Test TLS 1.2 builds with each encryption type

[mprse]

Description

Resolves #6313

Status

READY

Requires Backporting

Yes/2.28
#6394

Migrations

NO

Additional comments

Any additional information that could be of interest

Todos

• null cipher
• only CBC-legacy (no EtM)
• only CBC-legacy and CBC-EtM

[mprse]

@mpg I wasn't sure if this is going in the right direction a specially part with disabling MBEDTLS_SSL_SESSION_TICKETS, so I created this work in progress PR.
Currently I am able to build default configuration with stream cipher only, but still one test is failing:

DTLS Handshake with serialization, tls1_2 ......................... FAILED
  mbedtls_ssl_context_save( &(server.ssl), NULL, 0, &context_buf_len ) == MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL
  at step 1, line 2303, suites/test_suite_ssl.function
  lhs = 0xffffffffffff8f00 = -28928
  rhs = 0xffffffffffff9600 = -27136

It is failing because mbedtls_ssl_context_save() function returns MBEDTLS_ERR_SSL_BAD_INPUT_DATA due to the fillowing check:

mbedtls/library/ssl_tls.c

Lines 3807 to 3812 in 5596c74

	/* We must be using an AEAD ciphersuite */
	if( mbedtls_ssl_transform_uses_aead( ssl->transform ) != 1 )
	{
	MBEDTLS_SSL_DEBUG_MSG( 1, ( "Only AEAD ciphersuites supported" ) );
	return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA );
	}

I assume that the check fails correctly as AEAD is disabled, so probably this test should be skipped.
The condition to check AEAD is also unclear to me (is MBEDTLS_SSL_SOME_SUITES_USE_MAC guard correct):

mbedtls/library/ssl_misc.h

Lines 1041 to 1050 in 5596c74

	static inline int mbedtls_ssl_transform_uses_aead(
	const mbedtls_ssl_transform *transform )
	{
	#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
	return( transform->maclen == 0 && transform->taglen != 0 );
	#else
	(void) transform;
	return( 1 );
	#endif
	}

[gilles-peskine-arm]

I assume that the check fails correctly as AEAD is disabled, so probably this test should be skipped.

Right, it makes sense that mbedtls_ssl_context_save returns a “I can't do this at all” error in this situation, which has precedence over the usual “I could do this if the buffer was bigger”. Since handshake serialization is only implemented with AEAD, there should probably be a requirement in check_config.h (and then MBEDTLS_SSL_CONTEXT_SERIALIZATION should be disabled in this non-AEAD build).

is MBEDTLS_SSL_SOME_SUITES_USE_MAC guard correct

Looks correct to me: all supported cipher suites either have a MAC or an AEAD tag (we don't implement the NULL_NULL cipher suite which has no security at all, only cipher suites with authentication but where the encryption may be NULL). If there are MAC cipher suites in the build then we check whether the selected cipher suite uses AEAD; if there are no MAC cipher suites then the selected cipher suite must be AEAD.

[mpg]

Just a first quick review for early feedback.

[mpg]

Naming: I'm not sure "crypto" is meaningful here. Since this test (and the other two that are coming) are motivated by the risk for issues with TLS 1.2 when only one of its encryption modes is active, I think tls1_2 would make more sense.

[mpg]

I don't think you need to disable all those ciphers, just disabling CIPHER_MODE_CBC is enough. I think also disabling the ciphers just add clutter (especially with things that depend on AES).

[mpg]

I find it potentially confusing that unset this here and set is a few lines below.

[mprse]

While addressing review comments and optimizing components setup I encountered strange failure:

CMAC init #7 Camellia: wrong cipher ............................... FAILED
  ( cipher_info = mbedtls_cipher_info_from_type( cipher_type ) ) != NULL
  at line 112, suites/test_suite_cmac.function

Test case:

mbedtls/tests/suites/test_suite_cmac.data

Lines 31 to 33 in 77c691f

	CMAC init #7 Camellia: wrong cipher
	depends_on:MBEDTLS_CAMELLIA_C
	mbedtls_cmac_setkey:MBEDTLS_CIPHER_ID_CAMELLIA:128:MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA

MBEDTLS_CIPHER_ID_CAMELLIA is cipher id and it is used as cipher type? This is wrong usage. It is probably done to achieve MBEDTLS_ERR_CIPHER_BAD_INPUT_DATA returned by mbedtls_cipher_cmac(), but now mbedtls_cipher_info_from_type() fails.
MBEDTLS_CIPHER_ID_CAMELLIA is treated as MBEDTLS_CIPHER_AES_128_CBC which in stream cipher only config is disabled.

The test case description says CMAC init #7 Camellia: wrong cipher , but it is unclear to me that we are testing here.

[mpg]

Ah, each time we add tests we uncover new and in this case pretty unexpected bugs!

I think test cases 5 to 7 are wrong in that they use a cipher ID where a cipher type is expected, as you say. I think cases 5 and 6 should use MBEDTLS_CIPHER_AES_128_ECB and case 7 should use MBEDTLS_CIPHER_CAMELLIA_128_ECB - this test is about checking that only AES and 3DES are accepted (because CMAC is defined by NIST, and AES and 3DES are the only NIST-approved block ciphers).

[mpg]

LGTM

[AndrzejKurek]

Minor: double space

[AndrzejKurek]

Ifdef at line 286 - missing MBEDTLS_SSL_TICKET_C

[mpg]

@mprse I believe it's about the guards around USAGE_TICKETS near the top of the file. It's not a major issue (the worst that will happen is that the usage message will mention options that are not actually available in some configs), but not that Andrzej spotted it, we might as well fix it.

[mprse]

Yup. I hope it is ok now (force-pushed the last commit).

[AndrzejKurek]

Please fix the missing ifdef around the usage text.

[mpg]

LGTM

[mprse]

This one together with backport seems to be ready for merge, but I'm not sure about the CI. There is windows build failure, but looks unrelated.

[gilles-peskine-arm]

The Windows failure on OpenCI is an infrastructure glitch and the armcc failure is a known infrastructure issue. The Arm CI passed so this PR has passed the CI.