diff --git a/CMakeLists.txt b/CMakeLists.txt index 162373182b..12ddc2738d 100644 --- a/CMakeLists.txt +++ b/CMakeLists.txt @@ -100,17 +100,6 @@ option(USE_SHARED_MBEDTLS_LIBRARY "Build Mbed TLS shared library." OFF) option(LINK_WITH_PTHREAD "Explicitly link Mbed TLS library to pthread." OFF) option(LINK_WITH_TRUSTED_STORAGE "Explicitly link Mbed TLS library to trusted_storage." OFF) -# Warning string - created as a list for compatibility with CMake 2.8 -set(CTR_DRBG_128_BIT_KEY_WARN_L1 "**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined!\n") -set(CTR_DRBG_128_BIT_KEY_WARN_L2 "**** Using 128-bit keys for CTR_DRBG limits the security of generated\n") -set(CTR_DRBG_128_BIT_KEY_WARN_L3 "**** keys and operations that use random values generated to 128-bit security\n") - -set(CTR_DRBG_128_BIT_KEY_WARNING "${WARNING_BORDER}" - "${CTR_DRBG_128_BIT_KEY_WARN_L1}" - "${CTR_DRBG_128_BIT_KEY_WARN_L2}" - "${CTR_DRBG_128_BIT_KEY_WARN_L3}" - "${WARNING_BORDER}") - # Python 3 is only needed here to check for configuration warnings. if(NOT CMAKE_VERSION VERSION_LESS 3.15.0) set(Python3_FIND_STRATEGY LOCATION) @@ -124,16 +113,6 @@ else() set(MBEDTLS_PYTHON_EXECUTABLE ${PYTHON_EXECUTABLE}) endif() endif() -if(MBEDTLS_PYTHON_EXECUTABLE) - - # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning - execute_process(COMMAND ${MBEDTLS_PYTHON_EXECUTABLE} ${CMAKE_CURRENT_SOURCE_DIR}/scripts/config.py -f ${CMAKE_CURRENT_SOURCE_DIR}/include/mbedtls/mbedtls_config.h get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY - RESULT_VARIABLE result) - if(${result} EQUAL 0) - message(WARNING ${CTR_DRBG_128_BIT_KEY_WARNING}) - endif() - -endif() # We now potentially need to link all executables against PThreads, if available set(CMAKE_THREAD_PREFER_PTHREAD TRUE) diff --git a/ChangeLog.d/10285.txt b/ChangeLog.d/10285.txt new file mode 100644 index 0000000000..2ac05ab90f --- /dev/null +++ b/ChangeLog.d/10285.txt @@ -0,0 +1,3 @@ +Removals + * Removed all public key sample programs from the programs/pkey + directory. diff --git a/ChangeLog.d/check_config.txt b/ChangeLog.d/check_config.txt new file mode 100644 index 0000000000..f9f44a4b85 --- /dev/null +++ b/ChangeLog.d/check_config.txt @@ -0,0 +1,5 @@ +Removals + * The header no longer exists. Including it + from a custom config file was no longer needed since Mbed TLS 3.0, + and could lead to spurious errors. The checks that it performed are + now done automatically when building the library. diff --git a/ChangeLog.d/fix-dependency-on-generated-files.txt b/ChangeLog.d/fix-dependency-on-generated-files.txt new file mode 100644 index 0000000000..b3e7e4e16b --- /dev/null +++ b/ChangeLog.d/fix-dependency-on-generated-files.txt @@ -0,0 +1,3 @@ +Bugfix + * Fix potential CMake parallel build failure when building both the static + and shared libraries. diff --git a/ChangeLog.d/remove-deprecated-items.txt b/ChangeLog.d/remove-deprecated-items.txt new file mode 100644 index 0000000000..855265788e --- /dev/null +++ b/ChangeLog.d/remove-deprecated-items.txt @@ -0,0 +1,11 @@ +Removals + * Remove MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. Now only the + standard version (defined in RFC 9146) of DTLS connection ID is supported. + * Remove mbedtls_ssl_conf_min_version(), mbedtls_ssl_conf_max_version(), and + the associated constants MBEDTLS_SSL_MAJOR_VERSION_x and + MBEDTLS_SSL_MINOR_VERSION_y. Use mbedtls_ssl_conf_min_tls_version() and + mbedtls_ssl_conf_max_tls_version() with MBEDTLS_SSL_VERSION_TLS1_y instead. + Note that the new names of the new constants use the TLS protocol versions, + unlike the old constants whose names are based on internal encodings. + * Remove mbedtls_ssl_conf_sig_hashes(). Use mbedtls_ssl_conf_sig_algs() + instead. diff --git a/ChangeLog.d/remove_mbedtls_pk_type.txt b/ChangeLog.d/remove_mbedtls_pk_type.txt new file mode 100644 index 0000000000..4b33d1e110 --- /dev/null +++ b/ChangeLog.d/remove_mbedtls_pk_type.txt @@ -0,0 +1,3 @@ +Removals + * Remove mbedtls_pk_type_t from the public interface and replace it with + mbedtls_pk_sigalg_t. diff --git a/ChangeLog.d/runtime-version-interface.txt b/ChangeLog.d/runtime-version-interface.txt new file mode 100644 index 0000000000..1cf42665ca --- /dev/null +++ b/ChangeLog.d/runtime-version-interface.txt @@ -0,0 +1,9 @@ +API changes + * Change the signature of the runtime version information methods that took + a char* as an argument to take zero arguments and return a const char* + instead. This aligns us with the interface used in TF PSA Crypto 1.0. + If you need to support linking against both Mbed TLS 3.x and 4.x, please + use the build-time version macros or mbedtls_version_get_number() to + determine the correct signature for mbedtls_version_get_string() and + mbedtls_version_get_string_full() before calling them. + Fixes issue #10308. diff --git a/ChangeLog.d/secp256k1-removal.txt b/ChangeLog.d/secp256k1-removal.txt new file mode 100644 index 0000000000..9933b8e7a9 --- /dev/null +++ b/ChangeLog.d/secp256k1-removal.txt @@ -0,0 +1,3 @@ +Removals + * Support for secp192k1, secp192r1, secp224k1 and secp224r1 EC curves is + removed from TLS. diff --git a/ChangeLog.d/static-ecdh-removal.txt b/ChangeLog.d/static-ecdh-removal.txt new file mode 100644 index 0000000000..94512a21f9 --- /dev/null +++ b/ChangeLog.d/static-ecdh-removal.txt @@ -0,0 +1,3 @@ +Removals + * Removed support for TLS 1.2 static ECDH key + exchanges (ECDH-ECDSA and ECDH-RSA). diff --git a/ChangeLog.d/unify-errors.txt b/ChangeLog.d/unify-errors.txt new file mode 100644 index 0000000000..f229f1bc4d --- /dev/null +++ b/ChangeLog.d/unify-errors.txt @@ -0,0 +1,7 @@ +API changes + * Make the following error codes aliases of their PSA equivalents, where + xxx is a module, e.g. X509 or SSL. + MBEDTLS_ERR_xxx_BAD_INPUT_DATA -> PSA_ERROR_INVALID_ARGUMENT + MBEDTLS_ERR_xxx_ALLOC_FAILED -> PSA_ERROR_INSUFFICIENT_MEMORY + MBEDTLS_ERR_xxx_BUFFER_TOO_SMALL -> PSA_ERROR_BUFFER_TOO_SMALL + MBEDTLS_ERR_PKCS7_VERIFY_FAIL -> PSA_ERROR_INVALID_SIGNATURE diff --git a/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt b/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt new file mode 100644 index 0000000000..e04f45a488 --- /dev/null +++ b/ChangeLog.d/x509write_crt_set_serial_raw-alignment.txt @@ -0,0 +1,3 @@ +API changes + * Change the serial argument of the mbedtls_x509write_crt_set_serial_raw + function to a const to align with the rest of the API. diff --git a/Makefile b/Makefile index a580736602..6706143a24 100644 --- a/Makefile +++ b/Makefile @@ -26,7 +26,6 @@ endif .PHONY: all no_test programs lib tests install uninstall clean test check lcov apidoc apidoc_clean all: programs tests - $(MAKE) post_build no_test: programs @@ -146,24 +145,6 @@ uninstall: done endif - -WARNING_BORDER_LONG =**********************************************************************************\n -CTR_DRBG_128_BIT_KEY_WARN_L1=**** WARNING! MBEDTLS_CTR_DRBG_USE_128_BIT_KEY defined! ****\n -CTR_DRBG_128_BIT_KEY_WARN_L2=**** Using 128-bit keys for CTR_DRBG limits the security of generated ****\n -CTR_DRBG_128_BIT_KEY_WARN_L3=**** keys and operations that use random values generated to 128-bit security ****\n - -CTR_DRBG_128_BIT_KEY_WARNING=\n$(WARNING_BORDER_LONG)$(CTR_DRBG_128_BIT_KEY_WARN_L1)$(CTR_DRBG_128_BIT_KEY_WARN_L2)$(CTR_DRBG_128_BIT_KEY_WARN_L3)$(WARNING_BORDER_LONG) - -# Post build steps -post_build: -ifndef WINDOWS - - # If 128-bit keys are configured for CTR_DRBG, display an appropriate warning - -scripts/config.py get MBEDTLS_CTR_DRBG_USE_128_BIT_KEY && ([ $$? -eq 0 ]) && \ - echo '$(CTR_DRBG_128_BIT_KEY_WARNING)' - -endif - clean: clean_more_on_top $(MAKE) -C library clean $(MAKE) -C programs clean diff --git a/README.md b/README.md index fc1536e23c..7981a0236d 100644 --- a/README.md +++ b/README.md @@ -72,7 +72,13 @@ The following tools are required: Depending on your Python installation, you may need to invoke `python` instead of `python3`. To install the packages system-wide, omit the `--user` option. * A C compiler for the host platform, for some test data. -If you are cross-compiling, you must set the `CC` environment variable to a C compiler for the host platform when generating the configuration-independent files. +The scripts that generate the configuration-independent files will look for a host C compiler in the following places (in order of preference): + +1. The `HOSTCC` environment variable. This can be used if `CC` is pointing to a cross-compiler. +2. The `CC` environment variable. +3. An executable called `cc` in the current path. + +Note: If you have multiple toolchains installed, it is recommended to set `CC` or `HOSTCC` to the intended host compiler before generating the files. Any of the following methods are available to generate the configuration-independent files: diff --git a/configs/crypto-config-ccm-psk-tls1_2.h b/configs/crypto-config-ccm-psk-tls1_2.h index 163520ed34..c2dabc28e8 100644 --- a/configs/crypto-config-ccm-psk-tls1_2.h +++ b/configs/crypto-config-ccm-psk-tls1_2.h @@ -30,7 +30,6 @@ /* Other MBEDTLS_HAVE_XXX flags irrelevant for this configuration */ #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY /* Save RAM at the expense of ROM */ diff --git a/configs/crypto-config-suite-b.h b/configs/crypto-config-suite-b.h index 0437bda3ce..4bae5a45c6 100644 --- a/configs/crypto-config-suite-b.h +++ b/configs/crypto-config-suite-b.h @@ -48,7 +48,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_PK_C #define MBEDTLS_PK_PARSE_C #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY diff --git a/configs/crypto-config-thread.h b/configs/crypto-config-thread.h index 5475a0af20..1b2621cf58 100644 --- a/configs/crypto-config-thread.h +++ b/configs/crypto-config-thread.h @@ -55,7 +55,6 @@ #define MBEDTLS_ASN1_PARSE_C #define MBEDTLS_ASN1_WRITE_C #define MBEDTLS_CTR_DRBG_C -#define MBEDTLS_ENTROPY_C #define MBEDTLS_HMAC_DRBG_C #define MBEDTLS_MD_C #define MBEDTLS_PK_C diff --git a/docs/4.0-migration-guide/error-codes.md b/docs/4.0-migration-guide/error-codes.md index 074acc04bb..a2744679e0 100644 --- a/docs/4.0-migration-guide/error-codes.md +++ b/docs/4.0-migration-guide/error-codes.md @@ -18,11 +18,20 @@ As a consequence, the functions `mbedtls_low_level_strerr()` and `mbedtls_high_l Many legacy error codes have been removed in favor of PSA error codes. Generally, functions that returned a legacy error code in the table below in Mbed TLS 3.6 now return the PSA error code listed on the same row. Similarly, callbacks should apply the same changes to error code, unless there has been a relevant change to the callback's interface. -| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | -| ------------------------------ | --------------------------- | +| Legacy constant (Mbed TLS 3.6) | PSA constant (Mbed TLS 4.0) | +|-----------------------------------------|---------------------------------| | `MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED` | `PSA_ERROR_CORRUPTION_DETECTED` | -| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | -| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` -| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | +| `MBEDTLS_ERR_ERROR_GENERIC_ERROR` | `PSA_ERROR_GENERIC_ERROR` | +| `MBEDTLS_ERR_NET_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_BUF_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_OID_NOT_FOUND` | `PSA_ERROR_NOT_SUPPORTED` | +| `MBEDTLS_ERR_PKCS7_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_PKCS7_VERIFY_FAIL` | `PSA_ERROR_INVALID_SIGNATURE` | +| `MBEDTLS_ERR_SSL_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_SSL_BAD_INPUT_DATA` | `PSA_ERROR_INVALID_ARGUMENT` | +| `MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | +| `MBEDTLS_ERR_X509_ALLOC_FAILED` | `PSA_ERROR_INSUFFICIENT_MEMORY` | +| `MBEDTLS_ERR_X509_BUFFER_TOO_SMALL` | `PSA_ERROR_BUFFER_TOO_SMALL` | See also the corresponding section in the TF-PSA-Crypto migration guide, which lists error codes from cryptography modules. diff --git a/docs/architecture/tls13-support.md b/docs/architecture/tls13-support.md index f49e9194ba..c7b11fd1dd 100644 --- a/docs/architecture/tls13-support.md +++ b/docs/architecture/tls13-support.md @@ -118,8 +118,6 @@ Support description | MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED | n/a | - | MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED | n/a | - | MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED | n/a | | MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED | n/a | | | | | MBEDTLS_PSA_CRYPTO_C | no (1) | diff --git a/docs/requirements.txt b/docs/requirements.txt index 2287b2a72b..38499f768c 100644 --- a/docs/requirements.txt +++ b/docs/requirements.txt @@ -1,84 +1,83 @@ # -# This file is autogenerated by pip-compile with Python 3.8 +# This file is autogenerated by pip-compile with Python 3.9 # by the following command: # -# pip-compile requirements.in +# pip-compile docs/requirements.in # -alabaster==0.7.13 +alabaster==0.7.16 # via sphinx -babel==2.15.0 +babel==2.17.0 # via sphinx -breathe==4.35.0 - # via -r requirements.in -certifi==2024.7.4 +breathe==4.36.0 + # via -r docs/requirements.in +certifi==2025.8.3 # via requests -charset-normalizer==3.3.2 +charset-normalizer==3.4.3 # via requests -click==8.1.7 +click==8.1.8 # via readthedocs-cli -docutils==0.20.1 +docutils==0.21.2 # via - # breathe # sphinx # sphinx-rtd-theme -idna==3.7 +idna==3.10 # via requests imagesize==1.4.1 # via sphinx -importlib-metadata==8.0.0 +importlib-metadata==8.7.0 # via sphinx -jinja2==3.1.4 +jinja2==3.1.6 # via sphinx markdown-it-py==3.0.0 # via rich -markupsafe==2.1.5 +markupsafe==3.0.2 # via jinja2 mdurl==0.1.2 # via markdown-it-py -packaging==24.1 +packaging==25.0 # via sphinx -pygments==2.18.0 +pygments==2.19.2 # via # rich # sphinx -pytz==2024.1 - # via babel -pyyaml==6.0.1 +pyyaml==6.0.2 # via readthedocs-cli -readthedocs-cli==4 - # via -r requirements.in -requests==2.32.3 +readthedocs-cli==5 + # via -r docs/requirements.in +requests==2.32.5 # via # readthedocs-cli # sphinx -rich==13.7.1 +rich==14.1.0 # via readthedocs-cli -snowballstemmer==2.2.0 +snowballstemmer==3.0.1 # via sphinx -sphinx==7.1.2 +sphinx==7.4.7 # via # breathe # sphinx-rtd-theme # sphinxcontrib-jquery -sphinx-rtd-theme==2.0.0 - # via -r requirements.in -sphinxcontrib-applehelp==1.0.4 +sphinx-rtd-theme==3.0.2 + # via -r docs/requirements.in +sphinxcontrib-applehelp==2.0.0 # via sphinx -sphinxcontrib-devhelp==1.0.2 +sphinxcontrib-devhelp==2.0.0 # via sphinx -sphinxcontrib-htmlhelp==2.0.1 +sphinxcontrib-htmlhelp==2.1.0 # via sphinx sphinxcontrib-jquery==4.1 # via sphinx-rtd-theme sphinxcontrib-jsmath==1.0.1 # via sphinx -sphinxcontrib-qthelp==1.0.3 +sphinxcontrib-qthelp==2.0.0 # via sphinx -sphinxcontrib-serializinghtml==1.1.5 +sphinxcontrib-serializinghtml==2.0.0 # via sphinx -typing-extensions==4.12.2 - # via rich -urllib3==2.2.2 - # via requests -zipp==3.19.2 +tomli==2.2.1 + # via sphinx +urllib3==2.5.0 + # via + # readthedocs-cli + # requests +zipp==3.23.0 # via importlib-metadata diff --git a/doxygen/mbedtls.doxyfile b/doxygen/mbedtls.doxyfile index 04a4f170d0..00e64d05c9 100644 --- a/doxygen/mbedtls.doxyfile +++ b/doxygen/mbedtls.doxyfile @@ -8,6 +8,7 @@ EXTRACT_STATIC = YES CASE_SENSE_NAMES = NO INPUT = ../include input ../tf-psa-crypto/include ../tests/include/alt-dummy FILE_PATTERNS = *.h +EXCLUDE = ../tf-psa-crypto/include/mbedtls/private RECURSIVE = YES EXCLUDE_SYMLINKS = YES SOURCE_BROWSER = YES diff --git a/framework b/framework index df3307f2b4..d0d817541a 160000 --- a/framework +++ b/framework @@ -1 +1 @@ -Subproject commit df3307f2b4fe512def60886024f7be8fd1523ccd +Subproject commit d0d817541ae3f449b8cd51afc165668179659699 diff --git a/include/CMakeLists.txt b/include/CMakeLists.txt index 755efedd1c..9ea17af8b8 100644 --- a/include/CMakeLists.txt +++ b/include/CMakeLists.txt @@ -7,6 +7,12 @@ if(INSTALL_MBEDTLS_HEADERS) install(FILES ${headers} DESTINATION include/mbedtls PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ) + + file(GLOB private_headers "mbedtls/private/*.h") + + install(FILES ${private_headers} + DESTINATION include/mbedtls/private + PERMISSIONS OWNER_READ OWNER_WRITE GROUP_READ WORLD_READ) endif(INSTALL_MBEDTLS_HEADERS) # Make mbedtls_config.h available in an out-of-source build. ssl-opt.sh requires it. diff --git a/include/mbedtls/build_info.h b/include/mbedtls/build_info.h index 534f01658c..b46db36d1f 100644 --- a/include/mbedtls/build_info.h +++ b/include/mbedtls/build_info.h @@ -74,9 +74,9 @@ */ #define MBEDTLS_CONFIG_FILES_READ -#include "mbedtls/config_adjust_x509.h" +#include "mbedtls/private/config_adjust_x509.h" -#include "mbedtls/config_adjust_ssl.h" +#include "mbedtls/private/config_adjust_ssl.h" /* Indicate that all configuration symbols are set, * even the ones that are calculated programmatically. @@ -85,6 +85,4 @@ */ #define MBEDTLS_CONFIG_IS_FINALIZED -#include "mbedtls/check_config.h" - #endif /* MBEDTLS_BUILD_INFO_H */ diff --git a/include/mbedtls/debug.h b/include/mbedtls/debug.h index b6d4e27052..c293e87315 100644 --- a/include/mbedtls/debug.h +++ b/include/mbedtls/debug.h @@ -15,7 +15,7 @@ #include "mbedtls/ssl.h" #if defined(MBEDTLS_ECP_C) -#include "mbedtls/ecp.h" +#include "mbedtls/private/ecp.h" #endif #if defined(MBEDTLS_DEBUG_C) diff --git a/include/mbedtls/error.h b/include/mbedtls/error.h index 7abb00fd03..ee3d093c93 100644 --- a/include/mbedtls/error.h +++ b/include/mbedtls/error.h @@ -11,7 +11,7 @@ #define MBEDTLS_ERROR_H #include "mbedtls/build_info.h" -#include "mbedtls/error_common.h" +#include "mbedtls/private/error_common.h" #include diff --git a/include/mbedtls/mbedtls_config.h b/include/mbedtls/mbedtls_config.h index d18d0fadb8..f11bcb3fb0 100644 --- a/include/mbedtls/mbedtls_config.h +++ b/include/mbedtls/mbedtls_config.h @@ -273,54 +273,6 @@ */ #define MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - * - * Enable the ECDH-ECDSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH - * MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 - */ -#define MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED - -/** - * \def MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - * - * Enable the ECDH-RSA based ciphersuite modes in SSL / TLS. - * - * Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH - * MBEDTLS_RSA_C - * MBEDTLS_X509_CRT_PARSE_C - * - * This enables the following ciphersuites (if other requisites are - * enabled as well): - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 - * MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 - */ -#define MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - /** * \def MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED * @@ -533,28 +485,6 @@ */ #define MBEDTLS_SSL_DTLS_CONNECTION_ID -/** - * \def MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT - * - * Defines whether RFC 9146 (default) or the legacy version - * (version draft-ietf-tls-dtls-connection-id-05, - * https://tools.ietf.org/html/draft-ietf-tls-dtls-connection-id-05) - * is used. - * - * Set the value to 0 for the standard version, and - * 1 for the legacy draft version. - * - * \deprecated Support for the legacy version of the DTLS - * Connection ID feature is deprecated. Please - * switch to the standardized version defined - * in RFC 9146 enabled by utilizing - * MBEDTLS_SSL_DTLS_CONNECTION_ID without use - * of MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT. - * - * Requires: MBEDTLS_SSL_DTLS_CONNECTION_ID - */ -#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 - /** * \def MBEDTLS_SSL_DTLS_HELLO_VERIFY * diff --git a/include/mbedtls/net_sockets.h b/include/mbedtls/net_sockets.h index 8e69bc0fb3..f4eb683d3a 100644 --- a/include/mbedtls/net_sockets.h +++ b/include/mbedtls/net_sockets.h @@ -53,7 +53,7 @@ /** Failed to get an IP address for the given hostname. */ #define MBEDTLS_ERR_NET_UNKNOWN_HOST -0x0052 /** Buffer is too small to hold the data. */ -#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL -0x0043 +#define MBEDTLS_ERR_NET_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /** The context is invalid, eg because it was free()ed. */ #define MBEDTLS_ERR_NET_INVALID_CONTEXT -0x0045 /** Polling the net context failed. */ @@ -147,11 +147,11 @@ int mbedtls_net_bind(mbedtls_net_context *ctx, const char *bind_ip, const char * * can be NULL if client_ip is null * * \return 0 if successful, or - * MBEDTLS_ERR_NET_SOCKET_FAILED, - * MBEDTLS_ERR_NET_BIND_FAILED, - * MBEDTLS_ERR_NET_ACCEPT_FAILED, or - * MBEDTLS_ERR_NET_BUFFER_TOO_SMALL if buf_size is too small, - * MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to + * #MBEDTLS_ERR_NET_SOCKET_FAILED, + * #MBEDTLS_ERR_NET_BIND_FAILED, + * #MBEDTLS_ERR_NET_ACCEPT_FAILED, or + * #PSA_ERROR_BUFFER_TOO_SMALL if buf_size is too small, + * #MBEDTLS_ERR_SSL_WANT_READ if bind_fd was set to * non-blocking and accept() would block. */ int mbedtls_net_accept(mbedtls_net_context *bind_ctx, diff --git a/include/mbedtls/oid.h b/include/mbedtls/oid.h index 375ea60cb6..d769ff2180 100644 --- a/include/mbedtls/oid.h +++ b/include/mbedtls/oid.h @@ -11,6 +11,7 @@ #define MBEDTLS_OID_H #include "mbedtls/build_info.h" +#include "mbedtls/asn1.h" /* * Top level OID tuples diff --git a/include/mbedtls/pkcs7.h b/include/mbedtls/pkcs7.h index e9b482208e..957ca53d71 100644 --- a/include/mbedtls/pkcs7.h +++ b/include/mbedtls/pkcs7.h @@ -55,9 +55,9 @@ #define MBEDTLS_ERR_PKCS7_INVALID_CERT -0x5580 /**< The certificate tag or value is invalid or cannot be parsed. */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNATURE -0x5600 /**< Error parsing the signature */ #define MBEDTLS_ERR_PKCS7_INVALID_SIGNER_INFO -0x5680 /**< Error parsing the signer's info */ -#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA -0x5700 /**< Input invalid. */ -#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED -0x5780 /**< Allocation of memory failed. */ -#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL -0x5800 /**< Verification Failed */ +#define MBEDTLS_ERR_PKCS7_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /**< Input invalid. */ +#define MBEDTLS_ERR_PKCS7_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /**< Allocation of memory failed. */ +#define MBEDTLS_ERR_PKCS7_VERIFY_FAIL PSA_ERROR_INVALID_SIGNATURE /**< Verification Failed */ #define MBEDTLS_ERR_PKCS7_CERT_DATE_INVALID -0x5880 /**< The PKCS #7 date issued/expired dates are invalid */ /* \} name */ diff --git a/include/mbedtls/config_adjust_ssl.h b/include/mbedtls/private/config_adjust_ssl.h similarity index 92% rename from include/mbedtls/config_adjust_ssl.h rename to include/mbedtls/private/config_adjust_ssl.h index 2221e5b2e7..ee35a67c9f 100644 --- a/include/mbedtls/config_adjust_ssl.h +++ b/include/mbedtls/private/config_adjust_ssl.h @@ -1,5 +1,5 @@ /** - * \file mbedtls/config_adjust_ssl.h + * \file mbedtls/private/config_adjust_ssl.h * \brief Adjust TLS configuration * * This is an internal header. Do not include it directly. @@ -51,7 +51,6 @@ #if !defined(MBEDTLS_SSL_PROTO_DTLS) #undef MBEDTLS_SSL_DTLS_ANTI_REPLAY #undef MBEDTLS_SSL_DTLS_CONNECTION_ID -#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT #undef MBEDTLS_SSL_DTLS_HELLO_VERIFY #undef MBEDTLS_SSL_DTLS_SRTP #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE @@ -65,8 +64,6 @@ #undef MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED #undef MBEDTLS_KEY_EXCHANGE_PSK_ENABLED #undef MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED -#undef MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED -#undef MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED #undef MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED #endif @@ -79,7 +76,7 @@ #endif #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ - (defined(MBEDTLS_ECDH_C) || defined(MBEDTLS_ECDSA_C) || \ + (defined(PSA_WANT_ALG_ECDH) || defined(PSA_WANT_ALG_ECDSA) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)) #define MBEDTLS_SSL_TLS1_2_SOME_ECC #endif diff --git a/include/mbedtls/config_adjust_x509.h b/include/mbedtls/private/config_adjust_x509.h similarity index 96% rename from include/mbedtls/config_adjust_x509.h rename to include/mbedtls/private/config_adjust_x509.h index cfb2d88916..4af976666b 100644 --- a/include/mbedtls/config_adjust_x509.h +++ b/include/mbedtls/private/config_adjust_x509.h @@ -1,5 +1,5 @@ /** - * \file mbedtls/config_adjust_x509.h + * \file mbedtls/private/config_adjust_x509.h * \brief Adjust X.509 configuration * * This is an internal header. Do not include it directly. diff --git a/include/mbedtls/ssl.h b/include/mbedtls/ssl.h index 7ea0174612..02e527cdf5 100644 --- a/include/mbedtls/ssl.h +++ b/include/mbedtls/ssl.h @@ -14,8 +14,8 @@ #include "mbedtls/build_info.h" -#include "mbedtls/bignum.h" -#include "mbedtls/ecp.h" +#include "mbedtls/private/bignum.h" +#include "mbedtls/private/ecp.h" #include "mbedtls/ssl_ciphersuites.h" @@ -27,7 +27,7 @@ #include "mbedtls/md.h" #if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_ANY_ENABLED) -#include "mbedtls/ecdh.h" +#include "mbedtls/private/ecdh.h" #endif #if defined(MBEDTLS_HAVE_TIME) @@ -44,7 +44,7 @@ /** The requested feature is not available. */ #define MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE -0x7080 /** Bad input parameters to function. */ -#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA -0x7100 +#define MBEDTLS_ERR_SSL_BAD_INPUT_DATA PSA_ERROR_INVALID_ARGUMENT /** Verification of the message MAC failed. */ #define MBEDTLS_ERR_SSL_INVALID_MAC -0x7180 /** An invalid SSL record was received. */ @@ -105,7 +105,7 @@ /** Cache entry not found */ #define MBEDTLS_ERR_SSL_CACHE_ENTRY_NOT_FOUND -0x7E80 /** Memory allocation failed */ -#define MBEDTLS_ERR_SSL_ALLOC_FAILED -0x7F00 +#define MBEDTLS_ERR_SSL_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /** Hardware acceleration function returned with error */ #define MBEDTLS_ERR_SSL_HW_ACCEL_FAILED -0x7F80 /** Hardware acceleration function skipped / left alone data */ @@ -129,7 +129,7 @@ /** DTLS client must retry for hello verification */ #define MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED -0x6A80 /** A buffer is too small to receive or write a message */ -#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL -0x6A00 +#define MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /* Error space gap */ /** No data of requested type currently available on underlying transport. */ #define MBEDTLS_ERR_SSL_WANT_READ -0x6900 @@ -229,10 +229,6 @@ /* Elliptic Curve Groups (ECDHE) */ #define MBEDTLS_SSL_IANA_TLS_GROUP_NONE 0 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 0x0012 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 0x0013 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 0x0014 -#define MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 0x0015 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 0x0016 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 0x0017 #define MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 0x0018 @@ -284,15 +280,6 @@ * Various constants */ -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -/* These are the high and low bytes of ProtocolVersion as defined by: - * - RFC 5246: ProtocolVersion version = { 3, 3 }; // TLS v1.2 - * - RFC 8446: see section 4.2.1 - */ -#define MBEDTLS_SSL_MAJOR_VERSION_3 3 -#define MBEDTLS_SSL_MINOR_VERSION_3 3 /*!< TLS v1.2 */ -#define MBEDTLS_SSL_MINOR_VERSION_4 4 /*!< TLS v1.3 */ -#endif /* MBEDTLS_DEPRECATED_REMOVED */ #define MBEDTLS_SSL_TRANSPORT_STREAM 0 /*!< TLS */ #define MBEDTLS_SSL_TRANSPORT_DATAGRAM 1 /*!< DTLS */ @@ -470,14 +457,6 @@ /** \} name SECTION: Module settings */ -/* - * Default to standard CID mode - */ -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) -#define MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 0 -#endif - /* * Length of the verify data for secure renegotiation */ @@ -649,11 +628,7 @@ #define MBEDTLS_TLS_EXT_SIG_ALG_CERT 50 /* RFC 8446 TLS 1.3 */ #define MBEDTLS_TLS_EXT_KEY_SHARE 51 /* RFC 8446 TLS 1.3 */ -#if MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 #define MBEDTLS_TLS_EXT_CID 54 /* RFC 9146 DTLS 1.2 CID */ -#else -#define MBEDTLS_TLS_EXT_CID 254 /* Pre-RFC 9146 DTLS 1.2 CID */ -#endif #define MBEDTLS_TLS_EXT_ECJPAKE_KKPP 256 /* experimental */ @@ -684,9 +659,7 @@ union mbedtls_ssl_premaster_secret { unsigned char dummy; /* Make the union non-empty even with SSL disabled */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) unsigned char _pms_ecdh[MBEDTLS_ECP_MAX_BYTES]; /* RFC 4492 5.10 */ #endif #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) @@ -891,7 +864,6 @@ typedef struct mbedtls_ssl_config mbedtls_ssl_config; /* Defined in library/ssl_misc.h */ typedef struct mbedtls_ssl_transform mbedtls_ssl_transform; typedef struct mbedtls_ssl_handshake_params mbedtls_ssl_handshake_params; -typedef struct mbedtls_ssl_sig_hash_set_t mbedtls_ssl_sig_hash_set_t; #if defined(MBEDTLS_X509_CRT_PARSE_C) typedef struct mbedtls_ssl_key_cert mbedtls_ssl_key_cert; #endif @@ -1506,10 +1478,6 @@ struct mbedtls_ssl_config { #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) - -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - const int *MBEDTLS_PRIVATE(sig_hashes); /*!< allowed signature hashes */ -#endif const uint16_t *MBEDTLS_PRIVATE(sig_algs); /*!< allowed signature algorithms */ #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ @@ -1942,7 +1910,7 @@ void mbedtls_ssl_init(mbedtls_ssl_context *ssl); * \param ssl SSL context * \param conf SSL configuration to use * - * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED if + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY if * memory allocation failed */ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, @@ -1954,7 +1922,7 @@ int mbedtls_ssl_setup(mbedtls_ssl_context *ssl, * pointers and data. * * \param ssl SSL context - * \return 0 if successful, or MBEDTLS_ERR_SSL_ALLOC_FAILED or + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY or MBEDTLS_ERR_SSL_HW_ACCEL_FAILED */ int mbedtls_ssl_session_reset(mbedtls_ssl_context *ssl); @@ -2609,14 +2577,14 @@ void mbedtls_ssl_conf_session_tickets_cb(mbedtls_ssl_config *conf, * milliseconds. * * \return 0 on success, - * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if an input is not valid. + * #PSA_ERROR_INVALID_ARGUMENT if an input is not valid. */ static inline int mbedtls_ssl_session_get_ticket_creation_time( mbedtls_ssl_session *session, mbedtls_ms_time_t *ticket_creation_time) { if (session == NULL || ticket_creation_time == NULL || session->MBEDTLS_PRIVATE(endpoint) != MBEDTLS_SSL_IS_SERVER) { - return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; + return PSA_ERROR_INVALID_ARGUMENT; } *ticket_creation_time = session->MBEDTLS_PRIVATE(ticket_creation_time); @@ -2967,8 +2935,8 @@ void mbedtls_ssl_conf_dtls_cookies(mbedtls_ssl_config *conf, * \note An internal copy is made, so the info buffer can be reused. * * \return 0 on success, - * MBEDTLS_ERR_SSL_BAD_INPUT_DATA if used on client, - * MBEDTLS_ERR_SSL_ALLOC_FAILED if out of memory. + * #PSA_ERROR_INVALID_ARGUMENT if used on client, + * #PSA_ERROR_INSUFFICIENT_MEMORY if out of memory. */ int mbedtls_ssl_set_client_transport_id(mbedtls_ssl_context *ssl, const unsigned char *info, @@ -3205,8 +3173,8 @@ int mbedtls_ssl_set_session(mbedtls_ssl_context *ssl, const mbedtls_ssl_session * \param len The size of the serialized data in bytes. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data * was generated in a different version or configuration of * Mbed TLS. @@ -3245,7 +3213,7 @@ int mbedtls_ssl_session_load(mbedtls_ssl_session *session, * tickets. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. + * \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small. * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE if the * MBEDTLS_SSL_SESSION_TICKETS configuration option is disabled * and the session is a TLS 1.3 session. @@ -3378,7 +3346,7 @@ void mbedtls_ssl_conf_tls13_key_exchange_modes(mbedtls_ssl_config *conf, * record headers. * * \return \c 0 on success. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if \p len + * \return #PSA_ERROR_INVALID_ARGUMENT if \p len * is too large. */ int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len, @@ -3391,7 +3359,7 @@ int mbedtls_ssl_conf_cid(mbedtls_ssl_config *conf, size_t len, * * \note The restrictions are enforced for all certificates in the * chain. However, signatures in the handshake are not covered - * by this setting but by \b mbedtls_ssl_conf_sig_hashes(). + * by this setting but by \b mbedtls_ssl_conf_sig_algs(). * * \param conf SSL configuration * \param profile Profile to use @@ -3525,7 +3493,7 @@ void mbedtls_ssl_conf_ca_cb(mbedtls_ssl_config *conf, * \param own_cert own public certificate chain * \param pk_key own private key * - * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED + * \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_ssl_conf_own_cert(mbedtls_ssl_config *conf, mbedtls_x509_crt *own_cert, @@ -3733,41 +3701,6 @@ void mbedtls_ssl_conf_groups(mbedtls_ssl_config *conf, const uint16_t *groups); #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) -/** - * \brief Set the allowed hashes for signatures during the handshake. - * - * \note This only affects which hashes are offered and can be used - * for signatures during the handshake. Hashes for message - * authentication and the TLS PRF are controlled by the - * ciphersuite, see \c mbedtls_ssl_conf_ciphersuites(). Hashes - * used for certificate signature are controlled by the - * verification profile, see \c mbedtls_ssl_conf_cert_profile(). - * - * \deprecated Superseded by mbedtls_ssl_conf_sig_algs(). - * - * \note This list should be ordered by decreasing preference - * (preferred hash first). - * - * \note By default, all supported hashes whose length is at least - * 256 bits are allowed. This is the same set as the default - * for certificate verification - * (#mbedtls_x509_crt_profile_default). - * The preference order is currently unspecified and may - * change in future versions. - * - * \note New minor versions of Mbed TLS may extend this list, - * for example if new curves are added to the library. - * New minor versions of Mbed TLS will not remove items - * from this list unless serious security concerns require it. - * - * \param conf SSL configuration - * \param hashes Ordered list of allowed signature hashes, - * terminated by \c MBEDTLS_MD_NONE. - */ -void MBEDTLS_DEPRECATED mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, - const int *hashes); -#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ /** * \brief Configure allowed signature algorithms for use in TLS @@ -3809,8 +3742,8 @@ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, * #MBEDTLS_ERR_SSL_CERTIFICATE_VERIFICATION_WITHOUT_HOSTNAME * for more details. * - * \return 0 if successful, #MBEDTLS_ERR_SSL_ALLOC_FAILED on - * allocation failure, #MBEDTLS_ERR_SSL_BAD_INPUT_DATA on + * \return 0 if successful, #PSA_ERROR_INSUFFICIENT_MEMORY on + * allocation failure, #PSA_ERROR_INVALID_ARGUMENT on * too long input hostname. * * Hostname set to the one provided on success (cleared @@ -3870,7 +3803,7 @@ const unsigned char *mbedtls_ssl_get_hs_sni(mbedtls_ssl_context *ssl, * \param own_cert own public certificate chain * \param pk_key own private key * - * \return 0 on success or MBEDTLS_ERR_SSL_ALLOC_FAILED + * \return 0 on success or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_ssl_set_hs_own_cert(mbedtls_ssl_context *ssl, mbedtls_x509_crt *own_cert, @@ -3999,7 +3932,7 @@ int mbedtls_ssl_set_hs_ecjpake_password_opaque(mbedtls_ssl_context *ssl, * the lifetime of the table must be at least as long as the * lifetime of the SSL configuration structure. * - * \return 0 on success, or MBEDTLS_ERR_SSL_BAD_INPUT_DATA. + * \return 0 on success, or #PSA_ERROR_INVALID_ARGUMENT. */ int mbedtls_ssl_conf_alpn_protocols(mbedtls_ssl_config *conf, const char *const *protos); @@ -4066,7 +3999,7 @@ void mbedtls_ssl_conf_srtp_mki_value_supported(mbedtls_ssl_config *conf, * (excluding the terminating MBEDTLS_TLS_SRTP_UNSET). * * \return 0 on success - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA when the list of + * \return #PSA_ERROR_INVALID_ARGUMENT when the list of * protection profiles is incorrect. */ int mbedtls_ssl_conf_dtls_srtp_protection_profiles @@ -4086,7 +4019,7 @@ int mbedtls_ssl_conf_dtls_srtp_protection_profiles * is ignored. * * \return 0 on success - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA + * \return #PSA_ERROR_INVALID_ARGUMENT * \return #MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE */ int mbedtls_ssl_dtls_srtp_set_mki_value(mbedtls_ssl_context *ssl, @@ -4114,28 +4047,6 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl mbedtls_dtls_srtp_info *dtls_srtp_info); #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -/** - * \brief Set the maximum supported version sent from the client side - * and/or accepted at the server side. - * - * See also the documentation of mbedtls_ssl_conf_min_version(). - * - * \note This ignores ciphersuites from higher versions. - * - * \note This function is deprecated and has been replaced by - * \c mbedtls_ssl_conf_max_tls_version(). - * - * \param conf SSL configuration - * \param major Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3) - * \param minor Minor version number - * (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2, - * #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3) - */ -void MBEDTLS_DEPRECATED mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, - int minor); -#endif /* MBEDTLS_DEPRECATED_REMOVED */ - /** * \brief Set the maximum supported version sent from the client side * and/or accepted at the server side. @@ -4154,45 +4065,6 @@ static inline void mbedtls_ssl_conf_max_tls_version(mbedtls_ssl_config *conf, conf->MBEDTLS_PRIVATE(max_tls_version) = tls_version; } -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -/** - * \brief Set the minimum accepted SSL/TLS protocol version - * - * \note By default, all supported versions are accepted. - * Future versions of the library may disable older - * protocol versions by default if they become deprecated. - * - * \note The following versions are supported (if enabled at - * compile time): - * - (D)TLS 1.2: \p major = #MBEDTLS_SSL_MAJOR_VERSION_3, - * \p minor = #MBEDTLS_SSL_MINOR_VERSION_3 - * - TLS 1.3: \p major = #MBEDTLS_SSL_MAJOR_VERSION_3, - * \p minor = #MBEDTLS_SSL_MINOR_VERSION_4 - * - * Note that the numbers in the constant names are the - * TLS internal protocol numbers, and the minor versions - * differ by one from the human-readable versions! - * - * \note Input outside of the SSL_MAX_XXXXX_VERSION and - * SSL_MIN_XXXXX_VERSION range is ignored. - * - * \note After the handshake, you can call - * mbedtls_ssl_get_version_number() to see what version was - * negotiated. - * - * \note This function is deprecated and has been replaced by - * \c mbedtls_ssl_conf_min_tls_version(). - * - * \param conf SSL configuration - * \param major Major version number (#MBEDTLS_SSL_MAJOR_VERSION_3) - * \param minor Minor version number - * (#MBEDTLS_SSL_MINOR_VERSION_3 for (D)TLS 1.2, - * #MBEDTLS_SSL_MINOR_VERSION_4 for TLS 1.3) - */ -void MBEDTLS_DEPRECATED mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, - int minor); -#endif /* MBEDTLS_DEPRECATED_REMOVED */ - /** * \brief Set the minimum supported version sent from the client side * and/or accepted at the server side. @@ -4292,7 +4164,7 @@ void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, * MBEDTLS_SSL_MAX_FRAG_LEN_512, MBEDTLS_SSL_MAX_FRAG_LEN_1024, * MBEDTLS_SSL_MAX_FRAG_LEN_2048, MBEDTLS_SSL_MAX_FRAG_LEN_4096) * - * \return 0 if successful or MBEDTLS_ERR_SSL_BAD_INPUT_DATA + * \return 0 if successful or #PSA_ERROR_INVALID_ARGUMENT */ int mbedtls_ssl_conf_max_frag_len(mbedtls_ssl_config *conf, unsigned char mfl_code); #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */ @@ -5018,7 +4890,7 @@ int mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len); * fragment length (either the built-in limit or the one set * or negotiated with the peer), then: * - with TLS, less bytes than requested are written. - * - with DTLS, MBEDTLS_ERR_SSL_BAD_INPUT_DATA is returned. + * - with DTLS, #PSA_ERROR_INVALID_ARGUMENT is returned. * \c mbedtls_ssl_get_max_out_record_payload() may be used to * query the active maximum fragment length. * @@ -5102,7 +4974,7 @@ int mbedtls_ssl_close_notify(mbedtls_ssl_context *ssl); * \param len maximum number of bytes to read * * \return The (positive) number of bytes read if successful. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. * \return #MBEDTLS_ERR_SSL_CANNOT_READ_EARLY_DATA if it is not * possible to read early data for the SSL context \p ssl. Note * that this function is intended to be called for an SSL @@ -5208,10 +5080,10 @@ int mbedtls_ssl_write_early_data(mbedtls_ssl_context *ssl, * * \param ssl The SSL context to query * - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * \return #PSA_ERROR_INVALID_ARGUMENT if this function is called * from the server-side. * - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if this function is called + * \return #PSA_ERROR_INVALID_ARGUMENT if this function is called * prior to completion of the handshake. * * \return #MBEDTLS_SSL_EARLY_DATA_STATUS_NOT_INDICATED if the client @@ -5260,7 +5132,7 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl); * * \note This feature is currently only available under certain * conditions, see the documentation of the return value - * #MBEDTLS_ERR_SSL_BAD_INPUT_DATA for details. + * #PSA_ERROR_INVALID_ARGUMENT for details. * * \note When this function succeeds, it calls * mbedtls_ssl_session_reset() on \p ssl which as a result is @@ -5285,15 +5157,15 @@ void mbedtls_ssl_free(mbedtls_ssl_context *ssl); * to determine the necessary size by calling this function * with \p buf set to \c NULL and \p buf_len to \c 0. However, * the value of \p olen is only guaranteed to be correct when - * the function returns #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL or + * the function returns #PSA_ERROR_BUFFER_TOO_SMALL or * \c 0. If the return value is different, then the value of * \p olen is undefined. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL if \p buf is too small. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed + * \return #PSA_ERROR_BUFFER_TOO_SMALL if \p buf is too small. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed * while resetting the context. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if a handshake is in + * \return #PSA_ERROR_INVALID_ARGUMENT if a handshake is in * progress, or there is pending data for reading or sending, * or the connection does not use DTLS 1.2 with an AEAD * ciphersuite, or renegotiation is enabled. @@ -5366,10 +5238,10 @@ int mbedtls_ssl_context_save(mbedtls_ssl_context *ssl, * \param len The size of the serialized data in bytes. * * \return \c 0 if successful. - * \return #MBEDTLS_ERR_SSL_ALLOC_FAILED if memory allocation failed. + * \return #PSA_ERROR_INSUFFICIENT_MEMORY if memory allocation failed. * \return #MBEDTLS_ERR_SSL_VERSION_MISMATCH if the serialized data * comes from a different Mbed TLS version or build. - * \return #MBEDTLS_ERR_SSL_BAD_INPUT_DATA if input data is invalid. + * \return #PSA_ERROR_INVALID_ARGUMENT if input data is invalid. */ int mbedtls_ssl_context_load(mbedtls_ssl_context *ssl, const unsigned char *buf, @@ -5478,7 +5350,7 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf, * context_len are ignored and a 0-length context is used. * * \return 0 on success. - * \return MBEDTLS_ERR_SSL_BAD_INPUT_DATA if the handshake is not yet completed. + * \return #PSA_ERROR_INVALID_ARGUMENT if the handshake is not yet completed. * \return An SSL-specific error on failure. */ int mbedtls_ssl_export_keying_material(mbedtls_ssl_context *ssl, diff --git a/include/mbedtls/ssl_ciphersuites.h b/include/mbedtls/ssl_ciphersuites.h index b03123107c..dfd369416b 100644 --- a/include/mbedtls/ssl_ciphersuites.h +++ b/include/mbedtls/ssl_ciphersuites.h @@ -14,7 +14,7 @@ #include "mbedtls/build_info.h" #include "mbedtls/pk.h" -#include "mbedtls/cipher.h" +#include "mbedtls/private/cipher.h" #include "mbedtls/md.h" #ifdef __cplusplus @@ -37,39 +37,23 @@ extern "C" { #define MBEDTLS_TLS_PSK_WITH_NULL_SHA256 0xB0 /**< Weak! */ #define MBEDTLS_TLS_PSK_WITH_NULL_SHA384 0xB1 /**< Weak! */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA 0xC001 /**< Weak! */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA 0xC004 -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA 0xC005 - #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_NULL_SHA 0xC006 /**< Weak! */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA 0xC009 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA 0xC00A -#define MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA 0xC00B /**< Weak! */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA 0xC00E -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA 0xC00F - #define MBEDTLS_TLS_ECDHE_RSA_WITH_NULL_SHA 0xC010 /**< Weak! */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA 0xC013 #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA 0xC014 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256 0xC023 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384 0xC024 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 0xC025 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 0xC026 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 0xC027 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384 0xC028 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256 0xC029 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 0xC02A /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 0xC02B /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 0xC02C /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 0xC02D /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 0xC02E /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 0xC02F /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 0xC030 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 0xC031 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384 0xC032 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_128_CBC_SHA 0xC035 #define MBEDTLS_TLS_ECDHE_PSK_WITH_AES_256_CBC_SHA 0xC036 @@ -81,20 +65,12 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC048 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC049 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 0xC04A /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 0xC04B /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_CBC_SHA256 0xC04C /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_CBC_SHA384 0xC04D /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256 0xC04E /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384 0xC04F /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05C /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05D /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 0xC05E /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 0xC05F /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_128_GCM_SHA256 0xC060 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_ARIA_256_GCM_SHA384 0xC061 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256 0xC062 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384 0xC063 /**< TLS 1.2 */ #define MBEDTLS_TLS_PSK_WITH_ARIA_128_CBC_SHA256 0xC064 /**< TLS 1.2 */ #define MBEDTLS_TLS_PSK_WITH_ARIA_256_CBC_SHA384 0xC065 /**< TLS 1.2 */ #define MBEDTLS_TLS_PSK_WITH_ARIA_128_GCM_SHA256 0xC06A /**< TLS 1.2 */ @@ -104,21 +80,13 @@ extern "C" { #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC072 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC073 -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 0xC074 -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 0xC075 #define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC076 #define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC077 -#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256 0xC078 -#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384 0xC079 #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC086 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC087 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 0xC088 /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 0xC089 /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08A /**< TLS 1.2 */ #define MBEDTLS_TLS_ECDHE_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08B /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256 0xC08C /**< TLS 1.2 */ -#define MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384 0xC08D /**< TLS 1.2 */ #define MBEDTLS_TLS_PSK_WITH_CAMELLIA_128_GCM_SHA256 0xC08E /**< TLS 1.2 */ #define MBEDTLS_TLS_PSK_WITH_CAMELLIA_256_GCM_SHA384 0xC08F /**< TLS 1.2 */ @@ -163,16 +131,12 @@ typedef enum { MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA, MBEDTLS_KEY_EXCHANGE_PSK, MBEDTLS_KEY_EXCHANGE_ECDHE_PSK, - MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, MBEDTLS_KEY_EXCHANGE_ECJPAKE, } mbedtls_key_exchange_type_t; /* Key exchanges using a certificate */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) #define MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED #endif @@ -220,18 +184,6 @@ typedef enum { #define MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED #endif -/* Key exchanges using ECDH */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) -#define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED -#endif - -/* Key exchanges that don't involve ephemeral keys */ -#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) -#define MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED -#endif - /* Key exchanges that involve ephemeral keys */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ @@ -254,8 +206,7 @@ typedef enum { #endif /* TLS 1.2 key exchanges using ECDH or ECDHE*/ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) #define MBEDTLS_KEY_EXCHANGE_SOME_ECDH_OR_ECDHE_1_2_ENABLED #endif diff --git a/include/mbedtls/version.h b/include/mbedtls/version.h index 837787bc7f..4a0b216e3b 100644 --- a/include/mbedtls/version.h +++ b/include/mbedtls/version.h @@ -32,23 +32,14 @@ extern "C" { unsigned int mbedtls_version_get_number(void); /** - * Get the version string ("x.y.z"). - * - * \param string The string that will receive the value. - * (Should be at least 9 bytes in size) + * Get a pointer to the version string ("x.y.z"). */ -void mbedtls_version_get_string(char *string); +const char *mbedtls_version_get_string(void); /** - * Get the full version string ("Mbed TLS x.y.z"). - * - * \param string The string that will receive the value. The Mbed TLS version - * string will use 18 bytes AT MOST including a terminating - * null byte. - * (So the buffer should be at least 18 bytes to receive this - * version string). + * Get a pointer to the full version string ("Mbed TLS x.y.z"). */ -void mbedtls_version_get_string_full(char *string); +const char *mbedtls_version_get_string_full(void); /** * \brief Check if support for a feature was compiled into this diff --git a/include/mbedtls/x509.h b/include/mbedtls/x509.h index b1a80e3011..f76928aa10 100644 --- a/include/mbedtls/x509.h +++ b/include/mbedtls/x509.h @@ -17,7 +17,7 @@ #include "mbedtls/pk.h" #if defined(MBEDTLS_RSA_C) -#include "mbedtls/rsa.h" +#include "mbedtls/private/rsa.h" #endif /** @@ -74,11 +74,11 @@ /** Input invalid. */ #define MBEDTLS_ERR_X509_BAD_INPUT_DATA -0x2800 /** Allocation of memory failed. */ -#define MBEDTLS_ERR_X509_ALLOC_FAILED -0x2880 +#define MBEDTLS_ERR_X509_ALLOC_FAILED PSA_ERROR_INSUFFICIENT_MEMORY /** Read/write of file failed. */ #define MBEDTLS_ERR_X509_FILE_IO_ERROR -0x2900 /** Destination buffer is too small. */ -#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL -0x2980 +#define MBEDTLS_ERR_X509_BUFFER_TOO_SMALL PSA_ERROR_BUFFER_TOO_SMALL /** A fatal error occurred, eg the chain is too long or the vrfy callback failed. */ #define MBEDTLS_ERR_X509_FATAL_ERROR -0x3000 /** \} name X509 Error codes */ diff --git a/include/mbedtls/x509_crl.h b/include/mbedtls/x509_crl.h index e59d16502d..095cb5d9a5 100644 --- a/include/mbedtls/x509_crl.h +++ b/include/mbedtls/x509_crl.h @@ -82,7 +82,7 @@ typedef struct mbedtls_x509_crl { mbedtls_x509_buf MBEDTLS_PRIVATE(sig_oid2); mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ /** Next element in the linked list of CRL. * \p NULL indicates the end of the list. diff --git a/include/mbedtls/x509_crt.h b/include/mbedtls/x509_crt.h index a3f07892f6..3352e3824a 100644 --- a/include/mbedtls/x509_crt.h +++ b/include/mbedtls/x509_crt.h @@ -15,7 +15,7 @@ #include "mbedtls/x509.h" #include "mbedtls/x509_crl.h" -#include "mbedtls/bignum.h" +#include "mbedtls/private/bignum.h" /** * \addtogroup x509_module @@ -81,7 +81,7 @@ typedef struct mbedtls_x509_crt { mbedtls_x509_buf MBEDTLS_PRIVATE(sig); /**< Signature: hash of the tbs part signed with the private key. */ mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ /** Next certificate in the linked list that constitutes the CA chain. * \p NULL indicates the end of the list. @@ -234,7 +234,7 @@ mbedtls_x509write_cert; * \param ctx Certificate context to use * \param san_list List of SAN values * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note "dnsName", "uniformResourceIdentifier", "IP address", * "otherName", and "DirectoryName", as defined in RFC 5280, @@ -610,7 +610,7 @@ int mbedtls_x509_crt_verify_info(char *buf, size_t size, const char *prefix, * other than fatal error, as a non-zero return code * immediately aborts the verification process. For fatal * errors, a specific error code should be used (different - * from MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not + * from #MBEDTLS_ERR_X509_CERT_VERIFY_FAILED which should not * be returned at this point), or MBEDTLS_ERR_X509_FATAL_ERROR * can be used if no better code is available. * @@ -826,7 +826,7 @@ int mbedtls_x509_crt_verify_with_ca_cb(mbedtls_x509_crt *crt, * that bit MAY be set. * * \return 0 is these uses of the certificate are allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the keyUsage extension * is present but does not match the usage argument. * * \note You should only call this function on leaf certificates, on @@ -845,7 +845,7 @@ int mbedtls_x509_crt_check_key_usage(const mbedtls_x509_crt *crt, * \param usage_len Length of usage_oid (eg given by MBEDTLS_OID_SIZE()). * * \return 0 if this use of the certificate is allowed, - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if not. * * \note Usually only makes sense on leaf certificates. */ @@ -952,11 +952,11 @@ void mbedtls_x509write_crt_set_version(mbedtls_x509write_cert *ctx, int version) * input buffer * * \return 0 if successful, or - * MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer + * #MBEDTLS_ERR_X509_BAD_INPUT_DATA if the provided input buffer * is too big (longer than MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) */ int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, - unsigned char *serial, size_t serial_len); + const unsigned char *serial, size_t serial_len); /** * \brief Set the validity period for a Certificate @@ -1041,7 +1041,7 @@ void mbedtls_x509write_crt_set_md_alg(mbedtls_x509write_cert *ctx, mbedtls_md_ty * \param val value of the extension OCTET STRING * \param val_len length of the value data * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, const char *oid, size_t oid_len, @@ -1057,7 +1057,7 @@ int mbedtls_x509write_crt_set_extension(mbedtls_x509write_cert *ctx, * certificate (only for CA certificates, -1 is * unlimited) * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, int is_ca, int max_pathlen); @@ -1070,7 +1070,7 @@ int mbedtls_x509write_crt_set_basic_constraints(mbedtls_x509write_cert *ctx, * * \param ctx CRT context to use * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx); @@ -1081,7 +1081,7 @@ int mbedtls_x509write_crt_set_subject_key_identifier(mbedtls_x509write_cert *ctx * * \param ctx CRT context to use * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *ctx); #endif /* PSA_WANT_ALG_SHA_1 */ @@ -1093,7 +1093,7 @@ int mbedtls_x509write_crt_set_authority_key_identifier(mbedtls_x509write_cert *c * \param ctx CRT context to use * \param key_usage key usage flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, unsigned int key_usage); @@ -1106,7 +1106,7 @@ int mbedtls_x509write_crt_set_key_usage(mbedtls_x509write_cert *ctx, * \param exts extended key usage extensions to set, a sequence of * MBEDTLS_ASN1_OID objects * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, const mbedtls_asn1_sequence *exts); @@ -1118,7 +1118,7 @@ int mbedtls_x509write_crt_set_ext_key_usage(mbedtls_x509write_cert *ctx, * \param ctx CRT context to use * \param ns_cert_type Netscape Cert Type flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_crt_set_ns_cert_type(mbedtls_x509write_cert *ctx, unsigned char ns_cert_type); diff --git a/include/mbedtls/x509_csr.h b/include/mbedtls/x509_csr.h index bed1c953e5..60a553f55d 100644 --- a/include/mbedtls/x509_csr.h +++ b/include/mbedtls/x509_csr.h @@ -55,7 +55,7 @@ typedef struct mbedtls_x509_csr { mbedtls_x509_buf sig_oid; mbedtls_x509_buf MBEDTLS_PRIVATE(sig); mbedtls_md_type_t MBEDTLS_PRIVATE(sig_md); /**< Internal representation of the MD algorithm of the signature algorithm, e.g. MBEDTLS_MD_SHA256 */ - mbedtls_pk_type_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ + mbedtls_pk_sigalg_t MBEDTLS_PRIVATE(sig_pk); /**< Internal representation of the Public Key algorithm of the signature algorithm, e.g. MBEDTLS_PK_RSA */ } mbedtls_x509_csr; @@ -263,7 +263,7 @@ void mbedtls_x509write_csr_set_md_alg(mbedtls_x509write_csr *ctx, mbedtls_md_typ * \param ctx CSR context to use * \param key_usage key usage flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note The decipherOnly flag from the Key Usage * extension is represented by bit 8 (i.e. @@ -281,7 +281,7 @@ int mbedtls_x509write_csr_set_key_usage(mbedtls_x509write_csr *ctx, unsigned cha * \param ctx CSR context to use * \param san_list List of SAN values * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY * * \note Only "dnsName", "uniformResourceIdentifier" and "otherName", * as defined in RFC 5280, are supported. @@ -296,7 +296,7 @@ int mbedtls_x509write_csr_set_subject_alternative_name(mbedtls_x509write_csr *ct * \param ctx CSR context to use * \param ns_cert_type Netscape Cert Type flags to set * - * \return 0 if successful, or MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx, unsigned char ns_cert_type); @@ -312,7 +312,7 @@ int mbedtls_x509write_csr_set_ns_cert_type(mbedtls_x509write_csr *ctx, * \param val value of the extension OCTET STRING * \param val_len length of the value data * - * \return 0 if successful, or a MBEDTLS_ERR_X509_ALLOC_FAILED + * \return 0 if successful, or a #PSA_ERROR_INSUFFICIENT_MEMORY */ int mbedtls_x509write_csr_set_extension(mbedtls_x509write_csr *ctx, const char *oid, size_t oid_len, diff --git a/library/CMakeLists.txt b/library/CMakeLists.txt index 451dbfdb7c..5b8dc80b53 100644 --- a/library/CMakeLists.txt +++ b/library/CMakeLists.txt @@ -1,5 +1,6 @@ set(src_x509 error.c + mbedtls_config.c pkcs7.c x509.c x509_create.c @@ -84,10 +85,17 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ssl_debug_helpers.py ${tls_error_headers} ) -else() - link_to_source(error.c) - link_to_source(version_features.c) - link_to_source(ssl_debug_helpers_generated.c) + + add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target + DEPENDS + ${CMAKE_CURRENT_BINARY_DIR}/error.c + ) + + add_custom_target(${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target + DEPENDS + ${CMAKE_CURRENT_BINARY_DIR}/ssl_debug_helpers_generated.c + ${CMAKE_CURRENT_BINARY_DIR}/version_features.c + ) endif() if(CMAKE_COMPILER_IS_GNUCC) @@ -165,6 +173,13 @@ if(USE_STATIC_MBEDTLS_LIBRARY) target_compile_options(${mbedtls_static_target} PRIVATE ${LIBS_C_FLAGS}) set_target_properties(${mbedtls_static_target} PROPERTIES OUTPUT_NAME mbedtls) target_link_libraries(${mbedtls_static_target} PUBLIC ${libs} ${mbedx509_static_target}) + + if(GEN_FILES) + add_dependencies(${mbedx509_static_target} + ${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target) + add_dependencies(${mbedtls_static_target} + ${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target) + endif() endif(USE_STATIC_MBEDTLS_LIBRARY) if(USE_SHARED_MBEDTLS_LIBRARY) @@ -179,6 +194,13 @@ if(USE_SHARED_MBEDTLS_LIBRARY) target_compile_options(${mbedtls_target} PRIVATE ${LIBS_C_FLAGS}) set_target_properties(${mbedtls_target} PROPERTIES VERSION 4.0.0 SOVERSION 21) target_link_libraries(${mbedtls_target} PUBLIC ${libs} ${mbedx509_target}) + + if(GEN_FILES) + add_dependencies(${mbedx509_target} + ${MBEDTLS_TARGET_PREFIX}mbedx509_generated_files_target) + add_dependencies(${mbedtls_target} + ${MBEDTLS_TARGET_PREFIX}mbedtls_generated_files_target) + endif() endif(USE_SHARED_MBEDTLS_LIBRARY) foreach(target IN LISTS target_libraries) diff --git a/library/Makefile b/library/Makefile index a880f26171..f8729344b4 100644 --- a/library/Makefile +++ b/library/Makefile @@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES) OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS) OBJS_X509= \ + mbedtls_config.o \ x509.o \ x509_create.o \ x509_crl.o \ diff --git a/include/mbedtls/check_config.h b/library/mbedtls_check_config.h similarity index 90% rename from include/mbedtls/check_config.h rename to library/mbedtls_check_config.h index 5e5a5b31db..3107c11077 100644 --- a/include/mbedtls/check_config.h +++ b/library/mbedtls_check_config.h @@ -45,7 +45,6 @@ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_192) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_K1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_192) || \ - defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_224) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_256) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_384) || \ defined(MBEDTLS_PSA_ACCEL_ECC_SECP_R1_521) @@ -56,19 +55,6 @@ #endif /* not all curves accelerated */ #endif /* some curve accelerated */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || \ - !defined(PSA_HAVE_ALG_ECDSA_SIGN) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) ) -#error "MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) && \ - ( !defined(MBEDTLS_CAN_ECDH) || !defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) || \ - !defined(MBEDTLS_X509_CRT_PARSE_C) ) -#error "MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED defined, but not all prerequisites" -#endif - #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) && \ !defined(MBEDTLS_CAN_ECDH) #error "MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED defined, but not all prerequisites" @@ -151,8 +137,6 @@ #if defined(MBEDTLS_SSL_PROTO_TLS1_2) && \ !(defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) || \ defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) ) @@ -238,19 +222,6 @@ #error "MBEDTLS_SSL_CID_OUT_LEN_MAX too large (max 255)" #endif -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && \ - !defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) -#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT defined, but not all prerequisites" -#endif - -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT) && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 -#if defined(MBEDTLS_DEPRECATED_REMOVED) -#error "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" -#elif defined(MBEDTLS_DEPRECATED_WARNING) -#warning "MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT is deprecated and will be removed in a future version of Mbed TLS" -#endif -#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT && MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT != 0 */ - #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC) && \ !defined(MBEDTLS_SSL_PROTO_TLS1_2) #error "MBEDTLS_SSL_ENCRYPT_THEN_MAC defined, but not all prerequisites" diff --git a/library/mbedtls_config.c b/library/mbedtls_config.c new file mode 100644 index 0000000000..679f8e36f9 --- /dev/null +++ b/library/mbedtls_config.c @@ -0,0 +1,13 @@ +/* + * Mbed TLS configuration checks + */ +/* + * Copyright The Mbed TLS Contributors + * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + */ + +#include + +/* Consistency checks in the configuration: check for incompatible options, + * missing options when at least one of a set needs to be enabled, etc. */ +#include "mbedtls_check_config.h" diff --git a/library/ssl_ciphersuites.c b/library/ssl_ciphersuites.c index b979cad94f..39826eee66 100644 --- a/library/ssl_ciphersuites.c +++ b/library/ssl_ciphersuites.c @@ -109,46 +109,6 @@ static const int ciphersuite_preference[] = /* The ECJPAKE suite */ MBEDTLS_TLS_ECJPAKE_WITH_AES_128_CCM_8, - /* All AES-256 suites */ - MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, - MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, - - /* All CAMELLIA-256 suites */ - MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - - /* All ARIA-256 suites */ - MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, - MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, - MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, - - /* All AES-128 suites */ - MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, - MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, - MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, - - /* All CAMELLIA-128 suites */ - MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - - /* All ARIA-128 suites */ - MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, - MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, - MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, - /* The PSK suites */ MBEDTLS_TLS_PSK_WITH_CHACHA20_POLY1305_SHA256, MBEDTLS_TLS_PSK_WITH_AES_256_GCM_SHA384, @@ -178,8 +138,6 @@ static const int ciphersuite_preference[] = MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA256, MBEDTLS_TLS_ECDHE_PSK_WITH_NULL_SHA, - MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, - MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, MBEDTLS_TLS_PSK_WITH_NULL_SHA384, MBEDTLS_TLS_PSK_WITH_NULL_SHA256, MBEDTLS_TLS_PSK_WITH_NULL_SHA, @@ -467,186 +425,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_CIPHER_NULL_CIPHER */ #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) -#if defined(PSA_WANT_KEY_TYPE_AES) -#if defined(PSA_WANT_ALG_SHA_1) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA", - MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA", - MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#endif /* PSA_WANT_ALG_SHA_1 */ -#if defined(PSA_WANT_ALG_SHA_256) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-RSA-WITH-AES-128-CBC-SHA256", - MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#if defined(PSA_WANT_ALG_GCM) - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-RSA-WITH-AES-128-GCM-SHA256", - MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384", - MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#if defined(PSA_WANT_ALG_GCM) - { MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-RSA-WITH-AES-256-GCM-SHA384", - MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_KEY_TYPE_AES */ - -#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) -#if defined(PSA_WANT_ALG_SHA_256) - { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_CBC_SHA256, - "TLS-ECDH-RSA-WITH-CAMELLIA-128-CBC-SHA256", - MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) - { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_CBC_SHA384, - "TLS-ECDH-RSA-WITH-CAMELLIA-256-CBC-SHA384", - MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ - -#if defined(PSA_WANT_ALG_GCM) -#if defined(PSA_WANT_ALG_SHA_256) - { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_128_GCM_SHA256, - "TLS-ECDH-RSA-WITH-CAMELLIA-128-GCM-SHA256", - MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) - { MBEDTLS_TLS_ECDH_RSA_WITH_CAMELLIA_256_GCM_SHA384, - "TLS-ECDH-RSA-WITH-CAMELLIA-256-GCM-SHA384", - MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ - -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(PSA_WANT_ALG_SHA_1) - { MBEDTLS_TLS_ECDH_RSA_WITH_NULL_SHA, "TLS-ECDH-RSA-WITH-NULL-SHA", - MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - MBEDTLS_CIPHERSUITE_WEAK, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_1 */ -#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */ - -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) -#if defined(PSA_WANT_KEY_TYPE_AES) -#if defined(PSA_WANT_ALG_SHA_1) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA", - MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA", - MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#endif /* PSA_WANT_ALG_SHA_1 */ -#if defined(PSA_WANT_ALG_SHA_256) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-CBC-SHA256", - MBEDTLS_CIPHER_AES_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#if defined(PSA_WANT_ALG_GCM) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, "TLS-ECDH-ECDSA-WITH-AES-128-GCM-SHA256", - MBEDTLS_CIPHER_AES_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-CBC-SHA384", - MBEDTLS_CIPHER_AES_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ -#if defined(PSA_WANT_ALG_GCM) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, "TLS-ECDH-ECDSA-WITH-AES-256-GCM-SHA384", - MBEDTLS_CIPHER_AES_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_KEY_TYPE_AES */ - -#if defined(PSA_WANT_KEY_TYPE_CAMELLIA) -#if defined(PSA_WANT_ALG_CBC_NO_PADDING) -#if defined(PSA_WANT_ALG_SHA_256) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256, - "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-CBC-SHA256", - MBEDTLS_CIPHER_CAMELLIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384, - "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384", - MBEDTLS_CIPHER_CAMELLIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_ALG_CBC_NO_PADDING */ - -#if defined(PSA_WANT_ALG_GCM) -#if defined(PSA_WANT_ALG_SHA_256) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256, - "TLS-ECDH-ECDSA-WITH-CAMELLIA-128-GCM-SHA256", - MBEDTLS_CIPHER_CAMELLIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_256 */ -#if defined(PSA_WANT_ALG_SHA_384) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384, - "TLS-ECDH-ECDSA-WITH-CAMELLIA-256-GCM-SHA384", - MBEDTLS_CIPHER_CAMELLIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_384 */ -#endif /* PSA_WANT_ALG_GCM */ -#endif /* PSA_WANT_KEY_TYPE_CAMELLIA */ - -#if defined(MBEDTLS_CIPHER_NULL_CIPHER) -#if defined(PSA_WANT_ALG_SHA_1) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_NULL_SHA, "TLS-ECDH-ECDSA-WITH-NULL-SHA", - MBEDTLS_CIPHER_NULL, MBEDTLS_MD_SHA1, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - MBEDTLS_CIPHERSUITE_WEAK, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif /* PSA_WANT_ALG_SHA_1 */ -#endif /* MBEDTLS_CIPHER_NULL_CIPHER */ -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ - #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) #if defined(PSA_WANT_KEY_TYPE_AES) #if defined(PSA_WANT_ALG_GCM) @@ -898,41 +676,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) - -#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384)) - { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_GCM_SHA384, - "TLS-ECDH-RSA-WITH-ARIA-256-GCM-SHA384", - MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ - defined(PSA_WANT_ALG_SHA_384)) - { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_256_CBC_SHA384, - "TLS-ECDH-RSA-WITH-ARIA-256-CBC-SHA384", - MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256)) - { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_GCM_SHA256, - "TLS-ECDH-RSA-WITH-ARIA-128-GCM-SHA256", - MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ - defined(PSA_WANT_ALG_SHA_256)) - { MBEDTLS_TLS_ECDH_RSA_WITH_ARIA_128_CBC_SHA256, - "TLS-ECDH-RSA-WITH-ARIA-128-CBC-SHA256", - MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_RSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif - -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED */ - #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) #if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384)) @@ -1024,41 +767,6 @@ static const mbedtls_ssl_ciphersuite_t ciphersuite_definitions[] = #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) - -#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_384)) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384, - "TLS-ECDH-ECDSA-WITH-ARIA-256-GCM-SHA384", - MBEDTLS_CIPHER_ARIA_256_GCM, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ - defined(PSA_WANT_ALG_SHA_384)) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384, - "TLS-ECDH-ECDSA-WITH-ARIA-256-CBC-SHA384", - MBEDTLS_CIPHER_ARIA_256_CBC, MBEDTLS_MD_SHA384, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_GCM) && defined(PSA_WANT_ALG_SHA_256)) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256, - "TLS-ECDH-ECDSA-WITH-ARIA-128-GCM-SHA256", - MBEDTLS_CIPHER_ARIA_128_GCM, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif -#if (defined(PSA_WANT_ALG_CBC_NO_PADDING) && \ - defined(PSA_WANT_ALG_SHA_256)) - { MBEDTLS_TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256, - "TLS-ECDH-ECDSA-WITH-ARIA-128-CBC-SHA256", - MBEDTLS_CIPHER_ARIA_128_CBC, MBEDTLS_MD_SHA256, MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA, - 0, - MBEDTLS_SSL_VERSION_TLS1_2, MBEDTLS_SSL_VERSION_TLS1_2 }, -#endif - -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ - #endif /* PSA_WANT_KEY_TYPE_ARIA */ @@ -1203,10 +911,6 @@ mbedtls_pk_type_t mbedtls_ssl_get_ciphersuite_sig_pk_alg(const mbedtls_ssl_ciphe case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: return MBEDTLS_PK_ECDSA; - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - return MBEDTLS_PK_ECKEY; - default: return MBEDTLS_PK_NONE; } @@ -1222,10 +926,6 @@ psa_algorithm_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_alg(const mbedtls_ssl_cip case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: return PSA_ALG_ECDSA(mbedtls_md_psa_alg_from_type((mbedtls_md_type_t) info->mac)); - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - return PSA_ALG_ECDH; - default: return PSA_ALG_NONE; } @@ -1238,10 +938,6 @@ psa_key_usage_t mbedtls_ssl_get_ciphersuite_sig_pk_psa_usage(const mbedtls_ssl_c case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: return PSA_KEY_USAGE_SIGN_HASH; - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - return PSA_KEY_USAGE_DERIVE; - default: return 0; } @@ -1272,8 +968,6 @@ int mbedtls_ssl_ciphersuite_uses_ec(const mbedtls_ssl_ciphersuite_t *info) case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_PSK: - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECJPAKE: return 1; diff --git a/library/ssl_ciphersuites_internal.h b/library/ssl_ciphersuites_internal.h index d1db2dba46..524e419f47 100644 --- a/library/ssl_ciphersuites_internal.h +++ b/library/ssl_ciphersuites_internal.h @@ -41,12 +41,10 @@ static inline int mbedtls_ssl_ciphersuite_has_pfs(const mbedtls_ssl_ciphersuite_ } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PFS_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t *info) { switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: case MBEDTLS_KEY_EXCHANGE_PSK: return 1; @@ -54,28 +52,12 @@ static inline int mbedtls_ssl_ciphersuite_no_pfs(const mbedtls_ssl_ciphersuite_t return 0; } } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ - -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) -static inline int mbedtls_ssl_ciphersuite_uses_ecdh(const mbedtls_ssl_ciphersuite_t *info) -{ - switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - return 1; - - default: - return 0; - } -} -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_ciphersuite_t *info) { switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: return 1; @@ -87,9 +69,7 @@ static inline int mbedtls_ssl_ciphersuite_cert_req_allowed(const mbedtls_ssl_cip static inline int mbedtls_ssl_ciphersuite_uses_srv_cert(const mbedtls_ssl_ciphersuite_t *info) { switch (info->MBEDTLS_PRIVATE(key_exchange)) { - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: case MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA: return 1; diff --git a/library/ssl_misc.h b/library/ssl_misc.h index 72dc9418f2..ed3c4a776f 100644 --- a/library/ssl_misc.h +++ b/library/ssl_misc.h @@ -19,26 +19,26 @@ #include "mbedtls/debug.h" #include "debug_internal.h" -#include "mbedtls/cipher.h" +#include "mbedtls/private/cipher.h" #include "psa/crypto.h" #include "psa_util_internal.h" extern const mbedtls_error_pair_t psa_to_ssl_errors[7]; #if defined(PSA_WANT_ALG_MD5) -#include "mbedtls/md5.h" +#include "mbedtls/private/md5.h" #endif #if defined(PSA_WANT_ALG_SHA_1) -#include "mbedtls/sha1.h" +#include "mbedtls/private/sha1.h" #endif #if defined(PSA_WANT_ALG_SHA_256) -#include "mbedtls/sha256.h" +#include "mbedtls/private/sha256.h" #endif #if defined(PSA_WANT_ALG_SHA_512) -#include "mbedtls/sha512.h" +#include "mbedtls/private/sha512.h" #endif #include "mbedtls/pk.h" @@ -712,11 +712,6 @@ struct mbedtls_ssl_handshake_params { unsigned char retransmit_state; /*!< Retransmission state */ #endif -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - unsigned char group_list_heap_allocated; - unsigned char sig_algs_heap_allocated; -#endif - #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) uint8_t ecrs_enabled; /*!< Handshake supports EC restart? */ enum { /* this complements ssl->state with info on intra-state operations */ @@ -2243,10 +2238,6 @@ static inline int mbedtls_ssl_tls12_named_group_is_ecdhe(uint16_t named_group) named_group == MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_X448 || /* Below deprecated curves should be removed with notice to users */ - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1 || - named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1 || named_group == MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1 || @@ -2309,15 +2300,6 @@ static inline int mbedtls_ssl_named_group_is_supported(uint16_t named_group) /* * Return supported signature algorithms. - * - * In future, invocations can be changed to ssl->conf->sig_algs when - * mbedtls_ssl_conf_sig_hashes() is deleted. - * - * ssl->handshake->sig_algs is either a translation of sig_hashes to IANA TLS - * signature algorithm identifiers when mbedtls_ssl_conf_sig_hashes() has been - * used, or a pointer to ssl->conf->sig_algs when mbedtls_ssl_conf_sig_algs() has - * been more recently invoked. - * */ static inline const void *mbedtls_ssl_get_sig_algs( const mbedtls_ssl_context *ssl) @@ -2326,7 +2308,6 @@ static inline const void *mbedtls_ssl_get_sig_algs( #if !defined(MBEDTLS_DEPRECATED_REMOVED) if (ssl->handshake != NULL && - ssl->handshake->sig_algs_heap_allocated == 1 && ssl->handshake->sig_algs != NULL) { return ssl->handshake->sig_algs; } diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 5774bfc865..731cbc8ece 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -663,8 +663,7 @@ static void ssl_extract_add_data_from_record(unsigned char *add_data, unsigned char *cur = add_data; size_t ad_len_field = rec->data_len; -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) const unsigned char seq_num_placeholder[] = { 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff, 0xff }; #endif @@ -680,8 +679,7 @@ static void ssl_extract_add_data_from_record(unsigned char *add_data, ((void) tls_version); ((void) taglen); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if (rec->cid_len != 0) { // seq_num_placeholder memcpy(cur, seq_num_placeholder, sizeof(seq_num_placeholder)); @@ -711,24 +709,7 @@ static void ssl_extract_add_data_from_record(unsigned char *add_data, memcpy(cur, rec->ver, sizeof(rec->ver)); cur += sizeof(rec->ver); -#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 1 - - if (rec->cid_len != 0) { - // CID - memcpy(cur, rec->cid, rec->cid_len); - cur += rec->cid_len; - - // cid_length - *cur = rec->cid_len; - cur++; - - // length of inner plaintext - MBEDTLS_PUT_UINT16_BE(ad_len_field, cur, 0); - cur += 2; - } else -#elif defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) && \ - MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT == 0 +#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) if (rec->cid_len != 0) { // epoch + sequence number diff --git a/library/ssl_tls.c b/library/ssl_tls.c index 051fce36e3..38db9cd103 100644 --- a/library/ssl_tls.c +++ b/library/ssl_tls.c @@ -1066,73 +1066,6 @@ static int ssl_handshake_init(mbedtls_ssl_context *ssl) mbedtls_ssl_set_timer(ssl, 0); } #endif - -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -#if defined(MBEDTLS_SSL_PROTO_TLS1_2) - /* Heap allocate and translate sig_hashes from internal hash identifiers to - signature algorithms IANA identifiers. */ - if (mbedtls_ssl_conf_is_tls12_only(ssl->conf) && - ssl->conf->sig_hashes != NULL) { - const int *md; - const int *sig_hashes = ssl->conf->sig_hashes; - size_t sig_algs_len = 0; - uint16_t *p; - - MBEDTLS_STATIC_ASSERT(MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN - <= (SIZE_MAX - (2 * sizeof(uint16_t))), - "MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN too big"); - - for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { - if (mbedtls_ssl_hash_from_md_alg(*md) == MBEDTLS_SSL_HASH_NONE) { - continue; - } -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - sig_algs_len += sizeof(uint16_t); -#endif - -#if defined(MBEDTLS_RSA_C) - sig_algs_len += sizeof(uint16_t); -#endif - if (sig_algs_len > MBEDTLS_SSL_MAX_SIG_ALG_LIST_LEN) { - return MBEDTLS_ERR_SSL_BAD_CONFIG; - } - } - - if (sig_algs_len < MBEDTLS_SSL_MIN_SIG_ALG_LIST_LEN) { - return MBEDTLS_ERR_SSL_BAD_CONFIG; - } - - ssl->handshake->sig_algs = mbedtls_calloc(1, sig_algs_len + - sizeof(uint16_t)); - if (ssl->handshake->sig_algs == NULL) { - return MBEDTLS_ERR_SSL_ALLOC_FAILED; - } - - p = (uint16_t *) ssl->handshake->sig_algs; - for (md = sig_hashes; *md != MBEDTLS_MD_NONE; md++) { - unsigned char hash = mbedtls_ssl_hash_from_md_alg(*md); - if (hash == MBEDTLS_SSL_HASH_NONE) { - continue; - } -#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED) - *p = ((hash << 8) | MBEDTLS_SSL_SIG_ECDSA); - p++; -#endif -#if defined(MBEDTLS_RSA_C) - *p = ((hash << 8) | MBEDTLS_SSL_SIG_RSA); - p++; -#endif - } - *p = MBEDTLS_TLS_SIG_NONE; - ssl->handshake->sig_algs_heap_allocated = 1; - } else -#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */ - { - ssl->handshake->sig_algs_heap_allocated = 0; - } -#endif /* !MBEDTLS_DEPRECATED_REMOVED */ -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ return 0; } @@ -1820,14 +1753,13 @@ static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( size_t user_len = 0; const uint8_t *peer = NULL; size_t peer_len = 0; - psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE); + psa_pake_cs_set_algorithm(&cipher_suite, PSA_ALG_JPAKE(PSA_ALG_SHA_256)); psa_pake_cs_set_primitive(&cipher_suite, PSA_PAKE_PRIMITIVE(PSA_PAKE_PRIMITIVE_TYPE_ECC, PSA_ECC_FAMILY_SECP_R1, 256)); - psa_pake_cs_set_hash(&cipher_suite, PSA_ALG_SHA_256); - status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, &cipher_suite); + status = psa_pake_setup(&ssl->handshake->psa_pake_ctx, pwd, &cipher_suite); if (status != PSA_SUCCESS) { return status; } @@ -1854,11 +1786,6 @@ static psa_status_t mbedtls_ssl_set_hs_ecjpake_password_common( return status; } - status = psa_pake_set_password_key(&ssl->handshake->psa_pake_ctx, pwd); - if (status != PSA_SUCCESS) { - return status; - } - ssl->handshake->psa_pake_ctx_is_ok = 1; return PSA_SUCCESS; @@ -1881,7 +1808,7 @@ int mbedtls_ssl_set_hs_ecjpake_password(mbedtls_ssl_context *ssl, } psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256)); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); status = psa_import_key(&attributes, pw, pw_len, @@ -2425,24 +2352,11 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type } #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) && defined(MBEDTLS_SSL_PROTO_TLS1_2) -/* - * Set allowed/preferred hashes for handshake signatures - */ -void mbedtls_ssl_conf_sig_hashes(mbedtls_ssl_config *conf, - const int *hashes) -{ - conf->sig_hashes = hashes; -} -#endif /* !MBEDTLS_DEPRECATED_REMOVED && MBEDTLS_SSL_PROTO_TLS1_2 */ /* Configure allowed signature algorithms for handshake */ void mbedtls_ssl_conf_sig_algs(mbedtls_ssl_config *conf, const uint16_t *sig_algs) { -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - conf->sig_hashes = NULL; -#endif /* !MBEDTLS_DEPRECATED_REMOVED */ conf->sig_algs = sig_algs; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ @@ -2638,18 +2552,6 @@ void mbedtls_ssl_get_dtls_srtp_negotiation_result(const mbedtls_ssl_context *ssl } #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if !defined(MBEDTLS_DEPRECATED_REMOVED) -void mbedtls_ssl_conf_max_version(mbedtls_ssl_config *conf, int major, int minor) -{ - conf->max_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); -} - -void mbedtls_ssl_conf_min_version(mbedtls_ssl_config *conf, int major, int minor) -{ - conf->min_tls_version = (mbedtls_ssl_protocol_version) ((major << 8) | minor); -} -#endif /* MBEDTLS_DEPRECATED_REMOVED */ - #if defined(MBEDTLS_SSL_SRV_C) void mbedtls_ssl_conf_cert_req_ca_list(mbedtls_ssl_config *conf, char cert_req_ca_list) @@ -4465,20 +4367,8 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl) return; } -#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY) -#if !defined(MBEDTLS_DEPRECATED_REMOVED) - if (ssl->handshake->group_list_heap_allocated) { - mbedtls_free((void *) handshake->group_list); - } - handshake->group_list = NULL; -#endif /* MBEDTLS_DEPRECATED_REMOVED */ -#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */ - #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #if !defined(MBEDTLS_DEPRECATED_REMOVED) - if (ssl->handshake->sig_algs_heap_allocated) { - mbedtls_free((void *) handshake->sig_algs); - } handshake->sig_algs = NULL; #endif /* MBEDTLS_DEPRECATED_REMOVED */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -5898,15 +5788,6 @@ static const struct { #if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256) { 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 }, #endif -#if defined(PSA_WANT_ECC_SECP_R1_224) - { 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 }, -#endif -#if defined(PSA_WANT_ECC_SECP_R1_192) - { 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 }, -#endif -#if defined(PSA_WANT_ECC_SECP_K1_192) - { 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 }, -#endif #if defined(PSA_WANT_ECC_MONTGOMERY_255) { 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 }, #endif @@ -5971,10 +5852,6 @@ static const struct { { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, "secp256r1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256K1, "secp256k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224K1, "secp224k1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1" }, - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1" }, { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519" }, { MBEDTLS_SSL_IANA_TLS_GROUP_X448, "x448" }, { 0, NULL }, @@ -6508,8 +6385,28 @@ static int ssl_compute_master(mbedtls_ssl_handshake_params *handshake, return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; } - status = psa_pake_get_implicit_key(&handshake->psa_pake_ctx, - &derivation); + mbedtls_svc_key_id_t shared_key_id = MBEDTLS_SVC_KEY_ID_INIT; + + psa_key_attributes_t shared_key_attributes = PSA_KEY_ATTRIBUTES_INIT; + psa_set_key_usage_flags(&shared_key_attributes, PSA_KEY_USAGE_DERIVE); + psa_set_key_algorithm(&shared_key_attributes, alg); + psa_set_key_type(&shared_key_attributes, PSA_KEY_TYPE_DERIVE); + + status = psa_pake_get_shared_key(&handshake->psa_pake_ctx, + &shared_key_attributes, + &shared_key_id); + + if (status != PSA_SUCCESS) { + psa_key_derivation_abort(&derivation); + return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; + } + + status = psa_key_derivation_input_key(&derivation, + PSA_KEY_DERIVATION_INPUT_SECRET, + shared_key_id); + + psa_destroy_key(shared_key_id); + if (status != PSA_SUCCESS) { psa_key_derivation_abort(&derivation); return MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; @@ -8726,11 +8623,6 @@ int mbedtls_ssl_check_cert_usage(const mbedtls_x509_crt *cert, usage = MBEDTLS_X509_KU_DIGITAL_SIGNATURE; break; - case MBEDTLS_KEY_EXCHANGE_ECDH_RSA: - case MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA: - usage = MBEDTLS_X509_KU_KEY_AGREEMENT; - break; - /* Don't use default: we want warnings when adding new values */ case MBEDTLS_KEY_EXCHANGE_NONE: case MBEDTLS_KEY_EXCHANGE_PSK: diff --git a/library/ssl_tls12_client.c b/library/ssl_tls12_client.c index 2129da122d..7675f95e37 100644 --- a/library/ssl_tls12_client.c +++ b/library/ssl_tls12_client.c @@ -1732,71 +1732,6 @@ static int ssl_parse_server_psk_hint(mbedtls_ssl_context *ssl, } #endif /* MBEDTLS_KEY_EXCHANGE_SOME_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - mbedtls_pk_context *peer_pk; - -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - peer_pk = &ssl->handshake->peer_pubkey; -#else /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - if (ssl->session_negotiate->peer_cert == NULL) { - /* Should never happen */ - MBEDTLS_SSL_DEBUG_MSG(1, ("should never happen")); - return MBEDTLS_ERR_SSL_INTERNAL_ERROR; - } - peer_pk = &ssl->session_negotiate->peer_cert->pk; -#endif /* MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - - /* This is a public key, so it can't be opaque, so can_do() is a good - * enough check to ensure pk_ec() is safe to use below. */ - if (!mbedtls_pk_can_do(peer_pk, MBEDTLS_PK_ECKEY)) { - MBEDTLS_SSL_DEBUG_MSG(1, ("server key not ECDH capable")); - return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; - } - - uint16_t tls_id = 0; - psa_key_type_t key_type = PSA_KEY_TYPE_NONE; - mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk); - - if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)")); - return MBEDTLS_ERR_SSL_BAD_CERTIFICATE; - } - - tls_id = mbedtls_ssl_get_tls_id_from_ecp_group_id(grp_id); - if (tls_id == 0) { - MBEDTLS_SSL_DEBUG_MSG(1, ("ECC group %u not supported", - grp_id)); - return MBEDTLS_ERR_SSL_ILLEGAL_PARAMETER; - } - - /* If the above conversion to TLS ID was fine, then also this one will be, - so there is no need to check the return value here */ - mbedtls_ssl_get_psa_curve_info_from_tls_id(tls_id, &key_type, - &ssl->handshake->xxdh_psa_bits); - - ssl->handshake->xxdh_psa_type = key_type; - - /* Store peer's public key in psa format. */ - memcpy(ssl->handshake->xxdh_psa_peerkey, peer_pk->pub_raw, peer_pk->pub_raw_len); - ssl->handshake->xxdh_psa_peerkey_len = peer_pk->pub_raw_len; - ret = 0; -#if !defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE) - /* We don't need the peer's public key anymore. Free it, - * so that more RAM is available for upcoming expensive - * operations like ECDHE. */ - mbedtls_pk_free(peer_pk); -#endif /* !MBEDTLS_SSL_KEEP_PEER_CERTIFICATE */ - - return ret; -} -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ - MBEDTLS_CHECK_RETURN_CRITICAL static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) { @@ -1807,28 +1742,6 @@ static int ssl_parse_server_key_exchange(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> parse server key exchange")); -#if defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) - if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { - if ((ret = ssl_get_ecdh_params_from_cert(ssl)) != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); - mbedtls_ssl_send_alert_message( - ssl, - MBEDTLS_SSL_ALERT_LEVEL_FATAL, - MBEDTLS_SSL_ALERT_MSG_HANDSHAKE_FAILURE); - return ret; - } - - MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip parse server key exchange")); - mbedtls_ssl_handshake_increment_state(ssl); - return 0; - } - ((void) p); - ((void) end); -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ - #if defined(MBEDTLS_SSL_ECP_RESTARTABLE_ENABLED) if (ssl->handshake->ecrs_enabled && ssl->handshake->ecrs_state == ssl_ecrs_ske_start_processing) { @@ -2380,13 +2293,9 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) MBEDTLS_SSL_DEBUG_MSG(2, ("=> write client key exchange")); #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_status_t destruction_status = PSA_ERROR_CORRUPTION_DETECTED; psa_key_attributes_t key_attributes; @@ -2460,9 +2369,7 @@ static int ssl_write_client_key_exchange(mbedtls_ssl_context *ssl) } } else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED) if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_PSK) { psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; diff --git a/library/ssl_tls12_server.c b/library/ssl_tls12_server.c index b2b5e33c0b..256f1b1583 100644 --- a/library/ssl_tls12_server.c +++ b/library/ssl_tls12_server.c @@ -22,8 +22,7 @@ /* Define a local translating function to save code size by not using too many * arguments in each translating place. */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDHE_ENABLED) static int local_err_translation(psa_status_t status) { return psa_status_to_mbedtls(status, psa_to_ssl_errors, @@ -34,7 +33,7 @@ static int local_err_translation(psa_status_t status) #endif #if defined(MBEDTLS_ECP_C) -#include "mbedtls/ecp.h" +#include "mbedtls/private/ecp.h" #endif #if defined(MBEDTLS_HAVE_TIME) @@ -2513,100 +2512,6 @@ static int ssl_write_certificate_request(mbedtls_ssl_context *ssl) } #endif /* MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED */ -#if (defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED)) -MBEDTLS_CHECK_RETURN_CRITICAL -static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl) -{ - int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; - psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_pk_context *pk; - mbedtls_pk_type_t pk_type; - psa_key_attributes_t key_attributes = PSA_KEY_ATTRIBUTES_INIT; - unsigned char buf[PSA_KEY_EXPORT_ECC_KEY_PAIR_MAX_SIZE(PSA_VENDOR_ECC_MAX_CURVE_BITS)]; - size_t key_len; - - pk = mbedtls_ssl_own_key(ssl); - - if (pk == NULL) { - return MBEDTLS_ERR_ECP_BAD_INPUT_DATA; - } - - pk_type = mbedtls_pk_get_type(pk); - - switch (pk_type) { - case MBEDTLS_PK_OPAQUE: - case MBEDTLS_PK_ECKEY: - case MBEDTLS_PK_ECKEY_DH: - case MBEDTLS_PK_ECDSA: - if (!mbedtls_pk_can_do(pk, MBEDTLS_PK_ECKEY)) { - return MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; - } - - /* Get the attributes of the key previously parsed by PK module in - * order to extract its type and length (in bits). */ - status = psa_get_key_attributes(pk->priv_id, &key_attributes); - if (status != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - goto exit; - } - ssl->handshake->xxdh_psa_type = psa_get_key_type(&key_attributes); - ssl->handshake->xxdh_psa_bits = psa_get_key_bits(&key_attributes); - - if (pk_type != MBEDTLS_PK_OPAQUE) { - /* PK_ECKEY[_DH] and PK_ECDSA instead as parsed from the PK - * module and only have ECDSA capabilities. Since we need - * them for ECDH later, we export and then re-import them with - * proper flags and algorithm. Of course We also set key's type - * and bits that we just got above. */ - key_attributes = psa_key_attributes_init(); - psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&key_attributes, PSA_ALG_ECDH); - psa_set_key_type(&key_attributes, - PSA_KEY_TYPE_ECC_KEY_PAIR(ssl->handshake->xxdh_psa_type)); - psa_set_key_bits(&key_attributes, ssl->handshake->xxdh_psa_bits); - - status = psa_export_key(pk->priv_id, buf, sizeof(buf), &key_len); - if (status != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - goto exit; - } - status = psa_import_key(&key_attributes, buf, key_len, - &ssl->handshake->xxdh_psa_privkey); - if (status != PSA_SUCCESS) { - ret = PSA_TO_MBEDTLS_ERR(status); - goto exit; - } - - /* Set this key as owned by the TLS library: it will be its duty - * to clear it exit. */ - ssl->handshake->xxdh_psa_privkey_is_external = 0; - - ret = 0; - break; - } - - /* Opaque key is created by the user (externally from Mbed TLS) - * so we assume it already has the right algorithm and flags - * set. Just copy its ID as reference. */ - ssl->handshake->xxdh_psa_privkey = pk->priv_id; - ssl->handshake->xxdh_psa_privkey_is_external = 1; - ret = 0; - break; - - default: - ret = MBEDTLS_ERR_SSL_PK_TYPE_MISMATCH; - } - -exit: - psa_reset_key_attributes(&key_attributes); - mbedtls_platform_zeroize(buf, sizeof(buf)); - - return ret; -} -#endif /* MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ - #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ defined(MBEDTLS_SSL_ASYNC_PRIVATE) MBEDTLS_CHECK_RETURN_CRITICAL @@ -2997,36 +2902,22 @@ static int ssl_write_server_key_exchange(mbedtls_ssl_context *ssl) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; size_t signature_len = 0; -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) const mbedtls_ssl_ciphersuite_t *ciphersuite_info = ssl->handshake->ciphersuite_info; -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ MBEDTLS_SSL_DEBUG_MSG(2, ("=> write server key exchange")); -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED) - /* Extract static ECDH parameters and abort if ServerKeyExchange - * is not needed. */ +#if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if (mbedtls_ssl_ciphersuite_no_pfs(ciphersuite_info)) { - /* For suites involving ECDH, extract DH parameters - * from certificate at this point. */ -#if defined(MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED) - if (mbedtls_ssl_ciphersuite_uses_ecdh(ciphersuite_info)) { - ret = ssl_get_ecdh_params_from_cert(ssl); - if (ret != 0) { - MBEDTLS_SSL_DEBUG_RET(1, "ssl_get_ecdh_params_from_cert", ret); - return ret; - } - } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_ECDH_ENABLED */ - /* Key exchanges not involving ephemeral keys don't use * ServerKeyExchange, so end here. */ MBEDTLS_SSL_DEBUG_MSG(2, ("<= skip write server key exchange")); mbedtls_ssl_handshake_increment_state(ssl); return 0; } -#endif /* MBEDTLS_KEY_EXCHANGE_SOME_NON_PFS_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_PSK_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_WITH_SERVER_SIGNATURE_ENABLED) && \ defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -3210,13 +3101,9 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) } #if defined(MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED) || \ - defined(MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED) + defined(MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED) if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_RSA || - ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA) { + ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA) { size_t data_len = (size_t) (*p++); size_t buf_len = (size_t) (end - p); psa_status_t status = PSA_ERROR_GENERIC_ERROR; @@ -3279,9 +3166,7 @@ static int ssl_parse_client_key_exchange(mbedtls_ssl_context *ssl) handshake->xxdh_psa_privkey = MBEDTLS_SVC_KEY_ID_INIT; } else #endif /* MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED || - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED */ + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED */ #if defined(MBEDTLS_KEY_EXCHANGE_PSK_ENABLED) if (ciphersuite_info->key_exchange == MBEDTLS_KEY_EXCHANGE_PSK) { if ((ret = ssl_parse_client_psk_identity(ssl, &p, end)) != 0) { diff --git a/library/ssl_tls13_generic.c b/library/ssl_tls13_generic.c index 372bf84608..e88c00a564 100644 --- a/library/ssl_tls13_generic.c +++ b/library/ssl_tls13_generic.c @@ -963,7 +963,7 @@ static int ssl_tls13_write_certificate_verify_body(mbedtls_ssl_context *ssl, MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len); - if ((ret = mbedtls_pk_sign_ext(pk_type, own_key, + if ((ret = mbedtls_pk_sign_ext((mbedtls_pk_sigalg_t) pk_type, own_key, md_alg, verify_hash, verify_hash_len, p + 4, (size_t) (end - (p + 4)), &signature_len)) != 0) { MBEDTLS_SSL_DEBUG_MSG(2, ("CertificateVerify signature failed with %s", @@ -1144,7 +1144,8 @@ static int ssl_tls13_prepare_finished_message(mbedtls_ssl_context *ssl) ssl->handshake->state_local.finished_out.digest, sizeof(ssl->handshake->state_local.finished_out. digest), - &ssl->handshake->state_local.finished_out.digest_len, + &ssl->handshake->state_local.finished_out. + digest_len, ssl->conf->endpoint); if (ret != 0) { diff --git a/library/version.c b/library/version.c index 2cd947da72..e828673c0d 100644 --- a/library/version.c +++ b/library/version.c @@ -17,16 +17,14 @@ unsigned int mbedtls_version_get_number(void) return MBEDTLS_VERSION_NUMBER; } -void mbedtls_version_get_string(char *string) +const char *mbedtls_version_get_string(void) { - memcpy(string, MBEDTLS_VERSION_STRING, - sizeof(MBEDTLS_VERSION_STRING)); + return MBEDTLS_VERSION_STRING; } -void mbedtls_version_get_string_full(char *string) +const char *mbedtls_version_get_string_full(void) { - memcpy(string, MBEDTLS_VERSION_STRING_FULL, - sizeof(MBEDTLS_VERSION_STRING_FULL)); + return MBEDTLS_VERSION_STRING_FULL; } #endif /* MBEDTLS_VERSION_C */ diff --git a/library/x509.c b/library/x509.c index f315821fdf..1adff8fafc 100644 --- a/library/x509.c +++ b/library/x509.c @@ -24,6 +24,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include @@ -716,7 +717,7 @@ int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x5 * Get signature algorithm from alg OID and optional parameters */ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg) + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; @@ -725,7 +726,7 @@ int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509 } #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (*pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (*pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { mbedtls_md_type_t mgf1_hash_id; int expected_salt_len; @@ -1038,7 +1039,7 @@ int mbedtls_x509_serial_gets(char *buf, size_t size, const mbedtls_x509_buf *ser * Helper for writing signature algorithms */ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, - mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg) + mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; char *p = buf; @@ -1054,7 +1055,7 @@ int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *si MBEDTLS_X509_SAFE_SNPRINTF; #if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) - if (pk_alg == MBEDTLS_PK_RSASSA_PSS) { + if (pk_alg == MBEDTLS_PK_SIGALG_RSA_PSS) { const char *name = md_type_to_string(md_alg); if (name != NULL) { ret = mbedtls_snprintf(p, n, " (%s)", name); diff --git a/library/x509_create.c b/library/x509_create.c index 17fc8fbeb5..370eb9b2e1 100644 --- a/library/x509_create.c +++ b/library/x509_create.c @@ -14,6 +14,7 @@ #include "mbedtls/oid.h" #include "x509_oid.h" +#include #include #include "mbedtls/platform.h" @@ -645,7 +646,7 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size, - mbedtls_pk_type_t pk_alg) + mbedtls_pk_sigalg_t pk_alg) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; int write_null_par; @@ -671,7 +672,7 @@ int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, // Write OID // - if (pk_alg == MBEDTLS_PK_ECDSA) { + if (pk_alg == MBEDTLS_PK_SIGALG_ECDSA) { /* * The AlgorithmIdentifier's parameters field must be absent for DSA/ECDSA signature * algorithms, see https://www.rfc-editor.org/rfc/rfc5480#page-17 and diff --git a/library/x509_crt.c b/library/x509_crt.c index 3947eb09aa..e6b9252859 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -27,6 +27,7 @@ #include "x509_oid.h" #include "mbedtls/platform_util.h" +#include #include #if defined(MBEDTLS_PEM_PARSE_C) @@ -187,9 +188,9 @@ static int x509_profile_check_md_alg(const mbedtls_x509_crt_profile *profile, * Return 0 if pk_alg is acceptable for this profile, -1 otherwise */ static int x509_profile_check_pk_alg(const mbedtls_x509_crt_profile *profile, - mbedtls_pk_type_t pk_alg) + mbedtls_pk_sigalg_t pk_alg) { - if (pk_alg == MBEDTLS_PK_NONE) { + if (pk_alg == MBEDTLS_PK_SIGALG_NONE) { return -1; } @@ -2060,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca, flags |= MBEDTLS_X509_BADCERT_BAD_KEY; } - if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk, + if (mbedtls_pk_verify_ext(crl_list->sig_pk, &ca->pk, crl_list->sig_md, hash, hash_length, crl_list->sig.p, crl_list->sig.len) != 0) { flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED; @@ -2120,12 +2121,12 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, } /* Skip expensive computation on obvious mismatch */ - if (!mbedtls_pk_can_do(&parent->pk, child->sig_pk)) { + if (!mbedtls_pk_can_do(&parent->pk, (mbedtls_pk_type_t) child->sig_pk)) { return -1; } #if defined(MBEDTLS_ECP_RESTARTABLE) - if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_ECDSA) { + if (rs_ctx != NULL && child->sig_pk == MBEDTLS_PK_SIGALG_ECDSA) { return mbedtls_pk_verify_restartable(&parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len, &rs_ctx->pk); @@ -2134,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child, (void) rs_ctx; #endif - return mbedtls_pk_verify_new(child->sig_pk, &parent->pk, + return mbedtls_pk_verify_ext(child->sig_pk, &parent->pk, child->sig_md, hash, hash_len, child->sig.p, child->sig.len); } @@ -3056,7 +3057,7 @@ static int x509_crt_verify_restartable_ca_cb(mbedtls_x509_crt *crt, /* Check the type and size of the key */ pk_type = mbedtls_pk_get_type(&crt->pk); - if (x509_profile_check_pk_alg(profile, pk_type) != 0) { + if (x509_profile_check_pk_alg(profile, (mbedtls_pk_sigalg_t) pk_type) != 0) { ee_flags |= MBEDTLS_X509_BADCERT_BAD_PK; } diff --git a/library/x509_internal.h b/library/x509_internal.h index 8160270be1..5505b9778c 100644 --- a/library/x509_internal.h +++ b/library/x509_internal.h @@ -19,7 +19,7 @@ #include "pk_internal.h" #if defined(MBEDTLS_RSA_C) -#include "mbedtls/rsa.h" +#include "mbedtls/private/rsa.h" #endif int mbedtls_x509_get_name(unsigned char **p, const unsigned char *end, @@ -35,7 +35,7 @@ int mbedtls_x509_get_rsassa_pss_params(const mbedtls_x509_buf *params, #endif int mbedtls_x509_get_sig(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *sig); int mbedtls_x509_get_sig_alg(const mbedtls_x509_buf *sig_oid, const mbedtls_x509_buf *sig_params, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg); + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg); int mbedtls_x509_get_time(unsigned char **p, const unsigned char *end, mbedtls_x509_time *t); int mbedtls_x509_get_serial(unsigned char **p, const unsigned char *end, @@ -44,7 +44,7 @@ int mbedtls_x509_get_ext(unsigned char **p, const unsigned char *end, mbedtls_x509_buf *ext, int tag); #if !defined(MBEDTLS_X509_REMOVE_INFO) int mbedtls_x509_sig_alg_gets(char *buf, size_t size, const mbedtls_x509_buf *sig_oid, - mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg); + mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg); #endif int mbedtls_x509_key_size_helper(char *buf, size_t buf_size, const char *name); int mbedtls_x509_set_extension(mbedtls_asn1_named_data **head, const char *oid, size_t oid_len, @@ -57,7 +57,7 @@ int mbedtls_x509_write_names(unsigned char **p, unsigned char *start, int mbedtls_x509_write_sig(unsigned char **p, unsigned char *start, const char *oid, size_t oid_len, unsigned char *sig, size_t size, - mbedtls_pk_type_t pk_alg); + mbedtls_pk_sigalg_t pk_alg); int mbedtls_x509_get_ns_cert_type(unsigned char **p, const unsigned char *end, unsigned char *ns_cert_type); diff --git a/library/x509_oid.c b/library/x509_oid.c index d69fd513ba..cc0063bcd3 100644 --- a/library/x509_oid.c +++ b/library/x509_oid.c @@ -381,7 +381,7 @@ FN_OID_GET_ATTR1(mbedtls_x509_oid_get_certificate_policies, typedef struct { mbedtls_x509_oid_descriptor_t descriptor; mbedtls_md_type_t md_alg; - mbedtls_pk_type_t pk_alg; + mbedtls_pk_sigalg_t pk_alg; } oid_sig_alg_t; static const oid_sig_alg_t oid_sig_alg[] = @@ -390,47 +390,47 @@ static const oid_sig_alg_t oid_sig_alg[] = #if defined(PSA_WANT_ALG_MD5) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_MD5, "md5WithRSAEncryption", "RSA with MD5"), - MBEDTLS_MD_MD5, MBEDTLS_PK_RSA, + MBEDTLS_MD_MD5, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_MD5 */ #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA1, "sha-1WithRSAEncryption", "RSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_1 */ #if defined(PSA_WANT_ALG_SHA_224) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA224, "sha224WithRSAEncryption", "RSA with SHA-224"), - MBEDTLS_MD_SHA224, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA224, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_224 */ #if defined(PSA_WANT_ALG_SHA_256) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA256, "sha256WithRSAEncryption", "RSA with SHA-256"), - MBEDTLS_MD_SHA256, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA256, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA384, "sha384WithRSAEncryption", "RSA with SHA-384"), - MBEDTLS_MD_SHA384, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA384, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) { OID_DESCRIPTOR(MBEDTLS_OID_PKCS1_SHA512, "sha512WithRSAEncryption", "RSA with SHA-512"), - MBEDTLS_MD_SHA512, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA512, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_512 */ #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_RSA_SHA_OBS, "sha-1WithRSAEncryption", "RSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_RSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_RSA_PKCS1V15, }, #endif /* PSA_WANT_ALG_SHA_1 */ #endif /* MBEDTLS_RSA_C */ @@ -438,43 +438,43 @@ static const oid_sig_alg_t oid_sig_alg[] = #if defined(PSA_WANT_ALG_SHA_1) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA1, "ecdsa-with-SHA1", "ECDSA with SHA1"), - MBEDTLS_MD_SHA1, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA1, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_1 */ #if defined(PSA_WANT_ALG_SHA_224) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA224, "ecdsa-with-SHA224", "ECDSA with SHA224"), - MBEDTLS_MD_SHA224, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA224, MBEDTLS_PK_SIGALG_ECDSA, }, #endif #if defined(PSA_WANT_ALG_SHA_256) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA256, "ecdsa-with-SHA256", "ECDSA with SHA256"), - MBEDTLS_MD_SHA256, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA256, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_256 */ #if defined(PSA_WANT_ALG_SHA_384) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA384, "ecdsa-with-SHA384", "ECDSA with SHA384"), - MBEDTLS_MD_SHA384, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA384, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_384 */ #if defined(PSA_WANT_ALG_SHA_512) { OID_DESCRIPTOR(MBEDTLS_OID_ECDSA_SHA512, "ecdsa-with-SHA512", "ECDSA with SHA512"), - MBEDTLS_MD_SHA512, MBEDTLS_PK_ECDSA, + MBEDTLS_MD_SHA512, MBEDTLS_PK_SIGALG_ECDSA, }, #endif /* PSA_WANT_ALG_SHA_512 */ #endif /* PSA_HAVE_ALG_SOME_ECDSA */ #if defined(MBEDTLS_RSA_C) { OID_DESCRIPTOR(MBEDTLS_OID_RSASSA_PSS, "RSASSA-PSS", "RSASSA-PSS"), - MBEDTLS_MD_NONE, MBEDTLS_PK_RSASSA_PSS, + MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_RSA_PSS, }, #endif /* MBEDTLS_RSA_C */ { NULL_OID_DESCRIPTOR, - MBEDTLS_MD_NONE, MBEDTLS_PK_NONE, + MBEDTLS_MD_NONE, MBEDTLS_PK_SIGALG_NONE, }, }; @@ -494,14 +494,14 @@ FN_OID_GET_ATTR2(mbedtls_x509_oid_get_sig_alg, sig_alg, mbedtls_md_type_t, md_alg, - mbedtls_pk_type_t, + mbedtls_pk_sigalg_t, pk_alg) #endif /* MBEDTLS_X509_USE_C */ #if defined(MBEDTLS_X509_CRT_WRITE_C) || defined(MBEDTLS_X509_CSR_WRITE_C) FN_OID_GET_OID_BY_ATTR2(mbedtls_x509_oid_get_oid_by_sig_alg, oid_sig_alg_t, oid_sig_alg, - mbedtls_pk_type_t, + mbedtls_pk_sigalg_t, pk_alg, mbedtls_md_type_t, md_alg) diff --git a/library/x509_oid.h b/library/x509_oid.h index 8d5e1bbff1..0752953aac 100644 --- a/library/x509_oid.h +++ b/library/x509_oid.h @@ -80,7 +80,7 @@ int mbedtls_x509_oid_get_attr_short_name(const mbedtls_asn1_buf *oid, const char * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID */ int mbedtls_x509_oid_get_sig_alg(const mbedtls_asn1_buf *oid, - mbedtls_md_type_t *md_alg, mbedtls_pk_type_t *pk_alg); + mbedtls_md_type_t *md_alg, mbedtls_pk_sigalg_t *pk_alg); #if !defined(MBEDTLS_X509_REMOVE_INFO) /** @@ -106,7 +106,7 @@ int mbedtls_x509_oid_get_sig_alg_desc(const mbedtls_asn1_buf *oid, const char ** * * \return 0 if successful, or MBEDTLS_ERR_X509_UNKNOWN_OID */ -int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_type_t pk_alg, mbedtls_md_type_t md_alg, +int mbedtls_x509_oid_get_oid_by_sig_alg(mbedtls_pk_sigalg_t pk_alg, mbedtls_md_type_t md_alg, const char **oid, size_t *olen); #endif /* MBEDTLS_X509_CRT_WRITE_C || MBEDTLS_X509_CSR_WRITE_C */ diff --git a/library/x509write_crt.c b/library/x509write_crt.c index 09c2328b1a..663b308d62 100644 --- a/library/x509write_crt.c +++ b/library/x509write_crt.c @@ -94,7 +94,7 @@ int mbedtls_x509write_crt_set_issuer_name(mbedtls_x509write_cert *ctx, } int mbedtls_x509write_crt_set_serial_raw(mbedtls_x509write_cert *ctx, - unsigned char *serial, size_t serial_len) + const unsigned char *serial, size_t serial_len) { if (serial_len > MBEDTLS_X509_RFC5280_MAX_SERIAL_LEN) { return MBEDTLS_ERR_X509_BAD_INPUT_DATA; @@ -416,7 +416,7 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, return MBEDTLS_ERR_X509_INVALID_ALG; } - if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg, + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; } @@ -587,7 +587,8 @@ int mbedtls_x509write_crt_der(mbedtls_x509write_cert *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, c, sig_oid, sig_oid_len, - sig, sig_len, pk_alg)); + sig, sig_len, + (mbedtls_pk_sigalg_t) pk_alg)); /* * Memory layout after this step: diff --git a/library/x509write_csr.c b/library/x509write_csr.c index 88adf794f7..8e37278f95 100644 --- a/library/x509write_csr.c +++ b/library/x509write_csr.c @@ -230,7 +230,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, return MBEDTLS_ERR_X509_INVALID_ALG; } - if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg(pk_alg, ctx->md_alg, + if ((ret = mbedtls_x509_oid_get_oid_by_sig_alg((mbedtls_pk_sigalg_t) pk_alg, ctx->md_alg, &sig_oid, &sig_oid_len)) != 0) { return ret; } @@ -249,7 +249,7 @@ static int x509write_csr_der_internal(mbedtls_x509write_csr *ctx, c2 = buf + size; MBEDTLS_ASN1_CHK_ADD(sig_and_oid_len, mbedtls_x509_write_sig(&c2, buf + len, sig_oid, sig_oid_len, - sig, sig_len, pk_alg)); + sig, sig_len, (mbedtls_pk_sigalg_t) pk_alg)); /* * Compact the space between the CSR data and signature by moving the diff --git a/programs/.gitignore b/programs/.gitignore index 7eaf38d85b..004dcf22f7 100644 --- a/programs/.gitignore +++ b/programs/.gitignore @@ -8,11 +8,6 @@ hash/md5sum hash/sha1sum hash/sha2sum -pkey/gen_key -pkey/pk_sign -pkey/pk_verify -pkey/rsa_sign_pss -pkey/rsa_verify_pss ssl/dtls_client ssl/dtls_server ssl/mini_client diff --git a/programs/CMakeLists.txt b/programs/CMakeLists.txt index 1e5b2a4b67..1aba21b756 100644 --- a/programs/CMakeLists.txt +++ b/programs/CMakeLists.txt @@ -4,7 +4,7 @@ add_custom_target(${programs_target}) if (NOT WIN32) add_subdirectory(fuzz) endif() -add_subdirectory(pkey) + add_subdirectory(ssl) add_subdirectory(test) add_subdirectory(util) diff --git a/programs/Makefile b/programs/Makefile index a043fe1912..6c9d4d7342 100644 --- a/programs/Makefile +++ b/programs/Makefile @@ -36,11 +36,6 @@ LOCAL_CFLAGS += -I$(FRAMEWORK)/tests/programs ## Note: Variables cannot be used to define an apps path. This cannot be ## substituted by the script generate_visualc_files.pl. APPS = \ - pkey/gen_key \ - pkey/pk_sign \ - pkey/pk_verify \ - pkey/rsa_sign_pss \ - pkey/rsa_verify_pss \ ../tf-psa-crypto/programs/psa/aead_demo \ ../tf-psa-crypto/programs/psa/crypto_examples \ ../tf-psa-crypto/programs/psa/hmac_demo \ @@ -136,26 +131,6 @@ test/query_config.c: echo " Gen $@" $(PERL) ../scripts/generate_query_config.pl -pkey/gen_key$(EXEXT): pkey/gen_key.c $(DEP) - echo " CC pkey/gen_key.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/gen_key.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -pkey/pk_sign$(EXEXT): pkey/pk_sign.c $(DEP) - echo " CC pkey/pk_sign.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_sign.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -pkey/pk_verify$(EXEXT): pkey/pk_verify.c $(DEP) - echo " CC pkey/pk_verify.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/pk_verify.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -pkey/rsa_sign_pss$(EXEXT): pkey/rsa_sign_pss.c $(DEP) - echo " CC pkey/rsa_sign_pss.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_sign_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - -pkey/rsa_verify_pss$(EXEXT): pkey/rsa_verify_pss.c $(DEP) - echo " CC pkey/rsa_verify_pss.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) pkey/rsa_verify_pss.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ - ../tf-psa-crypto/programs/psa/aead_demo$(EXEXT): ../tf-psa-crypto/programs/psa/aead_demo.c $(DEP) echo " CC psa/aead_demo.c" $(CC) $(LOCAL_CFLAGS) $(CFLAGS) ../tf-psa-crypto/programs/psa/aead_demo.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ @@ -258,7 +233,7 @@ endif test/metatest$(EXEXT): $(FRAMEWORK)/tests/programs/metatest.c $(DEP) echo " CC $(FRAMEWORK)/tests/programs/metatest.c" - $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core $(FRAMEWORK)/tests/programs/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ + $(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core -I../tf-psa-crypto/drivers/builtin/include -I../tf-psa-crypto/drivers/builtin/src $(FRAMEWORK)/tests/programs/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@ test/query_config.o: test/query_config.c $(FRAMEWORK)/tests/programs/query_config.h $(DEP) echo " CC test/query_config.c" diff --git a/programs/README.md b/programs/README.md index 9239e8a603..b9260bffe9 100644 --- a/programs/README.md +++ b/programs/README.md @@ -3,16 +3,6 @@ Mbed TLS sample programs This subdirectory mostly contains sample programs that illustrate specific features of the library, as well as a few test and support programs. -### Generic public-key cryptography (`pk`) examples - -* [`pkey/gen_key.c`](pkey/gen_key.c): generates a key for any of the supported public-key algorithms (RSA or ECC) and writes it to a file that can be used by the other pk sample programs. - -* [`pkey/pk_sign.c`](pkey/pk_sign.c), [`pkey/pk_verify.c`](pkey/pk_verify.c): loads a PEM or DER private/public key file and uses the key to sign/verify a short string. - -### ECDSA and RSA signature examples - -* [`pkey/rsa_sign_pss.c`](pkey/rsa_sign_pss.c), [`pkey/rsa_verify_pss.c`](pkey/rsa_verify_pss.c): loads an RSA private/public key and uses it to sign/verify a short string with the RSASSA-PSS algorithm. - ### SSL/TLS sample applications * [`ssl/dtls_client.c`](ssl/dtls_client.c): a simple DTLS client program, which sends one datagram to the server and reads one datagram in response. diff --git a/programs/fuzz/fuzz_client.c b/programs/fuzz/fuzz_client.c index 440c0245ff..70eb656487 100644 --- a/programs/fuzz/fuzz_client.c +++ b/programs/fuzz/fuzz_client.c @@ -1,8 +1,8 @@ #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "test/certs.h" #include "fuzz_common.h" #include @@ -78,12 +78,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -139,7 +137,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) } #endif //There may be other options to add : - // mbedtls_ssl_conf_cert_profile, mbedtls_ssl_conf_sig_hashes + // mbedtls_ssl_conf_cert_profile if (mbedtls_ssl_setup(&ssl, &conf) != 0) { goto exit; @@ -179,9 +177,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_dtlsclient.c b/programs/fuzz/fuzz_dtlsclient.c index 7a1da13c38..c83f314138 100644 --- a/programs/fuzz/fuzz_dtlsclient.c +++ b/programs/fuzz/fuzz_dtlsclient.c @@ -6,8 +6,8 @@ #include "fuzz_common.h" #include "mbedtls/ssl.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/timing.h" #include "test/certs.h" @@ -61,12 +61,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ctr_drbg_init(&ctr_drbg); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -124,9 +122,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_dtlsserver.c b/programs/fuzz/fuzz_dtlsserver.c index 98a70216e1..dd2a8b644b 100644 --- a/programs/fuzz/fuzz_dtlsserver.c +++ b/programs/fuzz/fuzz_dtlsserver.c @@ -7,8 +7,8 @@ #include "mbedtls/ssl.h" #include "test/certs.h" #if defined(MBEDTLS_SSL_PROTO_DTLS) -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/timing.h" #include "mbedtls/ssl_cookie.h" @@ -58,12 +58,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) mbedtls_ssl_config_init(&conf); mbedtls_ssl_cookie_init(&cookie_ctx); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -166,9 +164,7 @@ exit: mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else (void) Data; diff --git a/programs/fuzz/fuzz_server.c b/programs/fuzz/fuzz_server.c index 05b7480cbc..3b1054e16a 100644 --- a/programs/fuzz/fuzz_server.c +++ b/programs/fuzz/fuzz_server.c @@ -1,8 +1,8 @@ #define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/ssl_ticket.h" #include "test/certs.h" #include "fuzz_common.h" @@ -67,12 +67,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_init(&ticket_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy, (const unsigned char *) pers, strlen(pers)) != 0) { @@ -194,19 +192,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) exit: #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C) mbedtls_ssl_ticket_free(&ticket_ctx); -#endif +#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */ mbedtls_entropy_free(&entropy); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_ssl_config_free(&conf); #if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C) mbedtls_x509_crt_free(&srvcert); mbedtls_pk_free(&pkey); -#endif +#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_PEM_PARSE_C */ mbedtls_ssl_free(&ssl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif -#else +#else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ (void) Data; (void) Size; #endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */ diff --git a/programs/fuzz/fuzz_x509crl.c b/programs/fuzz/fuzz_x509crl.c index 92e0f5d12e..af50e25f13 100644 --- a/programs/fuzz/fuzz_x509crl.c +++ b/programs/fuzz/fuzz_x509crl.c @@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_crl_init(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_crl_parse(&crl, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl); } -#else +#else /* !MBEDTLS_X509_REMOVE_INFO */ ((void) ret); ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_crl_free(&crl); -#else +#else /* MBEDTLS_X509_CRL_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CRL_PARSE_C */ return 0; } diff --git a/programs/fuzz/fuzz_x509crt.c b/programs/fuzz/fuzz_x509crt.c index c99ae2e7b1..709fd200f9 100644 --- a/programs/fuzz/fuzz_x509crt.c +++ b/programs/fuzz/fuzz_x509crt.c @@ -12,12 +12,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_crt_init(&crt); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_crt_parse(&crt, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { @@ -28,15 +26,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_crt_free(&crt); -#else +#else /* MBEDTLS_X509_CRT_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CRT_PARSE_C */ return 0; } diff --git a/programs/fuzz/fuzz_x509csr.c b/programs/fuzz/fuzz_x509csr.c index 4ab071f1ca..1c26e6f082 100644 --- a/programs/fuzz/fuzz_x509csr.c +++ b/programs/fuzz/fuzz_x509csr.c @@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size) unsigned char buf[4096]; mbedtls_x509_csr_init(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ ret = mbedtls_x509_csr_parse(&csr, Data, Size); #if !defined(MBEDTLS_X509_REMOVE_INFO) if (ret == 0) { ret = mbedtls_x509_csr_info((char *) buf, sizeof(buf) - 1, " ", &csr); } -#else +#else /* !MBEDTLS_X509_REMOVE_INFO */ ((void) ret); ((void) buf); #endif /* !MBEDTLS_X509_REMOVE_INFO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) exit: mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_x509_csr_free(&csr); -#else +#else /* MBEDTLS_X509_CSR_PARSE_C */ (void) Data; (void) Size; -#endif +#endif /* MBEDTLS_X509_CSR_PARSE_C */ return 0; } diff --git a/programs/pkey/CMakeLists.txt b/programs/pkey/CMakeLists.txt deleted file mode 100644 index a2b1836d58..0000000000 --- a/programs/pkey/CMakeLists.txt +++ /dev/null @@ -1,19 +0,0 @@ -set(executables_mbedcrypto - gen_key - pk_sign - pk_verify - rsa_sign_pss - rsa_verify_pss -) -add_dependencies(${programs_target} ${executables_mbedcrypto}) - -foreach(exe IN LISTS executables_mbedcrypto) - add_executable(${exe} ${exe}.c $) - set_base_compile_options(${exe}) - target_link_libraries(${exe} ${tfpsacrypto_target} ${CMAKE_THREAD_LIBS_INIT}) - target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include) -endforeach() - -install(TARGETS ${executables_mbedcrypto} - DESTINATION "bin" - PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) diff --git a/programs/pkey/dh_prime.txt b/programs/pkey/dh_prime.txt deleted file mode 100644 index de0c281483..0000000000 --- a/programs/pkey/dh_prime.txt +++ /dev/null @@ -1,2 +0,0 @@ -P = FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7EDEE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF0598DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3BE39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF6955817183995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF -G = 02 diff --git a/programs/pkey/gen_key.c b/programs/pkey/gen_key.c deleted file mode 100644 index 94604ceeb6..0000000000 --- a/programs/pkey/gen_key.c +++ /dev/null @@ -1,482 +0,0 @@ -/* - * Key generation application - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "tf-psa-crypto/build_info.h" - -#include "mbedtls/platform.h" - -#if !defined(MBEDTLS_PK_WRITE_C) || !defined(MBEDTLS_PEM_WRITE_C) || \ - !defined(MBEDTLS_FS_IO) || !defined(MBEDTLS_ENTROPY_C) || \ - !defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_BIGNUM_C) -int main(void) -{ - mbedtls_printf("MBEDTLS_PK_WRITE_C and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or " - "MBEDTLS_PEM_WRITE_C and/or MBEDTLS_BIGNUM_C " - "not defined.\n"); - mbedtls_exit(0); -} -#else - -#include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ -#include "mbedtls/ecdsa.h" -#include "mbedtls/rsa.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" - -#include -#include -#include - -#if !defined(_WIN32) -#include - -#define DEV_RANDOM_THRESHOLD 32 - -static int dev_random_entropy_poll(void *data, unsigned char *output, - size_t len, size_t *olen) -{ - FILE *file; - size_t ret, left = len; - unsigned char *p = output; - ((void) data); - - *olen = 0; - - file = fopen("/dev/random", "rb"); - if (file == NULL) { - return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; - } - - while (left > 0) { - /* /dev/random can return much less than requested. If so, try again */ - ret = fread(p, 1, left, file); - if (ret == 0 && ferror(file)) { - fclose(file); - return MBEDTLS_ERR_ENTROPY_SOURCE_FAILED; - } - - p += ret; - left -= ret; - sleep(1); - } - fclose(file); - *olen = len; - - return 0; -} -#endif /* !_WIN32 */ - -#if defined(MBEDTLS_ECP_C) -#define DFL_EC_CURVE mbedtls_ecp_curve_list()->grp_id -#else -#define DFL_EC_CURVE 0 -#endif - -#if !defined(_WIN32) && defined(MBEDTLS_FS_IO) -#define USAGE_DEV_RANDOM \ - " use_dev_random=0|1 default: 0\n" -#else -#define USAGE_DEV_RANDOM "" -#endif /* !_WIN32 && MBEDTLS_FS_IO */ - -#define FORMAT_PEM 0 -#define FORMAT_DER 1 - -#define DFL_TYPE MBEDTLS_PK_RSA -#define DFL_RSA_KEYSIZE 4096 -#define DFL_FILENAME "keyfile.key" -#define DFL_FORMAT FORMAT_PEM -#define DFL_USE_DEV_RANDOM 0 - -#define USAGE \ - "\n usage: gen_key param=<>...\n" \ - "\n acceptable parameters:\n" \ - " type=rsa|ec default: rsa\n" \ - " rsa_keysize=%%d default: 4096\n" \ - " ec_curve=%%s see below\n" \ - " filename=%%s default: keyfile.key\n" \ - " format=pem|der default: pem\n" \ - USAGE_DEV_RANDOM \ - "\n" - - -/* - * global options - */ -struct options { - int type; /* the type of key to generate */ - int rsa_keysize; /* length of key in bits */ - int ec_curve; /* curve identifier for EC keys */ - const char *filename; /* filename of the key file */ - int format; /* the output format to use */ - int use_dev_random; /* use /dev/random as entropy source */ -} opt; - -static int write_private_key(mbedtls_pk_context *key, const char *output_file) -{ - int ret; - FILE *f; - unsigned char output_buf[16000]; - unsigned char *c = output_buf; - size_t len = 0; - - memset(output_buf, 0, 16000); - if (opt.format == FORMAT_PEM) { - if ((ret = mbedtls_pk_write_key_pem(key, output_buf, 16000)) != 0) { - return ret; - } - - len = strlen((char *) output_buf); - } else { - if ((ret = mbedtls_pk_write_key_der(key, output_buf, 16000)) < 0) { - return ret; - } - - len = ret; - c = output_buf + sizeof(output_buf) - len; - } - - if ((f = fopen(output_file, "wb")) == NULL) { - return -1; - } - - if (fwrite(c, 1, len, f) != len) { - fclose(f); - return -1; - } - - fclose(f); - - return 0; -} - -#if defined(MBEDTLS_ECP_C) -static int show_ecp_key(const mbedtls_ecp_keypair *ecp, int has_private) -{ - int ret = 0; - - const mbedtls_ecp_curve_info *curve_info = - mbedtls_ecp_curve_info_from_grp_id( - mbedtls_ecp_keypair_get_group_id(ecp)); - mbedtls_printf("curve: %s\n", curve_info->name); - - mbedtls_ecp_group grp; - mbedtls_ecp_group_init(&grp); - mbedtls_mpi D; - mbedtls_mpi_init(&D); - mbedtls_ecp_point pt; - mbedtls_ecp_point_init(&pt); - mbedtls_mpi X, Y; - mbedtls_mpi_init(&X); mbedtls_mpi_init(&Y); - - MBEDTLS_MPI_CHK(mbedtls_ecp_export(ecp, &grp, - (has_private ? &D : NULL), - &pt)); - - unsigned char point_bin[MBEDTLS_ECP_MAX_PT_LEN]; - size_t len = 0; - MBEDTLS_MPI_CHK(mbedtls_ecp_point_write_binary( - &grp, &pt, MBEDTLS_ECP_PF_UNCOMPRESSED, - &len, point_bin, sizeof(point_bin))); - switch (mbedtls_ecp_get_type(&grp)) { - case MBEDTLS_ECP_TYPE_SHORT_WEIERSTRASS: - if ((len & 1) == 0 || point_bin[0] != 0x04) { - /* Point in an unxepected format. This shouldn't happen. */ - ret = -1; - goto cleanup; - } - MBEDTLS_MPI_CHK( - mbedtls_mpi_read_binary(&X, point_bin + 1, len / 2)); - MBEDTLS_MPI_CHK( - mbedtls_mpi_read_binary(&Y, point_bin + 1 + len / 2, len / 2)); - mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL); - mbedtls_mpi_write_file("Y_Q: ", &Y, 16, NULL); - break; - case MBEDTLS_ECP_TYPE_MONTGOMERY: - MBEDTLS_MPI_CHK(mbedtls_mpi_read_binary(&X, point_bin, len)); - mbedtls_mpi_write_file("X_Q: ", &X, 16, NULL); - break; - default: - mbedtls_printf( - "This program does not yet support listing coordinates for this curve type.\n"); - break; - } - - if (has_private) { - mbedtls_mpi_write_file("D: ", &D, 16, NULL); - } - -cleanup: - mbedtls_ecp_group_free(&grp); - mbedtls_mpi_free(&D); - mbedtls_ecp_point_free(&pt); - mbedtls_mpi_free(&X); mbedtls_mpi_free(&Y); - return ret; -} -#endif - -int main(int argc, char *argv[]) -{ - int ret = 1; - int exit_code = MBEDTLS_EXIT_FAILURE; - mbedtls_pk_context key; - char buf[1024]; - int i; - char *p, *q; -#if defined(MBEDTLS_RSA_C) - mbedtls_mpi N, P, Q, D, E, DP, DQ, QP; -#endif /* MBEDTLS_RSA_C */ - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - const char *pers = "gen_key"; -#if defined(MBEDTLS_ECP_C) - const mbedtls_ecp_curve_info *curve_info; -#endif - - /* - * Set to sane values - */ -#if defined(MBEDTLS_RSA_C) - mbedtls_mpi_init(&N); mbedtls_mpi_init(&P); mbedtls_mpi_init(&Q); - mbedtls_mpi_init(&D); mbedtls_mpi_init(&E); mbedtls_mpi_init(&DP); - mbedtls_mpi_init(&DQ); mbedtls_mpi_init(&QP); -#endif /* MBEDTLS_RSA_C */ - - mbedtls_entropy_init(&entropy); - mbedtls_pk_init(&key); - mbedtls_ctr_drbg_init(&ctr_drbg); - memset(buf, 0, sizeof(buf)); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", - (int) status); - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if (argc < 2) { -usage: - mbedtls_printf(USAGE); -#if defined(MBEDTLS_ECP_C) - mbedtls_printf(" available ec_curve values:\n"); - curve_info = mbedtls_ecp_curve_list(); - mbedtls_printf(" %s (default)\n", curve_info->name); - while ((++curve_info)->name != NULL) { - mbedtls_printf(" %s\n", curve_info->name); - } -#endif /* MBEDTLS_ECP_C */ - goto exit; - } - - opt.type = DFL_TYPE; - opt.rsa_keysize = DFL_RSA_KEYSIZE; - opt.ec_curve = DFL_EC_CURVE; - opt.filename = DFL_FILENAME; - opt.format = DFL_FORMAT; - opt.use_dev_random = DFL_USE_DEV_RANDOM; - - for (i = 1; i < argc; i++) { - p = argv[i]; - if ((q = strchr(p, '=')) == NULL) { - goto usage; - } - *q++ = '\0'; - - if (strcmp(p, "type") == 0) { - if (strcmp(q, "rsa") == 0) { - opt.type = MBEDTLS_PK_RSA; - } else if (strcmp(q, "ec") == 0) { - opt.type = MBEDTLS_PK_ECKEY; - } else { - goto usage; - } - } else if (strcmp(p, "format") == 0) { - if (strcmp(q, "pem") == 0) { - opt.format = FORMAT_PEM; - } else if (strcmp(q, "der") == 0) { - opt.format = FORMAT_DER; - } else { - goto usage; - } - } else if (strcmp(p, "rsa_keysize") == 0) { - opt.rsa_keysize = atoi(q); - if (opt.rsa_keysize < 1024 || - opt.rsa_keysize > MBEDTLS_MPI_MAX_BITS) { - goto usage; - } - } -#if defined(MBEDTLS_ECP_C) - else if (strcmp(p, "ec_curve") == 0) { - if ((curve_info = mbedtls_ecp_curve_info_from_name(q)) == NULL) { - goto usage; - } - opt.ec_curve = curve_info->grp_id; - } -#endif - else if (strcmp(p, "filename") == 0) { - opt.filename = q; - } else if (strcmp(p, "use_dev_random") == 0) { - opt.use_dev_random = atoi(q); - if (opt.use_dev_random < 0 || opt.use_dev_random > 1) { - goto usage; - } - } else { - goto usage; - } - } - - mbedtls_printf("\n . Seeding the random number generator..."); - fflush(stdout); - -#if !defined(_WIN32) && defined(MBEDTLS_FS_IO) - if (opt.use_dev_random) { - if ((ret = mbedtls_entropy_add_source(&entropy, dev_random_entropy_poll, - NULL, DEV_RANDOM_THRESHOLD, - MBEDTLS_ENTROPY_SOURCE_STRONG)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_entropy_add_source returned -0x%04x\n", - (unsigned int) -ret); - goto exit; - } - - mbedtls_printf("\n Using /dev/random, so can take a long time! "); - fflush(stdout); - } -#endif /* !_WIN32 && MBEDTLS_FS_IO */ - - if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen(pers))) != 0) { - mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n", - (unsigned int) -ret); - goto exit; - } - - /* - * 1.1. Generate the key - */ - mbedtls_printf("\n . Generating the private key ..."); - fflush(stdout); - - if ((ret = mbedtls_pk_setup(&key, - mbedtls_pk_info_from_type((mbedtls_pk_type_t) opt.type))) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_setup returned -0x%04x", (unsigned int) -ret); - goto exit; - } - -#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME) - if (opt.type == MBEDTLS_PK_RSA) { - ret = mbedtls_rsa_gen_key(mbedtls_pk_rsa(key), mbedtls_ctr_drbg_random, &ctr_drbg, - opt.rsa_keysize, 65537); - if (ret != 0) { - mbedtls_printf(" failed\n ! mbedtls_rsa_gen_key returned -0x%04x", - (unsigned int) -ret); - goto exit; - } - } else -#endif /* MBEDTLS_RSA_C */ -#if defined(MBEDTLS_ECP_C) - if (opt.type == MBEDTLS_PK_ECKEY) { - ret = mbedtls_ecp_gen_key((mbedtls_ecp_group_id) opt.ec_curve, - mbedtls_pk_ec(key), - mbedtls_ctr_drbg_random, &ctr_drbg); - if (ret != 0) { - mbedtls_printf(" failed\n ! mbedtls_ecp_gen_key returned -0x%04x", - (unsigned int) -ret); - goto exit; - } - } else -#endif /* MBEDTLS_ECP_C */ - { - mbedtls_printf(" failed\n ! key type not supported\n"); - goto exit; - } - - /* - * 1.2 Print the key - */ - mbedtls_printf(" ok\n . Key information:\n"); - -#if defined(MBEDTLS_RSA_C) - if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_RSA) { - mbedtls_rsa_context *rsa = mbedtls_pk_rsa(key); - - if ((ret = mbedtls_rsa_export(rsa, &N, &P, &Q, &D, &E)) != 0 || - (ret = mbedtls_rsa_export_crt(rsa, &DP, &DQ, &QP)) != 0) { - mbedtls_printf(" failed\n ! could not export RSA parameters\n\n"); - goto exit; - } - - mbedtls_mpi_write_file("N: ", &N, 16, NULL); - mbedtls_mpi_write_file("E: ", &E, 16, NULL); - mbedtls_mpi_write_file("D: ", &D, 16, NULL); - mbedtls_mpi_write_file("P: ", &P, 16, NULL); - mbedtls_mpi_write_file("Q: ", &Q, 16, NULL); - mbedtls_mpi_write_file("DP: ", &DP, 16, NULL); - mbedtls_mpi_write_file("DQ: ", &DQ, 16, NULL); - mbedtls_mpi_write_file("QP: ", &QP, 16, NULL); - } else -#endif -#if defined(MBEDTLS_ECP_C) - if (mbedtls_pk_get_type(&key) == MBEDTLS_PK_ECKEY) { - if (show_ecp_key(mbedtls_pk_ec(key), 1) != 0) { - mbedtls_printf(" failed\n ! could not export ECC parameters\n\n"); - goto exit; - } - } else -#endif - mbedtls_printf(" ! key type not supported\n"); - - /* - * 1.3 Export key - */ - mbedtls_printf(" . Writing key to file..."); - - if ((ret = write_private_key(&key, opt.filename)) != 0) { - mbedtls_printf(" failed\n"); - goto exit; - } - - mbedtls_printf(" ok\n"); - - exit_code = MBEDTLS_EXIT_SUCCESS; - -exit: - - if (exit_code != MBEDTLS_EXIT_SUCCESS) { -#ifdef MBEDTLS_ERROR_C - mbedtls_printf("Error code: %d", ret); - /* mbedtls_strerror(ret, buf, sizeof(buf)); - mbedtls_printf(" - %s\n", buf); */ -#else - mbedtls_printf("\n"); -#endif - } - -#if defined(MBEDTLS_RSA_C) - mbedtls_mpi_free(&N); mbedtls_mpi_free(&P); mbedtls_mpi_free(&Q); - mbedtls_mpi_free(&D); mbedtls_mpi_free(&E); mbedtls_mpi_free(&DP); - mbedtls_mpi_free(&DQ); mbedtls_mpi_free(&QP); -#endif /* MBEDTLS_RSA_C */ - - mbedtls_pk_free(&key); - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - mbedtls_exit(exit_code); -} -#endif /* program viability conditions */ diff --git a/programs/pkey/pk_sign.c b/programs/pkey/pk_sign.c deleted file mode 100644 index 551173e496..0000000000 --- a/programs/pkey/pk_sign.c +++ /dev/null @@ -1,158 +0,0 @@ -/* - * Public key-based signature creation program - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "tf-psa-crypto/build_info.h" - -#include "mbedtls/platform.h" -/* md.h is included this early since MD_CAN_XXX macros are defined there. */ -#include "mbedtls/md.h" - -#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \ - !defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_MD_C) || \ - !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ - !defined(MBEDTLS_CTR_DRBG_C) -int main(void) -{ - mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or " - "PSA_WANT_ALG_SHA_256 and/or MBEDTLS_MD_C and/or " - "MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C not defined.\n"); - mbedtls_exit(0); -} -#else - -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ - -#include -#include - -int main(int argc, char *argv[]) -{ - FILE *f; - int ret = 1; - int exit_code = MBEDTLS_EXIT_FAILURE; - mbedtls_pk_context pk; - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[32]; - unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; - char filename[512]; - const char *pers = "mbedtls_pk_sign"; - size_t olen = 0; - - mbedtls_entropy_init(&entropy); - mbedtls_ctr_drbg_init(&ctr_drbg); - mbedtls_pk_init(&pk); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", - (int) status); - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if (argc != 3) { - mbedtls_printf("usage: mbedtls_pk_sign \n"); - -#if defined(_WIN32) - mbedtls_printf("\n"); -#endif - - goto exit; - } - - mbedtls_printf("\n . Seeding the random number generator..."); - fflush(stdout); - - if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen(pers))) != 0) { - mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned -0x%04x\n", - (unsigned int) -ret); - goto exit; - } - - mbedtls_printf("\n . Reading private key from '%s'", argv[1]); - fflush(stdout); - - if ((ret = mbedtls_pk_parse_keyfile(&pk, argv[1], "")) != 0) { - mbedtls_printf(" failed\n ! Could not parse '%s'\n", argv[1]); - goto exit; - } - - /* - * Compute the SHA-256 hash of the input file, - * then calculate the signature of the hash. - */ - mbedtls_printf("\n . Generating the SHA-256 signature"); - fflush(stdout); - - if ((ret = mbedtls_md_file( - mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), - argv[2], hash)) != 0) { - mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]); - goto exit; - } - - if ((ret = mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, - buf, sizeof(buf), &olen)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_sign returned -0x%04x\n", (unsigned int) -ret); - goto exit; - } - - /* - * Write the signature into .sig - */ - mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[2]); - - if ((f = fopen(filename, "wb+")) == NULL) { - mbedtls_printf(" failed\n ! Could not create %s\n\n", filename); - goto exit; - } - - if (fwrite(buf, 1, olen, f) != olen) { - mbedtls_printf("failed\n ! fwrite failed\n\n"); - fclose(f); - goto exit; - } - - fclose(f); - - mbedtls_printf("\n . Done (created \"%s\")\n\n", filename); - - exit_code = MBEDTLS_EXIT_SUCCESS; - -exit: - mbedtls_pk_free(&pk); - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -#if defined(MBEDTLS_ERROR_C) - if (exit_code != MBEDTLS_EXIT_SUCCESS) { - mbedtls_printf("Error code: %d", ret); - /* mbedtls_strerror(ret, (char *) buf, sizeof(buf)); - mbedtls_printf(" ! Last error was: %s\n", buf); */ - } -#endif - - mbedtls_exit(exit_code); -} -#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && - PSA_WANT_ALG_SHA_256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && - MBEDTLS_CTR_DRBG_C */ diff --git a/programs/pkey/pk_verify.c b/programs/pkey/pk_verify.c deleted file mode 100644 index 507812e350..0000000000 --- a/programs/pkey/pk_verify.c +++ /dev/null @@ -1,133 +0,0 @@ -/* - * Public key-based signature verification program - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "tf-psa-crypto/build_info.h" - -#include "mbedtls/platform.h" -/* md.h is included this early since MD_CAN_XXX macros are defined there. */ -#include "mbedtls/md.h" - -#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \ - !defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_PK_PARSE_C) || \ - !defined(MBEDTLS_FS_IO) -int main(void) -{ - mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_MD_C and/or " - "PSA_WANT_ALG_SHA_256 and/or MBEDTLS_PK_PARSE_C and/or " - "MBEDTLS_FS_IO not defined.\n"); - mbedtls_exit(0); -} -#else - -#include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ - -#include -#include - - -int main(int argc, char *argv[]) -{ - FILE *f; - int ret = 1; - int exit_code = MBEDTLS_EXIT_FAILURE; - size_t i; - mbedtls_pk_context pk; - unsigned char hash[32]; - unsigned char buf[MBEDTLS_PK_SIGNATURE_MAX_SIZE]; - char filename[512]; - - mbedtls_pk_init(&pk); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", - (int) status); - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if (argc != 3) { - mbedtls_printf("usage: mbedtls_pk_verify \n"); - -#if defined(_WIN32) - mbedtls_printf("\n"); -#endif - - goto exit; - } - - mbedtls_printf("\n . Reading public key from '%s'", argv[1]); - fflush(stdout); - - if ((ret = mbedtls_pk_parse_public_keyfile(&pk, argv[1])) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_parse_public_keyfile returned -0x%04x\n", - (unsigned int) -ret); - goto exit; - } - - /* - * Extract the signature from the file - */ - mbedtls_snprintf(filename, sizeof(filename), "%s.sig", argv[2]); - - if ((f = fopen(filename, "rb")) == NULL) { - mbedtls_printf("\n ! Could not open %s\n\n", filename); - goto exit; - } - - i = fread(buf, 1, sizeof(buf), f); - - fclose(f); - - /* - * Compute the SHA-256 hash of the input file and - * verify the signature - */ - mbedtls_printf("\n . Verifying the SHA-256 signature"); - fflush(stdout); - - if ((ret = mbedtls_md_file( - mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), - argv[2], hash)) != 0) { - mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]); - goto exit; - } - - if ((ret = mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, 0, - buf, i)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_verify returned -0x%04x\n", (unsigned int) -ret); - goto exit; - } - - mbedtls_printf("\n . OK (the signature is valid)\n\n"); - - exit_code = MBEDTLS_EXIT_SUCCESS; - -exit: - mbedtls_pk_free(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - -#if defined(MBEDTLS_ERROR_C) - if (exit_code != MBEDTLS_EXIT_SUCCESS) { - mbedtls_printf("Error code: %d", ret); - /* mbedtls_strerror(ret, (char *) buf, sizeof(buf)); - mbedtls_printf(" ! Last error was: %s\n", buf); */ - } -#endif - - mbedtls_exit(exit_code); -} -#endif /* MBEDTLS_BIGNUM_C && PSA_WANT_ALG_SHA_256 && - MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */ diff --git a/programs/pkey/rsa_priv.txt b/programs/pkey/rsa_priv.txt deleted file mode 100644 index 254fcf8522..0000000000 --- a/programs/pkey/rsa_priv.txt +++ /dev/null @@ -1,8 +0,0 @@ -N = A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211 -E = 010001 -D = 589552BB4F2F023ADDDD5586D0C8FD857512D82080436678D07F984A29D892D31F1F7000FC5A39A0F73E27D885E47249A4148C8A5653EF69F91F8F736BA9F84841C2D99CD8C24DE8B72B5C9BE0EDBE23F93D731749FEA9CFB4A48DD2B7F35A2703E74AA2D4DB7DE9CEEA7D763AF0ADA7AC176C4E9A22C4CDA65CEC0C65964401 -P = CD083568D2D46C44C40C1FA0101AF2155E59C70B08423112AF0C1202514BBA5210765E29FF13036F56C7495894D80CF8C3BAEE2839BACBB0B86F6A2965F60DB1 -Q = CA0EEEA5E710E8E9811A6B846399420E3AE4A4C16647E426DDF8BBBCB11CD3F35CE2E4B6BCAD07AE2C0EC2ECBFCC601B207CDD77B5673E16382B1130BF465261 -DP = 0D0E21C07BF434B4A83B116472C2147A11D8EB98A33CFBBCF1D275EF19D815941622435AAF3839B6C432CA53CE9E772CFBE1923A937A766FD93E96E6EDEC1DF1 -DQ = 269CEBE6305DFEE4809377F078C814E37B45AE6677114DFC4F76F5097E1F3031D592567AC55B9B98213B40ECD54A4D2361F5FAACA1B1F51F71E4690893C4F081 -QP = 97AC5BB885ABCA314375E9E4DB1BA4B2218C90619F61BD474F5785075ECA81750A735199A8C191FE2D3355E7CF601A70E5CABDE0E02C2538BB9FB4871540B3C1 diff --git a/programs/pkey/rsa_pub.txt b/programs/pkey/rsa_pub.txt deleted file mode 100644 index 1e7ae0c9c9..0000000000 --- a/programs/pkey/rsa_pub.txt +++ /dev/null @@ -1,2 +0,0 @@ -N = A1D46FBA2318F8DCEF16C280948B1CF27966B9B47225ED2989F8D74B45BD36049C0AAB5AD0FF003553BA843C8E12782FC5873BB89A3DC84B883D25666CD22BF3ACD5B675969F8BEBFBCAC93FDD927C7442B178B10D1DFF9398E52316AAE0AF74E594650BDC3C670241D418684593CDA1A7B9DC4F20D2FDC6F66344074003E211 -E = 010001 diff --git a/programs/pkey/rsa_sign_pss.c b/programs/pkey/rsa_sign_pss.c deleted file mode 100644 index 8f605b56bc..0000000000 --- a/programs/pkey/rsa_sign_pss.c +++ /dev/null @@ -1,164 +0,0 @@ -/* - * RSASSA-PSS/SHA-256 signature creation program - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "tf-psa-crypto/build_info.h" - -#include "mbedtls/platform.h" -/* md.h is included this early since MD_CAN_XXX macros are defined there. */ -#include "mbedtls/md.h" - -#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \ - !defined(MBEDTLS_RSA_C) || !defined(PSA_WANT_ALG_SHA_256) || \ - !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ - !defined(MBEDTLS_CTR_DRBG_C) -int main(void) -{ - mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or " - "MBEDTLS_RSA_C and/or PSA_WANT_ALG_SHA_256 and/or " - "MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C not defined.\n"); - mbedtls_exit(0); -} -#else - -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/rsa.h" -#include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ - -#include -#include - - -int main(int argc, char *argv[]) -{ - FILE *f; - int ret = 1; - int exit_code = MBEDTLS_EXIT_FAILURE; - mbedtls_pk_context pk; - mbedtls_entropy_context entropy; - mbedtls_ctr_drbg_context ctr_drbg; - unsigned char hash[32]; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - char filename[512]; - const char *pers = "rsa_sign_pss"; - size_t olen = 0; - - mbedtls_entropy_init(&entropy); - mbedtls_pk_init(&pk); - mbedtls_ctr_drbg_init(&ctr_drbg); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", - (int) status); - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if (argc != 3) { - mbedtls_printf("usage: rsa_sign_pss \n"); - -#if defined(_WIN32) - mbedtls_printf("\n"); -#endif - - goto exit; - } - - mbedtls_printf("\n . Seeding the random number generator..."); - fflush(stdout); - - if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, - (const unsigned char *) pers, - strlen(pers))) != 0) { - mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret); - goto exit; - } - - mbedtls_printf("\n . Reading private key from '%s'", argv[1]); - fflush(stdout); - - if ((ret = mbedtls_pk_parse_keyfile(&pk, argv[1], "")) != 0) { - mbedtls_printf(" failed\n ! Could not read key from '%s'\n", argv[1]); - mbedtls_printf(" ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret); - goto exit; - } - - if (!mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA)) { - mbedtls_printf(" failed\n ! Key is not an RSA key\n"); - goto exit; - } - - if ((ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), - MBEDTLS_RSA_PKCS_V21, - MBEDTLS_MD_SHA256)) != 0) { - mbedtls_printf(" failed\n ! Padding not supported\n"); - goto exit; - } - - /* - * Compute the SHA-256 hash of the input file, - * then calculate the RSA signature of the hash. - */ - mbedtls_printf("\n . Generating the RSA/SHA-256 signature"); - fflush(stdout); - - if ((ret = mbedtls_md_file( - mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), - argv[2], hash)) != 0) { - mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]); - goto exit; - } - - if ((ret = mbedtls_pk_sign(&pk, MBEDTLS_MD_SHA256, hash, 0, - buf, sizeof(buf), &olen)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_sign returned %d\n\n", ret); - goto exit; - } - - /* - * Write the signature into .sig - */ - mbedtls_snprintf(filename, 512, "%s.sig", argv[2]); - - if ((f = fopen(filename, "wb+")) == NULL) { - mbedtls_printf(" failed\n ! Could not create %s\n\n", filename); - goto exit; - } - - if (fwrite(buf, 1, olen, f) != olen) { - mbedtls_printf("failed\n ! fwrite failed\n\n"); - fclose(f); - goto exit; - } - - fclose(f); - - mbedtls_printf("\n . Done (created \"%s\")\n\n", filename); - - exit_code = MBEDTLS_EXIT_SUCCESS; - -exit: - mbedtls_pk_free(&pk); - mbedtls_ctr_drbg_free(&ctr_drbg); - mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - mbedtls_exit(exit_code); -} -#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C && - PSA_WANT_ALG_SHA_256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO && - MBEDTLS_CTR_DRBG_C */ diff --git a/programs/pkey/rsa_verify_pss.c b/programs/pkey/rsa_verify_pss.c deleted file mode 100644 index 97f9d186e8..0000000000 --- a/programs/pkey/rsa_verify_pss.c +++ /dev/null @@ -1,141 +0,0 @@ -/* - * RSASSA-PSS/SHA-256 signature verification program - * - * Copyright The Mbed TLS Contributors - * SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later - */ - -#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS - -#include "tf-psa-crypto/build_info.h" - -#include "mbedtls/platform.h" -/* md.h is included this early since MD_CAN_XXX macros are defined there. */ -#include "mbedtls/md.h" - -#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \ - !defined(MBEDTLS_RSA_C) || !defined(PSA_WANT_ALG_SHA_256) || \ - !defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \ - !defined(MBEDTLS_CTR_DRBG_C) -int main(void) -{ - mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or " - "MBEDTLS_RSA_C and/or PSA_WANT_ALG_SHA_256 and/or " - "MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or " - "MBEDTLS_CTR_DRBG_C not defined.\n"); - mbedtls_exit(0); -} -#else - -#include "mbedtls/md.h" -#include "mbedtls/pem.h" -#include "mbedtls/pk.h" -#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) -#include -#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ - -#include -#include - - -int main(int argc, char *argv[]) -{ - FILE *f; - int ret = 1; - int exit_code = MBEDTLS_EXIT_FAILURE; - size_t i; - mbedtls_pk_context pk; - unsigned char hash[32]; - unsigned char buf[MBEDTLS_MPI_MAX_SIZE]; - char filename[512]; - - mbedtls_pk_init(&pk); - -#if defined(MBEDTLS_USE_PSA_CRYPTO) - psa_status_t status = psa_crypto_init(); - if (status != PSA_SUCCESS) { - mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", - (int) status); - goto exit; - } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - if (argc != 3) { - mbedtls_printf("usage: rsa_verify_pss \n"); - -#if defined(_WIN32) - mbedtls_printf("\n"); -#endif - - goto exit; - } - - mbedtls_printf("\n . Reading public key from '%s'", argv[1]); - fflush(stdout); - - if ((ret = mbedtls_pk_parse_public_keyfile(&pk, argv[1])) != 0) { - mbedtls_printf(" failed\n ! Could not read key from '%s'\n", argv[1]); - mbedtls_printf(" ! mbedtls_pk_parse_public_keyfile returned %d\n\n", ret); - goto exit; - } - - if (!mbedtls_pk_can_do(&pk, MBEDTLS_PK_RSA)) { - mbedtls_printf(" failed\n ! Key is not an RSA key\n"); - goto exit; - } - - if ((ret = mbedtls_rsa_set_padding(mbedtls_pk_rsa(pk), - MBEDTLS_RSA_PKCS_V21, - MBEDTLS_MD_SHA256)) != 0) { - mbedtls_printf(" failed\n ! Invalid padding\n"); - goto exit; - } - - /* - * Extract the RSA signature from the file - */ - mbedtls_snprintf(filename, 512, "%s.sig", argv[2]); - - if ((f = fopen(filename, "rb")) == NULL) { - mbedtls_printf("\n ! Could not open %s\n\n", filename); - goto exit; - } - - i = fread(buf, 1, MBEDTLS_MPI_MAX_SIZE, f); - - fclose(f); - - /* - * Compute the SHA-256 hash of the input file and - * verify the signature - */ - mbedtls_printf("\n . Verifying the RSA/SHA-256 signature"); - fflush(stdout); - - if ((ret = mbedtls_md_file( - mbedtls_md_info_from_type(MBEDTLS_MD_SHA256), - argv[2], hash)) != 0) { - mbedtls_printf(" failed\n ! Could not open or read %s\n\n", argv[2]); - goto exit; - } - - if ((ret = mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256, hash, 0, - buf, i)) != 0) { - mbedtls_printf(" failed\n ! mbedtls_pk_verify returned %d\n\n", ret); - goto exit; - } - - mbedtls_printf("\n . OK (the signature is valid)\n\n"); - - exit_code = MBEDTLS_EXIT_SUCCESS; - -exit: - mbedtls_pk_free(&pk); -#if defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - - mbedtls_exit(exit_code); -} -#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 && - MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */ diff --git a/programs/ssl/dtls_client.c b/programs/ssl/dtls_client.c index 26eb20d49f..bb1d5af2e3 100644 --- a/programs/ssl/dtls_client.c +++ b/programs/ssl/dtls_client.c @@ -31,8 +31,8 @@ int main(void) #include "mbedtls/net_sockets.h" #include "mbedtls/debug.h" #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/error.h" #include "mbedtls/timing.h" #include "test/certs.h" diff --git a/programs/ssl/dtls_server.c b/programs/ssl/dtls_server.c index 0e155fd0d2..479b5430f9 100644 --- a/programs/ssl/dtls_server.c +++ b/programs/ssl/dtls_server.c @@ -45,8 +45,8 @@ int main(void) #include #include -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/ssl_cookie.h" diff --git a/programs/ssl/mini_client.c b/programs/ssl/mini_client.c index e3adb3cf8a..96d41b35ba 100644 --- a/programs/ssl/mini_client.c +++ b/programs/ssl/mini_client.c @@ -43,8 +43,8 @@ int main(void) #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include #include diff --git a/programs/ssl/ssl_client1.c b/programs/ssl/ssl_client1.c index dba8aab658..c56ff0702f 100644 --- a/programs/ssl/ssl_client1.c +++ b/programs/ssl/ssl_client1.c @@ -27,8 +27,8 @@ int main(void) #include "mbedtls/net_sockets.h" #include "mbedtls/debug.h" #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/error.h" #include "test/certs.h" diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index d5e7fdf304..b099fded5a 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -7,11 +7,11 @@ #define MBEDTLS_ALLOW_PRIVATE_ACCESS +#include "mbedtls/private/pk_private.h" + #include "ssl_test_lib.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main(void) @@ -145,7 +145,7 @@ int main(void) #else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private key as if it were opaque\n" \ " default: 0 (disabled)\n" @@ -172,7 +172,6 @@ int main(void) " psk=%%s default: \"\" (disabled)\n" \ " The PSK values are in hex, without 0x.\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -183,9 +182,6 @@ int main(void) " Note: This is to test integration of PSA-based opaque PSKs with\n" \ " Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \ " with prepopulated key slots instead of importing raw key material.\n" -#else -#define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -309,14 +305,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -488,9 +479,7 @@ struct options { const char *crt_file; /* the file with the client certificate */ const char *key_file; /* the file with the client key */ int key_opaque; /* handle private key as if it were opaque */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -498,9 +487,7 @@ struct options { const char *psk; /* the pre-shared key */ const char *psk_identity; /* the pre-shared key identity */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int ec_max_ops; /* EC consecutive operations limit */ int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -824,16 +811,12 @@ int main(int argc, char *argv[]) const char *pers = "ssl_client2"; -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT; psa_algorithm_t alg = 0; psa_key_attributes_t key_attributes; #endif psa_status_t status; -#elif defined(MBEDTLS_SSL_PROTO_TLS1_3) - psa_status_t status; -#endif rng_context_t rng; mbedtls_ssl_context ssl; @@ -850,9 +833,7 @@ int main(int argc, char *argv[]) mbedtls_x509_crt clicert; mbedtls_pk_context pkey; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ char *p, *q; const int *list; @@ -877,10 +858,9 @@ int main(int argc, char *argv[]) MBEDTLS_TLS_SRTP_UNSET }; #endif /* MBEDTLS_SSL_DTLS_SRTP */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf)); @@ -907,7 +887,6 @@ int main(int argc, char *argv[]) memset((void *) alpn_list, 0, sizeof(alpn_list)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -915,7 +894,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -942,17 +920,13 @@ int main(int argc, char *argv[]) opt.key_opaque = DFL_KEY_OPAQUE; opt.key_pwd = DFL_KEY_PWD; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.ec_max_ops = DFL_EC_MAX_OPS; opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) @@ -1127,7 +1101,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1151,12 +1125,9 @@ usage: #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ else if (strcmp(p, "psk") == 0) { opt.psk = q; - } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - else if (strcmp(p, "psk_opaque") == 0) { + } else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1166,13 +1137,9 @@ usage: opt.psk_identity = q; } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; - } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - else if (strcmp(p, "ecjpake_pw_opaque") == 0) { + } else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); - } -#endif - else if (strcmp(p, "ec_max_ops") == 0) { + } else if (strcmp(p, "ec_max_ops") == 0) { opt.ec_max_ops = atoi(q); } else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); @@ -1500,7 +1467,6 @@ usage: } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (opt.psk == NULL) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -1515,7 +1481,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -1550,7 +1515,6 @@ usage: } } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -1562,7 +1526,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -1786,7 +1749,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t usage = 0; @@ -1805,7 +1767,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key type: %s)\n", strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ? @@ -2006,7 +1967,6 @@ usage: #endif #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { key_attributes = psa_key_attributes_init(); psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE); @@ -2027,7 +1987,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -2098,12 +2057,11 @@ usage: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256)); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); status = psa_import_key(&attributes, @@ -2123,9 +2081,7 @@ usage: goto exit; } mbedtls_printf("using opaque password\n"); - } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - { + } else { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, strlen(opt.ecjpake_pw))) != 0) { @@ -3206,13 +3162,10 @@ exit: mbedtls_x509_crt_free(&clicert); mbedtls_x509_crt_free(&cacert); mbedtls_pk_free(&pkey); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); -#endif #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -3229,11 +3182,9 @@ exit: } } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -3252,9 +3203,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -3262,12 +3212,10 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \ - !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif diff --git a/programs/ssl/ssl_fork_server.c b/programs/ssl/ssl_fork_server.c index f8752bb604..ff1c877ee2 100644 --- a/programs/ssl/ssl_fork_server.c +++ b/programs/ssl/ssl_fork_server.c @@ -31,8 +31,8 @@ int main(void) } #else -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "test/certs.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" diff --git a/programs/ssl/ssl_mail_client.c b/programs/ssl/ssl_mail_client.c index 521bc5418a..0c2822cb30 100644 --- a/programs/ssl/ssl_mail_client.c +++ b/programs/ssl/ssl_mail_client.c @@ -38,8 +38,8 @@ int main(void) #include "mbedtls/error.h" #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "test/certs.h" #include "mbedtls/x509.h" diff --git a/programs/ssl/ssl_pthread_server.c b/programs/ssl/ssl_pthread_server.c index 5701a7b838..867926d98c 100644 --- a/programs/ssl/ssl_pthread_server.c +++ b/programs/ssl/ssl_pthread_server.c @@ -38,8 +38,8 @@ int main(void) #include #endif -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" diff --git a/programs/ssl/ssl_server.c b/programs/ssl/ssl_server.c index 2f26ca4801..fd9da18490 100644 --- a/programs/ssl/ssl_server.c +++ b/programs/ssl/ssl_server.c @@ -31,8 +31,8 @@ int main(void) #include #endif -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/x509.h" #include "mbedtls/ssl.h" #include "mbedtls/net_sockets.h" diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 639fe5616e..64fd45952f 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -53,9 +53,7 @@ int main(void) #include #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) #include "test/psa_crypto_helpers.h" -#endif #include "mbedtls/pk.h" #if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER) @@ -205,7 +203,7 @@ int main(void) #else #define USAGE_IO "" #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) #define USAGE_KEY_OPAQUE \ " key_opaque=%%d Handle your private keys as if they were opaque\n" \ " default: 0 (disabled)\n" @@ -248,7 +246,6 @@ int main(void) " The PSK values are in hex, without 0x.\n" \ " id1,psk1[,id2,psk2[,...]]\n" \ " psk_identity=%%s default: \"Client_identity\"\n" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_PSK_SLOT \ " psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \ " Enable this to store the PSK configured through command line\n" \ @@ -268,9 +265,6 @@ int main(void) " Note: This is to test integration of PSA-based opaque PSKs with\n" \ " Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \ " with prepopulated key slots instead of importing raw key material.\n" -#else -#define USAGE_PSK_SLOT "" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT #else #define USAGE_PSK "" @@ -419,14 +413,9 @@ int main(void) #endif #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define USAGE_ECJPAKE \ " ecjpake_pw=%%s default: none (disabled)\n" \ " ecjpake_pw_opaque=%%d default: 0 (disabled)\n" -#else /* MBEDTLS_USE_PSA_CRYPTO */ -#define USAGE_ECJPAKE \ - " ecjpake_pw=%%s default: none (disabled)\n" -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #define USAGE_ECJPAKE "" #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ @@ -641,10 +630,8 @@ struct options { int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */ int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */ int async_private_error; /* inject error in async private callback */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int psk_opaque; int psk_list_opaque; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback; /* Use callback for trusted certificate list */ #endif @@ -652,9 +639,7 @@ struct options { const char *psk_identity; /* the pre-shared key identity */ char *psk_list; /* list of PSK id/key pairs for callback */ const char *ecjpake_pw; /* the EC J-PAKE password */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */ -#endif int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */ #if defined(MBEDTLS_SSL_PROTO_TLS1_3) int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */ @@ -962,9 +947,7 @@ struct _psk_entry { const char *name; size_t key_len; unsigned char key[MBEDTLS_PSK_MAX_LEN]; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t slot; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ psk_entry *next; }; @@ -976,7 +959,6 @@ static int psk_free(psk_entry *head) psk_entry *next; while (head != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status; mbedtls_svc_key_id_t const slot = head->slot; @@ -986,7 +968,6 @@ static int psk_free(psk_entry *head) return status; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ next = head->next; mbedtls_free(head); @@ -1052,12 +1033,11 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl, while (cur != NULL) { if (name_len == strlen(cur->name) && memcmp(name, cur->name, name_len) == 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) { return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot); - } else -#endif - return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); + } else { + return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len); + } } cur = cur->next; @@ -1302,7 +1282,6 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl) #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, psa_algorithm_t alg, @@ -1326,7 +1305,6 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot, return PSA_SUCCESS; } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) static int report_cid_usage(mbedtls_ssl_context *ssl, @@ -1543,10 +1521,8 @@ int main(int argc, char *argv[]) io_ctx_t io_ctx; unsigned char *buf = 0; #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t alg = 0; mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char psk[MBEDTLS_PSK_MAX_LEN]; size_t psk_len = 0; psk_entry *psk_info = NULL; @@ -1574,10 +1550,8 @@ int main(int argc, char *argv[]) mbedtls_x509_crt srvcert2; mbedtls_pk_context pkey2; mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */ -#endif int key_cert_init = 0, key_cert_init2 = 0; #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */ #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) @@ -1609,10 +1583,9 @@ int main(int argc, char *argv[]) unsigned char *context_buf = NULL; size_t context_buf_len = 0; #endif -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */ -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) uint16_t sig_alg_list[SIG_ALG_LIST_SIZE]; @@ -1621,9 +1594,7 @@ int main(int argc, char *argv[]) int i; char *p, *q; const int *list; -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) psa_status_t status; -#endif unsigned char eap_tls_keymaterial[16]; unsigned char eap_tls_iv[8]; const char *eap_tls_label = "client EAP encryption"; @@ -1684,7 +1655,6 @@ int main(int argc, char *argv[]) mbedtls_ssl_cookie_init(&cookie_ctx); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", @@ -1692,7 +1662,6 @@ int main(int argc, char *argv[]) ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED; goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) mbedtls_test_enable_insecure_external_rng(); #endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */ @@ -1731,19 +1700,15 @@ int main(int argc, char *argv[]) opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2; opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR; opt.psk = DFL_PSK; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.psk_opaque = DFL_PSK_OPAQUE; opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE; -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) opt.ca_callback = DFL_CA_CALLBACK; #endif opt.psk_identity = DFL_PSK_IDENTITY; opt.psk_list = DFL_PSK_LIST; opt.ecjpake_pw = DFL_ECJPAKE_PW; -#if defined(MBEDTLS_USE_PSA_CRYPTO) opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE; -#endif opt.force_ciphersuite[0] = DFL_FORCE_CIPHER; #if defined(MBEDTLS_SSL_PROTO_TLS1_3) opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES; @@ -1924,7 +1889,7 @@ usage: } else if (strcmp(p, "key_pwd") == 0) { opt.key_pwd = q; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED) else if (strcmp(p, "key_opaque") == 0) { opt.key_opaque = atoi(q); } @@ -1972,14 +1937,11 @@ usage: #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ else if (strcmp(p, "psk") == 0) { opt.psk = q; - } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - else if (strcmp(p, "psk_opaque") == 0) { + } else if (strcmp(p, "psk_opaque") == 0) { opt.psk_opaque = atoi(q); } else if (strcmp(p, "psk_list_opaque") == 0) { opt.psk_list_opaque = atoi(q); } -#endif #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) else if (strcmp(p, "ca_callback") == 0) { opt.ca_callback = atoi(q); @@ -1991,13 +1953,9 @@ usage: opt.psk_list = q; } else if (strcmp(p, "ecjpake_pw") == 0) { opt.ecjpake_pw = q; - } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - else if (strcmp(p, "ecjpake_pw_opaque") == 0) { + } else if (strcmp(p, "ecjpake_pw_opaque") == 0) { opt.ecjpake_pw_opaque = atoi(q); - } -#endif - else if (strcmp(p, "force_ciphersuite") == 0) { + } else if (strcmp(p, "force_ciphersuite") == 0) { opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q); if (opt.force_ciphersuite[0] == 0) { @@ -2367,7 +2325,6 @@ usage: goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { if (strlen(opt.psk) == 0) { mbedtls_printf("psk_opaque set but no psk to be imported specified.\n"); @@ -2397,7 +2354,6 @@ usage: goto usage; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (opt.force_ciphersuite[0] > 0) { const mbedtls_ssl_ciphersuite_t *ciphersuite_info; @@ -2427,7 +2383,6 @@ usage: opt.min_version = ciphersuite_info->min_tls_version; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) { /* Determine KDF algorithm the opaque PSK will be used in. */ @@ -2439,7 +2394,6 @@ usage: alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256); } #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID) @@ -2732,7 +2686,6 @@ usage: #endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.key_opaque != 0) { psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE; psa_key_usage_t psa_usage = 0; @@ -2768,7 +2721,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_printf(" ok (key types: %s, %s)\n", key_cert_init ? mbedtls_pk_get_name(&pkey) : "none", @@ -3182,7 +3134,6 @@ usage: #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_opaque != 0) { /* The algorithm has already been determined earlier. */ status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len); @@ -3199,7 +3150,6 @@ usage: goto exit; } } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (psk_len > 0) { ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len, (const unsigned char *) opt.psk_identity, @@ -3213,7 +3163,6 @@ usage: } if (opt.psk_list != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.psk_list_opaque != 0) { psk_entry *cur_psk; for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) { @@ -3227,7 +3176,6 @@ usage: } } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info); } @@ -3384,12 +3332,11 @@ reset: #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) if (opt.ecjpake_pw != DFL_ECJPAKE_PW) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE); - psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256)); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); status = psa_import_key(&attributes, @@ -3409,9 +3356,7 @@ reset: goto exit; } mbedtls_printf("using opaque password\n"); - } else -#endif /* MBEDTLS_USE_PSA_CRYPTO */ - { + } else { if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, (const unsigned char *) opt.ecjpake_pw, strlen(opt.ecjpake_pw))) != 0) { @@ -4253,11 +4198,9 @@ exit: mbedtls_pk_free(&pkey); mbedtls_x509_crt_free(&srvcert2); mbedtls_pk_free(&pkey2); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_slot); psa_destroy_key(key_slot2); #endif -#endif #if defined(MBEDTLS_SSL_ASYNC_PRIVATE) for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) { @@ -4269,8 +4212,7 @@ exit: } #endif -#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) if (opt.psk_opaque != 0) { /* This is ok even if the slot hasn't been * initialized (we might have jumed here @@ -4284,11 +4226,9 @@ exit: (int) status); } } -#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED && - MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ -#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \ - defined(MBEDTLS_USE_PSA_CRYPTO) +#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) /* * In case opaque keys it's the user responsibility to keep the key valid * for the duration of the handshake and destroy it at the end @@ -4307,9 +4247,8 @@ exit: psa_destroy_key(ecjpake_pw_slot); } } -#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */ +#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3) const char *message = mbedtls_test_helper_is_psa_leaking(); if (message) { if (ret == 0) { @@ -4317,12 +4256,10 @@ exit: } mbedtls_printf("PSA memory leak detected: %s\n", message); } -#endif /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto * resources are freed by rng_free(). */ -#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \ - && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) +#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) mbedtls_psa_crypto_free(); #endif diff --git a/programs/ssl/ssl_test_lib.c b/programs/ssl/ssl_test_lib.c index f9a6402525..79d3059306 100644 --- a/programs/ssl/ssl_test_lib.c +++ b/programs/ssl/ssl_test_lib.c @@ -83,13 +83,11 @@ void rng_init(rng_context_t *rng) int rng_seed(rng_context_t *rng, int reproducible, const char *pers) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (reproducible) { mbedtls_fprintf(stderr, - "MBEDTLS_USE_PSA_CRYPTO does not support reproducible mode.\n"); + "reproducible mode is not supported.\n"); return -1; } -#endif #if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) /* The PSA crypto RNG does its own seeding. */ (void) rng; @@ -217,7 +215,6 @@ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2) return 0; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) int key_opaque_set_alg_usage(const char *alg1, const char *alg2, psa_algorithm_t *psa_alg1, psa_algorithm_t *psa_alg2, @@ -301,7 +298,6 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor return 0; } #endif /* MBEDTLS_PK_C */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK) int ca_callback(void *data, mbedtls_x509_crt const *child, @@ -509,21 +505,6 @@ static const struct { #else { MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1, "brainpoolP256r1", 0 }, #endif -#if defined(MBEDTLS_ECP_DP_SECP224R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_224) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, "secp224r1", 0 }, -#endif -#if defined(MBEDTLS_ECP_DP_SECP192R1_ENABLED) || defined(PSA_WANT_ECC_SECP_R1_192) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, "secp192r1", 0 }, -#endif -#if defined(MBEDTLS_ECP_DP_SECP192K1_ENABLED) || defined(PSA_WANT_ECC_SECP_K1_192) - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 1 }, -#else - { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192K1, "secp192k1", 0 }, -#endif #if defined(MBEDTLS_ECP_DP_CURVE25519_ENABLED) || defined(PSA_WANT_ECC_MONTGOMERY_255) { MBEDTLS_SSL_IANA_TLS_GROUP_X25519, "x25519", 1 }, #else diff --git a/programs/ssl/ssl_test_lib.h b/programs/ssl/ssl_test_lib.h index c001a2afa1..6602b1ae21 100644 --- a/programs/ssl/ssl_test_lib.h +++ b/programs/ssl/ssl_test_lib.h @@ -8,15 +8,15 @@ #ifndef MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H #define MBEDTLS_PROGRAMS_SSL_SSL_TEST_LIB_H +#include "mbedtls/private/pk_private.h" + #include "mbedtls/build_info.h" #include "mbedtls/platform.h" #include "mbedtls/md.h" #undef HAVE_RNG -#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \ - (defined(MBEDTLS_USE_PSA_CRYPTO) || \ - defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) #define HAVE_RNG #elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C) #define HAVE_RNG @@ -45,9 +45,9 @@ #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" #include "mbedtls/ssl_ciphersuites.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/hmac_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" +#include "mbedtls/private/hmac_drbg.h" #include "mbedtls/x509.h" #include "mbedtls/error.h" #include "mbedtls/debug.h" @@ -55,10 +55,8 @@ #include "mbedtls/base64.h" #include "test/certs.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) #include "psa/crypto.h" #include "mbedtls/psa_util.h" -#endif #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C) #include "mbedtls/memory_buffer_alloc.h" @@ -108,30 +106,7 @@ void my_debug(void *ctx, int level, mbedtls_time_t dummy_constant_time(mbedtls_time_t *time); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG) -/* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use - * mbedtls_psa_get_random() rather than entropy+DRBG as a random generator. - * - * The constraints are: - * - Without the entropy module, the PSA RNG is the only option. - * - Without at least one of the DRBG modules, the PSA RNG is the only option. - * - The PSA RNG does not support explicit seeding, so it is incompatible with - * the reproducible mode used by test programs. - * - For good overall test coverage, there should be at least one configuration - * where the test programs use the PSA RNG while the PSA RNG is itself based - * on entropy+DRBG, and at least one configuration where the test programs - * do not use the PSA RNG even though it's there. - * - * A simple choice that meets the constraints is to use the PSA RNG whenever - * MBEDTLS_USE_PSA_CRYPTO is enabled. There's no real technical reason the - * choice to use the PSA RNG in the test programs and the choice to use - * PSA crypto when TLS code needs crypto have to be tied together, but it - * happens to be a good match. It's also a good match from an application - * perspective: either PSA is preferred for TLS (both for crypto and for - * random generation) or it isn't. - */ #define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG -#endif /** A context for random number generation (RNG). */ @@ -213,7 +188,6 @@ int rng_get(void *p_rng, unsigned char *output, size_t output_len); */ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /** Parse given opaque key algorithms to obtain psa algs and usage * that will be passed to mbedtls_pk_wrap_as_opaque(). * @@ -259,9 +233,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2, int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2, psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id); #endif /* MBEDTLS_PK_C */ -#endif /* MBEDTLS_USE_PSA_CRYPTO */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) +#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) /* The test implementation of the PSA external RNG is insecure. When * MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, before using any PSA crypto * function that makes use of an RNG, you must call diff --git a/programs/test/CMakeLists.txt b/programs/test/CMakeLists.txt index 949708420c..8a5d6ba822 100644 --- a/programs/test/CMakeLists.txt +++ b/programs/test/CMakeLists.txt @@ -56,6 +56,7 @@ if(GEN_FILES) ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt ${CMAKE_CURRENT_BINARY_DIR}/query_config.c + WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../.. DEPENDS ${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl ${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h @@ -101,6 +102,10 @@ foreach(exe IN LISTS executables) target_link_libraries(${exe} ${libs} ${CMAKE_THREAD_LIBS_INIT}) endforeach() +target_include_directories(metatest + PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/include + ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/drivers/builtin/src) + install(TARGETS ${executables} DESTINATION "bin" PERMISSIONS OWNER_READ OWNER_WRITE OWNER_EXECUTE GROUP_READ GROUP_EXECUTE WORLD_READ WORLD_EXECUTE) diff --git a/programs/test/cmake_package/cmake_package.c b/programs/test/cmake_package/cmake_package.c index f7d5230f46..cd050e97bc 100644 --- a/programs/test/cmake_package/cmake_package.c +++ b/programs/test/cmake_package/cmake_package.c @@ -18,10 +18,7 @@ * linkage works, but that is all. */ int main() { - /* This version string is 18 bytes long, as advised by version.h. */ - char version[18]; - - mbedtls_version_get_string_full(version); + const char *version = mbedtls_version_get_string_full(); mbedtls_printf("Built against %s\n", version); diff --git a/programs/test/cmake_package_install/CMakeLists.txt b/programs/test/cmake_package_install/CMakeLists.txt index 0d7dbe4dad..60a4481e48 100644 --- a/programs/test/cmake_package_install/CMakeLists.txt +++ b/programs/test/cmake_package_install/CMakeLists.txt @@ -37,5 +37,11 @@ find_package(MbedTLS REQUIRED) # add_executable(cmake_package_install cmake_package_install.c) + +string(REGEX MATCH "GNU" CMAKE_COMPILER_IS_GNU "${CMAKE_C_COMPILER_ID}") +if(CMAKE_COMPILER_IS_GNU) + target_compile_options(cmake_package_install PRIVATE -Wall -Werror) +endif() + target_link_libraries(cmake_package_install MbedTLS::mbedtls MbedTLS::mbedx509 MbedTLS::tfpsacrypto) diff --git a/programs/test/cmake_package_install/cmake_package_install.c b/programs/test/cmake_package_install/cmake_package_install.c index fb68883fee..a63f7dbb0f 100644 --- a/programs/test/cmake_package_install/cmake_package_install.c +++ b/programs/test/cmake_package_install/cmake_package_install.c @@ -19,10 +19,7 @@ * linkage works, but that is all. */ int main() { - /* This version string is 18 bytes long, as advised by version.h. */ - char version[18]; - - mbedtls_version_get_string_full(version); + const char *version = mbedtls_version_get_string_full(); mbedtls_printf("Built against %s\n", version); diff --git a/programs/test/cmake_subproject/cmake_subproject.c b/programs/test/cmake_subproject/cmake_subproject.c index efab789553..69b5d0b819 100644 --- a/programs/test/cmake_subproject/cmake_subproject.c +++ b/programs/test/cmake_subproject/cmake_subproject.c @@ -19,10 +19,7 @@ * linkage works, but that is all. */ int main() { - /* This version string is 18 bytes long, as advised by version.h. */ - char version[18]; - - mbedtls_version_get_string_full(version); + const char *version = mbedtls_version_get_string_full(); mbedtls_printf("Built against %s\n", version); diff --git a/programs/test/selftest.c b/programs/test/selftest.c index 372a84dc79..0e906ab4a3 100644 --- a/programs/test/selftest.c +++ b/programs/test/selftest.c @@ -9,31 +9,31 @@ #include "mbedtls/build_info.h" -#include "mbedtls/entropy.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/gcm.h" -#include "mbedtls/ccm.h" -#include "mbedtls/cmac.h" -#include "mbedtls/md5.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/sha3.h" -#include "mbedtls/aes.h" -#include "mbedtls/camellia.h" -#include "mbedtls/aria.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/chachapoly.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/hmac_drbg.h" +#include "mbedtls/private/ctr_drbg.h" +#include "mbedtls/private/gcm.h" +#include "mbedtls/private/ccm.h" +#include "mbedtls/private/cmac.h" +#include "mbedtls/private/md5.h" +#include "mbedtls/private/ripemd160.h" +#include "mbedtls/private/sha1.h" +#include "mbedtls/private/sha256.h" +#include "mbedtls/private/sha512.h" +#include "mbedtls/private/sha3.h" +#include "mbedtls/private/aes.h" +#include "mbedtls/private/camellia.h" +#include "mbedtls/private/aria.h" +#include "mbedtls/private/chacha20.h" +#include "mbedtls/private/poly1305.h" +#include "mbedtls/private/chachapoly.h" #include "mbedtls/base64.h" -#include "mbedtls/bignum.h" -#include "mbedtls/rsa.h" +#include "mbedtls/private/bignum.h" +#include "mbedtls/private/rsa.h" #include "mbedtls/x509.h" -#include "mbedtls/pkcs5.h" -#include "mbedtls/ecp.h" -#include "mbedtls/ecjpake.h" +#include "mbedtls/private/pkcs5.h" +#include "mbedtls/private/ecp.h" +#include "mbedtls/private/ecjpake.h" #include "mbedtls/timing.h" #include "mbedtls/nist_kw.h" #include "mbedtls/debug.h" @@ -210,7 +210,7 @@ static int run_test_snprintf(void) * back. */ #if defined(MBEDTLS_SELF_TEST) && defined(MBEDTLS_ENTROPY_C) -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) static void dummy_entropy(unsigned char *output, size_t output_size) { srand(1); @@ -239,7 +239,7 @@ static void create_entropy_seed_file(void) static int mbedtls_entropy_self_test_wrapper(int verbose) { -#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PLATFORM_GET_ENTROPY_ALT) +#if defined(MBEDTLS_ENTROPY_NV_SEED) && !defined(MBEDTLS_PSA_DRIVER_GET_ENTROPY) create_entropy_seed_file(); #endif return mbedtls_entropy_self_test(verbose); diff --git a/programs/test/udp_proxy.c b/programs/test/udp_proxy.c index 6e9ebf9a28..c80a3f59fc 100644 --- a/programs/test/udp_proxy.c +++ b/programs/test/udp_proxy.c @@ -16,6 +16,7 @@ #include "mbedtls/build_info.h" +#include #if defined(MBEDTLS_PLATFORM_C) #include "mbedtls/platform.h" #else diff --git a/programs/x509/cert_app.c b/programs/x509/cert_app.c index d9d5bb60ac..2f31a8e3ae 100644 --- a/programs/x509/cert_app.c +++ b/programs/x509/cert_app.c @@ -27,8 +27,8 @@ int main(void) } #else -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/net_sockets.h" #include "mbedtls/ssl.h" #include "mbedtls/x509.h" @@ -152,14 +152,12 @@ int main(int argc, char *argv[]) memset(&cacrl, 0, sizeof(mbedtls_x509_crl)); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -446,9 +444,7 @@ exit: #endif mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/cert_req.c b/programs/x509/cert_req.c index e59772ffda..c20f08d569 100644 --- a/programs/x509/cert_req.c +++ b/programs/x509/cert_req.c @@ -29,8 +29,8 @@ int main(void) #else #include "mbedtls/x509_csr.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/error.h" #include @@ -162,14 +162,12 @@ int main(int argc, char *argv[]) memset(buf, 0, sizeof(buf)); mbedtls_entropy_init(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -502,9 +500,7 @@ exit: mbedtls_pk_free(&key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ cur = opt.san_list; while (cur != NULL) { diff --git a/programs/x509/cert_write.c b/programs/x509/cert_write.c index 3cabff4b5a..2ed63f08de 100644 --- a/programs/x509/cert_write.c +++ b/programs/x509/cert_write.c @@ -31,8 +31,8 @@ int main(void) #include "mbedtls/x509_crt.h" #include "mbedtls/x509_csr.h" #include "mbedtls/oid.h" -#include "mbedtls/entropy.h" -#include "mbedtls/ctr_drbg.h" +#include "mbedtls/private/entropy.h" +#include "mbedtls/private/ctr_drbg.h" #include "mbedtls/error.h" #include "test/helpers.h" @@ -326,14 +326,12 @@ int main(int argc, char *argv[]) memset(buf, 0, sizeof(buf)); memset(serial, 0, sizeof(serial)); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -1026,9 +1024,7 @@ exit: mbedtls_pk_free(&loaded_issuer_key); mbedtls_ctr_drbg_free(&ctr_drbg); mbedtls_entropy_free(&entropy); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/crl_app.c b/programs/x509/crl_app.c index fee8b693ce..bb518adeef 100644 --- a/programs/x509/crl_app.c +++ b/programs/x509/crl_app.c @@ -60,14 +60,12 @@ int main(int argc, char *argv[]) */ mbedtls_x509_crl_init(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -124,9 +122,7 @@ usage: exit: mbedtls_x509_crl_free(&crl); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/programs/x509/load_roots.c b/programs/x509/load_roots.c index 2ae7c9b017..34d3508459 100644 --- a/programs/x509/load_roots.c +++ b/programs/x509/load_roots.c @@ -86,14 +86,12 @@ int main(int argc, char *argv[]) struct mbedtls_timing_hr_time timer; unsigned long ms; -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc <= 1) { mbedtls_printf(USAGE); @@ -159,9 +157,7 @@ int main(int argc, char *argv[]) exit_code = MBEDTLS_EXIT_SUCCESS; exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } #endif /* necessary configuration */ diff --git a/programs/x509/req_app.c b/programs/x509/req_app.c index 2929d687d4..b960818a09 100644 --- a/programs/x509/req_app.c +++ b/programs/x509/req_app.c @@ -60,14 +60,12 @@ int main(int argc, char *argv[]) */ mbedtls_x509_csr_init(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = psa_crypto_init(); if (status != PSA_SUCCESS) { mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n", (int) status); goto exit; } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (argc < 2) { usage: @@ -124,9 +122,7 @@ usage: exit: mbedtls_x509_csr_free(&csr); -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_psa_crypto_free(); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_exit(exit_code); } diff --git a/scripts/config.py b/scripts/config.py index 750ff88c72..e60d1606f1 100755 --- a/scripts/config.py +++ b/scripts/config.py @@ -76,18 +76,15 @@ EXCLUDE_FROM_FULL = frozenset([ 'MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH', # interacts with CTR_DRBG_128_BIT_KEY 'MBEDTLS_AES_USE_HARDWARE_ONLY', # hardware dependency 'MBEDTLS_BLOCK_CIPHER_NO_DECRYPT', # incompatible with ECB in PSA, CBC/XTS/NIST_KW - 'MBEDTLS_CTR_DRBG_USE_128_BIT_KEY', # interacts with ENTROPY_FORCE_SHA256 'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options 'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options 'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS 'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental - 'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY 'MBEDTLS_HAVE_SSE2', # hardware dependency 'MBEDTLS_MEMORY_BACKTRACE', # depends on MEMORY_BUFFER_ALLOC_C 'MBEDTLS_MEMORY_BUFFER_ALLOC_C', # makes sanitizers (e.g. ASan) less effective 'MBEDTLS_MEMORY_DEBUG', # depends on MEMORY_BUFFER_ALLOC_C 'MBEDTLS_NO_64BIT_MULTIPLICATION', # influences anything that uses bignum - 'MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', # removes a feature 'MBEDTLS_NO_UDBL_DIVISION', # influences anything that uses bignum 'MBEDTLS_PSA_DRIVER_GET_ENTROPY', # incompatible with MBEDTLS_PSA_BUILTIN_GET_ENTROPY 'MBEDTLS_PSA_P256M_DRIVER_ENABLED', # influences SECP256R1 KeyGen/ECDH/ECDSA @@ -182,8 +179,10 @@ def baremetal_adapter(name, value, active): """Config adapter for "baremetal".""" if not is_boolean_setting(name, value): return active - if name == 'MBEDTLS_PLATFORM_GET_ENTROPY_ALT': + if name == 'MBEDTLS_PSA_BUILTIN_GET_ENTROPY': # No OS-provided entropy source + return False + if name == 'MBEDTLS_PSA_DRIVER_GET_ENTROPY': return True return include_in_full(name) and keep_in_baremetal(name) diff --git a/scripts/data_files/query_config.fmt b/scripts/data_files/query_config.fmt index 12517596d6..603c7dd200 100644 --- a/scripts/data_files/query_config.fmt +++ b/scripts/data_files/query_config.fmt @@ -1,4 +1,4 @@ -/* +/* -*-c-*- * Query Mbed TLS compile time configurations from mbedtls_config.h * * Copyright The Mbed TLS Contributors @@ -10,73 +10,17 @@ #include "query_config.h" #include "mbedtls/platform.h" - -/* - * Include all the headers with public APIs in case they define a macro to its - * default value when that configuration is not set in mbedtls_config.h, or - * for PSA_WANT macros, in case they're auto-defined based on mbedtls_config.h - * rather than defined directly in crypto_config.h. - */ -#include "psa/crypto.h" - -#include "mbedtls/aes.h" -#include "mbedtls/aria.h" -#include "mbedtls/asn1.h" -#include "mbedtls/asn1write.h" -#include "mbedtls/base64.h" -#include "mbedtls/bignum.h" -#include "mbedtls/camellia.h" -#include "mbedtls/ccm.h" -#include "mbedtls/chacha20.h" -#include "mbedtls/chachapoly.h" -#include "mbedtls/cipher.h" -#include "mbedtls/cmac.h" -#include "mbedtls/ctr_drbg.h" -#include "mbedtls/debug.h" -#include "mbedtls/des.h" -#include "mbedtls/ecdh.h" -#include "mbedtls/ecdsa.h" -#include "mbedtls/ecjpake.h" -#include "mbedtls/ecp.h" -#include "mbedtls/entropy.h" -#include "mbedtls/error.h" -#include "mbedtls/gcm.h" -#include "mbedtls/hmac_drbg.h" -#include "mbedtls/md.h" -#include "mbedtls/md5.h" -#include "mbedtls/memory_buffer_alloc.h" -#include "mbedtls/net_sockets.h" -#include "mbedtls/nist_kw.h" -#include "mbedtls/oid.h" -#include "mbedtls/pem.h" -#include "mbedtls/pk.h" -#include "mbedtls/pkcs12.h" -#include "mbedtls/pkcs5.h" -#if defined(MBEDTLS_HAVE_TIME) -#include "mbedtls/platform_time.h" -#endif -#include "mbedtls/platform_util.h" -#include "mbedtls/poly1305.h" -#include "mbedtls/ripemd160.h" -#include "mbedtls/rsa.h" -#include "mbedtls/sha1.h" -#include "mbedtls/sha256.h" -#include "mbedtls/sha512.h" -#include "mbedtls/ssl.h" -#include "mbedtls/ssl_cache.h" -#include "mbedtls/ssl_ciphersuites.h" -#include "mbedtls/ssl_cookie.h" -#include "mbedtls/ssl_ticket.h" -#include "mbedtls/threading.h" -#include "mbedtls/timing.h" -#include "mbedtls/version.h" -#include "mbedtls/x509.h" -#include "mbedtls/x509_crl.h" -#include "mbedtls/x509_crt.h" -#include "mbedtls/x509_csr.h" - #include +/* Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 */ +#if defined(MBEDTLS_HAVE_TIME) +#include +#endif + +/* *INDENT-OFF* */ +INCLUDE_HEADERS +/* *INDENT-ON* */ + /* * Helper macros to convert a macro or its expansion into a string * WARNING: This does not work for expanding function-like macros. However, diff --git a/scripts/footprint.sh b/scripts/footprint.sh index e45a9265ac..1f2945159e 100755 --- a/scripts/footprint.sh +++ b/scripts/footprint.sh @@ -19,14 +19,22 @@ set -eu CONFIG_H='include/mbedtls/mbedtls_config.h' +CRYPTO_CONFIG_H='tf-psa-crypto/include/psa/crypto_config.h' -if [ -r $CONFIG_H ]; then :; else +if [ ! -r $CONFIG_H ]; then echo "$CONFIG_H not found" >&2 echo "This script needs to be run from the root of" >&2 echo "a git checkout or uncompressed tarball" >&2 exit 1 fi +if [ ! -r $CRYPTO_CONFIG_H ]; then + echo "$CRYPTO_CONFIG_H not found" >&2 + echo "This script needs to be run from the root of" >&2 + echo "a git checkout or uncompressed tarball" >&2 + exit 1 +fi + if grep -i cmake Makefile >/dev/null; then echo "Not compatible with CMake" >&2 exit 1 @@ -56,15 +64,25 @@ doit() log "$NAME ($FILE):" cp $CONFIG_H ${CONFIG_H}.bak + cp $CRYPTO_CONFIG_H ${CRYPTO_CONFIG_H}.bak if [ "$FILE" != $CONFIG_H ]; then + CRYPTO_FILE="${FILE%/*}/crypto-${FILE##*/}" cp "$FILE" $CONFIG_H + cp "$CRYPTO_FILE" $CRYPTO_CONFIG_H fi { + scripts/config.py unset MBEDTLS_HAVE_TIME || true + scripts/config.py unset MBEDTLS_HAVE_TIME_DATE || true scripts/config.py unset MBEDTLS_NET_C || true scripts/config.py unset MBEDTLS_TIMING_C || true scripts/config.py unset MBEDTLS_FS_IO || true - scripts/config.py --force set MBEDTLS_PLATFORM_GET_ENTROPY_ALT || true + scripts/config.py unset MBEDTLS_PSA_ITS_FILE_C || true + scripts/config.py unset MBEDTLS_PSA_CRYPTO_STORAGE_C || true + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY || true + # Force the definition of MBEDTLS_PSA_DRIVER_GET_ENTROPY as it may + # not exist in custom configurations. + scripts/config.py --force -f ${CRYPTO_CONFIG_H} set MBEDTLS_PSA_DRIVER_GET_ENTROPY || true } >/dev/null 2>&1 make clean >/dev/null @@ -76,7 +94,8 @@ doit() log "$( head -n1 "$OUT" )" log "$( tail -n1 "$OUT" )" - cp ${CONFIG_H}.bak $CONFIG_H + mv ${CONFIG_H}.bak $CONFIG_H + mv ${CRYPTO_CONFIG_H}.bak $CRYPTO_CONFIG_H } # truncate the file just this time diff --git a/scripts/generate_query_config.pl b/scripts/generate_query_config.pl index 6a2f9cbdfa..99128ca7ac 100755 --- a/scripts/generate_query_config.pl +++ b/scripts/generate_query_config.pl @@ -49,6 +49,8 @@ if( @ARGV ) { or die "No arguments supplied, must be run from project root or a first-level subdirectory\n"; } } +-f 'include/mbedtls/build_info.h' + or die "$0: must be run from project root, or from a first-level subdirectory with no arguments\n"; # Excluded macros from the generated query_config.c. For example, macros that # have commas or function-like macros cannot be transformed into strings easily @@ -100,6 +102,34 @@ EOT close(CONFIG_FILE); } +# We need to include all the headers with public APIs in case they +# define a macro to its default value when that configuration is not +# set in a header included by build_info.h (crypto_config.h, +# mbedtls_config.h, *adjust*.h). Some module-specific macros are set +# in that module's header. For simplicity, include all headers, with +# some ad hoc knowledge of headers that are included by other headers +# and should not be included directly. We don't include internal headers +# because those should not define configurable macros. +my @header_files = (); +my @header_roots = qw( + include + tf-psa-crypto/include + tf-psa-crypto/drivers/builtin/include + ); +for my $root (@header_roots) { + my @paths = glob "$root/*/*.h $root/*/*/*.h"; + map {s!^\Q$root/!!} @paths; + # Exclude some headers that are included by build_info.h and cannot + # be included directly. + push @header_files, grep {!m[ + ^psa/crypto_(platform|struct)\.h$ | # have alt versions, included by psa/crypto.h anyway + ^mbedtls/platform_time\.h$ | # errors without time.h + _config\.h | + [/_]adjust[/_] + ]x} @paths; +} +my $include_headers = join('', map {"#include <$_>\n"} @header_files); + # Read the full format file into a string local $/; open(FORMAT_FILE, "<", $query_config_format_file) or die "Opening query config format file '$query_config_format_file': $!"; @@ -107,6 +137,7 @@ my $query_config_format = ; close(FORMAT_FILE); # Replace the body of the query_config() function with the code we just wrote +$query_config_format =~ s/INCLUDE_HEADERS/$include_headers/g; $query_config_format =~ s/CHECK_CONFIG/$config_check/g; $query_config_format =~ s/LIST_CONFIG/$list_config/g; diff --git a/tests/Makefile b/tests/Makefile index 3a6f0e62ea..a52bc32f57 100644 --- a/tests/Makefile +++ b/tests/Makefile @@ -369,6 +369,7 @@ libtestdriver1.a: perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/include/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/core/*.[ch] perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*.h + perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*/*.h perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch] diff --git a/tests/compat.sh b/tests/compat.sh index a11fffda06..2b6f454127 100755 --- a/tests/compat.sh +++ b/tests/compat.sh @@ -359,13 +359,6 @@ add_openssl_ciphersuites() "ECDSA") CIPHERS="$CIPHERS \ - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \ - TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \ - TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \ - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \ - TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \ - TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \ - TLS_ECDH_ECDSA_WITH_NULL_SHA \ TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \ TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \ TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \ @@ -468,14 +461,6 @@ add_mbedtls_ciphersuites() "ECDSA") M_CIPHERS="$M_CIPHERS \ - TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \ - TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \ - TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \ - TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \ - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \ - TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \ - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \ - TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \ TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \ TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \ " diff --git a/tests/configs/tls13-only.h b/tests/configs/tls13-only.h index 342bbed91e..8260ef5e12 100644 --- a/tests/configs/tls13-only.h +++ b/tests/configs/tls13-only.h @@ -25,4 +25,3 @@ #undef MBEDTLS_SSL_DTLS_SRTP #undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE #undef MBEDTLS_SSL_DTLS_CONNECTION_ID -#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT diff --git a/tests/include/test/ssl_helpers.h b/tests/include/test/ssl_helpers.h index 5bfdedaaf0..d019c5065e 100644 --- a/tests/include/test/ssl_helpers.h +++ b/tests/include/test/ssl_helpers.h @@ -31,11 +31,9 @@ #include "mbedtls/ssl_cache.h" #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \ psa_to_ssl_errors, \ psa_generic_status_to_mbedtls) -#endif #if defined(MBEDTLS_SSL_PROTO_TLS1_3) #if defined(PSA_WANT_KEY_TYPE_AES) @@ -751,18 +749,11 @@ int mbedtls_test_get_tls13_ticket( #define ECJPAKE_TEST_PWD "bla" -#if defined(MBEDTLS_USE_PSA_CRYPTO) #define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \ ret = (use_opaque_arg) ? \ mbedtls_ssl_set_hs_ecjpake_password_opaque(&ssl, pwd_slot) : \ mbedtls_ssl_set_hs_ecjpake_password(&ssl, pwd_string, pwd_len); \ TEST_EQUAL(ret, exp_ret_val) -#else -#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \ - ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, \ - pwd_string, pwd_len); \ - TEST_EQUAL(ret, exp_ret_val) -#endif /* MBEDTLS_USE_PSA_CRYPTO */ #define TEST_AVAILABLE_ECC(tls_id_, group_id_, psa_family_, psa_bits_) \ TEST_EQUAL(mbedtls_ssl_get_ecp_group_id_from_tls_id(tls_id_), \ diff --git a/tests/psa-client-server/psasim/src/aut_psa_random.c b/tests/psa-client-server/psasim/src/aut_psa_random.c index 5880c4deb9..203f4d44ba 100644 --- a/tests/psa-client-server/psasim/src/aut_psa_random.c +++ b/tests/psa-client-server/psasim/src/aut_psa_random.c @@ -10,7 +10,7 @@ #include #include -#include "mbedtls/entropy.h" +#include "mbedtls/private/entropy.h" #define BUFFER_SIZE 100 diff --git a/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c index 635a70545a..9051f20535 100644 --- a/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c +++ b/tests/psa-client-server/psasim/src/psa_sim_crypto_client.c @@ -73,12 +73,12 @@ int psa_crypto_call(int function, psa_status_t psa_crypto_init(void) { - char mbedtls_version[18]; + const char *mbedtls_version; uint8_t *result = NULL; size_t result_length; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_version_get_string_full(mbedtls_version); + mbedtls_version = mbedtls_version_get_string_full(); CLIENT_PRINT("%s", mbedtls_version); CLIENT_PRINT("My PID: %d", getpid()); diff --git a/tests/psa-client-server/psasim/src/psa_sim_generate.pl b/tests/psa-client-server/psasim/src/psa_sim_generate.pl index 3eec226e16..0f4c86f817 100755 --- a/tests/psa-client-server/psasim/src/psa_sim_generate.pl +++ b/tests/psa-client-server/psasim/src/psa_sim_generate.pl @@ -390,12 +390,12 @@ int psa_crypto_call(int function, psa_status_t psa_crypto_init(void) { - char mbedtls_version[18]; + const char *mbedtls_version; uint8_t *result = NULL; size_t result_length; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; - mbedtls_version_get_string_full(mbedtls_version); + mbedtls_version = mbedtls_version_get_string_full(); CLIENT_PRINT("%s", mbedtls_version); CLIENT_PRINT("My PID: %d", getpid()); diff --git a/tests/psa-client-server/psasim/src/server.c b/tests/psa-client-server/psasim/src/server.c index 44939f1c2a..aa0c75a488 100644 --- a/tests/psa-client-server/psasim/src/server.c +++ b/tests/psa-client-server/psasim/src/server.c @@ -56,8 +56,7 @@ int psa_server_main(int argc, char *argv[]) extern psa_status_t psa_crypto_close(void); #if defined(MBEDTLS_VERSION_C) - char mbedtls_version[18]; - mbedtls_version_get_string_full(mbedtls_version); + const char *mbedtls_version = mbedtls_version_get_string_full(); SERVER_PRINT("%s", mbedtls_version); #endif diff --git a/tests/scripts/analyze_outcomes.py b/tests/scripts/analyze_outcomes.py index d1bb553c67..8660e68942 100755 --- a/tests/scripts/analyze_outcomes.py +++ b/tests/scripts/analyze_outcomes.py @@ -124,10 +124,8 @@ class CoverageTask(outcome_analysis.CoverageTask): # Untested platform-specific optimizations. # https://github.com/Mbed-TLS/mbedtls/issues/9588 'Config: MBEDTLS_HAVE_SSE2', - # Obsolete configuration options, to be replaced by - # PSA entropy drivers. - # https://github.com/Mbed-TLS/mbedtls/issues/8150 - 'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES', + # Obsolete config option that we are about to remove + 'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT', # Untested aspect of the platform interface. # https://github.com/Mbed-TLS/mbedtls/issues/9589 'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS', diff --git a/tests/scripts/components-basic-checks.sh b/tests/scripts/components-basic-checks.sh index 85731a1710..c7d8161893 100644 --- a/tests/scripts/components-basic-checks.sh +++ b/tests/scripts/components-basic-checks.sh @@ -123,4 +123,7 @@ component_check_test_helpers () { msg "unit test: translate_ciphers.py" python3 -m unittest framework/scripts/translate_ciphers.py 2>&1 + + msg "unit test: generate_config_checks.py" + tests/scripts/test_config_checks.py 2>&1 } diff --git a/tests/scripts/components-configuration-crypto.sh b/tests/scripts/components-configuration-crypto.sh index 5a13d5102a..608afaa42d 100644 --- a/tests/scripts/components-configuration-crypto.sh +++ b/tests/scripts/components-configuration-crypto.sh @@ -82,22 +82,27 @@ component_test_psa_crypto_without_heap() { msg "crypto without heap: build libtestdriver1" # Disable PSA features that cannot be accelerated and whose builtin support # requires calloc/free. - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_" + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset-all "^PSA_WANT_ALG_HKDF" + scripts/config.py unset-all "^PSA_WANT_ALG_PBKDF2_" + scripts/config.py unset-all "^PSA_WANT_ALG_TLS12_" # RSA key support requires ASN1 parse/write support for testing, but ASN1 # is disabled below. - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_" - scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_" + scripts/config.py unset-all "^PSA_WANT_KEY_TYPE_RSA_" + scripts/config.py unset-all "^PSA_WANT_ALG_RSA_" # DES requires built-in support for key generation (parity check) so it # cannot be accelerated - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_KEY_TYPE_DES # EC-JPAKE use calloc/free in PSA core - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE + # Enable p192[k|r]1 curves which are disabled by default in tf-psa-crypto. + # This is required to get the proper test coverage otherwise there are + # tests in 'test_suite_psa_crypto_op_fail' that would never be executed. + scripts/config.py set PSA_WANT_ECC_SECP_K1_192 + scripts/config.py set PSA_WANT_ECC_SECP_R1_192 # Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H). - PSA_SYM_LIST=$(./scripts/config.py -c $CRYPTO_CONFIG_H get-all-enabled PSA_WANT) + PSA_SYM_LIST=$(./scripts/config.py get-all-enabled PSA_WANT) loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g') helper_libtestdriver1_adjust_config crypto @@ -138,7 +143,7 @@ component_test_psa_crypto_without_heap() { component_test_no_rsa_key_pair_generation () { msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE" @@ -205,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () { msg "build: Full minus HMAC_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # requires HMAC_DRBG CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make @@ -231,12 +236,11 @@ component_test_psa_external_rng_no_drbg_use_psa () { msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG - scripts/config.py unset MBEDTLS_ENTROPY_C scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT scripts/config.py unset MBEDTLS_CTR_DRBG_C scripts/config.py unset MBEDTLS_HMAC_DRBG_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites" @@ -247,16 +251,18 @@ component_test_psa_external_rng_no_drbg_use_psa () { } component_test_psa_external_rng_use_psa_crypto () { - msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" scripts/config.py full scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG scripts/config.py unset MBEDTLS_CTR_DRBG_C + scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" make test - msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG" + msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED" tests/ssl-opt.sh -f 'Default\|opaque' } @@ -288,8 +294,7 @@ component_test_crypto_full_md_light_only () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_PKCS7_C # Disable indirect dependencies of MD_C - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Disable things that would auto-enable MD_C scripts/config.py unset MBEDTLS_PKCS5_C @@ -314,17 +319,17 @@ component_test_full_no_cipher () { # on CIPHER_C so we disable them. # This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305 # so we keep them enabled. - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py unset PSA_WANT_KEY_TYPE_DES # The following modules directly depends on CIPHER_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -352,7 +357,7 @@ component_test_full_no_ccm () { # # Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause # PSA_WANT_ALG_CCM to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM make @@ -373,17 +378,17 @@ component_test_full_no_ccm_star_no_tag () { # # Note: PSA_WANT_ALG_CCM is enabled, but it does not cause # PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING # NOTE unsettting PSA_WANT_ALG_ECB_NO_PADDING without unsetting NIST_KW_C will # mean PSA_WANT_ALG_ECB_NO_PADDING is re-enabled, so disabling it also. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_NIST_KW_C - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset MBEDTLS_NIST_KW_C + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 make @@ -536,10 +541,10 @@ component_test_psa_crypto_config_ffdh_2048_only () { scripts/config.py full # Disable all DH groups other than 2048. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192 + scripts/config.py unset PSA_WANT_DH_RFC7919_3072 + scripts/config.py unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py unset PSA_WANT_DH_RFC7919_8192 make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS" @@ -553,23 +558,22 @@ component_test_psa_crypto_config_ffdh_2048_only () { component_test_psa_crypto_config_accel_ecdsa () { msg "build: accelerated ECDSA" - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - # Configure # --------- # Start from default config + TLS 1.3 helper_libtestdriver1_adjust_config "default" + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDSA_C # Disable things that depend on it scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED # Build # ----- @@ -595,23 +599,21 @@ component_test_psa_crypto_config_accel_ecdsa () { component_test_psa_crypto_config_accel_ecdh () { msg "build: accelerated ECDH" - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDH \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - # Configure # --------- # Start from default config (no USE_PSA) helper_libtestdriver1_adjust_config "default" + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDH \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + # Disable the module that's accelerated scripts/config.py unset MBEDTLS_ECDH_C # Disable things that depend on it - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED @@ -636,17 +638,17 @@ component_test_psa_crypto_config_accel_ecdh () { component_test_psa_crypto_config_accel_ffdh () { msg "build: full with accelerated FFDH" - # Algorithms and key types to accelerate - loc_accel_list="ALG_FFDH \ - $(helper_get_psa_key_type_list "DH") \ - $(helper_get_psa_dh_group_list)" - # Configure # --------- # start with full (USE_PSA and TLS 1.3) helper_libtestdriver1_adjust_config "full" + # Algorithms and key types to accelerate + loc_accel_list="ALG_FFDH \ + $(helper_get_psa_key_type_list "DH") \ + $(helper_get_psa_dh_group_list)" + # Build # ----- @@ -685,15 +687,15 @@ component_test_psa_crypto_config_reference_ffdh () { component_test_psa_crypto_config_accel_pake () { msg "build: full with accelerated PAKE" - loc_accel_list="ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - # Configure # --------- helper_libtestdriver1_adjust_config "full" + loc_accel_list="ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + # Make built-in fallback not available scripts/config.py unset MBEDTLS_ECJPAKE_C scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED @@ -718,6 +720,12 @@ component_test_psa_crypto_config_accel_pake () { component_test_psa_crypto_config_accel_ecc_some_key_types () { msg "build: full with accelerated EC algs and some key types" + # Configure + # --------- + + # start with config full for maximum coverage (also enables USE_PSA) + helper_libtestdriver1_adjust_config "full" + # Algorithms and key types to accelerate # For key types, use an explicitly list to omit GENERATE (and DERIVE) loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ @@ -729,12 +737,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { KEY_TYPE_ECC_KEY_PAIR_EXPORT \ $(helper_get_psa_curve_list)" - # Configure - # --------- - - # start with config full for maximum coverage (also enables USE_PSA) - helper_libtestdriver1_adjust_config "full" - # Disable modules that are accelerated - some will be re-enabled scripts/config.py unset MBEDTLS_ECDSA_C scripts/config.py unset MBEDTLS_ECDH_C @@ -750,7 +752,7 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () { scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- @@ -789,6 +791,25 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { msg "build: crypto_full minus PK with accelerated EC algs and $desc curves" + # Configure + # --------- + + # Start with config crypto_full and remove PK_C: + # that's what's supported now, see docs/driver-only-builds.md. + helper_libtestdriver1_adjust_config "crypto_full" + scripts/config.py unset MBEDTLS_PK_C + scripts/config.py unset MBEDTLS_PK_PARSE_C + scripts/config.py unset MBEDTLS_PK_WRITE_C + + # Disable modules that are accelerated - some will be re-enabled + scripts/config.py unset MBEDTLS_ECDSA_C + scripts/config.py unset MBEDTLS_ECDH_C + scripts/config.py unset MBEDTLS_ECJPAKE_C + scripts/config.py unset MBEDTLS_ECP_C + + # Disable all curves - those that aren't accelerated should be re-enabled + helper_disable_builtin_curves + # Note: Curves are handled in a special way by the libtestdriver machinery, # so we only want to include them in the accel list when building the main # libraries, hence the use of a separate variable. @@ -819,32 +840,13 @@ common_test_psa_crypto_config_accel_ecc_some_curves () { $(helper_get_psa_key_type_list "ECC") \ $loc_curve_list" - # Configure - # --------- - - # Start with config crypto_full and remove PK_C: - # that's what's supported now, see docs/driver-only-builds.md. - helper_libtestdriver1_adjust_config "crypto_full" - scripts/config.py unset MBEDTLS_PK_C - scripts/config.py unset MBEDTLS_PK_PARSE_C - scripts/config.py unset MBEDTLS_PK_WRITE_C - - # Disable modules that are accelerated - some will be re-enabled - scripts/config.py unset MBEDTLS_ECDSA_C - scripts/config.py unset MBEDTLS_ECDH_C - scripts/config.py unset MBEDTLS_ECJPAKE_C - scripts/config.py unset MBEDTLS_ECP_C - - # Disable all curves - those that aren't accelerated should be re-enabled - helper_disable_builtin_curves - # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues # 6061, 6332 and following ones) scripts/config.py unset MBEDTLS_ECP_RESTARTABLE # this is not supported by the driver API yet - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Build # ----- @@ -929,6 +931,12 @@ config_psa_crypto_config_ecp_light_only () { component_test_psa_crypto_config_accel_ecc_ecp_light_only () { msg "build: full with accelerated EC algs" + # Configure + # --------- + + # Use the same config as reference, only without built-in EC algs + config_psa_crypto_config_ecp_light_only 1 + # Algorithms and key types to accelerate loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ @@ -936,12 +944,6 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () { $(helper_get_psa_key_type_list "ECC") \ $(helper_get_psa_curve_list)" - # Configure - # --------- - - # Use the same config as reference, only without built-in EC algs - config_psa_crypto_config_ecp_light_only 1 - # Do not disable builtin curves because that support is required for: # - MBEDTLS_PK_PARSE_EC_EXTENDED # - MBEDTLS_PK_PARSE_EC_COMPRESSED @@ -1017,7 +1019,7 @@ config_psa_crypto_no_ecp_at_all () { # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # Restartable feature is not yet supported by PSA. Once it will in # the future, the following line could be removed (see issues @@ -1033,13 +1035,6 @@ config_psa_crypto_no_ecp_at_all () { component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { msg "build: full + accelerated EC algs - ECP" - # Algorithms and key types to accelerate - loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ - ALG_ECDH \ - ALG_JPAKE \ - $(helper_get_psa_key_type_list "ECC") \ - $(helper_get_psa_curve_list)" - # Configure # --------- @@ -1048,6 +1043,13 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () { # Disable all the builtin curves. All the required algs are accelerated. helper_disable_builtin_curves + # Algorithms and key types to accelerate + loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ + ALG_ECDH \ + ALG_JPAKE \ + $(helper_get_psa_key_type_list "ECC") \ + $(helper_get_psa_curve_list)" + # Build # ----- @@ -1134,23 +1136,22 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () { # Disable all the features that auto-enable ECP_LIGHT (see build_info.h) scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE + scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE # RSA support is intentionally disabled on this test because RSA_C depends # on BIGNUM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*" scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Also disable key exchanges that depend on RSA scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED if [ "$test_target" = "ECC" ]; then # When testing ECC only, we disable FFDH support, both from builtin and # PSA sides. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*" + scripts/config.py unset PSA_WANT_ALG_FFDH + scripts/config.py unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*" + scripts/config.py unset-all "PSA_WANT_DH_RFC7919_[0-9]*" fi # Restartable feature is not yet supported by PSA. Once it will in @@ -1184,6 +1185,14 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM" + # Configure + # --------- + + # Set common configurations between library's and driver's builds + config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" + # Disable all the builtin curves. All the required algs are accelerated. + helper_disable_builtin_curves + # By default we accelerate all EC keys/algs loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \ ALG_ECDH \ @@ -1198,14 +1207,6 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () { $(helper_get_psa_dh_group_list)" fi - # Configure - # --------- - - # Set common configurations between library's and driver's builds - config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target" - # Disable all the builtin curves. All the required algs are accelerated. - helper_disable_builtin_curves - # Build # ----- @@ -1352,7 +1353,7 @@ component_test_tfm_config_no_p256m () { # Disable P256M driver, which is on by default, so that analyze_outcomes # can compare this test with test_tfm_config_p256m_driver_accel_ec - sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #undef MBEDTLS_PSA_P256M_DRIVER_ENABLED' "$CRYPTO_CONFIG_H" + scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_PSA_P256M_DRIVER_ENABLED msg "build: TF-M config without p256m" make CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests @@ -1387,7 +1388,7 @@ build_and_test_psa_want_key_pair_partial () { # All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in # crypto_config.h so we just disable the one we don't want. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want" + scripts/config.py unset "$disabled_psa_want" make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" @@ -1492,15 +1493,15 @@ component_test_new_psa_want_key_pair_symbol () { scripts/config.py crypto # Remove RSA support and its dependencies - scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED + scripts/config.py unset MBEDTLS_PKCS1_V15 scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT # Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure # that proper translations is done in crypto_legacy.h. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE make @@ -1652,8 +1653,7 @@ config_psa_crypto_hmac_use_psa () { scripts/config.py unset MBEDTLS_HMAC_DRBG_C scripts/config.py unset MBEDTLS_HKDF_C # Dependencies of HMAC_DRBG - scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA } component_test_psa_crypto_config_accel_hmac () { @@ -1710,7 +1710,7 @@ component_test_psa_crypto_config_accel_aead () { helper_libtestdriver1_adjust_config "full" # Disable CCM_STAR_NO_TAG because this re-enables CCM_C. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG # Build # ----- @@ -1826,14 +1826,14 @@ common_block_cipher_dispatch () { # legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h". # Keep this also in the reference component in order to skip the same tests # that were skipped in the accelerated one. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_CTR + scripts/config.py unset PSA_WANT_ALG_CFB + scripts/config.py unset PSA_WANT_ALG_OFB + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 # Disable direct dependency on AES_C scripts/config.py unset MBEDTLS_NIST_KW_C @@ -1926,7 +1926,7 @@ component_test_full_block_cipher_legacy_dispatch () { component_test_aead_chachapoly_disabled () { msg "build: full minus CHACHAPOLY" scripts/config.py full - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY" @@ -1936,8 +1936,8 @@ component_test_aead_chachapoly_disabled () { component_test_aead_only_ccm () { msg "build: full minus CHACHAPOLY and GCM" scripts/config.py full - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_GCM make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" msg "test: full minus CHACHAPOLY and GCM" @@ -2063,10 +2063,10 @@ component_build_aes_variations () { scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT scripts/config.py unset MBEDTLS_NIST_KW_C - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_KEY_TYPE_DES build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \ "MBEDTLS_AES_ROM_TABLES" \ @@ -2088,9 +2088,9 @@ END #define PSA_WANT_ALG_SHA3_384 1 #define PSA_WANT_ALG_SHA3_512 1 #define PSA_WANT_KEY_TYPE_AES 1 - #define MBEDTLS_CTR_DRBG_C - #define MBEDTLS_ENTROPY_C #define MBEDTLS_PSA_CRYPTO_C + #define MBEDTLS_CTR_DRBG_C + #define MBEDTLS_PSA_BUILTIN_GET_ENTROPY #define MBEDTLS_SELF_TEST END @@ -2140,6 +2140,7 @@ component_build_aes_aesce_armcc () { component_test_aes_only_128_bit_keys () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 make CFLAGS='-O2 -Werror -Wall -Wextra' @@ -2150,6 +2151,7 @@ component_test_aes_only_128_bit_keys () { component_test_no_ctr_drbg_aes_only_128_bit_keys () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 scripts/config.py unset MBEDTLS_CTR_DRBG_C make CC=clang CFLAGS='-Werror -Wall -Wextra' @@ -2161,6 +2163,7 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () { component_test_aes_only_128_bit_keys_have_builtins () { msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C" scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 scripts/config.py unset MBEDTLS_AESNI_C scripts/config.py unset MBEDTLS_AESCE_C @@ -2274,10 +2277,10 @@ config_block_cipher_no_decrypt () { # Enable support for cryptographic mechanisms through the PSA API. # Note: XTS, KW are not yet supported via the PSA API in Mbed TLS. - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING + scripts/config.py unset PSA_WANT_KEY_TYPE_DES } component_test_block_cipher_no_decrypt_aesni () { @@ -2346,40 +2349,53 @@ component_test_block_cipher_no_decrypt_aesce_armcc () { not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o } -component_test_ctr_drbg_aes_256_sha_256 () { - msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" +component_test_ctr_drbg_aes_256_sha_512 () { + msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)" + make test +} + +component_test_ctr_drbg_aes_256_sha_256 () { + msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" + scripts/config.py full + scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 + CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . + make + + msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" make test } component_test_ctr_drbg_aes_128_sha_512 () { - msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" + msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)" + msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)" make test } component_test_ctr_drbg_aes_128_sha_256 () { - msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" scripts/config.py full scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C - scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY - scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256 + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . make - msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)" + msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)" make test } diff --git a/tests/scripts/components-configuration-platform.sh b/tests/scripts/components-configuration-platform.sh index ade207a650..b408bec618 100644 --- a/tests/scripts/components-configuration-platform.sh +++ b/tests/scripts/components-configuration-platform.sh @@ -20,17 +20,18 @@ component_build_no_std_function () { make } -component_test_platform_get_entropy_alt() +component_test_psa_driver_get_entropy() { - msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "build: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" # Use hardware polling as the only source for entropy - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make # Run all the tests - msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT" + msg "test: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY" make test } @@ -40,7 +41,8 @@ component_build_no_sockets () { msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s scripts/config.py full scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY # prevent syscall() on GNU/Linux + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib } diff --git a/tests/scripts/components-configuration-tls.sh b/tests/scripts/components-configuration-tls.sh index 450bdebab1..e9f2666d3f 100644 --- a/tests/scripts/components-configuration-tls.sh +++ b/tests/scripts/components-configuration-tls.sh @@ -50,15 +50,15 @@ component_test_tls1_2_default_stream_cipher_only () { msg "build: default with only stream cipher use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -79,14 +79,14 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () { msg "build: default with only CBC-legacy cipher use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Enable CBC-legacy - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING # Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -108,14 +108,14 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () { msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa" # Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C) - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305 + scripts/config.py unset PSA_WANT_ALG_CCM + scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG + scripts/config.py unset PSA_WANT_ALG_GCM + scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305 #Disable TLS 1.3 (as no AEAD) scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3 # Enable CBC-legacy - scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING # Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC) scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC # Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER)) @@ -235,6 +235,7 @@ component_test_small_mbedtls_ssl_dtls_max_buffering () { # - test only TLS (i.e. test_suite_tls and ssl-opt) build_full_minus_something_and_test_tls () { symbols_to_disable="$1" + filter="${2-.}" msg "build: full minus something, test TLS" @@ -250,11 +251,12 @@ build_full_minus_something_and_test_tls () { ( cd tests; ./test_suite_ssl ) msg "ssl-opt: full minus something, test TLS" - tests/ssl-opt.sh + tests/ssl-opt.sh -f "$filter" } +#These tests are temporarily disabled due to an unknown dependency of static ecdh as described in https://github.com/Mbed-TLS/mbedtls/issues/10385. component_full_without_ecdhe_ecdsa () { - build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" + build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" 'psk\|PSK\|1\.3' } component_full_without_ecdhe_ecdsa_and_tls13 () { @@ -342,23 +344,6 @@ component_test_variable_ssl_in_out_buffer_len () { tests/compat.sh } -component_test_dtls_cid_legacy () { - msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)" - scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1 - - CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan . - make - - msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)" - make test - - msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/ssl-opt.sh - - msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled" - tests/compat.sh -} - component_test_ssl_alloc_buffer_and_mfl () { msg "build: default config with memory buffer allocator and MFL extension" scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C @@ -378,10 +363,10 @@ component_test_ssl_alloc_buffer_and_mfl () { component_test_when_no_ciphersuites_have_mac () { msg "build: when no ciphersuites have MAC" - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7 - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC - scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 + scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING + scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7 + scripts/config.py unset PSA_WANT_ALG_CMAC + scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128 scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER @@ -436,22 +421,22 @@ component_test_tls13_only_psk () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144 - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192 + scripts/config.py unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_FFDH + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT + scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE + scripts/config.py unset PSA_WANT_DH_RFC7919_2048 + scripts/config.py unset PSA_WANT_DH_RFC7919_3072 + scripts/config.py unset PSA_WANT_DH_RFC7919_4096 + scripts/config.py unset PSA_WANT_DH_RFC7919_6144 + scripts/config.py unset PSA_WANT_DH_RFC7919_8192 # Note: The four unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C @@ -481,6 +466,7 @@ component_test_tls13_only_ephemeral () { tests/ssl-opt.sh } +#These tests are temporarily disabled due to an unknown dependency of static ecdh as described in https://github.com/Mbed-TLS/mbedtls/issues/10385. component_test_tls13_only_ephemeral_ffdh () { msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode" scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED @@ -488,7 +474,7 @@ component_test_tls13_only_ephemeral_ffdh () { scripts/config.py unset MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDH # Note: The unset below is to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C @@ -498,7 +484,7 @@ component_test_tls13_only_ephemeral_ffdh () { cd tests; ./test_suite_ssl; cd .. msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode" - tests/ssl-opt.sh + tests/ssl-opt.sh -f "ffdh" } component_test_tls13_only_psk_ephemeral () { @@ -512,10 +498,10 @@ component_test_tls13_only_psk_ephemeral () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C @@ -539,11 +525,11 @@ component_test_tls13_only_psk_ephemeral_ffdh () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDH + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The three unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDH_C scripts/config.py unset MBEDTLS_ECDSA_C @@ -567,10 +553,10 @@ component_test_tls13_only_psk_all () { scripts/config.py set MBEDTLS_SSL_EARLY_DATA scripts/config.py set MBEDTLS_TEST_HOOKS - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP - scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS + scripts/config.py unset PSA_WANT_ALG_ECDSA + scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA + scripts/config.py unset PSA_WANT_ALG_RSA_OAEP + scripts/config.py unset PSA_WANT_ALG_RSA_PSS # Note: The two unsets below are to be removed for Mbed TLS 4.0 scripts/config.py unset MBEDTLS_ECDSA_C diff --git a/tests/scripts/components-configuration.sh b/tests/scripts/components-configuration.sh index 5fd9ede124..a35704f299 100644 --- a/tests/scripts/components-configuration.sh +++ b/tests/scripts/components-configuration.sh @@ -284,7 +284,8 @@ component_test_no_platform () { # Use the test alternative implementation of mbedtls_platform_get_entropy() # which is provided in "framework/tests/src/fake_external_rng_for_test.c" # since the default one is excluded in this scenario. - scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT + scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY + scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY # Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19, # to re-enable platform integration features otherwise disabled in C99 builds make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs diff --git a/tests/scripts/components-platform.sh b/tests/scripts/components-platform.sh index 25cfd4163d..4c297483f6 100644 --- a/tests/scripts/components-platform.sh +++ b/tests/scripts/components-platform.sh @@ -297,15 +297,6 @@ component_build_sha_armce () { grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY - - # test the deprecated form of the config option - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb" - make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, test T32 crypto instructions built" - grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY - scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64" make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto" @@ -313,18 +304,6 @@ component_build_sha_armce () { grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT - - # test the deprecated form of the config option - scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm" - make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99" - - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb" - make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb" - msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, test T32 crypto instructions built" - grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s - scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT - # examine the disassembly for absence of SHA instructions msg "clang, test A32 crypto instructions not built" make -B library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72 -marm" diff --git a/tests/scripts/components-psasim.sh b/tests/scripts/components-psasim.sh index ba8ab331d2..a20f917ddb 100644 --- a/tests/scripts/components-psasim.sh +++ b/tests/scripts/components-psasim.sh @@ -78,7 +78,7 @@ component_test_suite_with_psasim() msg "build client library" helper_psasim_config client # PAKE functions are still unsupported from PSASIM - scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE + scripts/config.py unset PSA_WANT_ALG_JPAKE scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED helper_psasim_build client diff --git a/tests/scripts/components-sanitizers.sh b/tests/scripts/components-sanitizers.sh index 45d0960a1d..26b149f69e 100644 --- a/tests/scripts/components-sanitizers.sh +++ b/tests/scripts/components-sanitizers.sh @@ -66,7 +66,7 @@ component_release_test_valgrind_constant_flow_no_asm () { # - or alternatively, build with debug info and manually run the offending # test suite with valgrind --track-origins=yes, then check if the origin # was TEST_CF_SECRET() or something else. - msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing" + msg "build: cmake release GCC, full config minus MBEDTLS_HAVE_ASM with constant flow testing" scripts/config.py full scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND scripts/config.py unset MBEDTLS_AESNI_C @@ -77,7 +77,7 @@ component_release_test_valgrind_constant_flow_no_asm () { # this only shows a summary of the results (how many of each type) # details are left in Testing//DynamicAnalysis.xml - msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM, valgrind + constant flow)" + msg "test: some suites (full minus MBEDTLS_HAVE_ASM, valgrind + constant flow)" make memcheck } @@ -150,7 +150,7 @@ component_test_memsan () { component_release_test_valgrind () { msg "build: Release (clang)" - # default config, in particular without MBEDTLS_USE_PSA_CRYPTO + # default config CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . make @@ -178,7 +178,7 @@ component_release_test_valgrind () { component_release_test_valgrind_psa () { msg "build: Release, full (clang)" - # full config, in particular with MBEDTLS_USE_PSA_CRYPTO + # full config scripts/config.py full CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release . make diff --git a/tests/scripts/depends.py b/tests/scripts/depends.py index 679f05af1b..ad78c26e1c 100755 --- a/tests/scripts/depends.py +++ b/tests/scripts/depends.py @@ -257,23 +257,29 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'], 'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'], + # These reverse dependencies can be removed as part of issue + # tf-psa-crypto#364. 'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'], 'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'], 'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], - 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE', 'MBEDTLS_ECP_DP_SECP256R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'], 'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'], - 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], 'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'], + # Support for secp224[k|r]1 was removed in tfpsacrypto#408 while + # secp192[k|r]1 were kept only for internal testing (hidden to the end + # user). We need to keep these reverse dependencies here until + # symbols are hidden/removed from crypto_config.h. + 'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'], + 'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'], + 'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'], + 'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA', 'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED', - 'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED', 'MBEDTLS_ECDSA_C'], 'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [ 'PSA_WANT_ALG_ECDSA', @@ -287,7 +293,6 @@ REVERSE_DEPENDENCIES = { 'MBEDTLS_ECP_RESTARTABLE', 'MBEDTLS_PK_PARSE_EC_EXTENDED', 'MBEDTLS_PK_PARSE_EC_COMPRESSED', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED', 'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED', 'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED', @@ -305,15 +310,12 @@ REVERSE_DEPENDENCIES = { 'PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT', 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT', - 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE', - 'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'], + 'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE'], 'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', - 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'], 'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED', - 'MBEDTLS_ENTROPY_FORCE_SHA256', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT', 'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY', 'MBEDTLS_LMS_C', @@ -482,9 +484,7 @@ class DomainData: if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)} # Find elliptic curve enabling macros by name. - # MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves - curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|' - r'MBEDTLS_ECP_DP_SECP224K1_ENABLED') + curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z') # Find key exchange enabling macros by name. key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z') @@ -512,10 +512,10 @@ class DomainData: 'curves': ExclusiveDomain(curve_symbols, build_and_test), # Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*, - # SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used + # SHA224 and SHA384 because the built-in entropy module is extensively used # across various modules, but it depends on either SHA256 or SHA512. # As a consequence an "exclusive" test of anything other than SHA256 - # or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible. + # or SHA512 with the built-in entropy module enabled is not possible. 'hashes': DualDomain(hash_symbols, build_and_test, exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'), diff --git a/tests/scripts/libtestdriver1_rewrite.pl b/tests/scripts/libtestdriver1_rewrite.pl index 202575d855..36143b0caf 100755 --- a/tests/scripts/libtestdriver1_rewrite.pl +++ b/tests/scripts/libtestdriver1_rewrite.pl @@ -15,11 +15,15 @@ my @public_files = map { basename($_) } glob("../tf-psa-crypto/include/mbedtls/* my $public_files_regex = join('|', map { quotemeta($_) } @public_files); +my @private_files = map { basename($_) } glob("../tf-psa-crypto/include/mbedtls/private/*.h"); + +my $private_files_regex = join('|', map { quotemeta($_) } @private_files); + while (<>) { s!^(\s*#\s*include\s*[\"<])mbedtls/build_info.h!${1}libtestdriver1/include/mbedtls/build_info.h!; s!^(\s*#\s*include\s*[\"<])mbedtls/mbedtls_config.h!${1}libtestdriver1/include/mbedtls/mbedtls_config.h!; - s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_x509.h!${1}libtestdriver1/include/mbedtls/config_adjust_x509.h!; - s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_ssl.h!${1}libtestdriver1/include/mbedtls/config_adjust_ssl.h!; + s!^(\s*#\s*include\s*[\"<])mbedtls/private/config_adjust_x509.h!${1}libtestdriver1/include/mbedtls/private/config_adjust_x509.h!; + s!^(\s*#\s*include\s*[\"<])mbedtls/private/config_adjust_ssl.h!${1}libtestdriver1/include/mbedtls/private/config_adjust_ssl.h!; s!^(\s*#\s*include\s*[\"<])mbedtls/check_config.h!${1}libtestdriver1/include/mbedtls/check_config.h!; # Files in include/mbedtls and drivers/builtin/include/mbedtls are both # included in files via #include mbedtls/.h, so when expanding to the @@ -28,6 +32,9 @@ while (<>) { if ( $public_files_regex ) { s!^(\s*#\s*include\s*[\"<])mbedtls/($public_files_regex)!${1}libtestdriver1/tf-psa-crypto/include/mbedtls/${2}!; } + if ( $private_files_regex ) { + s!^(\s*#\s*include\s*[\"<])mbedtls/private/($private_files_regex)!${1}libtestdriver1/tf-psa-crypto/include/mbedtls/private/${2}!; + } s!^(\s*#\s*include\s*[\"<])mbedtls/!${1}libtestdriver1/tf-psa-crypto/drivers/builtin/include/mbedtls/!; s!^(\s*#\s*include\s*[\"<])psa/!${1}libtestdriver1/tf-psa-crypto/include/psa/!; s!^(\s*#\s*include\s*[\"<])tf-psa-crypto/!${1}libtestdriver1/tf-psa-crypto/include/tf-psa-crypto/!; diff --git a/tests/scripts/set_psa_test_dependencies.py b/tests/scripts/set_psa_test_dependencies.py index 2267311e44..0be8ac5e4e 100755 --- a/tests/scripts/set_psa_test_dependencies.py +++ b/tests/scripts/set_psa_test_dependencies.py @@ -27,13 +27,9 @@ CLASSIC_DEPENDENCIES = frozenset([ 'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS', 'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN', 'MBEDTLS_CIPHER_PADDING_ZEROS', - #curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED', - #curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED', #curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED', #curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED', diff --git a/tests/scripts/test_config_checks.py b/tests/scripts/test_config_checks.py new file mode 100755 index 0000000000..540144923e --- /dev/null +++ b/tests/scripts/test_config_checks.py @@ -0,0 +1,63 @@ +#!/usr/bin/env python3 +"""Test the configuration checks generated by generate_config_checks.py. +""" + +## Copyright The Mbed TLS Contributors +## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + +import unittest + +import scripts_path # pylint: disable=unused-import +from mbedtls_framework import unittest_config_checks + + +class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks): + """Mbed TLS unit tests for checks generated by config_checks_generator.""" + + #pylint: disable=invalid-name # uppercase letters make sense here + + PROJECT_CONFIG_C = 'library/mbedtls_config.c' + PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [ + 'tf-psa-crypto/include', + 'tf-psa-crypto/drivers/builtin/include', + ] + + @unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.") + def test_crypto_no_fs_io(self) -> None: + """A sample error expected from crypto's check_config.h.""" + self.bad_case('#undef MBEDTLS_FS_IO', + None, + error=('MBEDTLS_PSA_ITS_FILE_C')) + + def test_mbedtls_no_session_tickets_for_early_data(self) -> None: + """An error expected from mbedtls_check_config.h based on the TLS configuration.""" + self.bad_case(None, + ''' + #define MBEDTLS_SSL_EARLY_DATA + #undef MBEDTLS_SSL_SESSION_TICKETS + ''', + error=('MBEDTLS_SSL_EARLY_DATA')) + + def test_mbedtls_no_ecdsa(self) -> None: + """An error expected from mbedtls_check_config.h based on crypto+TLS configuration.""" + self.bad_case(''' + #undef PSA_WANT_ALG_ECDSA + #undef PSA_WANT_ALG_DETERMINISTIC_ECDSA + #undef MBEDTLS_ECDSA_C + ''', + ''' + #if defined(PSA_WANT_ALG_ECDSA) + #error PSA_WANT_ALG_ECDSA unexpected + #endif + #if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA) + #error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected + #endif + #if defined(MBEDTLS_ECDSA_C) + #error MBEDTLS_ECDSA_C unexpected + #endif + ''', + error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED')) + + +if __name__ == '__main__': + unittest.main() diff --git a/tests/src/test_helpers/ssl_helpers.c b/tests/src/test_helpers/ssl_helpers.c index faa79ffd92..83dac17419 100644 --- a/tests/src/test_helpers/ssl_helpers.c +++ b/tests/src/test_helpers/ssl_helpers.c @@ -11,6 +11,8 @@ #include #include "mbedtls/psa_util.h" +#include + #if defined(MBEDTLS_SSL_TLS_C) int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len) { @@ -642,11 +644,9 @@ static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep) ep->cert = NULL; } if (ep->pkey != NULL) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (mbedtls_pk_get_type(ep->pkey) == MBEDTLS_PK_OPAQUE) { psa_destroy_key(ep->pkey->priv_id); } -#endif mbedtls_pk_free(ep->pkey); mbedtls_free(ep->pkey); ep->pkey = NULL; @@ -723,9 +723,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, int i = 0; int ret = -1; int ok = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; -#endif if (ep == NULL) { return MBEDTLS_ERR_SSL_BAD_INPUT_DATA; @@ -757,7 +755,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, TEST_EQUAL(load_endpoint_ecc(ep), 0); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (opaque_alg != 0) { psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; /* Use a fake key usage to get a successful initial guess for the PSA attributes. */ @@ -774,11 +771,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep, mbedtls_pk_init(ep->pkey); TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0); } -#else - (void) opaque_alg; - (void) opaque_alg2; - (void) opaque_usage; -#endif mbedtls_ssl_conf_ca_chain(&(ep->conf), ep->ca_chain, NULL); @@ -1210,7 +1202,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform, unsigned char *output, size_t *olen) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT; size_t part_len; @@ -1244,10 +1235,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform, *olen += part_len; return 0; -#else - return mbedtls_cipher_crypt(&transform->cipher_ctx_enc, - iv, iv_len, input, ilen, output, olen); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } #endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_ALG_CBC_NO_PADDING && PSA_WANT_KEY_TYPE_AES */ @@ -1381,14 +1368,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, size_t key_bits = 0; int ret = 0; -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_key_type_t key_type; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_algorithm_t alg; psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED; -#else - mbedtls_cipher_info_t const *cipher_info; -#endif size_t keylen, maclen, ivlen = 0; unsigned char *key0 = NULL, *key1 = NULL; @@ -1420,58 +1403,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, memset(key0, 0x1, keylen); memset(key1, 0x2, keylen); -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - /* Pick cipher */ - cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type); - CHK(cipher_info != NULL); - CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16); - CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0); - - /* Setup cipher contexts */ - CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_enc, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_dec, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_enc, cipher_info) == 0); - CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_dec, cipher_info) == 0); - -#if defined(MBEDTLS_CIPHER_MODE_CBC) - if (cipher_mode == MBEDTLS_MODE_CBC) { - CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_enc, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_dec, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_enc, - MBEDTLS_PADDING_NONE) == 0); - CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_dec, - MBEDTLS_PADDING_NONE) == 0); - } -#endif /* MBEDTLS_CIPHER_MODE_CBC */ - - CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_enc, key0, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_ENCRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_dec, key1, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_DECRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_enc, key1, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_ENCRYPT) - == 0); - CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_dec, key0, - (keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3, - MBEDTLS_DECRYPT) - == 0); -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ - /* Setup MAC contexts */ #if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC) if (cipher_mode == MBEDTLS_MODE_CBC || cipher_mode == MBEDTLS_MODE_STREAM) { -#if !defined(MBEDTLS_USE_PSA_CRYPTO) - mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) hash_id); - CHK(md_info != NULL); -#endif maclen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) hash_id); CHK(maclen != 0); /* Pick hash keys */ @@ -1480,7 +1415,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, memset(md0, 0x5, maclen); memset(md1, 0x6, maclen); -#if defined(MBEDTLS_USE_PSA_CRYPTO) alg = mbedtls_md_psa_alg_from_type(hash_id); CHK(alg != 0); @@ -1521,21 +1455,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, CHK(psa_import_key(&attributes, md0, maclen, &t_out->psa_mac_dec) == PSA_SUCCESS); -#else - CHK(mbedtls_md_setup(&t_out->md_ctx_enc, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_out->md_ctx_dec, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_in->md_ctx_enc, md_info, 1) == 0); - CHK(mbedtls_md_setup(&t_in->md_ctx_dec, md_info, 1) == 0); - - CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_enc, - md0, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_dec, - md1, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_enc, - md1, maclen) == 0); - CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_dec, - md0, maclen) == 0); -#endif } #else ((void) hash_id); @@ -1655,7 +1574,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, t_out->out_cid_len = (uint8_t) cid0_len; #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) status = mbedtls_ssl_cipher_to_psa(cipher_type, t_in->taglen, &alg, @@ -1718,7 +1636,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in, goto cleanup; } } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ cleanup: @@ -1735,9 +1652,7 @@ cleanup: int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, mbedtls_ssl_transform *transform_out) { -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -#endif /* Serialized version of record header for MAC purposes */ unsigned char add_data[13]; @@ -1749,7 +1664,6 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, add_data[12] = (record->data_len >> 0) & 0xff; /* MAC with additional data */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) size_t sign_mac_length = 0; TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation, transform_out->psa_mac_enc, @@ -1765,26 +1679,13 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record, TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation, mac, sizeof(mac), &sign_mac_length)); -#else - TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13)); - TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, - record->buf + record->data_offset, - record->data_len)); - /* Use a temporary buffer for the MAC, because with the truncated HMAC - * extension, there might not be enough room in the record for the - * full-length MAC. */ - unsigned char mac[MBEDTLS_MD_MAX_SIZE]; - TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac)); -#endif memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen); record->data_len += transform_out->maclen; return 0; exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_abort(&operation); -#endif return -1; } #endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */ @@ -1838,7 +1739,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, return -1; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type( MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE); size_t hash_size = 0; @@ -1849,12 +1749,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session, MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN, &hash_size); ret = PSA_TO_MBEDTLS_ERR(status); -#else - ret = mbedtls_md(mbedtls_md_info_from_type( - MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE), - tmp_crt.raw.p, tmp_crt.raw.len, - session->peer_cert_digest); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (ret != 0) { return ret; } diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index c667cd14bd..22377b8d04 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -312,12 +312,7 @@ requires_any_configs_disabled() { } TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" - -TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \ - MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED" + MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \ MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" @@ -436,14 +431,12 @@ requires_cipher_enabled() { # - $1 = command line (call to a TLS client or server program) # - $2 = client/server # - $3 = TLS version (TLS12 or TLS13) -# - $4 = Use an external tool without ECDH support -# - $5 = run test options +# - $4 = run test options detect_required_features() { CMD_LINE=$1 ROLE=$2 TLS_VERSION=$3 - EXT_WO_ECDH=$4 - TEST_OPTIONS=${5:-} + TEST_OPTIONS=${4:-} case "$CMD_LINE" in *\ force_version=*) @@ -484,7 +477,8 @@ detect_required_features() { *"programs/ssl/dtls_client "*|\ *"programs/ssl/ssl_client1 "*) requires_config_enabled MBEDTLS_CTR_DRBG_C - requires_config_enabled MBEDTLS_ENTROPY_C + requires_config_enabled MBEDTLS_PSA_CRYPTO_C + requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG requires_config_enabled MBEDTLS_PEM_PARSE_C requires_config_enabled MBEDTLS_SSL_CLI_C requires_certificate_authentication @@ -494,7 +488,8 @@ detect_required_features() { *"programs/ssl/ssl_pthread_server "*|\ *"programs/ssl/ssl_server "*) requires_config_enabled MBEDTLS_CTR_DRBG_C - requires_config_enabled MBEDTLS_ENTROPY_C + requires_config_enabled MBEDTLS_PSA_CRYPTO_C + requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG requires_config_enabled MBEDTLS_PEM_PARSE_C requires_config_enabled MBEDTLS_SSL_SRV_C requires_certificate_authentication @@ -523,24 +518,9 @@ detect_required_features() { else # For TLS12 requirements are different between server and client if [ "$ROLE" = "server" ]; then - # If the server uses "server5*" certificates, then an ECDSA based - # key exchange is required. However gnutls also does not - # support ECDH, so this limit the choice to ECDHE-ECDSA - if [ "$EXT_WO_ECDH" = "yes" ]; then - requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED - else - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT - fi + requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED elif [ "$ROLE" = "client" ]; then - # On the client side it is enough to have any certificate - # based authentication together with support for ECDSA. - # Of course the GnuTLS limitation mentioned above applies - # also here. - if [ "$EXT_WO_ECDH" = "yes" ]; then - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH - else - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT - fi + requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH requires_pk_alg "ECDSA" fi fi @@ -1303,28 +1283,6 @@ is_gnutls() { esac } -# Some external tools (gnutls or openssl) might not have support for static ECDH -# and this limit the tests that can be run with them. This function checks server -# and client command lines, given as input, to verify if the current test -# is using one of these tools. -use_ext_tool_without_ecdh_support() { - case "$1" in - *$GNUTLS_SERV*|\ - *${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\ - *${OPENSSL_NEXT:-"openssl-dummy"}*) - echo "yes" - return;; - esac - case "$2" in - *$GNUTLS_CLI*|\ - *${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\ - *${OPENSSL_NEXT:-"openssl-dummy"}*) - echo "yes" - return;; - esac - echo "no" -} - # Generate random psk_list argument for ssl_server2 get_srv_psk_list () { @@ -1811,26 +1769,20 @@ run_test() { requires_config_enabled MBEDTLS_SSL_PROTO_DTLS fi - # Check if we are trying to use an external tool which does not support ECDH - EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD") # Guess the TLS version which is going to be used. # Note that this detection is wrong in some cases, which causes unduly # skipped test cases in builds with TLS 1.3 but not TLS 1.2. # https://github.com/Mbed-TLS/mbedtls/issues/9560 - if [ "$EXT_WO_ECDH" = "no" ]; then - TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD") - else - TLS_VERSION="TLS12" - fi + TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD") # If we're in a PSK-only build and the test can be adapted to PSK, do that. maybe_adapt_for_psk "$@" # If the client or server requires certain features that can be detected # from their command-line arguments, check whether they're enabled. - detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" - detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@" + detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@" + detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@" # should we skip? if [ "X$SKIP_NEXT" = "XYES" ]; then @@ -2355,52 +2307,6 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \ -S "error" \ -C "error" -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_hash_alg SHA_256 -run_test "Opaque key for server authentication: ECDH-" \ - "$P_SRV auth_mode=required key_opaque=1\ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\ - key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \ - "$P_CLI force_version=tls12" \ - 0 \ - -c "Verifying peer X.509 certificate... ok" \ - -c "Ciphersuite is TLS-ECDH-" \ - -s "key types: Opaque, none" \ - -s "Ciphersuite is TLS-ECDH-" \ - -S "error" \ - -C "error" - -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled MBEDTLS_ECDSA_C -requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC -requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_hash_alg SHA_256 -run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \ - "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ - key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \ - debug_level=1" \ - "$P_CLI force_version=tls12" \ - 1 \ - -s "key types: Opaque, none" \ - -s "error" \ - -c "error" \ - -c "Public key type mismatch" - -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC -requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE -requires_hash_alg SHA_256 -run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \ - "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \ - key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \ - debug_level=1" \ - "$P_CLI force_version=tls12" \ - 1 \ - -s "key types: Opaque, none" \ - -s "got ciphersuites in common, but none of them usable" \ - -s "error" \ - -c "error" - requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_256 run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \ @@ -2433,24 +2339,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs, -S "error" \ -C "error" -requires_config_enabled MBEDTLS_X509_CRT_PARSE_C -requires_hash_alg SHA_384 -requires_config_disabled MBEDTLS_X509_REMOVE_INFO -run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \ - "$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \ - key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdsa-sign,none \ - crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \ - key_opaque_algs2=ecdh,none debug_level=3" \ - "$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \ - 0 \ - -c "Verifying peer X.509 certificate... ok" \ - -c "Ciphersuite is TLS-ECDH-ECDSA" \ - -c "CN=Polarssl Test EC CA" \ - -s "key types: Opaque, Opaque" \ - -s "Ciphersuite is TLS-ECDH-ECDSA" \ - -S "error" \ - -C "error" - requires_config_enabled MBEDTLS_X509_CRT_PARSE_C requires_hash_alg SHA_384 requires_config_disabled MBEDTLS_X509_REMOVE_INFO @@ -2659,12 +2547,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256 run_test_psa_force_curve "secp256k1" requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256 run_test_psa_force_curve "brainpoolP256r1" -requires_config_enabled PSA_WANT_ECC_SECP_R1_224 -run_test_psa_force_curve "secp224r1" -requires_config_enabled PSA_WANT_ECC_SECP_R1_192 -run_test_psa_force_curve "secp192r1" -requires_config_enabled PSA_WANT_ECC_SECP_K1_192 -run_test_psa_force_curve "secp192k1" # Test current time in ServerHello requires_config_enabled MBEDTLS_HAVE_TIME @@ -6183,31 +6065,6 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3" -C "x509_verify_cert() returned -" \ -C "X509 - Certificate verification failed" -# The purpose of the next two tests is to test the client's behaviour when receiving a server -# certificate with an unsupported elliptic curve. This should usually not happen because -# the client informs the server about the supported curves - it does, though, in the -# corner case of a static ECDH suite, because the server doesn't check the curve on that -# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a -# different means to have the server ignoring the client's supported curve list. - -run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \ - 1 \ - -c "bad certificate (EC key curve)"\ - -c "! Certificate verification flags"\ - -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage - -run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \ - 1 \ - -c "bad certificate (EC key curve)"\ - -c "! Certificate verification flags"\ - -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication: client SHA256, server required" \ "$P_SRV auth_mode=required" \ @@ -6560,33 +6417,6 @@ run_test "Authentication, CA callback: server badcert, client none" \ -C "! mbedtls_ssl_handshake returned" \ -C "X509 - Certificate verification failed" -# The purpose of the next two tests is to test the client's behaviour when receiving a server -# certificate with an unsupported elliptic curve. This should usually not happen because -# the client informs the server about the supported curves - it does, though, in the -# corner case of a static ECDH suite, because the server doesn't check the curve on that -# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a -# different means to have the server ignoring the client's supported curve list. - -run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \ - 1 \ - -c "use CA callback for X.509 CRT verification" \ - -c "bad certificate (EC key curve)" \ - -c "! Certificate verification flags" \ - -C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage - -run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \ - "$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \ - 1 \ - -c "use CA callback for X.509 CRT verification" \ - -c "bad certificate (EC key curve)"\ - -c "! Certificate verification flags"\ - -c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check - requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT run_test "Authentication, CA callback: client SHA384, server required" \ "$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \ @@ -7991,14 +7821,6 @@ run_test "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \ 0 \ -c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-" - -run_test "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \ - "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ - crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \ - "$P_CLI" \ - 0 \ - -c "Ciphersuite is TLS-ECDH-" - run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \ "$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \ crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \ @@ -9445,12 +9267,12 @@ run_test "EC restart: TLS, max_ops=65535" \ # The following test cases for restartable ECDH come in two variants: # * The "(USE_PSA)" variant expects the current behavior, which is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. This tests # the partial implementation where ECDH in TLS is not actually restartable. # * The "(no USE_PSA)" variant expects the desired behavior. These test # cases cannot currently pass because the implementation of restartable ECC # in TLS is partial: ECDH is not actually restartable. This is the behavior -# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. +# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. # # As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294, # we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test diff --git a/tests/suites/test_suite_constant_time_hmac.function b/tests/suites/test_suite_constant_time_hmac.function index 0e870d80fd..057d104d0e 100644 --- a/tests/suites/test_suite_constant_time_hmac.function +++ b/tests/suites/test_suite_constant_time_hmac.function @@ -16,15 +16,10 @@ void ssl_cf_hmac(int hash) * Test the function mbedtls_ct_hmac() against a reference * implementation. */ -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_algorithm_t alg; psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT; -#else - mbedtls_md_context_t ctx, ref_ctx; - const mbedtls_md_info_t *md_info; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ size_t out_len, block_size; size_t min_in_len, in_len, max_in_len, i; /* TLS additional data is 13 bytes (hence the "lucky 13" name) */ @@ -36,7 +31,6 @@ void ssl_cf_hmac(int hash) USE_PSA_INIT(); -#if defined(MBEDTLS_USE_PSA_CRYPTO) alg = PSA_ALG_HMAC(mbedtls_md_psa_alg_from_type(hash)); out_len = PSA_HASH_LENGTH(alg); @@ -47,36 +41,15 @@ void ssl_cf_hmac(int hash) PSA_KEY_USAGE_VERIFY_HASH); psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(alg)); psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC); -#else - mbedtls_md_init(&ctx); - mbedtls_md_init(&ref_ctx); - - md_info = mbedtls_md_info_from_type(hash); - TEST_ASSERT(md_info != NULL); - out_len = mbedtls_md_get_size(md_info); - TEST_ASSERT(out_len != 0); - block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* Use allocated out buffer to catch overwrites */ TEST_CALLOC(out, out_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /* Set up dummy key */ memset(ref_out, 42, sizeof(ref_out)); TEST_EQUAL(PSA_SUCCESS, psa_import_key(&attributes, ref_out, out_len, &key)); -#else - /* Set up contexts with the given hash and a dummy key */ - TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 1)); - TEST_EQUAL(0, mbedtls_md_setup(&ref_ctx, md_info, 1)); - memset(ref_out, 42, sizeof(ref_out)); - TEST_EQUAL(0, mbedtls_md_hmac_starts(&ctx, ref_out, out_len)); - TEST_EQUAL(0, mbedtls_md_hmac_starts(&ref_ctx, ref_out, out_len)); - memset(ref_out, 0, sizeof(ref_out)); -#endif - /* * Test all possible lengths up to a point. The difference between * max_in_len and min_in_len is at most 255, and make sure they both vary @@ -101,22 +74,14 @@ void ssl_cf_hmac(int hash) /* Get the function's result */ TEST_CF_SECRET(&in_len, sizeof(in_len)); -#if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_EQUAL(0, mbedtls_ct_hmac(key, PSA_ALG_HMAC(alg), add_data, sizeof(add_data), data, in_len, min_in_len, max_in_len, out)); -#else - TEST_EQUAL(0, mbedtls_ct_hmac(&ctx, add_data, sizeof(add_data), - data, in_len, - min_in_len, max_in_len, - out)); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ TEST_CF_PUBLIC(&in_len, sizeof(in_len)); TEST_CF_PUBLIC(out, out_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_setup(&operation, key, alg)); TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data, @@ -125,17 +90,6 @@ void ssl_cf_hmac(int hash) data, in_len)); TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_finish(&operation, out, out_len)); -#else - /* Compute the reference result */ - TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, add_data, - sizeof(add_data))); - TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, data, in_len)); - TEST_EQUAL(0, mbedtls_md_hmac_finish(&ref_ctx, ref_out)); - TEST_EQUAL(0, mbedtls_md_hmac_reset(&ref_ctx)); - - /* Compare */ - TEST_MEMORY_COMPARE(out, out_len, ref_out, out_len); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ } mbedtls_free(data); @@ -143,13 +97,8 @@ void ssl_cf_hmac(int hash) } exit: -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_mac_abort(&operation); psa_destroy_key(key); -#else - mbedtls_md_free(&ref_ctx); - mbedtls_md_free(&ctx); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_free(data); mbedtls_free(out); diff --git a/tests/suites/test_suite_error.data b/tests/suites/test_suite_error.data index dec5639ee0..8565098286 100644 --- a/tests/suites/test_suite_error.data +++ b/tests/suites/test_suite_error.data @@ -3,12 +3,8 @@ depends_on:MBEDTLS_AES_C error_strerror:-0x0020:"AES - Invalid key length" Single high error -depends_on:MBEDTLS_RSA_C -error_strerror:-0x4080:"RSA - Bad input parameters to function" - -Low and high error -depends_on:MBEDTLS_AES_C:MBEDTLS_RSA_C -error_strerror:-0x40A0:"RSA - Bad input parameters to function \: AES - Invalid key length" +depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_X509_CRT_PARSE_C +error_strerror:-0x2280:"X509 - The serial tag or value is invalid" Non existing high error error_strerror:-0x8880:"UNKNOWN ERROR CODE (8880)" diff --git a/tests/suites/test_suite_pkcs7.function b/tests/suites/test_suite_pkcs7.function index 0c4a00b9e3..91e0e46ae3 100644 --- a/tests/suites/test_suite_pkcs7.function +++ b/tests/suites/test_suite_pkcs7.function @@ -1,5 +1,5 @@ /* BEGIN_HEADER */ -#include "mbedtls/bignum.h" +#include "mbedtls/private/bignum.h" #include "mbedtls/pkcs7.h" #include "mbedtls/x509.h" #include "mbedtls/x509_crt.h" @@ -8,7 +8,7 @@ #include "mbedtls/oid.h" #include "sys/types.h" #include "sys/stat.h" -#include "mbedtls/rsa.h" +#include "mbedtls/private/rsa.h" #include "mbedtls/error.h" /* END_HEADER */ diff --git a/tests/suites/test_suite_ssl.data b/tests/suites/test_suite_ssl.data index 378c5339fe..6c5e718c60 100644 --- a/tests/suites/test_suite_ssl.data +++ b/tests/suites/test_suite_ssl.data @@ -380,10 +380,6 @@ Handshake, ECDHE-ECDSA-WITH-AES-256-CCM depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0 -Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0 - Handshake, PSK-WITH-AES-128-CBC-SHA depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":0 @@ -408,10 +404,6 @@ DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1 -DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1 - DTLS Handshake, PSK-WITH-AES-128-CBC-SHA depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":1 @@ -440,23 +432,23 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_R handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque @@ -464,57 +456,21 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256 -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH +depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 -Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - -Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384 - -Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - -Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH -handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - -Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED -handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - -Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C -handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - -Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384 -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C -handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 - -Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO -handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - -Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage -depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO -handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0 - Sending app data via TLS, MFL=512 without fragmentation depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1 @@ -3236,7 +3192,7 @@ depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ssl_ecjpake_set_password:0 EC-JPAKE set opaque password -depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED ssl_ecjpake_set_password:1 Test Elliptic curves' info parsing diff --git a/tests/suites/test_suite_ssl.function b/tests/suites/test_suite_ssl.function index 918edd5aca..5b6500898e 100644 --- a/tests/suites/test_suite_ssl.function +++ b/tests/suites/test_suite_ssl.function @@ -3422,7 +3422,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */ void test_multiple_psks_opaque(int mode) { /* @@ -3537,9 +3537,9 @@ exit: /* BEGIN_CASE */ void conf_group() { - uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1, - MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1, + MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1, MBEDTLS_SSL_IANA_TLS_GROUP_NONE }; mbedtls_ssl_config conf; @@ -3768,7 +3768,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ +/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */ void raw_key_agreement_fail(int bad_server_ecdhe_key) { enum { BUFFSIZE = 17000 }; @@ -3941,11 +3941,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg) { mbedtls_ssl_context ssl; mbedtls_ssl_config conf; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT; -#else /* MBEDTLS_USE_PSA_CRYPTO */ - (void) use_opaque_arg; -#endif /* MBEDTLS_USE_PSA_CRYPTO */ unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = ""; size_t pwd_len = 0; int ret; @@ -3971,14 +3967,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg) pwd_len = strlen(ECJPAKE_TEST_PWD); memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (use_opaque_arg) { psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT; psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT; /* First try with an invalid usage */ psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH); - psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE); + psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256)); psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD); PSA_ASSERT(psa_import_key(&attributes, pwd_string, @@ -3998,16 +3993,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg) PSA_ASSERT(psa_import_key(&attributes, pwd_string, pwd_len, &pwd_slot)); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ /* final check which should work without errors */ ECJPAKE_TEST_SET_PASSWORD(0); -#if defined(MBEDTLS_USE_PSA_CRYPTO) if (use_opaque_arg) { psa_destroy_key(pwd_slot); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ mbedtls_ssl_free(&ssl); mbedtls_ssl_config_free(&conf); @@ -4058,21 +4050,6 @@ void elliptic_curve_get_properties() #else TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256); #endif -#if defined(PSA_WANT_ECC_SECP_R1_224) - TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); -#else - TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224); -#endif -#if defined(PSA_WANT_ECC_SECP_R1_192) - TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); -#else - TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192); -#endif -#if defined(PSA_WANT_ECC_SECP_K1_192) - TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); -#else - TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192); -#endif #if defined(PSA_WANT_ECC_MONTGOMERY_255) TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255); #else diff --git a/tests/suites/test_suite_version.function b/tests/suites/test_suite_version.function index eeae512626..af0eb86d23 100644 --- a/tests/suites/test_suite_version.function +++ b/tests/suites/test_suite_version.function @@ -38,19 +38,17 @@ void check_compiletime_version(char *version_str) void check_runtime_version(char *version_str) { char build_str[100]; - char get_str[100]; + const char *get_str; char build_str_full[100]; - char get_str_full[100]; + const char *get_str_full; unsigned int get_int; memset(build_str, 0, 100); - memset(get_str, 0, 100); memset(build_str_full, 0, 100); - memset(get_str_full, 0, 100); get_int = mbedtls_version_get_number(); - mbedtls_version_get_string(get_str); - mbedtls_version_get_string_full(get_str_full); + get_str = mbedtls_version_get_string(); + get_str_full = mbedtls_version_get_string_full(); mbedtls_snprintf(build_str, 100, "%u.%u.%u", (get_int >> 24) & 0xFF, diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index c2a7f30fd9..14e7afa740 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -900,7 +900,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_ x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA) -depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1 x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL" X509 CRT verification #70 (v1 trusted CA) diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 079dca48c9..f813cc1ac3 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function @@ -1,5 +1,5 @@ /* BEGIN_HEADER */ -#include "mbedtls/bignum.h" +#include "mbedtls/private/bignum.h" #include "mbedtls/x509.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_crl.h" diff --git a/tests/suites/test_suite_x509write.data b/tests/suites/test_suite_x509write.data index 4dcd967226..4d57a8fb69 100644 --- a/tests/suites/test_suite_x509write.data +++ b/tests/suites/test_suite_x509write.data @@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15 x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0 Certificate Request check Server5 ECDSA, key_usage -depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256 x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0 Certificate Request check Server1, set_extension @@ -123,23 +123,23 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, key_usage -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, ns_cert_type -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, version 1 -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Opaque, CA -depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO +depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0 Certificate write check Server1 SHA1, Full length serial @@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5 x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0 Certificate write check Server5 ECDSA -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server5 ECDSA, Opaque -depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO +depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256 x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0 Certificate write check Server1 SHA1, SubjectAltNames @@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F" OID from numeric string - OID with overflowing subidentifier oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:"" - diff --git a/tests/suites/test_suite_x509write.function b/tests/suites/test_suite_x509write.function index e0aad90a04..40677f2338 100644 --- a/tests/suites/test_suite_x509write.function +++ b/tests/suites/test_suite_x509write.function @@ -1,12 +1,12 @@ /* BEGIN_HEADER */ -#include "mbedtls/bignum.h" +#include "mbedtls/private/bignum.h" #include "mbedtls/x509_crt.h" #include "mbedtls/x509_csr.h" #include "x509_internal.h" #include "mbedtls/pem.h" #include "mbedtls/oid.h" #include "x509_oid.h" -#include "mbedtls/rsa.h" +#include "mbedtls/private/rsa.h" #include "mbedtls/asn1.h" #include "mbedtls/asn1write.h" #include "mbedtls/pk.h" @@ -15,8 +15,7 @@ #endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */ #include "mbedtls/psa_util.h" -#if defined(MBEDTLS_USE_PSA_CRYPTO) && \ - defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) +#if defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C) static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) { unsigned char hash[PSA_HASH_MAX_SIZE]; @@ -41,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen) goto cleanup; } - if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk, + if (mbedtls_pk_verify_ext(csr.sig_pk, &csr.pk, csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md), csr.sig.p, csr.sig.len) != 0) { ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED; @@ -53,7 +52,7 @@ cleanup: mbedtls_x509_csr_free(&csr); return ret; } -#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ +#endif /* MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */ #if defined(MBEDTLS_X509_CSR_WRITE_C) @@ -131,11 +130,9 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, mbedtls_x509write_csr req; unsigned char buf[4096]; int ret; -#if !defined(MBEDTLS_USE_PSA_CRYPTO) unsigned char check_buf[4000]; FILE *f; size_t olen = 0; -#endif /* !MBEDTLS_USE_PSA_CRYPTO */ size_t pem_len = 0, buf_index; int der_len = -1; const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1"; @@ -215,20 +212,14 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, TEST_ASSERT(buf[buf_index] == 0); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - // When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used - (void) cert_req_check_file; - buf[pem_len] = '\0'; - TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0); -#else - f = fopen(cert_req_check_file, "r"); - TEST_ASSERT(f != NULL); - olen = fread(check_buf, 1, sizeof(check_buf), f); - fclose(f); + f = fopen(cert_req_check_file, "r"); //open the file + TEST_ASSERT(f != NULL); //check the file has been opened. + olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file + fclose(f); // close the file TEST_ASSERT(olen >= pem_len - 1); TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0); -#endif /* MBEDTLS_USE_PSA_CRYPTO */ + der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf)); TEST_ASSERT(der_len >= 0); @@ -237,14 +228,7 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type, goto exit; } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - // When using PSA crypto, RNG isn't controllable, result length isn't - // deterministic over multiple runs, removing a single byte isn't enough to - // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case - der_len /= 2; -#else der_len -= 1; -#endif ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len)); TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL); @@ -256,7 +240,7 @@ exit: } /* END_CASE */ -/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */ +/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage, int cert_type) { @@ -342,10 +326,8 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, int der_len = -1; FILE *f; mbedtls_test_rnd_pseudo_info rnd_info; -#if defined(MBEDTLS_USE_PSA_CRYPTO) mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT; psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT; -#endif mbedtls_pk_type_t issuer_key_type; mbedtls_x509_san_list san_ip; mbedtls_x509_san_list san_dns; @@ -409,7 +391,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, issuer_key_type = mbedtls_pk_get_type(&issuer_key); -#if defined(MBEDTLS_USE_PSA_CRYPTO) /* Turn the issuer PK context into an opaque one. */ if (pk_wrap == 2) { TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH, @@ -419,7 +400,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, mbedtls_pk_init(&issuer_key); TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0); } -#endif /* MBEDTLS_USE_PSA_CRYPTO */ if (pk_wrap == 2) { TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE); @@ -570,14 +550,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd, TEST_ASSERT(p < end); } -#if defined(MBEDTLS_USE_PSA_CRYPTO) - // When using PSA crypto, RNG isn't controllable, result length isn't - // deterministic over multiple runs, removing a single byte isn't enough to - // go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case - if (issuer_key_type != MBEDTLS_PK_RSA) { - der_len /= 2; - } else -#endif der_len -= 1; ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len)); @@ -592,9 +564,7 @@ exit: #if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C) mbedtls_mpi_free(&serial_mpi); #endif -#if defined(MBEDTLS_USE_PSA_CRYPTO) psa_destroy_key(key_id); -#endif MD_OR_USE_PSA_DONE(); } /* END_CASE */ diff --git a/tf-psa-crypto b/tf-psa-crypto index 52691f95e9..ed6f6b5b0b 160000 --- a/tf-psa-crypto +++ b/tf-psa-crypto @@ -1 +1 @@ -Subproject commit 52691f95e9235dff461836a2c440e70d44661a7f +Subproject commit ed6f6b5b0bc72eb789ee62cd7ac87bbf953e0685