Commit Graph

5531 Commits

Author SHA1 Message Date
Manuel Pégourié-Gonnard
5aeb61ccb4 Improve readability and relevance of values
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-22 10:38:38 +02:00
Manuel Pégourié-Gonnard
bcaba030ec Expand negative coverage of ECDSA verification
Motivated by CVE-2022-21449, to which we're not vulnerable, but we
didn't have a test for it. Now we do.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-22 10:38:38 +02:00
Gilles Peskine
35de7b013a
Merge pull request #5741 from gilles-peskine-arm/depends-curves-positive-only-2.28
Backport 2.28: Don't test with all-but-one elliptic curves
2022-04-21 12:34:47 +02:00
Gilles Peskine
f7a101af3c
Merge pull request #5730 from gilles-peskine-arm/ssl-opt-auto-psk-2.28
Backport 2.28: Run ssl-opt.sh in more reduced configurations
2022-04-21 12:03:43 +02:00
Gilles Peskine
36019d5182 Use terse output from lsof
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may
hide clues as to why lsof wouldn't be working as expected.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:21:38 +02:00
Gilles Peskine
e8133cbecc test_cmake_out_of_source: validate that ssl-opt passed
If the ssl-opt test case was skipped, the test was ineffective.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-16 11:21:38 +02:00
Gilles Peskine
719a652834 Fix REMOVE_ARC4 test case dependencies
When ARC4 ciphersuites are compiled in, but removed from the default list,
requires_ciphersuite_enabled does not consider them to be enabled. Therefore
test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such
configurations, must not use requires_ciphersuite_enabled.

Instead, require the corresponding cryptographic mechanisms. In addition,
for the test case "RC4: both enabled", bypass the automatic ciphersuite
support detection based on force_ciphersuite= that would otherwise cause
this test case to be skipped. (This automatic detection doesn't cause the
negative tests to be skipped because it has an exception whenthe handshake
is supposed to fail.)

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 20:10:37 +02:00
Gilles Peskine
add21ad967 Fix typo in config symbol
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 15:14:58 +02:00
Andrzej Kurek
96bf3d13f3 Add missing MBEDTLS_ECP_C dependency
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 07:35:16 -04:00
Andrzej Kurek
9cb14d4ce2 tests: fix bitflip comment
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 07:02:24 -04:00
Andrzej Kurek
ee9488d3f0 Prefer TEST_EQUAL over TEST_ASSERT in test suites
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 07:02:20 -04:00
Gilles Peskine
6dd489cb15 raw_key_agreement_fail: Add a nominal run
Ensure that the nominal run works properly, so that it's apparent that the
injected failure is responsible for the failure of the handshake.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-15 07:02:16 -04:00
Gilles Peskine
703a88916b Remove redundant empty slot count check
USE_PSA_DONE() already checks that there are no used key slots.

The call to TEST_ASSERT() wouldn't have worked properly on failure anyway,
since it would jump back to the exit label.

Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 07:02:11 -04:00
Andrzej Kurek
86029e04b4 Remove RSA & DTLS dependency in raw key agreement test
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 07:02:00 -04:00
Andrzej Kurek
99f6778b60 Change the bit to flip to guarantee failure
For weistrass curves the pair is encoded as 0x04 || x || y.
Flipping one of the bits in the first byte should be a sure failure.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:46:06 -04:00
Andrzej Kurek
2582ba3a52 Change the number of expected free key slots
Development TLS code now uses PSA to generate an
ECDH private key. Although this would not be required
in 2.28 branch, it is backported for compatibility.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:46:03 -04:00
Andrzej Kurek
577939a268 Tests: add missing requirements for the raw key agreement test
SECP384R1 is needed for the default loaded
certificate.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:45:59 -04:00
Andrzej Kurek
8985e1ff80 Update raw key agreement test dependencies
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:45:55 -04:00
Andrzej Kurek
b4eedf7a23 Test failing raw_key_agreement in ssl mock tests
Force a bitflip in server key to make the raw key
agreement fail, and then verify that no key slots
are left open at the end. Use a Weierstrass curve
to have a high chance of failure upon encountering
such bitflip.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:45:45 -04:00
Andrzej Kurek
535cd1790b Add a curves argument to mocked ssl tests
This will be used to force a curve in certain tests
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
2022-04-15 06:12:31 -04:00
Gilles Peskine
a16d8fcee9
Merge pull request #5697 from gilles-peskine-arm/psa-test-op-fail-2.28
Backport 2.28: PSA: systematically test operation failure
2022-04-15 10:52:50 +02:00
Gilles Peskine
2f8b09c725 Don't test with all-but-one elliptic curves
`curves.pl` (invoked by `all.sh test_depends_curves`, and
`all.sh test_depends_curves_psa`) currently runs two series of tests:
* For each curve, test with only that curve enabled.
* For each curve, test with all curves but that one.

Originally this script was introduced to validate test dependencies, and for
that all-but-one gives better results because it handles test cases that
require multiple curves. Then we extended the script to also test with a
single curve, which matches many real-world setups and catches some product
bugs. Single-curve testing also validates test dependencies in a more
limited way.

Remove all-but-one curve testing, because it doesn't add much to the test
coverage. Mainly, this means that we now won't detect if a test case
declares two curve dependencies but actually also depends on a third. This
is an acceptable loss.

The trigger for removing all-but-one curve testing is that this will make
the job take only about half as long, and the length of the job was a bit of
a problem. Resolves #5729.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-14 14:10:34 +02:00
Manuel Pégourié-Gonnard
6abc6259d5 Add comment in compat.sh about callers
Also update comments about default versions and excludes while at it.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:29:01 +02:00
Manuel Pégourié-Gonnard
b623832176 Fix compat.sh invocation in basic-built-test.sh
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2022-04-14 09:12:10 +02:00
Gilles Peskine
6e257b0bc7 Detect requirement on DTLS_BADMAC_LIMIT
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 14:19:57 +02:00
Gilles Peskine
bcb2ab0cb3 Add a few more protocol version support requirements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
bba3b4c79a Add or fix requirements on FALLBACK_SCSV
Automatically detect when an mbedtls or openssl client enables fallback
SCSV.

For test cases with a hard-coded ClientHello with FALLBACK_SCSV, declare the
dependency manually. Remove the erroneous requirement on openssl in these
test cases.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
4b137d1bc4 Automatically detect protocol version requirement from force_version
When the client or server uses a specific protocol version, automatically
require that version to be enabled at compile time.

An explicit call is still needed in test cases that require a specific
protocol version (due to analyzing version-specific behavior, or checking
the version in logs), but do not force that specific protocol version, or that
force a specific version only on the openssl/gnutls side.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
3c985f6b70 Move ticket, alpn detection into maybe_requires_ciphersuite_enabled
No intended behavior change.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
511fdf435f Prepare to generalize maybe_requires_ciphersuite_enabled
Rename maybe_requires_ciphersuite_enabled() to detect_required_features()
and refactor its code a little. No intended behavior change. In subsequent
commits, this function will detect other requirements in a similar way.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
e70605c28e Add requirement for RC4 tests
The automatic ciphersuite detection deliberately doesn't operate on test
cases that verify that the test suite is rejected, but some RC4 test cases
only apply to configurations where the algorithm must be enabled at compile
time (otherwise the connection would fail in a different way).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
5a1b3bdc44 Make mbedtls_ssl_get_bytes_avail tests more independent
Don't depend on the default sizes in the test programs: pass explicit
request and buffer sizes.

Don't depend on MAX_CONTENT_LEN (other than it not being extremely small:
this commit assumes that it will never be less than 101).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
f2e1f47b2e set_maybe_calc_verify: $1 is intended to be auth_mode
Document that this is what it is. Don't allow made-up numerical values.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
de4cb3569e Add requirements of "Default"
The log checks require a specific hash and a specific curve.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
d5b1a30c2f Documentation improvements
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
22cc649769 Skip some DTLS reordering tests in PSK-only builds
Some DTLS reordering tests rely on certificate authentication messages. It
is probably possible to adapt them to rely on different messages, but for
now, skip them in PSK-only builds.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
64c683fd18 calc_verify is only called in some configurations
If MBEDTLS_SSL_EXTENDED_MASTER_SECRET is disabled or the feature is disabled
at runtime, and if client authentication is not used, then calc_verify is not
called, so don't require the corresponding debug trace.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
def0e147ab test-ref-configs: clarify configuration-related traces
When doing builds with PSA enabled or with debug traces enabled, convey this
in $MBEDTLS_TEST_CONFIGURATION and in the terminal logs.

This fixes a bug that the outcome file did not distinguish entries from
test cases run in a reference configuration with or without PSA.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
20e25b9012 Simplify the logic to select configurations
User-visible changes:
* With no argument, configurations are now tested in a deterministic order.
* When given arguments, configurations are now tested in the order given.
* When given arguments, if the same configuration is passed multiple times,
  it will now be tested multiple times.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
291372fd41 Add a missing requires_max_content_len
Slightly reduce the amount of data so that the test passes with 512.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:38 +02:00
Gilles Peskine
dcb13af837 ssl-opt needs debug messages
Many test cases in ssl-opt.sh need error messages (MBEDTLS_ERROR_C) or SSL
traces (MBEDTLS_DEBUG_C). Some sample configurations don't include these
options. When running ssl-opt.sh on those configurations, enable the
required options. They must be listed in the config*.h file, commented out.

Run ssl-opt in the following configurations with debug options:
ccm-psk-tls1_2, ccm-psk-dtls1_2, suite-b. Skip mini-tls1_1 for now because
it requires significant improvements to ssl-opt.sh (lots of missing
requires_xxx).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-13 11:24:13 +02:00
Gilles Peskine
89d892ffdd Adapt tests for PSK in PSK-only builds
In a PSK-only build:
* Skip tests that rely on a specific non-PSK cipher suite.
* Skip tests that exercise a certificate authentication feature.
* Pass a pre-shared key in tests that don't mind the key exchange type.

This commit only considers PSK-only builds vs builds with certificates. It
does not aim to do something useful for builds with an asymmetric key
exchange and a pre-shared key for authentication.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
111fde4ce9 Add some missing dependencies: EXTENDED_MASTER_SECRET, CACHE
This commit is not necessarily complete, but it's a step forward.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
dff48c1c65 Only run "Default" tests if the ciphersuite is enabled
These tests ensure that a certain cipher suite is in use, so they fail in
builds that lack one of the corresponding algorithms.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
df4ad90a15 ssl-opt: check for protocol version support
Skip tests that require a specific version of the protocol if that version
is disabled at compile time.

This commit only partially does the job, mostly covering tests that check
the protocol version in client or server logs. It is not intended to be
exhaustive; in particular many uses of force_version are not covered (I
think they should instead be covered automatically, but this is out of scope
of the current commit).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
4502671e0b Automatically skip tests for some absent features: tickets, ALPN
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
e5f4958c80 ssl-opt: automatically skip DTLS tests in builds without DTLS
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
8c5c2930db New sample/test configuration: small DTLS 1.2
1. Copy config-ccm-psk-tls1_2.h
2. Add DTLS support
3. Add some TLS and DTLS features that are useful in low-bandwidth,
   low-reliability networks
4. Reduce the SSL buffer to a very small size

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 21:26:36 +02:00
Gilles Peskine
03efa0b8d3 Fix ARIA support in test driver configuration
Deduce MBEDTLS_PSA_ACCEL_KEY_TYPE_ARIA for the driver build from its value
from the core build, as is done for other key types. This had not been done
correctly when adding ARIA support to the PSA subsystem.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 17:15:56 +02:00
Gilles Peskine
186331875a test_psa_crypto_config_accel_cipher: deactivate CMAC
We don't yet support all combinations of configurations. With all.sh as it
currently stands, component_test_psa_crypto_config_accel_cipher results in a
build where PSA_WANT_ALG_CMAC is disabled but CMAC operations succeed
nonetheless, going via the driver. With the systematic testing of
not-supported operations, this now results in a test failure.

The code in all.sh does not respect the principle documented in
df885c052c:

> The PSA_WANT_* macros have to be the same as the ones
> used to build the Mbed TLS library the test driver
> library is supposed to be linked to as the PSA_WANT_*
> macros are used in the definition of structures and
> macros that are shared by the PSA crypto core,
> Mbed TLS drivers and the driver test library.

Disable PSA_WANT_ALG_CMAC completely in this test component. This is not
wrong and it makes the test component pass.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2022-04-12 17:15:56 +02:00