31001 Commits

Author SHA1 Message Date
Gilles Peskine
d2f191adb0 Document that there is now an error for dangerous inclusions
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Gilles Peskine
690fb5e0b0 Warn if mbedtls_config.h is included manually
Some projects using Mbed TLS have migrated their configuration
file (config.h -> mbedtls_config.h, or MBEDTLS_CONFIG_FILE) from Mbed TLS
2.x, and kept including check_config.h. This is unnecessary since Mbed TLS
3.0, and increasingly in 3.x it may report spurious errors because the
configuration adjustments have not been done yet.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Gilles Peskine
0b8ece6beb Error out if *adjust* headers are included manually
Some projects using Mbed TLS have migrated their configuration
file (config.h -> mbedtls_config.h, or MBEDTLS_CONFIG_FILE) from Mbed TLS
2.x, and kept including check_config.h. This is unnecessary since Mbed TLS
3.0, and increasingly in 3.x it may report spurious errors because the
configuration adjustments have not been done yet. This has led some
projects to include configuration adjustment headers manually, but only
partially or in the wrong order, which can result in silent inconsistencies.
Error out if this happens, with a message mentioning check_config.h since
that's the likely root cause.

```
perl -i -pe '$name = $ARGV; $name =~ s!include/!!; $name =~ s!_adjust_.*!_adjust_*.h!; $_ .= "\n#if !defined(MBEDTLS_CONFIG_FILES_READ)\n#error \"Do not include $name manually! This can lead to problems, \" \\\n    \"up to and including runtime errors such as buffer overflows. \" \\\n    \"If you're trying to fix a complaint from check_config.h, just remove it \" \\\n    \"from your configuration file: since Mbed TLS 3.0, it is included \" \\\n    \"automatically at the right time.\"\n#endif /* !MBEDTLS_CONFIG_FILES_READ */\n" if /^#define .*_H$/' include/*/*adjust*.h
```

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Gilles Peskine
d33eb55cce Macros to indicate the finalization level of the configuration
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Gilles Peskine
fef877f51f Belated changelog entry for not including check_config.h
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Gilles Peskine
975e74cb1f Document check-config.h and *adjust*.h as internal headers
Including *adjust*.h directly is likely to cause them to be applied at the
wrong time, resulting in an invalid or unintended configuration.

Including check_config.h at the wrong time is likely to cause spurious
errors.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-29 09:44:20 +02:00
Ronald Cron
680bee45ca Update framework submodule to the merge of PR
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-28 18:33:42 +02:00
Bence Szépkúti
e3abb6a148
Merge pull request from davidhorstmann-arm/move-mbedtls-dev-to-framework
Move `mbedtls_dev` to framework submodule
2024-05-28 15:50:47 +00:00
Tom Cosgrove
38f6c86724 Remove unnecessary blank lines at top of functions in psa_ff_server.c
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Tom Cosgrove
9919543f5c Only print PSA crypto sim server messages when DEBUG defined
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Tom Cosgrove
f69445ccaf Fix sending a response of more than 184 bytes in psa_ff_server.c:psa_write()
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Tom Cosgrove
bdc4c2d750 Fix PSA sim test awk script by removing extra $
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Tom Cosgrove
0a57a253cc Fix psa_ff_server.c to calculate the amount of data from client correctly
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Tom Cosgrove
b7e5f31e2a Replace final sprintf() with snprintf() in psa_ff_server.c
Signed-off-by: Tom Cosgrove <tom.cosgrove@arm.com>
2024-05-28 14:31:48 +03:00
Ronald Cron
a7ec5c888c Update framework submodule to the merge of
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-27 17:48:53 +02:00
Valerio Setti
a37ea269a9 adjust_legacy_crypto: enable CIPHER_C when PSA CMAC is builtin
psa_crypto_mac.c uses mbedtls_cipher_xxx() functions to perform
CMAC operations. Therefore we need to enable CIPHER_C when
PSA CMAC is builtin.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-05-24 14:37:05 +02:00
Gilles Peskine
c7569a8c4b
Merge pull request from gilles-peskine-arm/analyze_outcomes-generate_files
Generate test data before coverage analysis
2024-05-23 12:08:15 +00:00
Gilles Peskine
39c5207d79 ssl-opt.sh, compat.sh: Error out if not executing any tests
Alert if all tests are filtered out or skipped: that probably indicates a
test script that set up an unintended configuration or an overly strict
filter. You can pass `--min 0` to bypass this check. You can pass `--min`
with a larger value to require that many test cases to run.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-23 13:38:26 +02:00
Ronald Cron
f5473a0260
Merge pull request from Ryan-Everett-arm/crypto-config-test_ref_configs
Update the reference configs to use `MBEDTLS_PSA_CRYPTO_CONFIG`
2024-05-23 05:58:55 +00:00
Gilles Peskine
2ad2f3207e Pacify pylint
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-22 09:35:11 +02:00
Gilles Peskine
78ae4f6fe1 Generate test data before coverage analysis
Fixes .

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2024-05-21 20:26:18 +02:00
Tom Cosgrove
df1bfec990
Merge pull request from valeriosetti/issue8963
Add client-server build to all.sh
2024-05-20 07:14:37 +00:00
Turiiya
27098b458b fix typo
Signed-off-by: Turiiya <34311583+ttytm@users.noreply.github.com>
2024-05-18 18:08:12 +02:00
Thomas Daubney
a8004f27b7 Add additional CCM unset
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-05-17 14:48:47 +01:00
Thomas Daubney
8f83ba08e2 Change the way CBC is set
Signed-off-by: Thomas Daubney <thomas.daubney@arm.com>
2024-05-17 14:44:15 +01:00
Ronald Cron
b30cd3bb8f Improve test-ref-configs.pl
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-17 14:34:11 +02:00
Ronald Cron
ca6b1e9df3 Adjust crypto-config-thread.h
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-17 14:34:11 +02:00
Ronald Cron
b48c8704e6 Fix crypto_adjust_config_dependencies.h documentation
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-17 14:34:11 +02:00
Ronald Cron
c4c8bdf32e Fix PBKDF2_AES_CMAC_PRF_128 dependencies
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-17 14:34:06 +02:00
Ronald Cron
97f0ea7611 Fix the resolution of dependencies on HMAC
The Mbed TLS implementations of ALG_TLS12_PRF,
ALG_TLS12_PSK_TO_MS, ALG_HKDF, ALG_HKDF_EXTRACT,
ALG_HKDF_EXPAND and ALG_PBKDF2 rely on HMAC
operations through the driver interface. Thus
if one of these algorithms is enabled and not
accelerated, we need ALG_HMAC to be enabled
(PSA_WANT_ALG_HMAC and PSA_WANT_KEY_TYPE_HMAC
defined). As HMAC operations occur through
the driver interface, HMAC operations can be
accelerated even if the caller algorithm
is not.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-17 14:33:44 +02:00
Valerio Setti
1f3c99c774 psa_autogen.py: improve management of output files
While at this, fix also Makefile so that "make clean" does not
complain if some of the files to be cancelled do not exist.

Signed-off-by: Valerio Setti <valerio.setti@nordicsemi.no>
2024-05-16 16:13:38 +02:00
Ronald Cron
1f95ede98c Fix "maybe-uninitialized" warning with GCC 11.3
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
a33a824d8a Resolve PBKDF2_AES_CMAC_PRF_128 dependencies
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
b0c96f47e7 Resolve some HMAC dependencies automatically
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
b3a400b9bd config-suite-b: Enable EC with PSA_WANT
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
b16e1c2c2f Remove direct enablement of MBEDTLS_CIPHER/MD_C
Kept MD in thread config as needed for
HMAC_DRBG.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
4de85396cf Enable MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO
Enable MBEDTLS_PSA_CRYPTO_C and MBEDTLS_USE_PSA_CRYPTO
is reference configurations as we are working towards
removing (always on) them.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
4dd6631aac test-ref-configs.pl: Detect automatically test with USE_PSA enabled
Change the way we decide if for a given
configuration we need to run tests with
and without MBEDTLS_USE_PSA_CRYPTO enabled.
That makes the script suitable for 3.6 and
development branch.

Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ronald Cron
640276268d Fix compat.sh filters
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
21eaa77ba8 Address ccm-psk-tls1_2 comments
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
0855b26a80 Address thread comments
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
2abd658030 Address symmetric-only comments
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
c3051572ca Address suite-b comments
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
44d7ddf82f In suite-b move definition of MBEDTLS_PSA_CRYPTO_CONFIG_FILE
Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
4540cd3429 Add a crypto config file for suite-b
Also converts legacy symbols into their PSA equivalents.
When PSA is defined this does not change the compiled code

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
0a0393e8bd Use crypto config for ccm-psk-dtls1_2.h
Convert legacy symbols to their PSA equivalents.
This does not change code compiled when this config is active with PSA
enabled

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:03 +02:00
Ryan Everett
ab5ec9d3a4 Add a crypto config file for ccm-psk-tls1_2.h
Also convert legacy symbols to their PSA equivalents.
This does not change code compiled when this config is active with PSA
enabled

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:02 +02:00
Ryan Everett
d3b11571e2 Add a crypto-config file for symmetric-only
Replaces legacy symbols with the PSA equivalents.
This doesn't change the code generated when this config is active

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:02 +02:00
Ryan Everett
885ea8db8f Add a crypto config file for config-thread
This file consists of PSA symbols which are defined
if and only if the original config was set

Signed-off-by: Ryan Everett <ryan.everett@arm.com>
2024-05-16 08:12:02 +02:00
Gilles Peskine
bdce65700e
Merge pull request from gilles-peskine-arm/ssl-opt-server2-detection
Fix skipped tests in configurations without RSA
2024-05-15 12:06:31 +00:00