Commit graph

1070 commits

Author SHA1 Message Date
Gilles Peskine
eda1b1f744
Merge pull request #7921 from valeriosetti/issue7613
TLS: Clean up ECDSA dependencies
2023-09-20 12:47:55 +00:00
Manuel Pégourié-Gonnard
f299efdb96 Improve a comment
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2023-09-18 11:19:04 +02:00
Valerio Setti
36344cecbd ssl-opt: remove redundant requirement for RSA_C
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-11 09:37:14 +02:00
Valerio Setti
4f577f3e51 ssl-opt: add RSA_C requirement when RSA encryption is used in certificate
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-11 06:35:23 +02:00
Valerio Setti
726ffbf642 ssl-opt: don't assume TLS 1.3 usage for external tool that don't have support
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-08-03 09:15:34 +02:00
Gilles Peskine
b387fcf59b Adapt names (curves -> groups) in a separately added test case
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2023-07-11 09:19:13 +02:00
Dave Rodgman
e183ecef3d
Merge pull request #7136 from yanrayw/5692-record-compatsh-test-cases
Record the outcome of each test case in compat.sh
2023-07-10 12:08:32 +01:00
Manuel Pégourié-Gonnard
5c41ae867b
Merge pull request #7887 from ronald-cron-arm/fix-hrr-in-psk-kem
tls13: server: Fix spurious HRR
2023-07-10 09:58:13 +02:00
Ronald Cron
8a74f07c2a tls13: server: Fix spurious HRR
If the server during a TLS 1.3 handshake selects
the PSK key exchange mode, it does not matter
if it did not find in the key share extension
a key share for a group it supports. Such a
key share is used and necessary only in the
case of the ephemeral or PSK ephemeral key
exchange mode. This is a possible scenario in
the case of a server that supports only the PSK
key exchange mode and a client that also
supports a key exchange mode with ephemeral keys.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-07-07 15:53:12 +02:00
Przemek Stekiel
45255e4c71 Adapt names (curves -> groups)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-07-05 09:26:26 +02:00
Przemek Stekiel
3484db4ce7 Change ffdh testing strategy
- Full tests generated by script only for ffdhe2048 group
- Single G->m and m->G exchange test for each other group

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-28 13:31:38 +02:00
Przemek Stekiel
7dda271c1d Fix description of functions
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-28 09:16:08 +02:00
Przemek Stekiel
c31a798f45 Replace MBEDTLS_ECDH_C dependency in ssl-opt tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-27 10:58:50 +02:00
Przemek Stekiel
8bfe897ab0 Add ssl-opt functions to check openssl with ffdh support and openssl ephemeral key exchange
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-26 16:33:00 +02:00
Przemek Stekiel
1f5c2ba495 Add missing ECDH dependencies in ssl-opt tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-15 17:07:16 +02:00
Przemek Stekiel
a53dca125e Limit number ffdh test cases (ffdhe2048, ffdhe8192)
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-14 20:53:09 +02:00
Przemek Stekiel
422ab1f835 Add FFDH tests to ssl-opt
Add FFDH support to the test case generator script: generate_tls13_compat_tests.py.
Add dependency for openssl as FFDH is supported from version 3.0.

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-14 11:04:28 +02:00
Przemek Stekiel
75a5a9c205 Code cleanup
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-13 09:57:23 +02:00
Przemek Stekiel
316c19ef93 Adapt guards, dependencies + optimizations
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>

Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-06 12:31:09 +02:00
Przemek Stekiel
5e2f816c39 Fix test configs
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-06 12:31:08 +02:00
Przemek Stekiel
250b9fde75 ssl-opt.sh: Add FFDH tests
Signed-off-by: Przemek Stekiel <przemyslaw.stekiel@mobica.com>
2023-06-06 12:31:08 +02:00
Tom Cosgrove
ef468ea2ba
Merge pull request #6740 from xkqian/tls13_fix_unkown_pk_type
Remove useless debug log of pk type from test cases
2023-05-05 16:14:59 +01:00
Valerio Setti
a9aafd4807 test: revert undesired debug change in ssl-opt
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 12:30:45 +02:00
Valerio Setti
6c496a1553 solve disparities for ECP_LIGHT between ref/accel
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-04-11 11:33:50 +02:00
Ronald Cron
c564938180 Add downgrade protection mechanism
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:32:05 +02:00
Ronald Cron
1a353ea4b8 ssl-opt.sh: Improve description of server negotiation tests
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Ronald Cron
d120bd646c ssl-opt.sh: Add version selection by the server tests
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Ronald Cron
50ae84ed97 ssl-opt.sh: Remove some unnecessary forcing of TLS 1.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Ronald Cron
097ba146e7 tls: srv: Set hybrid TLS 1.2/1.3 as default configuration
Set hybrid TLS 1.2/1.3 as default server
configuration if both TLS 1.2 and TLS 1.3
are enabled at build time.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:18 +02:00
Ronald Cron
f95d169d60 ssl-opt.sh: Force TLS 1.2 on TLS 1.2 specific tests
Force TLS 1.2 on TLS 1.2 specific tests in
preparation of TLS 1.3 being the default
protocol version when both TLS 1.2 and
TLS 1.3 are enabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Ronald Cron
fd4c6afcb4 ssl-opt.sh: Force TLS 1.2 version
Force TLS 1.2 version on tests related to
MBEDTLS_SSL_ASYNC_PRIVATE, CA callback and
MBEDTLS_SSL_MAX_FRAGMENT_LENGTH. Those
SSL options are not supported in TLS 1.3
for the time being. Thus force TLS 1.2
version in preparation of TLS 1.3 being
the default protocol version when both
TLS 1.2 and TLS 1.3 are enabled.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Ronald Cron
92dca39196 ssl-opt.sh: Extend scope of some tests to TLS 1.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Ronald Cron
0aa1b8843f ssl-opt.sh: Remove unnecessary explicit MBEDTLS_SSL_PROTO_TLS1_2 dep
Remove unnecessary explicit MBEDTLS_SSL_PROTO_TLS1_2
dependency if TLS 1.2 version is forced or a TLS 1.2
cipher suite is forced (as TLS 1.2 cipher suites are
available if and only if TLS 1.2 is enabled and
cipher suite availability is check automatically).

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Ronald Cron
65f9029741 ssl-opt.sh: Remove unnecessary TLS 1.3 forcing on client side
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Ronald Cron
c341ad717e ssl-opt.sh: Remove dummy TLS 1.3 kex modes tests
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2023-04-06 10:26:17 +02:00
Paul Elliott
d01a3bca05 Merge tag 'v3.4.0' into mbedtls-3.4.0_mergeback
Mbed TLS 3.4.0
2023-03-27 18:09:49 +01:00
Paul Elliott
f1eb5e2a04 Merge branch 'development-restricted' into mbedtls-3.4.0rc0-pr
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-21 15:35:17 +00:00
Valerio Setti
2f8eb62946 ssl-opt: remove leftover debug commands and fix comment
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-20 14:02:07 +01:00
Valerio Setti
6ba247c236 ssl-opt: solve errors in ECDH reference tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-20 14:00:51 +01:00
Dave Rodgman
0e2b06a1ce
Merge pull request #7083 from KloolK/record-size-limit/parsing
Add parsing for Record Size Limit extension in TLS 1.3
2023-03-17 10:18:34 +00:00
Paul Elliott
646ee7ec2e Fix CI build after repo merge conflict
After merging the driver only ECDSA work, a conflict arose between that and
the previous work re-ordering the ciphersuite preference list. We can remove
the breaking requirement on this test, as this requirement is now auto-detected
when the server5 crt is used in the server's command line.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-16 17:10:34 +00:00
Gilles Peskine
2a44ac245f
Merge pull request #7217 from lpy4105/issue/6840/add-cache-entry-removal-api
ssl_cache: Add cache entry removal api
2023-03-15 15:38:06 +01:00
Jan Bruckner
151f64283f Add parsing for Record Size Limit extension in TLS 1.3
Fixes #7007

Signed-off-by: Jan Bruckner <jan@janbruckner.de>
2023-03-14 08:41:25 +01:00
Paul Elliott
e4622a3436 Merge remote-tracking branch 'development/development' into development-restricted
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2023-03-13 17:49:32 +00:00
Valerio Setti
e7f896d73f fix extra whitespaces
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-13 13:55:28 +01:00
Valerio Setti
80318d2775 ssl-opt: automatically detect requirements when using certs in dir-maxpath
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-13 12:26:42 +01:00
Valerio Setti
77588e9451 ssl-opt: uniformize requirements in tests
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-13 12:00:10 +01:00
Pengyu Lv
62ed1aa316 ssl-opt: Add test for cache entry removal
Signed-off-by: Pengyu Lv <pengyu.lv@arm.com>
2023-03-13 09:28:17 +08:00
valerio
f27472b128 ssl-opt: enable test and fix failures for reference ECDH + USE_PSA"
Signed-off-by: valerio <valerio.setti@nordicsemi.no>
2023-03-09 16:20:38 +01:00
Valerio Setti
1470ce3eba fix typos
Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2023-03-08 16:50:12 +01:00