ssl-opt: improve PSK mode detection #9556
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
gilles-peskine-arm
added
component-tls
needs-ci
5 tasks
gilles-peskine-arm
added
needs-review
This was referenced Sep 11, 2024
ronald-cron-arm
previously approved these changes
Sep 13, 2024
|
I'll need to rewrite the history to amend the submodule update commit, anyway, once the framework PR is merged. How about I do that now, since the framework PR is approved and has passed the CI on both branches? |
mpg
previously approved these changes
Sep 13, 2024
mpg
removed
the
needs-review
gilles-peskine-arm
dismissed stale reviews from mpg and ronald-cron-arm
via
52584e2
gilles-peskine-arm
force-pushed
the
ssl-opt-psk-detection-development
branch
from
27c7055
to
52584e2
Compare
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…config It's faster and more readable. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When requiring a cryptographic mechanism for the sake of certificate authentication, also require that certificate authentication is enabled. Setting auth_mode explicitly means that we're testing something related to how certificate-based authentication is handled, so require a key exchange with certificate-based authentication. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Don't add a certificate requirement when PSK is enabled. Do command line requirement detection after the injection of PSK into the command line in PSK-only mode. Otherwise certificate requirements would be added even in PSK-only mode. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
requires_certificate_authentication was called in more places, but did not do fine-grained analysis of key exchanges and so gave the wrong results in some builds. requires_key_exchange_with_cert_in_tls12_or_tls13_enabled gave the correct result but was only used in some test cases, not in the automatic detection code. Remove all uses of requires_key_exchange_with_cert_in_tls12_or_tls13_enabled because they are in fact covered by automated detection that calls requires_certificate_authentication. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
…lable The point of PSK-only mode is to transform certificate-based command lines into PSK-based command lines, when the certificates are not relevant to what is being tested. So it makes sense to do that in with PSK-ephemeral key exchanges too. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It was causing the test case to be incorrectly skipped as needing certificate authentication. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When checking whether the build supports certificate authentication, check the key exchange modes enabled in the default protocol version. This is TLS 1.3 when it's enabled. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
gilles-peskine-arm
force-pushed
the
ssl-opt-psk-detection-development
branch
from
52584e2
to
e3eab32
Compare
|
I've rebased both this PR and the 3.6 one to get the latest framework updates. |
mpg
approved these changes
Sep 13, 2024
gilles-peskine-arm
added
the
approved
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Fix some issues in
ssl-opt.sharound requirement detections, mostly related to PSK vs certificates. Prerequisite of #9541.Straight forward port of #9546.
PR checklist
outcomes.csv.xz(excluding;component_release_which are not run in the PR job). The following command lists the test cases that have changed, excluding those that used to be skipped; its output is empty.