Merge pull request #8508 from valeriosetti/issue6323

[G3] Driver-only cipher+aead: TLS: ssl-opt.sh
2025-02-21 15:41:00 +00:00 · 2023-11-14 11:39:06 +00:00 · 2023-11-14 11:39:06 +00:00 · 752dd39a69
commit 752dd39a69
parent cf582df426 04c85e146c
5 changed files with 129 additions and 38 deletions
--- a/include/mbedtls/ssl.h
+++ b/include/mbedtls/ssl.h
@ -600,6 +600,26 @@
 #define MBEDTLS_TLS_EXT_RENEGOTIATION_INFO      0xFF01
 /* Some internal helpers to determine which keys are availble. */
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
 #define MBEDTLS_SSL_HAVE_AES
 #endif
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
 #define MBEDTLS_SSL_HAVE_CAMELLIA
 #endif
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
 #define MBEDTLS_SSL_HAVE_ARIA
 #endif
 /* Some internal helpers to determine which operation modes are availble. */
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
 #define MBEDTLS_SSL_HAVE_CBC
 #endif
 /*
 * Size defines
 */
@ -613,7 +633,7 @@
 */
 #if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
    defined(MBEDTLS_SSL_SESSION_TICKETS) && \
-    defined(MBEDTLS_AES_C) && defined(MBEDTLS_GCM_C) && \
+    defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) && \
    defined(MBEDTLS_MD_CAN_SHA384)
 #define MBEDTLS_PSK_MAX_LEN 48 /* 384 bits */
 #else
--- a/library/ssl_misc.h
+++ b/library/ssl_misc.h
@ -249,26 +249,6 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
 * counter (8) + header (5) + IV(16) + MAC (16-48) + padding (0-256).
 */
 /* Some internal helpers to determine which keys are availble. */
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
 #define MBEDTLS_SSL_HAVE_AES
 #endif
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CAMELLIA_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_CAMELLIA))
 #define MBEDTLS_SSL_HAVE_CAMELLIA
 #endif
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_ARIA_C)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_ARIA))
 #define MBEDTLS_SSL_HAVE_ARIA
 #endif
 /* Some internal helpers to determine which operation modes are availble. */
 #if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
    (defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
 #define MBEDTLS_SSL_HAVE_CBC
 #endif
 #if defined(MBEDTLS_SSL_PROTO_TLS1_2)
 /* This macro determines whether CBC is supported. */
--- a/programs/ssl/ssl_server2.c
+++ b/programs/ssl/ssl_server2.c
@ -281,18 +281,11 @@ int main(void)
 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
 #if defined(MBEDTLS_CIPHER_C)
 #define USAGE_TICKETS                                       \
    "    tickets=%%d          default: 1 (enabled)\n"       \
    "    ticket_rotate=%%d    default: 0 (disabled)\n"      \
    "    ticket_timeout=%%d   default: 86400 (one day)\n"   \
    "    ticket_aead=%%s      default: \"AES-256-GCM\"\n"
 #else /* MBEDTLS_CIPHER_C */
 #define USAGE_TICKETS                                       \
    "    tickets=%%d          default: 1 (enabled)\n"       \
    "    ticket_rotate=%%d    default: 0 (disabled)\n"      \
    "    ticket_timeout=%%d   default: 86400 (one day)\n"
 #endif /* MBEDTLS_CIPHER_C */
 #else /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
 #define USAGE_TICKETS ""
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
@ -1463,6 +1456,42 @@ int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
 }
 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
 int parse_cipher(char *buf)
 {
    if (strcmp(buf, "AES-128-CCM")) {
        return MBEDTLS_CIPHER_AES_128_CCM;
    } else if (strcmp(buf, "AES-128-GCM")) {
        return MBEDTLS_CIPHER_AES_128_GCM;
    } else if (strcmp(buf, "AES-192-CCM")) {
        return MBEDTLS_CIPHER_AES_192_CCM;
    } else if (strcmp(buf, "AES-192-GCM")) {
        return MBEDTLS_CIPHER_AES_192_GCM;
    } else if (strcmp(buf, "AES-256-CCM")) {
        return MBEDTLS_CIPHER_AES_256_CCM;
    } else if (strcmp(buf, "ARIA-128-CCM")) {
        return MBEDTLS_CIPHER_ARIA_128_CCM;
    } else if (strcmp(buf, "ARIA-128-GCM")) {
        return MBEDTLS_CIPHER_ARIA_128_GCM;
    } else if (strcmp(buf, "ARIA-192-CCM")) {
        return MBEDTLS_CIPHER_ARIA_192_CCM;
    } else if (strcmp(buf, "ARIA-192-GCM")) {
        return MBEDTLS_CIPHER_ARIA_192_GCM;
    } else if (strcmp(buf, "ARIA-256-CCM")) {
        return MBEDTLS_CIPHER_ARIA_256_CCM;
    } else if (strcmp(buf, "ARIA-256-GCM")) {
        return MBEDTLS_CIPHER_ARIA_256_GCM;
    } else if (strcmp(buf, "CAMELLIA-128-CCM")) {
        return MBEDTLS_CIPHER_CAMELLIA_128_CCM;
    } else if (strcmp(buf, "CAMELLIA-192-CCM")) {
        return MBEDTLS_CIPHER_CAMELLIA_192_CCM;
    } else if (strcmp(buf, "CAMELLIA-256-CCM")) {
        return MBEDTLS_CIPHER_CAMELLIA_256_CCM;
    } else if (strcmp(buf, "CHACHA20-POLY1305")) {
        return MBEDTLS_CIPHER_CHACHA20_POLY1305;
    }
    return MBEDTLS_CIPHER_NONE;
 }
 int main(int argc, char *argv[])
 {
    int ret = 0, len, written, frags, exchanges_left;
@ -2143,18 +2172,13 @@ usage:
            if (opt.ticket_timeout < 0) {
                goto usage;
            }
-        }
+        } else if (strcmp(p, "ticket_aead") == 0) {
-#if defined(MBEDTLS_CIPHER_C)
+            opt.ticket_aead = parse_cipher(q);
        else if (strcmp(p, "ticket_aead") == 0) {
            const mbedtls_cipher_info_t *ci = mbedtls_cipher_info_from_string(q);
-            if (ci == NULL) {
+            if (opt.ticket_aead == MBEDTLS_CIPHER_NONE) {
                goto usage;
            }
-            opt.ticket_aead = mbedtls_cipher_info_get_type(ci);
+        } else if (strcmp(p, "cache_max") == 0) {
        }
 #endif
        else if (strcmp(p, "cache_max") == 0) {
            opt.cache_max = atoi(q);
            if (opt.cache_max < 0) {
                goto usage;
--- a/tests/scripts/all.sh
+++ b/tests/scripts/all.sh
@ -3702,7 +3702,7 @@ common_psa_crypto_config_accel_cipher_aead() {
 # are meant to be used together in analyze_outcomes.py script in order to test
 # driver's coverage for ciphers and AEADs.
 component_test_psa_crypto_config_accel_cipher_aead () {
-    msg "test: crypto config with accelerated cipher and AEAD"
+    msg "build: crypto config with accelerated cipher and AEAD"
    loc_accel_list="ALG_ECB_NO_PADDING ALG_CBC_NO_PADDING ALG_CBC_PKCS7 ALG_CTR ALG_CFB \
                    ALG_OFB ALG_XTS ALG_STREAM_CIPHER \
@ -3758,13 +3758,22 @@ component_test_psa_crypto_config_accel_cipher_aead () {
    msg "test: crypto config with accelerated cipher and AEAD"
    make test
    msg "ssl-opt: crypto config with accelerated cipher and AEAD"
    tests/ssl-opt.sh
 }
 component_test_psa_crypto_config_reference_cipher_aead () {
    msg "build: crypto config with non-accelerated cipher and AEAD"
    common_psa_crypto_config_accel_cipher_aead
    make
    msg "test: crypto config with non-accelerated cipher and AEAD"
    make test
    msg "ssl-opt: crypto config with non-accelerated cipher and AEAD"
    tests/ssl-opt.sh
 }
 component_test_aead_chachapoly_disabled() {
--- a/tests/ssl-opt.sh
+++ b/tests/ssl-opt.sh
@ -368,6 +368,34 @@ requires_ciphersuite_enabled() {
    esac
 }
 requires_cipher_enabled() {
    KEY_TYPE=$1
    MODE=${2:-}
    if is_config_enabled MBEDTLS_USE_PSA_CRYPTO; then
        case "$KEY_TYPE" in
            CHACHA20)
                requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305
                requires_config_enabled PSA_WANT_KEY_TYPE_CHACHA20
                ;;
            *)
                requires_config_enabled PSA_WANT_ALG_${MODE}
                requires_config_enabled PSA_WANT_KEY_TYPE_${KEY_TYPE}
                ;;
        esac
    else
        case "$KEY_TYPE" in
            CHACHA20)
                requires_config_enabled MBEDTLS_CHACHA20_C
                requires_config_enabled MBEDTLS_CHACHAPOLY_C
                ;;
            *)
                requires_config_enabled MBEDTLS_${MODE}_C
                requires_config_enabled MBEDTLS_${KEY_TYPE}_C
                ;;
        esac
    fi
 }
 # Automatically detect required features based on command line parameters.
 # Parameters are:
 # - $1 = command line (call to a TLS client or server program)
@ -2090,6 +2118,11 @@ run_test    "key size: TLS-ECDHE-ECDSA-WITH-AES-128-CCM-8" \
            -c "Key size is 128"
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_MD_CAN_MD5
 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
 # module does not support PSA dispatching so we need builtin support.
 requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
 requires_config_enabled MBEDTLS_AES_C
 requires_hash_alg SHA_256
 run_test    "TLS: password protected client key" \
            "$P_SRV force_version=tls12 auth_mode=required" \
@ -2097,6 +2130,11 @@ run_test    "TLS: password protected client key" \
            0
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_MD_CAN_MD5
 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
 # module does not support PSA dispatching so we need builtin support.
 requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
 requires_config_enabled MBEDTLS_AES_C
 requires_hash_alg SHA_256
 run_test    "TLS: password protected server key" \
            "$P_SRV crt_file=data_files/server5.crt key_file=data_files/server5.key.enc key_pwd=PolarSSLTest" \
@ -2105,6 +2143,11 @@ run_test    "TLS: password protected server key" \
 requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
 requires_config_enabled MBEDTLS_RSA_C
 requires_config_enabled MBEDTLS_MD_CAN_MD5
 # server5.key.enc is in PEM format and AES-256-CBC crypted. Unfortunately PEM
 # module does not support PSA dispatching so we need builtin support.
 requires_config_enabled MBEDTLS_CIPHER_MODE_CBC
 requires_config_enabled MBEDTLS_AES_C
 requires_hash_alg SHA_256
 run_test    "TLS: password protected server key, two certificates" \
            "$P_SRV force_version=tls12\
@ -3833,6 +3876,7 @@ run_test    "Session resume using tickets: openssl client" \
            -s "session successfully restored from ticket" \
            -s "a session has been resumed"
 requires_cipher_enabled "AES" "GCM"
 run_test    "Session resume using tickets: AES-128-GCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-GCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3847,6 +3891,7 @@ run_test    "Session resume using tickets: AES-128-GCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "AES" "GCM"
 run_test    "Session resume using tickets: AES-192-GCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-GCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3861,6 +3906,7 @@ run_test    "Session resume using tickets: AES-192-GCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "AES" "CCM"
 run_test    "Session resume using tickets: AES-128-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-128-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3875,6 +3921,7 @@ run_test    "Session resume using tickets: AES-128-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "AES" "CCM"
 run_test    "Session resume using tickets: AES-192-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-192-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3889,6 +3936,7 @@ run_test    "Session resume using tickets: AES-192-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "AES" "CCM"
 run_test    "Session resume using tickets: AES-256-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=AES-256-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3903,6 +3951,7 @@ run_test    "Session resume using tickets: AES-256-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "CAMELLIA" "CCM"
 run_test    "Session resume using tickets: CAMELLIA-128-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-128-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3917,6 +3966,7 @@ run_test    "Session resume using tickets: CAMELLIA-128-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "CAMELLIA" "CCM"
 run_test    "Session resume using tickets: CAMELLIA-192-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-192-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3931,6 +3981,7 @@ run_test    "Session resume using tickets: CAMELLIA-192-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "CAMELLIA" "CCM"
 run_test    "Session resume using tickets: CAMELLIA-256-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=CAMELLIA-256-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3945,6 +3996,7 @@ run_test    "Session resume using tickets: CAMELLIA-256-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "GCM"
 run_test    "Session resume using tickets: ARIA-128-GCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-GCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3959,6 +4011,7 @@ run_test    "Session resume using tickets: ARIA-128-GCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "GCM"
 run_test    "Session resume using tickets: ARIA-192-GCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-GCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3973,6 +4026,7 @@ run_test    "Session resume using tickets: ARIA-192-GCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "GCM"
 run_test    "Session resume using tickets: ARIA-256-GCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-GCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -3987,6 +4041,7 @@ run_test    "Session resume using tickets: ARIA-256-GCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "CCM"
 run_test    "Session resume using tickets: ARIA-128-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-128-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4001,6 +4056,7 @@ run_test    "Session resume using tickets: ARIA-128-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "CCM"
 run_test    "Session resume using tickets: ARIA-192-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-192-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4015,6 +4071,7 @@ run_test    "Session resume using tickets: ARIA-192-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "ARIA" "CCM"
 run_test    "Session resume using tickets: ARIA-256-CCM" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=ARIA-256-CCM" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \
@ -4029,6 +4086,7 @@ run_test    "Session resume using tickets: ARIA-256-CCM" \
            -s "a session has been resumed" \
            -c "a session has been resumed"
 requires_cipher_enabled "CHACHA20"
 run_test    "Session resume using tickets: CHACHA20-POLY1305" \
            "$P_SRV debug_level=3 tickets=1 ticket_aead=CHACHA20-POLY1305" \
            "$P_CLI force_version=tls12 debug_level=3 tickets=1 reconnect=1" \