Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Test TLS 1.2 builds with each encryption type #6374

Merged
merged 23 commits into from
Oct 12, 2022
Merged

Test TLS 1.2 builds with each encryption type #6374

Changes from 1 commit
Commits
Show all changes
23 commits
Select commit Hold shift + click to select a range
11c362a
Add component to build and test default config with stream cipher only
mprse Sep 27, 2022
89ad623
Fix guards for mbedtls_ct_size_mask() and mbedtls_ct_memcpy_if_eq()
mprse Sep 27, 2022
a82290b
Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_ticket_pars…
mprse Sep 27, 2022
6f29a6c
test_suite_cipher.function: always include aes.h
mprse Sep 27, 2022
4c49927
Fix unused variables warnings in default + stream cipher only build
mprse Sep 27, 2022
d582a01
Make MBEDTLS_SSL_CONTEXT_SERIALIZATION dependent on AEAD
mprse Sep 28, 2022
e31ba83
Use basic symbols instead MBEDTLS_CIPHER_MODE_AEAD in check config
mprse Sep 28, 2022
9550c05
Add component to build and test full config with stream cipher only
mprse Sep 28, 2022
b0de1c0
Add components to build and test default/full config with legacy-ccm …
mprse Sep 28, 2022
0cc3466
Change testing strategy to default + one cypher only (psa/no psa)
mprse Sep 28, 2022
68db0d2
Optimize one cipher only components and adapt nemes
mprse Sep 29, 2022
a891a09
test_suite_cmac.data: fix bug: use cipher type instead cipher id
mprse Sep 29, 2022
8d4b241
Remove redundant indirect dependencies after optimizing setup for one…
mprse Sep 29, 2022
ce5b68c
Revert "Fix guards for mbedtls_ssl_ticket_write() and mbedtls_ssl_tic…
mprse Sep 29, 2022
48a6a66
Add ssl-opt tls 1.2 tests for single cipher builds
mprse Sep 29, 2022
460192e
Fix and sync configuration file and configuration verifiation
mprse Oct 3, 2022
6a5cc74
Fix typos and comments
mprse Oct 3, 2022
0957e7b
Rmove MBEDTLS_NIST_KW_C dependency from MBEDTLS_SSL_TICKET_C
mprse Oct 3, 2022
e32cd44
Add changelog entry: tls 1.2 builds with single encryption type
mprse Oct 5, 2022
52a428b
Fix MBEDTLS_SSL_TICKET_C, MBEDTLS_SSL_SESSION_TICKETS dependencies
mprse Oct 10, 2022
68a01a6
Fix session tickets related build flags in fuzz_server and ssl_server2
mprse Oct 10, 2022
1f02c6c
Reword change log entry
mprse Oct 10, 2022
d61a4d3
Fix missing guard and double-space
mprse Oct 11, 2022
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
32 changes: 32 additions & 0 deletions tests/scripts/all.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -1274,6 +1274,38 @@ component_test_crypto_full_no_cipher () {
make test
}

component_test_crypto_default_stream_cipher_only () {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Naming: I'm not sure "crypto" is meaningful here. Since this test (and the other two that are coming) are motivated by the risk for issues with TLS 1.2 when only one of its encryption modes is active, I think tls1_2 would make more sense.

msg "build: default with only stream cipher"

# Disable all ciphers
# AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
# CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia, DES))
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_AES_C
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I don't think you need to disable all those ciphers, just disabling CIPHER_MODE_CBC is enough. I think also disabling the ciphers just add clutter (especially with things that depend on AES).

scripts/config.py unset MBEDTLS_CAMELLIA_C
scripts/config.py unset MBEDTLS_ARIA_C
scripts/config.py unset MBEDTLS_DES_C
# CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I find it potentially confusing that unset this here and set is a few lines below.

# Indirect dependencies
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_NIST_KW_C

# Enable stream(null) cipher only
scripts/config.py set MBEDTLS_CIPHER_NULL_CIPHER
make

msg "test: default with only stream cipher"
make test
mpg marked this conversation as resolved.
Show resolved Hide resolved
}


component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
scripts/config.py full
Expand Down