Commit graph

15498 commits

Author SHA1 Message Date
Gilles Peskine 8a55b434c2 Don't generate non-existent dependency symbols
Filter our algorithm constructors that don't have a dependency symbol
of their own.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:23 +02:00
Gilles Peskine cf70d07c8b Define dependency symbols for hashless signature algorithms
Define the dependency symbols PSA_WANT_ALG_ECDSA_ANY and
PSA_WANT_ALG_RSA_PKCS1V15_SIGN_RAW as de facto synonyms of
PSA_WANT_ALG_ECDSA and PSA_WANT_ALG_RSA_PKCS1V15_SIGN respectively: if
either one is requested, the other is set.
This makes it easier to systematically determine the dependencies of
an algorithm.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:20 +02:00
Gilles Peskine b93f854f4c Expand psa_generate_tests to support constructor arguments
In macro_collector.py, base InputsForTest on PSAMacroEnumerator rather
than PSAMacroCollector. It didn't make much sense to use
PSAMacroCollector anymore since InputsForTest didn't use anything
other than the constructor.

psa_generate_tests now generates arguments for more macros.
In particular, it now collects macro arguments from
test_suite_psa_crypto_metadata. Algorithms with parameters are now
supported.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:34:09 +02:00
Gilles Peskine ae9f14b159 Speed up the generation of storage format test cases
First build a list of all keys, then construct all the corresponding
test cases. This allows all required information to be obtained in
one go, which is a significant performance gain as the information
includes numerical values obtained by compiling a C program.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 0ba69a462e Fix KeyType with parameters passed in the name argument
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine d6d2d6a7d7 Use InputsForTest in generate_psa_tests
In generate_psa_tests, use InputsForTest rather than PSAMacroCollector
to gather values. This way, the enumeration of values to test includes
values used in metadata tests in addition to constructors parsed from
header files. This allows greater coverage of values built from
constructors with arguments. This doesn't make a difference yet, but
it will once algorithm constructors with arguments are supported in
generate_psa_tests.

Make the injection of numerical values optional. They are useful for
test_psa_constant_names, so keep them there. Don't use them for
not-supported tests: they might make sense, but the current code
wouldn't work since it doesn't know how to make up fake key material
or what dependencies to generate. Don't use them for storage tests:
they only make sense for supported values.

Don't inject 'PSA_SUCCESS': that's superfluous.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 3cf3a8ebdf Move InputsForTest to macro_collector.py
This is useful to generate PSA tests for more than constant names.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine e30ad46f91 Add type annotations
Prepare to move InputsForTest to macro_collector.py.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Gilles Peskine 4d59f01bcd Fix copypasta in documentation
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-25 19:31:21 +02:00
Ronald Cron aede2d0c52
Merge pull request #4533 from gilles-peskine-arm/host_test-int32-2.x
Backport 2.x: Fix build error in host_test.function when int32_t is not int
2021-05-21 16:02:11 +02:00
Manuel Pégourié-Gonnard 7dea07610c
Merge pull request #4289 from gilles-peskine-arm/openssl-dhparam-robustness-development
Backport 2.x: Fix SSL tests scripts with recent OpenSSL server with Diffie-Hellman
2021-05-21 10:16:18 +02:00
Manuel Pégourié-Gonnard db97b1e211
Merge pull request #4491 from netfoundry/fix-mingw-build
Backport 2.x : Use proper formatting macros when using MinGW provided stdio
2021-05-21 10:03:18 +02:00
Janos Follath d76f7ba2e1
Merge pull request #4529 from hanno-arm/ssl_session_cache_fix_backport_2x
Backport 2.x: Add session ID as an explicit parameter to SSL session cache API
2021-05-21 08:49:11 +01:00
Hanno Becker c304679c75 Add ChangeLog entry
Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-21 05:29:01 +01:00
Gilles Peskine d135b57e8c
Merge pull request #4412 from gilles-peskine-arm/undefined-reference-2.27
Backport 2.x: Fix missing compilation guard around psa_crypto_driver_wrappers.c
2021-05-20 17:20:36 +02:00
Gilles Peskine a33cb76820
Merge pull request #4493 from netfoundry/gcc11.fixes_2.x
Backport 2.x: build with gcc11
2021-05-20 15:54:20 +02:00
Gilles Peskine 05c11e3dd5
Merge pull request #4503 from gilles-peskine-arm/ciphersuite-sha384-guard-2.x
Backport 2.x: fix SHA384 guards in TLS
2021-05-19 21:13:08 +02:00
Gilles Peskine ad0e01248d Fix missing compilation guard around psa_crypto_driver_wrappers.c
Fix #4411.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 21:03:46 +02:00
Gilles Peskine c54010c3ec Split SHA-512 and SHA-384 guards for hash availability code
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:15 +02:00
Gilles Peskine fc9c07ff8f Fix unused variable with MBEDTLS_SHA512_NO_SHA384
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:13 +02:00
Gilles Peskine d2d59379ed Remove dead code under MBEDTLS_SHA512_NO_SHA384
TLS code specific to SHA-384 was gated on MBEDTLS_SHA512_C. But SHA-384 also
requires that MBEDTLS_SHA512_NO_SHA384 is not defined. This lead to dead
code in TLS when MBEDTLS_SHA512_C and MBEDTLS_SHA512_NO_SHA384 were both
defined (i.e. when SHA-512 was enabled but not SHA-384).

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:10 +02:00
Gilles Peskine 367379d7fc Fix dependencies on SHA384 cipher suites
They depended on MBEDTLS_SHA512_C only. A check for !MBEDTLS_SHA512_NO_SHA384
was missing.

Fix #4499.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:58:08 +02:00
Gilles Peskine 3d23e28ee1 Fix dependency for TLS-RSA-WITH-CAMELLIA-256-GCM-SHA384
Fix #4472

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-19 16:57:40 +02:00
Ronald Cron 7eee55e85f
Merge pull request #4527 from gilles-peskine-arm/psa-deprecated-macros-20210516
[2.x only] Remove some remaining uses of deprecated constants
ok with only one approval thus merging.
2021-05-19 14:44:37 +02:00
Dave Rodgman f6de5d99f4
Merge pull request #4537 from daverodgman/padlock-docs-fix-2.x
2.x backport: Fix docs for mbedtls_padlock_has_support
2021-05-19 12:12:39 +01:00
Gilles Peskine e14e839e1f
Merge pull request #4525 from gilles-peskine-arm/pr_4357-changelog
Backport 2.x: Add changelog entry for #4357
2021-05-19 11:58:08 +02:00
Hanno Becker 83e3671d87 Don't check ciphersuite and compression in SSL session cache lookup
Session-ID based session resumption requires that the resumed session
is consistent with the client's ClientHello in terms of choice of
ciphersuite and choice of compression.

This check was previously assumed to be performed in the session cache
implementation, which seems wrong: The session cache should be an id-based
lookup only, and protocol specific checks should be left to Mbed TLS.

This commit
- adds an explicit ciphersuite and compression consistency check after
  the SSL session cache has been queried
- removes the ciphersuite and compression consistency check from
  Mbed TLS' session cache reference implementation.

Don't use ssl_check_xxx() for functions with void return

Signed-off-by: Hanno Becker <hanno.becker@arm.com>
2021-05-19 05:09:56 +01:00
Dave Rodgman 6efa722e59 Fix docs for mbedtls_padlock_has_support
Fix a slight inaccuracy in the docs for the return value of
mbedtls_padlock_has_support.

Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
2021-05-18 19:35:24 +01:00
Gilles Peskine 47cd121d18 Fix build error when int32_t is not int
Fix a pointer mismatch when int32_t is not int, for example on Cortex-M where
in32_t is long int. Fix #4530

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-18 16:43:00 +02:00
Gilles Peskine 8ce4ab18ab
Merge pull request #4460 from gilles-peskine-arm/generate-tests-python3-make-2.x
Backport 2.x: Use Python 3 instead of Python 2 to generate test files
2021-05-18 13:30:40 +02:00
Gilles Peskine f9d0c17eaf Remove some remaining uses of deprecated constants
Deprecated constants should only be used to test them specifically.
Remove a few stragglers.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 22:31:15 +02:00
Gilles Peskine 6e0b043278 Add changelog entry for #4357
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-17 22:20:11 +02:00
Gilles Peskine 54650b3892
Merge pull request #4505 from d3zd3z/bp2x-posix-define
Backport 2.x: Check if feature macro is defined before define it
2021-05-17 12:09:59 +02:00
Gilles Peskine bed4e9e214
Merge pull request #4357 from gabor-mezei-arm/3267_Implement_psa_sign_message_and_verify
Implement psa_sign_message and psa_verify_message
2021-05-17 10:14:46 +02:00
gabor-mezei-arm c97b8ab0fd
Update key type name
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-14 10:11:48 +02:00
Shawn Carey 63ee881a9b avoid -Wmaybe-uninitialized when buiding with gcc11
Signed-off-by: Shawn Carey <shawn.carey@netfoundry.io>
2021-05-13 10:26:52 -04:00
Gilles Peskine bb66dac971 Fix spurious -Wstringop-overflow with GCC 11.1
A previous fix in d596ca8a1e worked with
beta versions of GCC 11, but not with the final 11.1 release.

This time, just disable the warning locally.

Fix #4130

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-13 10:20:39 -04:00
David Brown be2db1687e Add changelog for posix definition
Signed-off-by: David Brown <david.brown@linaro.org>
2021-05-12 15:00:55 -06:00
Flavio Ceolin a79c30b8f4 Check if feature macro is defined before define it
Zephyr's native posix port define _POSIX_C_SOURCE with a higher value
during the build, so when mbedTLS defines it with a different value
breaks the build.

As Zephyr is already defining a higher value is guaranteed that mbedTLS
required features will be available. So, just define it in case it was
not defined before.

[taken from Zephyr mbedtls module:
76dcd6eeca]

Signed-off-by: Flavio Ceolin <flavio.ceolin@intel.com>
Signed-off-by: David Brown <david.brown@linaro.org>
2021-05-12 15:00:48 -06:00
eugene 3239eff409 fix changelog entry
Signed-off-by: eugene <eugene.kobyakov@netfoundry.io>
2021-05-12 14:37:24 -04:00
eugene 98d2fe9f85 add changelog entry
Signed-off-by: eugene <eugene.kobyakov@netfoundry.io>
2021-05-12 12:41:13 -04:00
Ronald Cron 456d547973
Merge pull request #4486 from gilles-peskine-arm/tniessen-typos-in-header-files-2.x
Backport 2.x: Fix typos in C header files
Enough to have only one reviewer.
2021-05-12 18:22:27 +02:00
Shawn Carey 4e54f25cc6 avoid "maybe-uninitialized" and "free-nonheap-object" errors/warnings with gcc11
Signed-off-by: Shawn Carey <shawn.carey@netfoundry.io>
2021-05-12 09:37:00 -04:00
eugene 7f5cd4786a use proper formatting macros when using MinGW provided stdio
Signed-off-by: eugene <eugene.kobyakov@netfoundry.io>
2021-05-12 08:50:36 -04:00
gabor-mezei-arm f25c9767a9
Enable fallback to software implementation in psa_sign/verify_message driver
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 11:12:25 +02:00
gabor-mezei-arm c979578a83
Unify variable type and rename to be unambiguous
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 11:03:09 +02:00
gabor-mezei-arm 63c7a66320
Update documentation
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 10:49:27 +02:00
gabor-mezei-arm 41b5ec6fd2
Typo
Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2021-05-12 10:48:55 +02:00
Tobias Nießen 02b6fba7f5 Fix typos in C header files
Signed-off-by: Tobias Nießen <tniessen@tnie.de>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2021-05-12 10:39:58 +02:00
Gilles Peskine 456cde1081
Merge pull request #4479 from stevew817/backport_4247
Backport 2.x: Dispatch MAC operations through the driver interface
2021-05-11 20:21:17 +02:00