Commit graph

23212 commits

Author SHA1 Message Date
Gilles Peskine
52a7aeebf3
Merge pull request #6834 from gilles-peskine-arm/code-style-files
code_style.py: Support restyling only the specified files
2023-01-19 12:26:01 +01:00
Gilles Peskine
bb3814c7a8 Reject key agreement chained with PSA_ALG_TLS12_ECJPAKE_TO_PMS
The key derivation algorithm PSA_ALG_TLS12_ECJPAKE_TO_PMS cannot be
used on a shared secret from a key agreement since its input must be
an ECC public key. Reject this properly.

This is tested by test_suite_psa_crypto_op_fail.generated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:23 +01:00
Gilles Peskine
f6c6b64be2 A key agreement cannot be chained with PSA_ALG_TLS12_ECJPAKE_TO_PMS
Test accordingly.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:20 +01:00
Gilles Peskine
2566679eb8 Add metadata test case for PSA_ALG_TLS12_ECJPAKE_TO_PMS
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:20 +01:00
Gilles Peskine
4db02f2324 Add SECRET input validation test cases for PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:19 +01:00
Gilles Peskine
763ffdd2a6 Add metadata test case for PSA_ALG_CCM_STAR_NO_TAG
The following shell command (requiring GNU grep) looks for algorithms and
key types, as well as IS and GET macros, that lack metadata tests:
```
for x in $(grep -Pho '(?<=^#define )PSA_(ALG|KEY_TYPE)_(?!CATEGORY_|NONE\b|\w+_(BASE|FLAG|MASK|CASE))\w+' include/psa/crypto_values.h include/psa/crypto_extra.h); do grep -qw $x tests/suites/test_suite_psa_crypto_metadata.* || echo $x; done
```

This may have false negatives: it only checks that the constants are
mentioned at least once, not that the tests are written correctly.

This has false positives:
* Types and algorithms that Mbed TLS does not support.
* PSA_ALG_ECDSA_IS_DETERMINISTIC, PSA_ALG_DSA_IS_DETERMINISTIC are peculiar
  auxiliary macros that only apply to very specific algorithms and aren't
  tested like the other IS macros.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:19 +01:00
Gilles Peskine
bba2630549 Add ECJPAKE secret input types to psa/crypto_config.h
Add PSA_WANT_KEY_TYPE_PASSWORD and PSA_WANT_KEY_TYPE_PASSWORD_HASH to
psa/crypto_config.h, since the types PSA_KEY_TYPE_PASSWORD and
PSA_KEY_TYPE_PASSWORD_HASH are used by ECJPAKE.

The two key types are always enabled, like PSA_KEY_TYPE_DERIVE.

Add the key types to the metadata test suite as well.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:19 +01:00
Gilles Peskine
cafda872f3 Fix documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:18 +01:00
Gilles Peskine
72f41562f2 Refactoring: new method Algorithm.is_valid_for_operation
No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:18 +01:00
Gilles Peskine
ecaa7ca507 Add missing supported algorithm to psa/crypto_config.h
The following shell command lists features that seem to be supported, but
are missing from include/psa/crypto_config.h:
```
for x in $(grep -ho -Ew '(PSA_WANT|MBEDTLS_PSA_BUILTIN)_\w+_\w+' library/psa_crypto*.c | sed 's/^MBEDTLS_PSA_BUILTIN/PSA_WANT/' | sort -u); do grep -qw $x include/psa/crypto_config.h || echo $x; done
```
This looks for PSA_WANT_<kind>_<thing> macros that gate a part of the
library, as well as their MBEDTLS_PSA_BUILTIN_<kind>_<thing> counterparts.
This is not necessarily a complete list of identifiers that must appear
in the config file, since a few features are not gated.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:18 +01:00
Gilles Peskine
0e9e4422ab NotSupported is specifically about key types
Rename NotSupported to KeyTypeNotSupported, because it's only about testing
key management. For algorithms, not-supported is handled by OpFail.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-01-19 12:11:17 +01:00
Gabor Mezei
7e14c66c4d
Fix lint issues
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-18 10:56:13 +01:00
Aaron M. Ucko
af67d2c1cf mbedtls_mpi_sub_abs: Skip memcpy when redundant (#6701).
In some contexts, the output pointer may equal the first input
pointer, in which case copying is not only superfluous but results in
"Source and destination overlap in memcpy" errors from Valgrind (as I
observed in the context of ecp_double_jac) and a diagnostic message
from TrustInSoft Analyzer (as Pascal Cuoq reported in the context of
other ECP functions called by cert-app with a suitable certificate).

Signed-off-by: Aaron M. Ucko <ucko@ncbi.nlm.nih.gov>
2023-01-17 11:52:22 -05:00
Ronald Cron
340d4c80af
Merge pull request #6616 from lpy4105/6551-tls13-SessionTicket-kex-change-check
This PR needs some change logs but there is a follow-up PR (issue #6935) that would change the change logs we would had here thus we will do them all while working on #6935.
2023-01-17 16:48:27 +00:00
Andrzej Kurek
714ae6551e Add missing key exchange requirements to test_suite_ssl
Some of the tests use mbedtls_test_cli_key_rsa_der and
mbedtls_test_cli_crt_rsa_der, and these can be used with
specific ciphersuites.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-01-17 10:38:11 -05:00
Andrzej Kurek
1ff7336e2c depends.py: enable key exchange tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2023-01-17 10:38:10 -05:00
Gabor Mezei
a38db2a55b
Add missing inlcude
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 16:34:49 +01:00
Gabor Mezei
aec3eea064
Fix pylint issues
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 16:34:24 +01:00
Gabor Mezei
c83f792c18
Add documentation
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 13:28:06 +01:00
Gabor Mezei
3c6f89b46a
Add generated test for ecp quasi-reduction
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 13:16:47 +01:00
Gabor Mezei
308132f641
Add test generation support for the ecp module
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 13:16:46 +01:00
Gabor Mezei
65fc9f78d4
Add tests for ecp quasi-reduction
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 13:16:46 +01:00
Gabor Mezei
9684d4dc58
Add quasi-reduction function for ecp
Signed-off-by: Gabor Mezei <gabor.mezei@arm.com>
2023-01-17 13:16:46 +01:00
Yanray Wang
57ae192b13 Fix failure in Travis CI
Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 15:14:06 +08:00
Yanray Wang
20fa2ae220 Redesign translation of cipher suite names in compat.sh
Move translation of cipher suite names after filter_ciphersuites
so that filter is based on standard cipher suite names.
Furthermore, an additional flag is passed to run_client to
determine the type of translation of cipher suite names.
Therefore, client receives cipher suite names based on
its naming convention but the reporting output is still
the standard cipher suite names.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 15:11:46 +08:00
Yanray Wang
ee97f05d35 Translate cipher suite names based on standard naming convention
With this commit, translate_ciphers.py would be based on standard
cipher suite names instead of MbedTLS naming convention.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 14:56:37 +08:00
Yanray Wang
d5f99e49e0 Change cipher suite names to standard names in compat.sh
Since there is a plan to report and filter all cipher suite names
consistently, cipher suite names in compat.sh are changed to the
standard naming convention.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-17 14:55:58 +08:00
Mihir Raj Singh
432cacf5c2 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_neg()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-17 11:25:26 +05:30
Mihir Raj Singh
b0354c5b71 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_from_mont_rep()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:11:18 +05:30
Mihir Raj Singh
37ece7292a bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_to_mont_rep()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:10:40 +05:30
Mihir Raj Singh
01e861ff9e bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_write()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:10:00 +05:30
Mihir Raj Singh
cd17ff0354 bignum_mod_raw: Renamed m -> N in mbedtls_mpi_mod_raw_read()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:09:12 +05:30
Mihir Raj Singh
a43290d556 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_write()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:08:17 +05:30
Mihir Raj Singh
fdc314b6fe bignum_mod: Renamed m -> N in mbedtls_mpi_mod_read()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:06:16 +05:30
Mihir Raj Singh
928a07ba49 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_free
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:04:37 +05:30
Mihir Raj Singh
f438ad1ab9 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_setup()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:03:06 +05:30
Mihir Raj Singh
b6fa940fc4 bignum_mod: Renamed m -> N in mbedtls_mpi_mod_modulus_init()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:02:04 +05:30
Mihir Raj Singh
b13a58938a bignum_mod: Renamed m -> N in mbedtls_mpi_mod_residue_setup()
Signed-off-by: Mihir Raj Singh <mihirrajsingh123@gmail.com>
2023-01-16 23:01:25 +05:30
Aditya Deshpande
0584df4131 Minor changes to account for CodeParser.parse_identifiers being used in list_internal_identifiers.py
Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-01-16 16:36:31 +00:00
Dave Rodgman
461b8254d0
Merge pull request #6865 from scop/patch-1
Use `grep -E` instead of `egrep`
2023-01-16 15:21:24 +00:00
Aditya Deshpande
dd8ac67792 Update check_names.py so that identifiers in excluded files are still compared against the output of nm.
This fixes the issue where excluding a file containing identifiers from checks would cause check_symbols_in_header to fail.

Signed-off-by: Aditya Deshpande <aditya.deshpande@arm.com>
2023-01-16 14:57:48 +00:00
Pengyu Lv
9b84ea75de remove ssl_tls13_has_compat_ticket_flags
This content of the function is moved to
ssl_tls13_has_configured_ticket.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 14:08:23 +08:00
Pengyu Lv
2bfd716293 simplify test case dependencies and test commands
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 13:44:10 +08:00
Pengyu Lv
e2f1dbf5ae update docs of ssl_client2 and improve code format
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 12:38:12 +08:00
Pengyu Lv
4938a566bf refine ticket_flags printing helper
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:28:49 +08:00
Pengyu Lv
acecf9c95b make ticket_flags param types consistent
When ticket_flags used as parameter, use unsigned int,
instead of uint8_t or mbedtls_ssl_tls13_ticket_flags.Also
remove the definition of mbedtls_ssl_tls13_ticket_flags.

Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-01-16 11:23:24 +08:00
Dave Rodgman
74d6e59e15
Merge pull request #6927 from tom-cosgrove-arm/allow-more-than-255-errors-in-compat-and-all-sh 2023-01-14 11:19:20 +00:00
Tom Cosgrove
fc0e79e70f Have compat.sh and ssl-opt.sh not return success for > 255 errors
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2023-01-13 12:13:41 +00:00
Yanray Wang
128859725a Redirect stdout/stderr to SRV_OUT
Under Ubuntu-22.04, wait command prints out Terminated message.
Therefore server process is handled with identical ways like other
processes in compat.sh. In addition, PROCESS_ID is renamed as
SRV_PID to improve code readability.

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-13 11:58:11 +08:00
Yanray Wang
05f940b255 Remove Terminated message from stdout
Under Ubuntu-22.04, wait command prints out Terminated message
if the process has been killed by kill command. This messes up
the output in compat.sh

Signed-off-by: Yanray Wang <yanray.wang@arm.com>
2023-01-13 11:54:59 +08:00