Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[3.6] ssl-opt: improve PSK mode detection #9546

Merged
merged 14 commits into from
Sep 13, 2024
Merged

[3.6] ssl-opt: improve PSK mode detection #9546

merged 14 commits into from
Sep 13, 2024

Conversation

gilles-peskine-arm
Copy link
Contributor

@gilles-peskine-arm gilles-peskine-arm commented Sep 6, 2024
edited
Loading

Fix some issues in ssl-opt.sh around requirement detections, mostly related to PSK vs certificates. Prerequisite of #9541.

PR checklist

  • changelog not required because: test only
  • development PR ssl-opt: improve PSK mode detection #9556
  • framework PR ssl-opt: improve PSK mode detection mbedtls-framework#44
  • 3.6 PR here
  • 2.28 PR not required because: it's mostly about TLS 1.3 changes, and not worth backporting the few changes that aren't.
  • tests provided + check that we aren't executing fewer test cases, compared with the baseline outcomes.csv.xz (excluding ;component_release_ which are not run in the PR job). The following command lists the test cases that have changed, excluding those that used to be skipped; its output is empty. 
    wget -O d210bf73b2ff8adb237002446a520be16f8b3210.outcomes.csv.xz https://mbedtls.trustedfirmware.org/job/mbed-tls-nightly-tests/928/artifact/outcomes.csv.xz
wget -O 3.outcomes.xz https://mbedtls.trustedfirmware.org/job/mbed-tls-pr-head/job/PR-9546-head/3/artifact/outcomes.csv.xz
comm -23 <(xzcat d210bf73b2ff8adb237002446a520be16f8b3210.outcomes.csv.xz | grep -v ';component_release_' | sort) <(xzcat 3.outcomes.csv.xz | sort) | grep -v ';SKIP;'

@gilles-peskine-arm gilles-peskine-arm added component-tls needs-ci Needs to pass CI tests size-s Estimated task size: small (~2d) priority-high High priority - will be reviewed soon labels Sep 6, 2024
@gilles-peskine-arm gilles-peskine-arm mentioned this pull request Sep 6, 2024
Merged
@gilles-peskine-arm gilles-peskine-arm added needs-review Every commit must be reviewed by at least two team members, needs-reviewer This PR needs someone to pick it up for review and removed needs-ci Needs to pass CI tests labels Sep 8, 2024
@mpg mpg changed the title ssl-opt: improve PSK mode detection [3.6] ssl-opt: improve PSK mode detection Sep 9, 2024
mpg
mpg requested changes Sep 9, 2024
View reviewed changes
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks pretty good to me, thanks for the clean-up! Other than the XXX-PSK vs PSK-XXX thing, I only have questions / requests for adding comments.

mpg
mpg previously approved these changes Sep 9, 2024
View reviewed changes
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks for addressing my comments.

@ronald-cron-arm ronald-cron-arm self-requested a review September 9, 2024 12:14
@gilles-peskine-arm gilles-peskine-arm removed the needs-reviewer This PR needs someone to pick it up for review label Sep 9, 2024
@gilles-peskine-arm gilles-peskine-arm mentioned this pull request Sep 9, 2024
Closed
ronald-cron-arm
ronald-cron-arm requested changes Sep 10, 2024
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This looks almost good to me. Minor comments and one thing I am not sure about.

@gilles-peskine-arm gilles-peskine-arm mentioned this pull request Sep 10, 2024
Merged
7 tasks
ronald-cron-arm
ronald-cron-arm previously approved these changes Sep 10, 2024
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks.

mpg
mpg previously approved these changes Sep 11, 2024
View reviewed changes
Copy link
Contributor

@mpg mpg left a comment
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM, thanks! 53907c7

@mpg mpg added approved Design and code approved - may be waiting for CI or backports needs-backports Backports are missing or are pending review and approval. and removed needs-review Every commit must be reviewed by at least two team members, labels Sep 11, 2024
@gilles-peskine-arm gilles-peskine-arm mentioned this pull request Sep 11, 2024
Merged
5 tasks
@ronald-cron-arm ronald-cron-arm mentioned this pull request Sep 11, 2024
Closed
@gilles-peskine-arm
Fix "Renegotiation: openssl server, client-initiated" with OpenSSL 3
ed8cc46 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Use CONFIGS_ENABLED instead of repeatedly calling query_compile_time_…
0bc5729 
…config

It's faster and more readable.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
ssl-opt: Fix GnuTLS PSK injection
9cd5848 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Detect more cases where certificates are required
6eff90f 
When requiring a cryptographic mechanism for the sake of certificate
authentication, also require that certificate authentication is enabled.

Setting auth_mode explicitly means that we're testing something related to
how certificate-based authentication is handled, so require a key exchange
with certificate-based authentication.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix PSK-only mode doing less than it should
5c766dc 
Don't add a certificate requirement when PSK is enabled.

Do command line requirement detection after the injection of PSK into the
command line in PSK-only mode. Otherwise certificate requirements would be
added even in PSK-only mode.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Detect PSK-only mode in TLS 1.3 as well
bbdc1a3 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Unify the two requires-key-exchange-with-certificate function
0a9f9d6 
requires_certificate_authentication was called in more places, but did not
do fine-grained analysis of key exchanges and so gave the wrong results in
some builds.

requires_key_exchange_with_cert_in_tls12_or_tls13_enabled gave the correct
result but was only used in some test cases, not in the automatic detection
code.

Remove all uses of requires_key_exchange_with_cert_in_tls12_or_tls13_enabled
because they are in fact covered by automated detection that calls
requires_certificate_authentication.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Also activate PSK-only mode when PSK-ephemeral key exchanges are avai…
d98b363 
…lable

The point of PSK-only mode is to transform certificate-based command lines
into PSK-based command lines, when the certificates are not relevant to what
is being tested. So it makes sense to do that in with PSK-ephemeral key
exchanges too.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix weirdly quoted invocations of requires_any_configs_enabled
07e24e9 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Remove unused auth_mode parameter on a PSK test case
4c1347c 
It was causing the test case to be incorrectly skipped as needing
certificate authentication.

Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Improve some comments
5838a64 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Fix detection of TLS 1.2 PSK-ephemeral key exchange modes
19c60d2 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
Documentation improvements
d57212e 
Signed-off-by: Gilles Peskine <[email protected]>
@gilles-peskine-arm
requires_certificate_authentication: prioritize TLS 1.3
cfbaffd 
When checking whether the build supports certificate authentication, check
the key exchange modes enabled in the default protocol version. This is TLS
1.3 when it's enabled.

Signed-off-by: Gilles Peskine <[email protected]>
mpg
mpg approved these changes Sep 13, 2024
View reviewed changes
Copy link
Contributor

@mpg mpg left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The rebase looks good to me.

ronald-cron-arm
ronald-cron-arm approved these changes Sep 13, 2024
View reviewed changes
Copy link
Contributor

@ronald-cron-arm ronald-cron-arm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

LGTM

@gilles-peskine-arm gilles-peskine-arm added this pull request to the merge queue Sep 13, 2024
Merged via the queue into Mbed-TLS:mbedtls-3.6 with commit 78b1362 Sep 13, 2024
4 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpg mpg mpg approved these changes

@ronald-cron-arm ronald-cron-arm ronald-cron-arm approved these changes

Assignees
No one assigned
Labels
approved Design and code approved - may be waiting for CI or backports component-tls needs-backports Backports are missing or are pending review and approval. priority-high High priority - will be reviewed soon size-s Estimated task size: small (~2d)
Projects
Roadmap pull requests (new board)
Status: Done
Roadmap Board for Mbed TLS
Status: Done
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@gilles-peskine-arm @mpg @ronald-cron-arm