Commit Graph

14314 Commits

Author SHA1 Message Date
Ron Eldor
3c6a44bed8 Add interop tests
Add some interoperability tests with openssl and gnutls, in ssl-opts.sh.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
311b95aafe Fix compilation errors
Fix compilation errors when `MBEDTLS_DTLS_SRTP` not set
1. Add file missed in previous commmit.
2. In sample applications, set `DFL_FORCE_SRTP_PROFILE` to 0.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
b465539476 Add tests and code to support
1. Add DTLS-SRTP tests in `ssl-opts.sh`
2. Add logs for the tests to filter.
3. Add function to get the profile informations.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
1c399bdffe Set authmode to optional, if not set
Set authmode to `MBEDTLS_SSL_VERIFY_REQUIRED` when using dtls-srtp,
in case authmode was not set. This is to support self signed certificates
received by the server, which is the case with webRTC. Certificate fingerprints
are verified outside the dtls stack, as defined in RFC 5763.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
12c6eaddd5 Fix mki issues
1. Set correct mki from the `use_srtp` extension.
2. Use mki value received from the client as the mki used by server.
3. Use `mbedtls_ssl_dtls_srtp_set_mki_value()` as a client API only.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
6ea64518ad Add dtls-srtp to client and server examples
Add dtls-srtp to `ssl_client2` and `ssl_server2` examples,
for reference and for allowing in tests.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
9d36d311e3 Fix failure in ssl-opts.sh
Return a debg message that was removed in previous commit,
Whic is searched in the ssl-opts.sh test.

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
4cbe69332a Add ChangeLog
Add ChangLog item, describing the feature

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
57cc70ec81 Enforce SRTP mandatory HS messages
Enforce CertificateRequest, client and server Certificates, and
CertificateVerify messages, which are mandatory in DTLS-SRTP,
as defined in RFC 5764 section 4.1

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
9e9096476e Fix doxygen script errors
Fix errors raised by doxygen.sh test script

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
349877e948 Fix idetifier check script error
Fix script error for identifier check

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
a37326abb1 Make keyu material length in \ out
Make the key material length in mbedtls_ssl_get_dtls_srtp_key_material
to be in\out, like it is done all over the library

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
591f162bed support mki value
Add support mki value in the DTLS-SRTP

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Ron Eldor
3adb9928f3 Add mki value and some review comments
1. Add check for prerequisites in check_config.h
2. Add mki value to use_srtp extension
3. address some review comments

Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
34790789b6 Remove compilation warning
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
701984d300 Comply with mbedtls naming rules
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
c28f1f600e Fix typos in documentation
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
2d9470be76 Improve DTLS SRTP API with a dedicated function to get generated keys
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
bbc057af73 Move available dtls srtp profile list to ssl_config
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Johan Pascal
b62bb51aff Add RFC5764 - SRTP key generation during DTLS handshake
Signed-off-by: Johan Pascal <johan.pascal@belledonne-communications.com>
2020-10-29 01:14:49 +01:00
Gilles Peskine
935b4f96f9
Merge pull request #3407 from RcColes/development
Increase compatibility with external cmake
2020-10-28 12:29:14 +01:00
Gilles Peskine
ce3ec6ffd6 Unify the sections on key creation
Now that transparent drivers have an "import_key" entry point, the key
creation interfaces for transparent drivers and opaque drivers are
very similar. Unify the sections that describe their behavior,
including key validation and key size determination.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-10-27 18:31:50 +01:00
Gilles Peskine
2d0b7231f7
Merge pull request #3712 from jdurkop/psa-crypto-config-ecdsa-3670
Introduce MBEDTLS_PSA_CRYPTO_CONFIG and use it for ECDSA
2020-10-27 17:40:04 +01:00
Fredrik Strupe
d61ed3c52f PSA Crypto: Add zero-length input test vectors for ChaChaPoly
Signed-off-by: Fredrik Strupe <fredrik.strupe@silabs.com>
2020-10-27 14:11:53 +01:00
John Durkop
f87e3aea16 Update guards in PSA crypto library for ECDSA and DETERMINISTIC support
In the PSA crypto library, the code for verification of ECDSA is the same for
both MBEDTLS_PSA_BUILTIN_ALG_ECDSA and
MBEDTLS_PSA_BUILTIN_ALG_DETERMINISTIC_ECDSA. So, the guards should allow for
either one to enable the code blocks. The original implementation only had
the check for ECDSA. In order to make this work, config_psa.h was updated
to ensure when MBEDTLS_CRYPTO_CONFIG is disabled, the setting for DETERMINISTIC
is only updated if MBEDTLS_ECDSA_C is also enabled.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-26 15:25:23 -07:00
Gilles Peskine
12760595e7 Replace validate_key by import_key
When importing a transparent key, the key needs to be not only
validated, but also possibly converted, if it is not already in the
canonical representation. So change the validate_key entry point to an
import_key entry point.

Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
2020-10-26 18:07:01 +01:00
John Durkop
e7012c7725 Cleaned up test_psa_crypto_config_no_driver based on review comments
Removed comment referencing test driver header path and the inclusion of
the test driver directory from the build since it is not required
for that test.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-26 09:55:01 -07:00
John Durkop
36a82e5a6b Ensure MBEDTLS_ECDSA_C is set when DETERMINISTIC_ECDSA is used
Ensure that MBEDTLS_ECDSA_C is set when PSA_WANT_ALG_DETERMINISTIC_ECDSA
is requested. Also added MBEDTLS_ECDSA_C to the requirements comment in
config.h for MBEDTLS_ECDSA_DETERMINISTIC.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-26 09:39:05 -07:00
Steven Cooreman
3ea0ce450f Separate 'import' from 'load into slot'
Now that there's a validate_key entry point for drivers, it becomes
much more important to separate the import action (where a key needs
to be validated) from the load action (where a key has been
previously validated, and thus re-validating it would be a waste of
time).

This also exposes why not storing the 'bits' attribute persistently
was a bad idea. The only reason there's a rather large function to
detect bit size is because loading from persistent storage requires
it.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
f7cebd4a2b Add internal helper function to load prevalidated key material
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
0452476eac Implement, plug in and test validate_key driver entry point
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Steven Cooreman
398aee5742 Rework psa_copy_key_material
There's no need for calling export-and-import when the key is
guaranteed to have been stored in export representation.

Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-26 16:41:37 +01:00
Gilles Peskine
01fc209969
Merge pull request #3748 from torstenes/3740_PSA_key_storage_systematically_store_bits
Changes PSA key storage format to include key bits
2020-10-26 15:33:58 +01:00
Gilles Peskine
db8298ca61
Merge pull request #3802 from peter-toft-greve/minimum_cmake
Update mimimum required cmake version
2020-10-26 14:36:08 +01:00
Gilles Peskine
eca1855147
Merge pull request #3814 from stevew817/bugfix/cpp_guard
Add missing bracket for CPP guard
2020-10-26 14:26:41 +01:00
gabor-mezei-arm
95db3012c8
Make the aes xts methods independent from MBEDTLS_AES_SETKEY_DEC_ALT
This is fix for the MBEDTLS_AES_SETKEY_DEC_ALT macro switch is including the aes xts methods
and building with a custom mbedtls_aes_setkey_dec function will disable the aes xts methods.
The fix is separating the aes xts methods and the MBEDTLS_AES_SETKEY_DEC_ALT can only
switch the presence of the mbedtls_aes_setkey_dec function.

Signed-off-by: gabor-mezei-arm <gabor.mezei@arm.com>
2020-10-26 11:52:05 +01:00
Torstein Nesse
821f291d77 Ensure that all test vectors only contain one error.
Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>
2020-10-24 09:46:49 +02:00
John Durkop
8ac0b80e9b Rename test_psa_want_ecdsa_disabled_softare
Changed the test name from test_ to build_ to better reflect
what the test is currently performing.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-23 01:32:15 -07:00
John Durkop
4377bf7479 Added new PSA crypto config test with no test driver
Added a new test to all.sh to confirm that using MBEDTLS_PSA_CRYPTO_CONFIG
with no test driver and the library is configured with normal configurations
that the test works.

Minor updates to other PSA crypto tests to cleanup msg output for consistency.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-23 01:26:57 -07:00
John Durkop
6dff93ff9b Ensure dependent features also included by config_psa.h
When the PSA crypto features need to be setup based on the
PSA_WANT_xxx macros, the dependent features also need to be
enabled. This change corrects that for the MBEDTLS_ECDSA_DETERMINISTIC.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-23 01:22:58 -07:00
John Durkop
28baa1f141 Fixed test_psa_want_ecdsa_disabled_software to use proper macros
Updated the test_psa_want_ecdsa_disabled_software to enable and disable
the correct macros to accomplish the desired test. The previous version
left out the disabling of additional macros to ensure items related
to MBEDTLS_ECDSA_C were also unset. The test was also missing the setting
of the accelerators MBEDTLS_PSA_ACCEL_ALG_ECDSA and DETERMINISTIC_ECDSA.

With the accelerators enabled the test portion had to be temporarily
disabled until the accelerator code is completed so the test will work
properly.

Updated the signature driver source to fix a compiler warning when
MBEDTLS_ECDSA_C is unset.

Signed-off-by: John Durkop <john.durkop@fermatsoftware.com>
2020-10-23 00:51:52 -07:00
Janos Follath
da9f92c2b2
Merge pull request #3805 from hanno-arm/check_dtls_timers_only_once
Check presence of DTLS retransmission timers only once
2020-10-22 14:29:16 +01:00
Torstein Nesse
ce1494b6ee Update ChangeLog.d/systematically_store_bit_size_3740.txt
Signed-off-by: Torstein Nesse <torstein.nesse@silabs.com>

Co-authored-by: Gilles Peskine <gilles.peskine@arm.com>
2020-10-22 12:12:22 +02:00
Steven Cooreman
88ebb2d7d0 Include public and public-ish PSA headers in CPP check
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-22 11:55:50 +02:00
Steven Cooreman
8c31025310 Add missing bracket for CPP guard
Signed-off-by: Steven Cooreman <steven.cooreman@silabs.com>
2020-10-22 10:43:45 +02:00
Peter Toft
70e2062218 Updated minimum cmake requirement down to 2.8.12
* As described in issue #3801 the upcoming cmake 3.19
  will not support cmake 2.6 any more
* This PR updates the mimimum required cmake version
  to 2.8.12, which will not give a warning with cmake 3.19
  but still compatible with MbedTLS support of RHEL/CentOS 7 LTS
* Adding ChangeLog.d/bugfix_PR3802.txt

Signed-off-by: Peter Toft <peter.toft@dirac.com>
2020-10-22 10:43:40 +02:00
Gilles Peskine
1b275cc5d0
Merge pull request #3772 from frestr/bugfix/ccm_add_length
Fix additional data length field check for CCM
2020-10-21 22:31:48 +02:00
Gilles Peskine
176fca03b4
Merge pull request #3793 from daverodgman/ccm_test_memory_fix
Fix memory allocation in ccm tests
2020-10-21 22:30:50 +02:00
Gilles Peskine
ec32a74024
Merge pull request #3799 from d3zd3z/fixchar
Fix ssl_context_info handling of EOF (build failure if char is unsigned)
2020-10-21 22:30:15 +02:00
Gilles Peskine
b7eaa77e2a
Merge pull request #3743 from stevew817/bugfix/use_ecdh_key_in_streamlined_derivation
Fix PSA crypto inconsistencies in agreement+derivation
2020-10-21 13:25:21 +02:00