Commit graph

19690 commits

Author SHA1 Message Date
Hanno Becker
63eb28c728 Use separate counters for 8-fold and single multiplication steps
Compilers are likely to generate shorter assembly for loops of the
form `while( cnt-- ) { ... }` rather than
`for( ; count >= X; count -= X ) { ... }`. (E.g. the latter needs
a subtract+compare+branch after each loop, while the former only
needs decrement+branch).

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:16:03 +01:00
Hanno Becker
eacf3b9eb4 Simplify organization of inline assembly for bignum
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-17 06:16:03 +01:00
Gilles Peskine
5bd0b51048 Use terse output from lsof
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may
hide clues as to why lsof wouldn't be working as expected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:34:23 +02:00
Gilles Peskine
a841c2a20f test_cmake_out_of_source: run an ssl-opt test case that exists
component_test_cmake_out_of_source was running the ssl-opt.sh test case
"Fallback SCSV: beginning of list", but this test case was removed in Mbed
TLS 3.0, so ssl-opt.sh was running nothing, which is not an effective test.
In 2.x, the test case was chosen because it uses an additional auxiliary
program tests/scripts/tcp_client.pl. This auxiliary program is no longer
used. So instead, run at least one test case that's sure to exist.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:31:25 +02:00
Gilles Peskine
7393ec5ccf test_cmake_out_of_source: validate that ssl-opt passed
If the ssl-opt test case was skipped, the test was ineffective.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:30:24 +02:00
Gilles Peskine
09dc05b880
Merge pull request #5635 from gilles-peskine-arm/psa-test-op-fail
PSA: systematically test operation failure
2022-04-15 10:52:47 +02:00
Manuel Pégourié-Gonnard
63ed7cbf36
Merge pull request #5701 from hanno-arm/mpi_mul_hlp
Make size of output in mpi_mul_hlp() explicit
2022-04-15 10:09:06 +02:00
Glenn Strauss
8315811ea7 Remove restrictive proto ver negotiation checks
Overly restrictive protocol version negotiation checks might be
"version intolerant".  TLS 1.3 and DTLS 1.3 move the version to
the "supported_versions" ClientHello extension.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
bbdc83b55b Use mbedtls_ssl_protocol_version in public structs
Use mbedtls_ssl_protocol_version in public structs, even when doing
so results in a binary-incompatible change to the public structure

(PR feedback from @ronald-cron-arm)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
59b0d54ba0 Convert tests to use mbedtls_ssl_conf_(min|max)_tls_version()
Replace use of mbedtls_ssl_conf_(min/max)_version()

(PR feedback from @ronald-cron-arm)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
d09b343ffc Deprecate mbedtls_ssl_conf_(min/max)_version()
Deprecate mbedtls_ssl_conf_max_version()
Replaced with mbedtls_ssl_conf_max_tls_version()

Deprecate mbedtls_ssl_conf_min_version()
Replaced with mbedtls_ssl_conf_min_tls_version()

(PR feedback from @ronald-cron-arm)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
39e624ca76 Convert tests to use MBEDTLS_SSL_VERSION_TLS1_*
(PR feedback from @ronald-cron-arm)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
cd78df6aa4 handshake->min_minor_ver to ->min_tls_version
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
041a37635b Remove some tls_ver < MBEDTLS_SSL_VERSION_TLS1_2 checks
mbedtls no longer supports earlier TLS protocol versions

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
e3af4cb72a mbedtls_ssl_(read|write)_version using tls_version
remove use of MBEDTLS_SSL_MINOR_VERSION_*
remove use of MBEDTLS_SSL_MAJOR_VERSION_*
(only remaining use is in tests/suites/test_suite_ssl.data)

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:14 -04:00
Glenn Strauss
60bfe60d0f mbedtls_ssl_ciphersuite_t min_tls_version,max_tls_version
Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible, as the struct is now smaller.

Reduce size of mbedtls_ssl_ciphersuite_t

members are defined using integral types instead of enums in
order to pack structure and reduce memory usage by internal
ciphersuite_definitions[]

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:40:12 -04:00
Glenn Strauss
2dfcea2b9d mbedtls_ssl_config min_tls_version, max_tls_version
Store the TLS version in tls_version instead of major, minor version num

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is not compatible on little-endian platforms,
but is compatible on big-endian platforms.  For systems supporting
only TLSv1.2, the underlying values are the same (=> 3).

New setter functions are more type-safe,
taking argument as enum mbedtls_ssl_protocol_version:
mbedtls_ssl_conf_max_tls_version()
mbedtls_ssl_conf_min_tls_version()

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:39:43 -04:00
Glenn Strauss
da7851c825 Rename mbedtls_ssl_session minor_ver to tls_version
Store the TLS version instead of minor version number in tls_version.

Note: struct member size changed from unsigned char to uint16_t
Due to standard structure padding, the structure size does not change
unless alignment is 1-byte (instead of 2-byte or more)

Note: existing application use which accesses the struct member
(using MBEDTLS_PRIVATE) is compatible on little-endian platforms,
but not compatible on big-endian platforms.  The enum values for
the lower byte of MBEDTLS_SSL_VERSION_TLS1_2 and of
MBEDTLS_SSL_VERSION_TLS1_3 matches MBEDTLS_SSL_MINOR_VERSION_3 and
MBEDTLS_SSL_MINOR_VERSION_4, respectively.

Note: care has been taken to preserve serialized session format,
which uses only the lower byte of the TLS version.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:57 -04:00
Glenn Strauss
07c641605e Rename mbedtls_ssl_transform minor_ver to tls_version
Store the TLS version in tls_version instead of minor version number.

Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 15:23:54 -04:00
Glenn Strauss
dff84620a0 Unify internal/external TLS protocol version enums
Signed-off-by: Glenn Strauss <gstrauss@gluelogic.com>
2022-04-14 13:45:20 -04:00
Anton Komlev
ca947a4afa Fix Windows build host detection
Signed-off-by: Anton Komlev <anton.komlev@arm.com>
2022-04-14 15:22:11 +01:00
Andrzej Kurek
83e60eef4d tests: fix bitflip comment
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-14 08:51:41 -04:00
Gilles Peskine
473d585abf
Merge pull request #5006 from JoeSubbiani/CleanCompat.sh2_dev
clean up compat.sh
2022-04-14 14:04:33 +02:00
Hanno Becker
3577131bb4 Reintroduce trimming of input in mbedtls_mpi_mul_int()
Removing the trimming has significant memory impact. While it is clearly what
we want to do eventually for constant-time'ness, it should be fixed alongside
a strategy to contain the ramifications on memory usage.

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2022-04-14 11:52:11 +01:00
Gilles Peskine
e2c342b9bf Don't test with all-but-one elliptic curves
`curves.pl` (invoked by `all.sh test_depends_curves`, and
`all.sh test_depends_curves_psa`) currently runs two series of tests:
* For each curve, test with only that curve enabled.
* For each curve, test with all curves but that one.

Originally this script was introduced to validate test dependencies, and for
that all-but-one gives better results because it handles test cases that
require multiple curves. Then we extended the script to also test with a
single curve, which matches many real-world setups and catches some product
bugs. Single-curve testing also validates test dependencies in a more
limited way.

Remove all-but-one curve testing, because it doesn't add much to the test
coverage. Mainly, this means that we now won't detect if a test case
declares two curve dependencies but actually also depends on a third. This
is an acceptable loss.

The trigger for removing all-but-one curve testing is that this will make
the job take only about half as long, and the length of the job was a bit of
a problem. Resolves #5729.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-14 12:00:17 +02:00
Neil Armstrong
769dc05597 Remove bad dependency on MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED for ecdh_ctx guard
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-14 09:56:24 +02:00
Manuel Pégourié-Gonnard
636b5f10da Add comment in compat.sh about callers
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:21:56 +02:00
Manuel Pégourié-Gonnard
9473229996 Fix compat.sh invocation in basic-built-test.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:21:38 +02:00
Gilles Peskine
5417d48044 Remove mostly-redundant test build
component_test_CID_no_debug was added specifically to be a non-regression
test for https://github.com/Mbed-TLS/mbedtls/issues/3998. Running compat.sh
in the newly introduced config-ccm-psk-dtls1_2.h is also a non-regression
test for that bug. Therefore component_test_CID_no_debug is redundant for
its primary purpose.

Of course every configuration is different, but the additional coverage from
component_test_CID_no_debug is minimal, unlike config-ccm-psk-dtls1_2.h
which is a plausible real-world configuration.

In mbedtls-2.28, component_test_CID_no_debug was never added, and running
the unit tests in that configuration does not trigger the #3998 bug, only
compat.sh does. So, rather than backport component_test_CID_no_debug to
2.28.2, I am removing it from 3.2.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 22:47:17 +02:00
Gilles Peskine
2ecf4ff349 Restore explicit version requirement on 1.3 HelloRetryRequest tests
A concurrent branch changes the way the test cases run to no longer use
force_version=tls13, so the automatic version requirement detection will no
longer work after that branch is merged. Therefore, keep the manual
requirement (at least until automatic detection gets smarter).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 19:08:38 +02:00
Gilles Peskine
70b8a69b20 Add changelog entry for #3998 fix
The fix was in https://github.com/ARMmbed/mbedtls/pull/4989.
We forgot to add a changelog entry.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 16:14:01 +02:00
Gilles Peskine
c912673f8d Automatically detect protocol version requirement from force_version
When the client or server uses a specific protocol version, automatically
require that version to be enabled at compile time.

An explicit call is still needed in test cases that require a specific
protocol version (due to analyzing version-specific behavior, or checking
the version in logs), but do not force that specific protocol version, or that
force a specific version only on the openssl/gnutls side.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 16:14:01 +02:00
Neil Armstrong
282750215c Remove PSA only code from non-PSA code block code in ssl_write_client_key_exchange()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 15:05:11 +02:00
Neil Armstrong
11d4945248 Simplify compile-time PSA/non-PSA ECDH(E) code in ssl_write_client_key_exchange()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 15:03:43 +02:00
Neil Armstrong
1f198d8dee Simplify by moving ssl_check_server_ecdh_params in the ECDHE non-PSA compile-time block
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 15:02:30 +02:00
Neil Armstrong
913b364a52 Simplify compile-time PSA/non-PSA ECDH(E) code in ssl_parse_client_key_exchange()
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 14:59:48 +02:00
Neil Armstrong
999930e447 Add RSA PK Wrapped Sign ext tests
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 14:55:17 +02:00
Gilles Peskine
740b734f25 Move ticket, alpn detection into maybe_requires_ciphersuite_enabled
No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:32:46 +02:00
Gilles Peskine
b898b3df90 Prepare to generalize maybe_requires_ciphersuite_enabled
Rename maybe_requires_ciphersuite_enabled() to detect_required_features()
and refactor its code a little. No intended behavior change. In subsequent
commits, this function will detect other requirements in a similar way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:32:46 +02:00
Neil Armstrong
a4dbfddba2 Add DHE-RSA Opaque PK key tests variants in ssl-opt.sh
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:49:25 +02:00
Neil Armstrong
3e9a142017 Add RSA Opaque PK key tests variants in ssl-opt.sh
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:49:25 +02:00
Neil Armstrong
f0b1271a42 Support RSA Opaque PK keys in ssl_server2
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:49:25 +02:00
Manuel Pégourié-Gonnard
296787f75c Rm DES from invocations of compat.sh
It no longer makes sense, either in -e or -f: those ciphersuites have
been removed anyway.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-13 10:45:10 +02:00
Manuel Pégourié-Gonnard
4111b73d8f Update comment and default exclude
- comments about (3)DES were inconsistent (one saying "keep 3DES" and
the other "exclude it")
- we don't have any DES or 3DES ciphersuite anyway, so no need to
exclude them or comment about it
- while at it, fix comment about ARIA: it's in the default config now

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-13 10:45:10 +02:00
Joe Subbiani
32df1450f1 Order ciphersuite names alphabetically
The ciphers were originally separated by the version conditions, and the spacing
was retained in case it was required later. It has been decided it would be better
to have an unbroken list in alphabetically order to quickly locate ciphers when
necessary

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:45:08 +02:00
Joe Subbiani
f05fae0f7a Remove unsupported ciphersuites
Remove ciphersuites that are no longer supported.
running ./test/compat.sh -e '^$' -p mbedtls no longer skips any tests

Fixes #4818

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:41:43 +02:00
Joe Subbiani
9f84761c66 Removed redundant mode checks
As anything below (D)TLS 1.2 is no longer supported, checks for the
minor version will always be true, and have therefore been removed

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2022-04-13 10:40:49 +02:00
Neil Armstrong
6ce6dd9bd7 Add Test generating certificates using an opaque EC key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:32:03 +02:00
Neil Armstrong
98f899c7a5 Test generating certificates using an opaque RSA key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:31:38 +02:00
Neil Armstrong
9fb9203182 Test generating CSRs using an opaque RSA key
Signed-off-by: Neil Armstrong <narmstrong@baylibre.com>
2022-04-13 10:31:08 +02:00