Commit Graph

16554 Commits

Author SHA1 Message Date
Gilles Peskine
06d5a3226b Remove obsolete MBEDTLS_xxx dependencies
This file had temporary MBEDTLS_xxx dependencies because it was created when
support for PSA_WANT_xxx was still incomplete. Switch to the PSA_WANT_xxx
dependencies

This fixes the bug that "PSA storage read: AES-GCM+CTR" was never executed
because there was a typo in a dependency.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-21 19:26:50 +02:00
Ronald Cron
1d2109041b
Merge pull request #4480 from gilles-peskine-arm/psa-storage-format-test-strategy-20210511
Backport 2.x: Updates to the storage format test strategy after starting implementation
2021-07-15 15:15:48 +02:00
Joe Subbiani
50536429a7 Remove trailing whitespace
Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-07-15 09:02:43 +01:00
Joe Subbiani
c9eb8581a4 Simplify the test and description
Previously the check was convoluted. This has been simplified
and given a more appropriate suggestion as per gilles suggestion

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-07-14 15:32:29 +01:00
Yuto Takano
b2c454cece Add ChangeLog entry for reserved identifier replacments
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:32:18 +01:00
Yuto Takano
284857ee55 Replace _RR with prec_RR to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:30:34 +01:00
Yuto Takano
bc6eaf7976 Replace _B with B to prevent reserved identifier clashes
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-14 14:29:53 +01:00
Joe Subbiani
bd5cc3a0be Add test in block_cipher_key_type test case
The test case uses a bit shift to check that the block
size is a power of 2

Fixes #4228

Signed-off-by: Joe Subbiani <joe.subbiani@arm.com>
2021-07-09 12:17:49 +01:00
Yuto Takano
7187953fc5 Raise max_content_len constraint by one in Connection ID tests
- Also incorporates the grammar fix commit in the development branch

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
a49124e528 Add content length constraint to tests that use max_frag_len
Includes:
- handshake memory tests
- Connection ID (MFL) tests
- DTLS fragmenting tests
- SSLv3 with extensions test (backport only)

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
8a693efe9b Move repetitive equality check to requires_config_value_equals
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
ccdd25cbc5 Reword and add explanatory comments for MAX_IM_CA tests
- Reword the comment on config.h to suggest that
  `MAX_INTERMEDIATE_CA` may not exist in the config.
- Add a comment explaining why the tests are more restrictive
  than necessary.

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
bec7cf762d Use requires_max_content_len, add check in Renegotiation
- Abstract out repetitive checks for IN and OUT content lens
- Remove unclear comment and redundant echo
- Add content length constraints in Renegotiation with fragment length test

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
ab9e433376 Add space between command substitution braces and content
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
d448545d2a Add MAX_IM_CA requirement to int_max+1 chain as well
Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
05d43f49a1 Remove hard exit with MAX_INTERMEDIATE_CA in ssl-opt.sh
- Replace last remaining dependency on config.py with query_config
- Replace hard exit with `requires_config_value_at_least` and
  `requires_config_value_at_most` to maintain the same effect

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Yuto Takano
18ddccc417 Remove hard exit in ssh-opt.sh, replace with requires functions
- Replace calls to config.py for MAX_IN_LEN and MAX_OUT_LEN with
  `get_config_value_or_default`
- Remove hard exit when MAX_IN/OUT_LEN < 4096, replace with
  `requires_config_value_at_least`

Signed-off-by: Yuto Takano <yuto.takano@arm.com>
2021-07-09 11:33:39 +01:00
Gilles Peskine
8de3633c65
Merge pull request #4762 from mpg/fix-overly-aggressive-udp-proxy-2.x
[Backport 2.x] Fix bug with UDP proxy not forwarding enough
2021-07-09 11:57:52 +02:00
Manuel Pégourié-Gonnard
14134281df Fix bug with UDP proxy not forwarding enough
We previously introduced a safety check ensuring that if a datagram had
already been dropped twice, it would no longer be dropped or delayed
after that.

This missed an edge case: if a datagram is dropped once, it can be
delayed any number of times. Since "delay" is not defined in terms of
time (x seconds) but in terms of ordering with respect to other messages
(will be forwarded after the next message is forwarded), depending on
the RNG results this could result in an endless loop where all messages
are delayed until the next, which is itself delayed, etc. and no message
is ever forwarded.

The probability of this happening n times in a row is (1/d)^n, where d
is the value passed as delay=d, so for delay=5 and n=5 it's around 0.03%
which seems small but we still happened on such an occurrence in real
life:

    tests/ssl-opt.sh --seed 1625061502 -f 'DTLS proxy: 3d, min handshake, resumption$'

results (according to debug statements added for the investigation) in
the ClientHello of the second handshake being dropped once then delayed
5 times, after which the client stops re-trying and the test fails for
no interesting reason.

Make sure this doesn't happen again by putting a cap on the number of
times we fail to forward a given datagram immediately.

Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 12:42:59 +02:00
Manuel Pégourié-Gonnard
dcb3479701
Merge pull request #4761 from mpg/fix-memleak-in-ssl-test-2.x
[backport 2.x] Fix memory leak on failure path in test code
2021-07-08 12:34:30 +02:00
Paul Elliott
7fe62cc88b Fix divide by zero if macro used with wrong key
If PSA_CIPHER_ENCRYPT_OUTPUT_SIZE was called on a non symmetric key,
then a divide by zero could happen, as PSA_CIPHER_BLOCK_LENGTH will
return 0 for such a key, and PSA_ROUND_UP_TO_MULTIPLE will divide by
the block length.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-08 11:28:15 +01:00
Manuel Pégourié-Gonnard
87e8b5ccaa Use distinct variables for distinct purposes
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 10:30:38 +02:00
Manuel Pégourié-Gonnard
40e26b2600 Fix memory leak on failure path in test code
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
2021-07-08 10:30:38 +02:00
Gilles Peskine
008cd0c4d8
Merge pull request #4757 from gilles-peskine-arm/generate_psa_tests-speedup-2.27
Backport 2.x: Speed up the generation of storage format test cases
2021-07-07 15:27:21 +02:00
Dave Rodgman
e1a97cb3eb
Merge pull request #847 from ARMmbed/mbedtls-2.27.0_merge_into_release
Mbedtls 2.27.0 merge into release
2021-07-07 11:18:19 +01:00
Gilles Peskine
3008c58df9 Speed up the generation of storage format test cases
Restore the optimization done in
 HEAD^{/Speed up the generation of storage format test cases}
which was lost during refactoring made when adding support for
implicit usage flags.

There are still more than one call to the C compiler, but the extra
calls are only for some key usage test cases.

This is an internal refactoring. This commit does not change the
output of generate_psa_tests.py

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-07-06 21:08:46 +02:00
Dave Rodgman
f71e287808
Merge pull request #843 from paul-elliott-arm/mbedtls-2.27.0rc0-pr
Mbedtls 2.27.0rc0 pr
2021-07-06 12:59:58 +01:00
Dave Rodgman
4614cb175d Fix Changelog indentation
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-07-05 18:50:01 +01:00
Dave Rodgman
699ccf83db Fix indentation in the Changelog
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-07-05 18:10:27 +01:00
Paul Elliott
610a9cc43f Bump SO version for libmbedcrypto
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 14:59:26 +01:00
Paul Elliott
f3e1a25ef8 Revert ChangeLog change
_ALT was actually more accurate than alternative when describing
implementations in this case.

Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 14:28:53 +01:00
Paul Elliott
40d3fd389a Grammar and typo changelog cleanup
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 11:08:07 +01:00
Paul Elliott
46c0cf7dfe Actually remove compiled changelog entries
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-02 08:29:33 +01:00
Paul Elliott
3ca4892432 Update changelog to cover #4197
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 18:08:30 +01:00
Paul Elliott
d925ee0a6e Set ChangeLog version and release date
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:58:07 +01:00
Paul Elliott
bece7374ce Bump Library Version Number
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:52:07 +01:00
Paul Elliott
671233280e Build aggregated ChangeLog
Signed-off-by: Paul Elliott <paul.elliott@arm.com>
2021-07-01 17:37:55 +01:00
Paul Elliott
4128c2032e Merge remote-tracking branch 'restricted/development_2.x-restricted' into mbedtls-2.27.0rc0-pr 2021-07-01 17:26:38 +01:00
Dave Rodgman
ba940cc695
Merge pull request #4182 from gabor-mezei-arm/3258_implement_one-shot_MAC_and_cipher
[Backport 2.x] Implement one-shot cipher
2021-06-30 17:04:11 +01:00
Dave Rodgman
af9b4841fb
Merge pull request #4605 from gabor-mezei-arm/3267_sign_verify_key_policies
[Backport 2.x] Key policy extension for PSA_KEY_USAGE_SIGN/VERIFY_HASH
2021-06-30 14:51:03 +01:00
gabor-mezei-arm
e4be8a3bea
Remove obsolete comment
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:34:28 +02:00
gabor-mezei-arm
05dac4a20b
Give a better name for struct member
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-30 10:31:18 +02:00
Dave Rodgman
0a4046e9ca
Merge pull request #4736 from daverodgman/alert_bugfixes_2.x
Backport 2.x: Fix alert raised for invalid fragment length
2021-06-30 09:02:49 +01:00
Dave Rodgman
7ed75e21c9 Correct required config flag in ECJPAKE tests
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-06-29 21:15:58 +01:00
gabor-mezei-arm
252304594b
Fix minor issues
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 19:06:30 +02:00
gabor-mezei-arm
a3669ac7e7
Restoring the multi-part cipher_verify_output() testing
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 18:58:42 +02:00
Gilles Peskine
bdba86f4d5
Merge pull request #4718 from nick-child-ibm/hash_len_devel
Backport 2.x: pk.c: Ensure min hash_len in pk_hashlen_helper
2021-06-29 18:16:51 +02:00
gabor-mezei-arm
3ea27325c9
Fix pylint issue
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 17:21:21 +02:00
gabor-mezei-arm
809634d5d9
Check the return status of the functions first
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00
gabor-mezei-arm
42373bdde7
Add buffer overflow check
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-06-29 16:49:51 +02:00