From fef912c30be7185fe711437b41af2642b2f14b8f Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 20 Sep 2024 16:07:09 +0200 Subject: [PATCH 1/6] Test partial ECC creation support: switch to MBEDTLS_USE_PSA_CRYPTO With PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE disabled, test TLS 1.3 and USE_PSA TLS 1.2. With PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_GENERATE disabled, just test crypto, because the TLS code needs that to generate ephemeral ECDH keys but this is not tracked properly (the ephemeral ECDH code is only gated on having ECDH). Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 26 +++++++++++-------- 1 file changed, 15 insertions(+), 11 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 68de6bbc20..0fa69b0ca0 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -1495,17 +1495,17 @@ component_test_tfm_config_no_p256m () { # - component_test_psa_ecc_key_pair_no_generate # The goal is to test with all PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy symbols # enabled, but one. Input arguments are as follows: -# - $1 is the key type under test, i.e. ECC/RSA/DH -# - $2 is the key option to be unset (i.e. generate, derive, etc) +# - $1 is the configuration to start from +# - $2 is the key type under test, i.e. ECC/RSA/DH +# - $3 is the key option to be unset (i.e. generate, derive, etc) build_and_test_psa_want_key_pair_partial () { - key_type=$1 - unset_option=$2 + base_config=$1 + key_type=$2 + unset_option=$3 disabled_psa_want="PSA_WANT_KEY_TYPE_${key_type}_KEY_PAIR_${unset_option}" - msg "build: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 + msg "build: $base_config - ${disabled_psa_want}" + scripts/config.py "$base_config" # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in # crypto_config.h so we just disable the one we don't want. @@ -1513,16 +1513,20 @@ build_and_test_psa_want_key_pair_partial () { make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}" + msg "test: $base_config - ${disabled_psa_want}" make test } component_test_psa_ecc_key_pair_no_derive () { - build_and_test_psa_want_key_pair_partial "ECC" "DERIVE" + build_and_test_psa_want_key_pair_partial full "ECC" "DERIVE" } component_test_psa_ecc_key_pair_no_generate () { - build_and_test_psa_want_key_pair_partial "ECC" "GENERATE" + # TLS needs ECC key generation whenever ephemeral ECDH is enabled. + # We don't have proper guards for configurations with ECC key generation + # disabled (https://github.com/Mbed-TLS/mbedtls/issues/9481). Until + # then (if ever), just test the crypto part of the library. + build_and_test_psa_want_key_pair_partial crypto_full "ECC" "GENERATE" } config_psa_crypto_accel_rsa () { From 8fd211736084f601b9a42d0f66014dc5300a3336 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 20 Sep 2024 17:42:10 +0200 Subject: [PATCH 2/6] Remove !MBEDTLS_USE_PSA_CRYPTO test cases that have a USE_PSA alternate Signed-off-by: Gilles Peskine --- tests/suites/test_suite_x509parse.data | 4 ---- tf-psa-crypto/tests/suites/test_suite_pk.data | 4 ---- 2 files changed, 8 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 15380b0a2f..d962f34b60 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -899,10 +899,6 @@ X509 CRT verification #67 (Valid, RSASSA-PSS, all defaults) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_1 x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" -X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, !USE_PSA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:!MBEDTLS_USE_PSA_CRYPTO -x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":MBEDTLS_ERR_X509_CERT_VERIFY_FAILED:MBEDTLS_X509_BADCERT_NOT_TRUSTED:"compat":"NULL" - X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA) depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" diff --git a/tf-psa-crypto/tests/suites/test_suite_pk.data b/tf-psa-crypto/tests/suites/test_suite_pk.data index b76a2e440b..6e3d5f43b8 100644 --- a/tf-psa-crypto/tests/suites/test_suite_pk.data +++ b/tf-psa-crypto/tests/suites/test_suite_pk.data @@ -526,10 +526,6 @@ Verify ext RSA #4 (PKCS1 v2.1, salt_len = max, OK) depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256 pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:94:128:0 -Verify ext RSA #5a (PKCS1 v2.1, wrong salt_len) !USE_PSA -depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256:!MBEDTLS_USE_PSA_CRYPTO -pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:MBEDTLS_ERR_RSA_INVALID_PADDING - Verify ext RSA #5b (PKCS1 v2.1, wrong salt_len) USE_PSA depends_on:MBEDTLS_PKCS1_V21:PSA_WANT_ALG_SHA_256:MBEDTLS_USE_PSA_CRYPTO pk_rsa_verify_ext_test_vec:"c0719e9a8d5d838d861dc6f675c899d2b309a3a65bb9fe6b11e5afcbf9a2c0b1":MBEDTLS_MD_SHA256:1024:"00dd118a9f99bab068ca2aea3b6a6d5997ed4ec954e40deecea07da01eaae80ec2bb1340db8a128e891324a5c5f5fad8f590d7c8cacbc5fe931dafda1223735279461abaa0572b761631b3a8afe7389b088b63993a0a25ee45d21858bab9931aedd4589a631b37fcf714089f856549f359326dd1e0e86dde52ed66b4a90bda4095":"010001":"0d2bdb0456a3d651d5bd48a4204493898f72cf1aaddd71387cc058bc3f4c235ea6be4010fd61b28e1fbb275462b53775c04be9022d38b6a2e0387dddba86a3f8554d2858044a59fddbd594753fc056fe33c8daddb85dc70d164690b1182209ff84824e0be10e35c379f2f378bf176a9f7cb94d95e44d90276a298c8810f741c9":MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256:32:128:0 From 43b4264cd8116538c48f46af362e284cbdd000e9 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sat, 21 Sep 2024 20:00:44 +0200 Subject: [PATCH 3/6] Enable MBEDTLS_USE_PSA_CRYPTO by default Signed-off-by: Gilles Peskine --- include/mbedtls/mbedtls_config.h | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index 80009c043b..d831c8d5fe 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -1955,7 +1955,7 @@ * * Uncomment this to enable internal use of PSA Crypto and new associated APIs. */ -//#define MBEDTLS_USE_PSA_CRYPTO +#define MBEDTLS_USE_PSA_CRYPTO /** * \def MBEDTLS_PSA_CRYPTO_CONFIG From d2da02b1ce13ac80d7cc65fe6c8a23c8398b717b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Sun, 6 Oct 2024 13:43:37 +0200 Subject: [PATCH 4/6] Remove obsolete exemptions from test case coverage Signed-off-by: Gilles Peskine --- tests/scripts/analyze_outcomes.py | 6 ------ 1 file changed, 6 deletions(-) diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index 43982ce810..9833d56cc1 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -85,12 +85,6 @@ class CoverageTask(outcome_analysis.CoverageTask): # TLS doesn't use restartable ECDH yet. # https://github.com/Mbed-TLS/mbedtls/issues/7294 re.compile(r'EC restart:.*no USE_PSA.*'), - # It seems that we don't run `ssl-opt.sh` with - # `MBEDTLS_USE_PSA_CRYPTO` enabled but `MBEDTLS_SSL_ASYNC_PRIVATE` - # disabled. - # https://github.com/Mbed-TLS/mbedtls/issues/9581 - 'Opaque key for server authentication: invalid key: decrypt with ECC key, no async', - 'Opaque key for server authentication: invalid key: ecdh with RSA key, no async', ], 'test_suite_config.mbedtls_boolean': [ # https://github.com/Mbed-TLS/mbedtls/issues/9583 From 99c34238e2afb9051671e3a986b112982fa42794 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Oct 2024 18:01:49 +0200 Subject: [PATCH 5/6] Changelog entry for MBEDTLS_USE_PSA_CRYPTO always enabled Signed-off-by: Gilles Peskine --- ChangeLog.d/psa-always-on.txt | 9 +++++++++ 1 file changed, 9 insertions(+) create mode 100644 ChangeLog.d/psa-always-on.txt diff --git a/ChangeLog.d/psa-always-on.txt b/ChangeLog.d/psa-always-on.txt new file mode 100644 index 0000000000..49edb3ed22 --- /dev/null +++ b/ChangeLog.d/psa-always-on.txt @@ -0,0 +1,9 @@ +Default behavior changes + * The PK, X.509, PKCS7 and TLS modules now always use the PSA subsystem + to perform cryptographic operations, with a few exceptions documented + in docs/use-psa-crypto.md. This corresponds to the behavior of + Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. In effect, + MBEDTLS_USE_PSA_CRYPTO is now always enabled. + * psa_crypto_init() must be called before performing any cryptographic + operation, including indirect requests such as parsing a key or + certificate or starting a TLS handshake. From 3982898c3ab6ad802a35f61d47d90e19f93f9e89 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Fri, 20 Sep 2024 15:58:57 +0200 Subject: [PATCH 6/6] Remove legacy components with an equivalent USE_PSA component Remove all.sh components that explicitly disable MBEDTLS_USE_PSA_CRYPTO, and for which there is another component with MBEDTLS_USE_PSA_CRYPTO enabled that does the same or more testing. Signed-off-by: Gilles Peskine --- .../components-configuration-crypto.sh | 75 ------------------- tests/scripts/components-sanitizers.sh | 54 ------------- 2 files changed, 129 deletions(-) diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 0fa69b0ca0..4d53e5cc75 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -102,29 +102,6 @@ component_test_rsa_no_crt () { tests/context-info.sh } -component_test_no_ctr_drbg_classic () { - msg "build: Full minus CTR_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus CTR_DRBG, classic crypto - main suites" - make test - - # In this configuration, the TLS test programs use HMAC_DRBG. - # The SSL tests are slow, so run a small subset, just enough to get - # confidence that the SSL code copes with HMAC_DRBG. - msg "test: Full minus CTR_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private.*delay=\|tickets enabled on server' - - msg "test: Full minus CTR_DRBG, classic crypto - compat.sh (subset)" - tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL -} - component_test_no_ctr_drbg_use_psa () { msg "build: Full minus CTR_DRBG, PSA crypto in TLS" scripts/config.py full @@ -147,34 +124,6 @@ component_test_no_ctr_drbg_use_psa () { tests/compat.sh -m tls12 -t 'ECDSA PSK' -V NO -p OpenSSL } -component_test_no_hmac_drbg_classic () { - msg "build: Full minus HMAC_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: Full minus HMAC_DRBG, classic crypto - main suites" - make test - - # Normally our ECDSA implementation uses deterministic ECDSA. But since - # HMAC_DRBG is disabled in this configuration, randomized ECDSA is used - # instead. - # Test SSL with non-deterministic ECDSA. Only test features that - # might be affected by how ECDSA signature is performed. - msg "test: Full minus HMAC_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default\|SSL async private: sign' - - # To save time, only test one protocol version, since this part of - # the protocol is identical in (D)TLS up to 1.2. - msg "test: Full minus HMAC_DRBG, classic crypto - compat.sh (ECDSA)" - tests/compat.sh -m tls12 -t 'ECDSA' -} - component_test_no_hmac_drbg_use_psa () { msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" scripts/config.py full @@ -202,30 +151,6 @@ component_test_no_hmac_drbg_use_psa () { tests/compat.sh -m tls12 -t 'ECDSA' } -component_test_psa_external_rng_no_drbg_classic () { - msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto in TLS" - scripts/config.py full - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 - scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C - scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED - scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT - scripts/config.py unset MBEDTLS_CTR_DRBG_C - scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG - # When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG, - # the SSL test programs don't have an RNG and can't work. Explicitly - # make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG. - make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites" - make test - - msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - ssl-opt.sh (subset)" - tests/ssl-opt.sh -f 'Default' -} - component_test_psa_external_rng_no_drbg_use_psa () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" scripts/config.py full diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh index a3c150b463..e872af0c9f 100644 --- a/tests/scripts/components-sanitizers.sh +++ b/tests/scripts/components-sanitizers.sh @@ -37,26 +37,6 @@ skip_all_except_given_suite () { export SKIP_TEST_SUITES } -component_test_memsan_constant_flow () { - # This tests both (1) accesses to undefined memory, and (2) branches or - # memory access depending on secret values. To distinguish between those: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - does the failure persist? - # - or alternatively, change the build type to MemSanDbg, which enables - # origin tracking and nicer stack traces (which are useful for debugging - # anyway), and check if the origin was TEST_CF_SECRET() or something else. - msg "build: cmake MSan (clang), full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - scripts/config.py unset MBEDTLS_AESNI_C # memsan doesn't grok asm - scripts/config.py unset MBEDTLS_HAVE_ASM - CC=clang cmake -D CMAKE_BUILD_TYPE:String=MemSan . - make - - msg "test: main suites (full minus MBEDTLS_USE_PSA_CRYPTO, Msan + constant flow)" - make test -} - component_test_memsan_constant_flow_psa () { # This tests both (1) accesses to undefined memory, and (2) branches or # memory access depending on secret values. To distinguish between those: @@ -76,39 +56,6 @@ component_test_memsan_constant_flow_psa () { make test } -component_release_test_valgrind_constant_flow () { - # This tests both (1) everything that valgrind's memcheck usually checks - # (heap buffer overflows, use of uninitialized memory, use-after-free, - # etc.) and (2) branches or memory access depending on secret values, - # which will be reported as uninitialized memory. To distinguish between - # secret and actually uninitialized: - # - unset MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - does the failure persist? - # - or alternatively, build with debug info and manually run the offending - # test suite with valgrind --track-origins=yes, then check if the origin - # was TEST_CF_SECRET() or something else. - msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO with constant flow testing" - scripts/config.py full - scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO - skip_suites_without_constant_flow - cmake -D CMAKE_BUILD_TYPE:String=Release . - make - - # this only shows a summary of the results (how many of each type) - # details are left in Testing//DynamicAnalysis.xml - msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, valgrind + constant flow)" - make memcheck - - # Test asm path in constant time module - by default, it will test the plain C - # path under Valgrind or Memsan. Running only the constant_time tests is fast (<1s) - msg "test: valgrind asm constant_time" - skip_all_except_given_suite test_suite_constant_time - cmake -D CMAKE_BUILD_TYPE:String=Release . - make clean - make - make memcheck -} - component_release_test_valgrind_constant_flow_no_asm () { # This tests both (1) everything that valgrind's memcheck usually checks # (heap buffer overflows, use of uninitialized memory, use-after-free, @@ -122,7 +69,6 @@ component_release_test_valgrind_constant_flow_no_asm () { msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing" scripts/config.py full scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND - scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_HAVE_ASM skip_suites_without_constant_flow