
instead. Allocation instead of a stack buffer
as the maintenance of the size of such buffer
is harder (new elliptic curve for ECDHE,
support for FFDHE ... ).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
4c7edb2b9b tls13: keys: Fix indentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Ronald Cron
831fee68c3 tls13: keys: Avoid input buffer copy
In mbedtls_ssl_tls13_evolve_secret() avoid
to copy the input buffer into a local buffer
as the copy is avoidable.

This also fixes a potential overflow as the
size of the local buffer was not checked when
copying into it.

With the current calls to mbedtls_ssl_tls13_evolve_secret()
no buffer overflow was expected to happen though.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2022-10-21 14:34:20 +02:00
Manuel Pégourié-Gonnard
02e2fa0f64 Make ChangeLog more visible in PR template
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-10-21 11:01:22 +02:00
Manuel Pégourié-Gonnard
0e7e47147c
Merge pull request #6447 from mprse/driver-only-hash-gap
Fix test gap in driver-only-hashes build
2022-10-21 10:32:43 +02:00
Manuel Pégourié-Gonnard
45c6792faf
Merge pull request #6385 from AndrzejKurek/depends-py-reloaded
Unified tests/scripts/depends.py - reloaded
2022-10-21 10:17:58 +02:00
Janos Follath
c6952491c1
Merge pull request #6446 from yanesca/add_split_arch_tests_to_bignum_core
Add split arch tests to bignum core
2022-10-20 18:29:33 +01:00
Tom Cosgrove
be17655b57 mbedtls_mpi_mod_modulus_init() must be called before any 'goto exit' in tests
Fixes Coverity issues 381527 and 381526.

Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2022-10-20 16:57:10 +01:00
Janos Follath
78e3c9b574 Fix style in bignum_core.py
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-10-20 12:09:30 +01:00
Janos Follath
560805d665 Fix mbedtls_mpi_core_add_if test aliasing
Signed-off-by: Janos Follath <janos.follath@arm.com>
2022-10-20 12:04:40 +01:00
Przemek Stekiel
2c95a56e13 Remove KNOWN_MBEDTLS_SUPPORTED_HASH_ALG as it is now not used anywhere
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2022-10-20 12:38:44 +02:00