These were a mistake when backporting the change from the development
branch, where mbedtls/config.h has been renamed to mbedtls/mbedtls_config.h.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This commit fixes#1992: The documentation of mbedtls_x509_crt_profile
previously stated that the bitfield `allowed_pks` defined which signature
algorithms shall be allowed in CRT chains. In actual fact, however,
the field also applies to guard the public key of the end entity
certificate.
This commit changes the documentation to state that `allowed_pks`
applies to the public keys of all CRTs in the provided chain.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Motivated by CVE-2022-21449, to which we're not vulnerable, but we
didn't have a test for it. Now we do.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
This both simplifies parsing a little, and suppresses warnings. Suppressing
warnings is both good and bad: on the one hand it resolves problems such as
https://github.com/Mbed-TLS/mbedtls/issues/5731, on the other hand it may
hide clues as to why lsof wouldn't be working as expected.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When ARC4 ciphersuites are compiled in, but removed from the default list,
requires_ciphersuite_enabled does not consider them to be enabled. Therefore
test cases for MBEDTLS_REMOVE_ARC4_CIPHERSUITES, which must run in such
configurations, must not use requires_ciphersuite_enabled.
Instead, require the corresponding cryptographic mechanisms. In addition,
for the test case "RC4: both enabled", bypass the automatic ciphersuite
support detection based on force_ciphersuite= that would otherwise cause
this test case to be skipped. (This automatic detection doesn't cause the
negative tests to be skipped because it has an exception whenthe handshake
is supposed to fail.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Ensure that the nominal run works properly, so that it's apparent that the
injected failure is responsible for the failure of the handshake.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
USE_PSA_DONE() already checks that there are no used key slots.
The call to TEST_ASSERT() wouldn't have worked properly on failure anyway,
since it would jump back to the exit label.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
For weistrass curves the pair is encoded as 0x04 || x || y.
Flipping one of the bits in the first byte should be a sure failure.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Development TLS code now uses PSA to generate an
ECDH private key. Although this would not be required
in 2.28 branch, it is backported for compatibility.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Force a bitflip in server key to make the raw key
agreement fail, and then verify that no key slots
are left open at the end. Use a Weierstrass curve
to have a high chance of failure upon encountering
such bitflip.
Signed-off-by: Andrzej Kurek <andrzej.kurek@arm.com>
Include more curves. For example, the Brainpool curves don't have
dedicated "mod p" reduction routines, so they have a much larger number
of allocs (comparable to the NIST curves with `MBEDTLS_ECP_NIST_OPTIM`
disabled).
On the other hand, to keep the script's running time reasonable, remove
a few things:
- curves smaller than 256 bits (out of favour these days)
- window sizes larger than the default: 6 was particularly useless as
it's never selected by the current code; 5 can only be selected with
curves >= 384 and is unlikely to be used in practice as it increases
heap usage quite a lot for very little performance gain.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
Clearly the intention was to enable it, as ECDSA_C was defined, but the
benchmark also requires SHA-256 for ECDSA.
Also, specify "ecdh ecdsa" when invoking the benchmark program, in order
to avoid spurious output about SHA-256.
Signed-off-by: Manuel Pégourié-Gonnard <manuel.pegourie-gonnard@arm.com>
`curves.pl` (invoked by `all.sh test_depends_curves`, and
`all.sh test_depends_curves_psa`) currently runs two series of tests:
* For each curve, test with only that curve enabled.
* For each curve, test with all curves but that one.
Originally this script was introduced to validate test dependencies, and for
that all-but-one gives better results because it handles test cases that
require multiple curves. Then we extended the script to also test with a
single curve, which matches many real-world setups and catches some product
bugs. Single-curve testing also validates test dependencies in a more
limited way.
Remove all-but-one curve testing, because it doesn't add much to the test
coverage. Mainly, this means that we now won't detect if a test case
declares two curve dependencies but actually also depends on a third. This
is an acceptable loss.
The trigger for removing all-but-one curve testing is that this will make
the job take only about half as long, and the length of the job was a bit of
a problem. Resolves#5729.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This remark is intended for maintainers, not for users. It should not have
been in the Doxygen typeset part.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
With Doxygen 1.8.11 (as on Ubuntu 16.04), `#include` doesn't protect the
hash character enough, and Doxygen tries to link to something called
include. (Doxygen 1.8.17 doesn't have this problem.)
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Include this new section in the "full for documentation" (`realfull`)
configuration, so that these options are documented in the official
documentation build (`scripts/apidoc_full.sh`).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
