Merge remote-tracking branch 'development' into restricted-mbedtls-merge-public-20250916

Conflicts:
* `tf-psa-crypto`: updated to the merge of `development` and
  `development-restricted`.
Gilles Peskine
2025-09-16 16:22:39 +02:00
142 changed files with 940 additions and 3623 deletions


@@ -369,6 +369,7 @@ libtestdriver1.a:
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/core/*.[ch]
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/include/*/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*/*.h
perl -i ./scripts/libtestdriver1_rewrite.pl ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch]


@@ -359,13 +359,6 @@ add_openssl_ciphersuites()
"ECDSA")
CIPHERS="$CIPHERS \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA \
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA \
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384 \
TLS_ECDH_ECDSA_WITH_NULL_SHA \
TLS_ECDHE_ECDSA_WITH_ARIA_128_GCM_SHA256 \
TLS_ECDHE_ECDSA_WITH_ARIA_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 \
@@ -468,14 +461,6 @@ add_mbedtls_ciphersuites()
"ECDSA")
M_CIPHERS="$M_CIPHERS \
TLS_ECDH_ECDSA_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_ARIA_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_ARIA_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_ARIA_256_GCM_SHA384 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_CBC_SHA256 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_128_GCM_SHA256 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384 \
TLS_ECDH_ECDSA_WITH_CAMELLIA_256_GCM_SHA384 \
TLS_ECDHE_ECDSA_WITH_ARIA_128_CBC_SHA256 \
TLS_ECDHE_ECDSA_WITH_ARIA_256_CBC_SHA384 \
"


@@ -25,4 +25,3 @@
#undef MBEDTLS_SSL_DTLS_SRTP
#undef MBEDTLS_SSL_DTLS_CLIENT_PORT_REUSE
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID
#undef MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT


@@ -31,11 +31,9 @@
#include "mbedtls/ssl_cache.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(PSA_WANT_KEY_TYPE_AES)
@@ -751,18 +749,11 @@ int mbedtls_test_get_tls13_ticket(
#define ECJPAKE_TEST_PWD "bla"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \
ret = (use_opaque_arg) ? \
mbedtls_ssl_set_hs_ecjpake_password_opaque(&ssl, pwd_slot) : \
mbedtls_ssl_set_hs_ecjpake_password(&ssl, pwd_string, pwd_len); \
TEST_EQUAL(ret, exp_ret_val)
#else
#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \
ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, \
pwd_string, pwd_len); \
TEST_EQUAL(ret, exp_ret_val)
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define TEST_AVAILABLE_ECC(tls_id_, group_id_, psa_family_, psa_bits_) \
TEST_EQUAL(mbedtls_ssl_get_ecp_group_id_from_tls_id(tls_id_), \


@@ -10,7 +10,7 @@
#include <stdio.h>
#include <stdlib.h>
#include "mbedtls/entropy.h"
#include "mbedtls/private/entropy.h"
#define BUFFER_SIZE 100


@@ -73,12 +73,12 @@ int psa_crypto_call(int function,
psa_status_t psa_crypto_init(void)
{
char mbedtls_version[18];
const char *mbedtls_version;
uint8_t *result = NULL;
size_t result_length;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_version_get_string_full(mbedtls_version);
mbedtls_version = mbedtls_version_get_string_full();
CLIENT_PRINT("%s", mbedtls_version);
CLIENT_PRINT("My PID: %d", getpid());
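Review bot: The call `mbedtls_version = mbedtls_version_get_string_full();` in psa_crypto_init is not guarded, while the psa_server_main section on this page wraps the same call in `#if defined(MBEDTLS_VERSION_C)`. If this client can be built with that option disabled, the unguarded call would fail to link; putting the declaration, the call and `CLIENT_PRINT("%s", mbedtls_version);` under the same `#if defined(MBEDTLS_VERSION_C)` would keep both sides consistent. The declaration could also be initialized in one line as the server does, `const char *mbedtls_version = mbedtls_version_get_string_full();`. The same applies to the second psa_crypto_init section (hunk at -390,12); the function body continues outside the hunk, so a guard further out cannot be ruled out.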


@@ -390,12 +390,12 @@ int psa_crypto_call(int function,
psa_status_t psa_crypto_init(void)
{
char mbedtls_version[18];
const char *mbedtls_version;
uint8_t *result = NULL;
size_t result_length;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
mbedtls_version_get_string_full(mbedtls_version);
mbedtls_version = mbedtls_version_get_string_full();
CLIENT_PRINT("%s", mbedtls_version);
CLIENT_PRINT("My PID: %d", getpid());


@@ -56,8 +56,7 @@ int psa_server_main(int argc, char *argv[])
extern psa_status_t psa_crypto_close(void);
#if defined(MBEDTLS_VERSION_C)
char mbedtls_version[18];
mbedtls_version_get_string_full(mbedtls_version);
const char *mbedtls_version = mbedtls_version_get_string_full();
SERVER_PRINT("%s", mbedtls_version);
#endif


@@ -124,10 +124,8 @@ class CoverageTask(outcome_analysis.CoverageTask):
# Untested platform-specific optimizations.
# https://github.com/Mbed-TLS/mbedtls/issues/9588
'Config: MBEDTLS_HAVE_SSE2',
# Obsolete configuration options, to be replaced by
# PSA entropy drivers.
# https://github.com/Mbed-TLS/mbedtls/issues/8150
'Config: MBEDTLS_NO_DEFAULT_ENTROPY_SOURCES',
# Obsolete config option that we are about to remove
'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT',
# Untested aspect of the platform interface.
# https://github.com/Mbed-TLS/mbedtls/issues/9589
'Config: MBEDTLS_PLATFORM_NO_STD_FUNCTIONS',
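Review bot: The ignore entry for `'Config: MBEDTLS_PLATFORM_GET_ENTROPY_ALT'` carries only the comment `# Obsolete config option that we are about to remove`, with no tracking link, unlike the neighbouring entries, which each cite an issue. Because this exempts an entropy-source hook from the coverage check, a reference lets a later reader confirm that the exemption was dropped together with the option; I would add a line such as `# https://github.com/Mbed-TLS/mbedtls/issues/<ISSUE_ID>` (placeholder, the page does not give the issue). The page has lost its +/- markers, so which of the two "Obsolete" entries is the new one is inferred from the hunk counts. The list continues outside the hunk.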


@@ -123,4 +123,7 @@ component_check_test_helpers () {
msg "unit test: translate_ciphers.py"
python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
msg "unit test: generate_config_checks.py"
tests/scripts/test_config_checks.py 2>&1
}
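Review bot: The added step runs `tests/scripts/test_config_checks.py 2>&1` directly, so it depends on the file's executable bit and shebang, whereas the step just above goes through `python3 -m unittest`. Invoking it as `python3 tests/scripts/test_config_checks.py 2>&1` would pin the interpreter the same way. The message also names `generate_config_checks.py` while the command runs `test_config_checks.py`; `msg "unit test: test_config_checks.py (generate_config_checks.py)"` would make a failure easier to trace in the log. component_check_test_helpers starts outside the hunk.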


@@ -82,22 +82,27 @@ component_test_psa_crypto_without_heap() {
msg "crypto without heap: build libtestdriver1"
# Disable PSA features that cannot be accelerated and whose builtin support
# requires calloc/free.
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_HKDF"
scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_PBKDF2_"
scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_TLS12_"
scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py unset-all "^PSA_WANT_ALG_HKDF"
scripts/config.py unset-all "^PSA_WANT_ALG_PBKDF2_"
scripts/config.py unset-all "^PSA_WANT_ALG_TLS12_"
# RSA key support requires ASN1 parse/write support for testing, but ASN1
# is disabled below.
scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_KEY_TYPE_RSA_"
scripts/config.py -c $CRYPTO_CONFIG_H unset-all "^PSA_WANT_ALG_RSA_"
scripts/config.py unset-all "^PSA_WANT_KEY_TYPE_RSA_"
scripts/config.py unset-all "^PSA_WANT_ALG_RSA_"
# DES requires built-in support for key generation (parity check) so it
# cannot be accelerated
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
# EC-JPAKE use calloc/free in PSA core
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
scripts/config.py unset PSA_WANT_ALG_JPAKE
# Enable p192[k|r]1 curves which are disabled by default in tf-psa-crypto.
# This is required to get the proper test coverage otherwise there are
# tests in 'test_suite_psa_crypto_op_fail' that would never be executed.
scripts/config.py set PSA_WANT_ECC_SECP_K1_192
scripts/config.py set PSA_WANT_ECC_SECP_R1_192
# Accelerate all PSA features (which are still enabled in CRYPTO_CONFIG_H).
PSA_SYM_LIST=$(./scripts/config.py -c $CRYPTO_CONFIG_H get-all-enabled PSA_WANT)
PSA_SYM_LIST=$(./scripts/config.py get-all-enabled PSA_WANT)
loc_accel_list=$(echo $PSA_SYM_LIST | sed 's/PSA_WANT_//g')
helper_libtestdriver1_adjust_config crypto
@@ -138,7 +143,7 @@ component_test_psa_crypto_without_heap() {
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
msg "test: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
@@ -205,7 +210,7 @@ component_test_no_hmac_drbg_use_psa () {
msg "build: Full minus HMAC_DRBG, PSA crypto in TLS"
scripts/config.py full
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # requires HMAC_DRBG
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
@@ -231,12 +236,11 @@ component_test_psa_external_rng_no_drbg_use_psa () {
msg "build: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto in TLS"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_ENTROPY_C
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA # Requires HMAC_DRBG
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
@@ -247,16 +251,18 @@ component_test_psa_external_rng_no_drbg_use_psa () {
}
component_test_psa_external_rng_use_psa_crypto () {
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
msg "build: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
scripts/config.py full
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
make test
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG/NV_SEED"
tests/ssl-opt.sh -f 'Default\|opaque'
}
@@ -288,8 +294,7 @@ component_test_crypto_full_md_light_only () {
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_PKCS7_C
# Disable indirect dependencies of MD_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # needs HMAC_DRBG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
# Disable things that would auto-enable MD_C
scripts/config.py unset MBEDTLS_PKCS5_C
@@ -314,17 +319,17 @@ component_test_full_no_cipher () {
# on CIPHER_C so we disable them.
# This does not hold for KEY_TYPE_CHACHA20 and ALG_CHACHA20_POLY1305
# so we keep them enabled.
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CMAC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CFB
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CTR
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_OFB
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_CMAC
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_CFB
scripts/config.py unset PSA_WANT_ALG_CTR
scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_OFB
scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
# The following modules directly depends on CIPHER_C
scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -352,7 +357,7 @@ component_test_full_no_ccm () {
#
# Note: also PSA_WANT_ALG_CCM_STAR_NO_TAG is enabled, but it does not cause
# PSA_WANT_ALG_CCM to be re-enabled.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
scripts/config.py unset PSA_WANT_ALG_CCM
make
@@ -373,17 +378,17 @@ component_test_full_no_ccm_star_no_tag () {
#
# Note: PSA_WANT_ALG_CCM is enabled, but it does not cause
# PSA_WANT_ALG_CCM_STAR_NO_TAG to be re-enabled.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_STREAM_CIPHER
scripts/config.py unset PSA_WANT_ALG_CTR
scripts/config.py unset PSA_WANT_ALG_CFB
scripts/config.py unset PSA_WANT_ALG_OFB
scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING
# NOTE unsettting PSA_WANT_ALG_ECB_NO_PADDING without unsetting NIST_KW_C will
# mean PSA_WANT_ALG_ECB_NO_PADDING is re-enabled, so disabling it also.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_NIST_KW_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
make
@@ -536,10 +541,10 @@ component_test_psa_crypto_config_ffdh_2048_only () {
scripts/config.py full
# Disable all DH groups other than 2048.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_3072
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_4096
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_6144
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_DH_RFC7919_8192
scripts/config.py unset PSA_WANT_DH_RFC7919_3072
scripts/config.py unset PSA_WANT_DH_RFC7919_4096
scripts/config.py unset PSA_WANT_DH_RFC7919_6144
scripts/config.py unset PSA_WANT_DH_RFC7919_8192
make CFLAGS="$ASAN_CFLAGS -Werror" LDFLAGS="$ASAN_CFLAGS"
@@ -553,23 +558,22 @@ component_test_psa_crypto_config_ffdh_2048_only () {
component_test_psa_crypto_config_accel_ecdsa () {
msg "build: accelerated ECDSA"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Configure
# ---------
# Start from default config + TLS 1.3
helper_libtestdriver1_adjust_config "default"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDSA_C
# Disable things that depend on it
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
# Build
# -----
@@ -595,23 +599,21 @@ component_test_psa_crypto_config_accel_ecdsa () {
component_test_psa_crypto_config_accel_ecdh () {
msg "build: accelerated ECDH"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Configure
# ---------
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDH \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Disable the module that's accelerated
scripts/config.py unset MBEDTLS_ECDH_C
# Disable things that depend on it
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
@@ -636,17 +638,17 @@ component_test_psa_crypto_config_accel_ecdh () {
component_test_psa_crypto_config_accel_ffdh () {
msg "build: full with accelerated FFDH"
# Algorithms and key types to accelerate
loc_accel_list="ALG_FFDH \
$(helper_get_psa_key_type_list "DH") \
$(helper_get_psa_dh_group_list)"
# Configure
# ---------
# start with full (USE_PSA and TLS 1.3)
helper_libtestdriver1_adjust_config "full"
# Algorithms and key types to accelerate
loc_accel_list="ALG_FFDH \
$(helper_get_psa_key_type_list "DH") \
$(helper_get_psa_dh_group_list)"
# Build
# -----
@@ -685,15 +687,15 @@ component_test_psa_crypto_config_reference_ffdh () {
component_test_psa_crypto_config_accel_pake () {
msg "build: full with accelerated PAKE"
loc_accel_list="ALG_JPAKE \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Configure
# ---------
helper_libtestdriver1_adjust_config "full"
loc_accel_list="ALG_JPAKE \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Make built-in fallback not available
scripts/config.py unset MBEDTLS_ECJPAKE_C
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
@@ -718,6 +720,12 @@ component_test_psa_crypto_config_accel_pake () {
component_test_psa_crypto_config_accel_ecc_some_key_types () {
msg "build: full with accelerated EC algs and some key types"
# Configure
# ---------
# start with config full for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
# Algorithms and key types to accelerate
# For key types, use an explicitly list to omit GENERATE (and DERIVE)
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
@@ -729,12 +737,6 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
KEY_TYPE_ECC_KEY_PAIR_EXPORT \
$(helper_get_psa_curve_list)"
# Configure
# ---------
# start with config full for maximum coverage (also enables USE_PSA)
helper_libtestdriver1_adjust_config "full"
# Disable modules that are accelerated - some will be re-enabled
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
@@ -750,7 +752,7 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
# this is not supported by the driver API yet
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# Build
# -----
@@ -789,6 +791,25 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
msg "build: crypto_full minus PK with accelerated EC algs and $desc curves"
# Configure
# ---------
# Start with config crypto_full and remove PK_C:
# that's what's supported now, see docs/driver-only-builds.md.
helper_libtestdriver1_adjust_config "crypto_full"
scripts/config.py unset MBEDTLS_PK_C
scripts/config.py unset MBEDTLS_PK_PARSE_C
scripts/config.py unset MBEDTLS_PK_WRITE_C
# Disable modules that are accelerated - some will be re-enabled
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECJPAKE_C
scripts/config.py unset MBEDTLS_ECP_C
# Disable all curves - those that aren't accelerated should be re-enabled
helper_disable_builtin_curves
# Note: Curves are handled in a special way by the libtestdriver machinery,
# so we only want to include them in the accel list when building the main
# libraries, hence the use of a separate variable.
@@ -819,32 +840,13 @@ common_test_psa_crypto_config_accel_ecc_some_curves () {
$(helper_get_psa_key_type_list "ECC") \
$loc_curve_list"
# Configure
# ---------
# Start with config crypto_full and remove PK_C:
# that's what's supported now, see docs/driver-only-builds.md.
helper_libtestdriver1_adjust_config "crypto_full"
scripts/config.py unset MBEDTLS_PK_C
scripts/config.py unset MBEDTLS_PK_PARSE_C
scripts/config.py unset MBEDTLS_PK_WRITE_C
# Disable modules that are accelerated - some will be re-enabled
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECJPAKE_C
scripts/config.py unset MBEDTLS_ECP_C
# Disable all curves - those that aren't accelerated should be re-enabled
helper_disable_builtin_curves
# Restartable feature is not yet supported by PSA. Once it will in
# the future, the following line could be removed (see issues
# 6061, 6332 and following ones)
scripts/config.py unset MBEDTLS_ECP_RESTARTABLE
# this is not supported by the driver API yet
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# Build
# -----
@@ -929,6 +931,12 @@ config_psa_crypto_config_ecp_light_only () {
component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
msg "build: full with accelerated EC algs"
# Configure
# ---------
# Use the same config as reference, only without built-in EC algs
config_psa_crypto_config_ecp_light_only 1
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
@@ -936,12 +944,6 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Configure
# ---------
# Use the same config as reference, only without built-in EC algs
config_psa_crypto_config_ecp_light_only 1
# Do not disable builtin curves because that support is required for:
# - MBEDTLS_PK_PARSE_EC_EXTENDED
# - MBEDTLS_PK_PARSE_EC_COMPRESSED
@@ -1017,7 +1019,7 @@ config_psa_crypto_no_ecp_at_all () {
# Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# Restartable feature is not yet supported by PSA. Once it will in
# the future, the following line could be removed (see issues
@@ -1033,13 +1035,6 @@ config_psa_crypto_no_ecp_at_all () {
component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
msg "build: full + accelerated EC algs - ECP"
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Configure
# ---------
@@ -1048,6 +1043,13 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
# Disable all the builtin curves. All the required algs are accelerated.
helper_disable_builtin_curves
# Algorithms and key types to accelerate
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
ALG_JPAKE \
$(helper_get_psa_key_type_list "ECC") \
$(helper_get_psa_curve_list)"
# Build
# -----
@@ -1134,23 +1136,22 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
# Disable all the features that auto-enable ECP_LIGHT (see build_info.h)
scripts/config.py unset MBEDTLS_PK_PARSE_EC_EXTENDED
scripts/config.py unset MBEDTLS_PK_PARSE_EC_COMPRESSED
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
scripts/config.py unset PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_DERIVE
# RSA support is intentionally disabled on this test because RSA_C depends
# on BIGNUM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
scripts/config.py unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
scripts/config.py unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Also disable key exchanges that depend on RSA
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
if [ "$test_target" = "ECC" ]; then
# When testing ECC only, we disable FFDH support, both from builtin and
# PSA sides.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_FFDH
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
scripts/config.py unset PSA_WANT_ALG_FFDH
scripts/config.py unset-all "PSA_WANT_KEY_TYPE_DH_[0-9A-Z_a-z]*"
scripts/config.py unset-all "PSA_WANT_DH_RFC7919_[0-9]*"
fi
# Restartable feature is not yet supported by PSA. Once it will in
@@ -1184,6 +1185,14 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
msg "build: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
# Configure
# ---------
# Set common configurations between library's and driver's builds
config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
# Disable all the builtin curves. All the required algs are accelerated.
helper_disable_builtin_curves
# By default we accelerate all EC keys/algs
loc_accel_list="ALG_ECDSA ALG_DETERMINISTIC_ECDSA \
ALG_ECDH \
@@ -1198,14 +1207,6 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
$(helper_get_psa_dh_group_list)"
fi
# Configure
# ---------
# Set common configurations between library's and driver's builds
config_psa_crypto_config_accel_ecc_ffdh_no_bignum 1 "$test_target"
# Disable all the builtin curves. All the required algs are accelerated.
helper_disable_builtin_curves
# Build
# -----
@@ -1352,7 +1353,7 @@ component_test_tfm_config_no_p256m () {
# Disable P256M driver, which is on by default, so that analyze_outcomes
# can compare this test with test_tfm_config_p256m_driver_accel_ec
sed -i '/PROFILE_M_PSA_CRYPTO_CONFIG_H/i #undef MBEDTLS_PSA_P256M_DRIVER_ENABLED' "$CRYPTO_CONFIG_H"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset MBEDTLS_PSA_P256M_DRIVER_ENABLED
msg "build: TF-M config without p256m"
make CFLAGS='-Werror -Wall -Wextra -I../framework/tests/include/spe' tests
@@ -1387,7 +1388,7 @@ build_and_test_psa_want_key_pair_partial () {
# All the PSA_WANT_KEY_TYPE_xxx_KEY_PAIR_yyy are enabled by default in
# crypto_config.h so we just disable the one we don't want.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
scripts/config.py unset "$disabled_psa_want"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@@ -1492,15 +1493,15 @@ component_test_new_psa_want_key_pair_symbol () {
scripts/config.py crypto
# Remove RSA support and its dependencies
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
# that proper translations is done in crypto_legacy.h.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT
scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT
scripts/config.py unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
@@ -1652,8 +1653,7 @@ config_psa_crypto_hmac_use_psa () {
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_HKDF_C
# Dependencies of HMAC_DRBG
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
}
component_test_psa_crypto_config_accel_hmac () {
@@ -1710,7 +1710,7 @@ component_test_psa_crypto_config_accel_aead () {
helper_libtestdriver1_adjust_config "full"
# Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
# Build
# -----
@@ -1826,14 +1826,14 @@ common_block_cipher_dispatch () {
# legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
# Keep this also in the reference component in order to skip the same tests
# that were skipped in the accelerated one.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CTR
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CFB
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_OFB
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset PSA_WANT_ALG_CTR
scripts/config.py unset PSA_WANT_ALG_CFB
scripts/config.py unset PSA_WANT_ALG_OFB
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_CMAC
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
# Disable direct dependency on AES_C
scripts/config.py unset MBEDTLS_NIST_KW_C
@@ -1926,7 +1926,7 @@ component_test_full_block_cipher_legacy_dispatch () {
component_test_aead_chachapoly_disabled () {
msg "build: full minus CHACHAPOLY"
scripts/config.py full
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full minus CHACHAPOLY"
@@ -1936,8 +1936,8 @@ component_test_aead_chachapoly_disabled () {
component_test_aead_only_ccm () {
msg "build: full minus CHACHAPOLY and GCM"
scripts/config.py full
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py unset PSA_WANT_ALG_GCM
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
msg "test: full minus CHACHAPOLY and GCM"
@@ -2063,10 +2063,10 @@ component_build_aes_variations () {
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
"MBEDTLS_AES_ROM_TABLES" \
@@ -2088,9 +2088,9 @@ END
#define PSA_WANT_ALG_SHA3_384 1
#define PSA_WANT_ALG_SHA3_512 1
#define PSA_WANT_KEY_TYPE_AES 1
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PSA_CRYPTO_C
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_PSA_BUILTIN_GET_ENTROPY
#define MBEDTLS_SELF_TEST
END
@@ -2140,6 +2140,7 @@ component_build_aes_aesce_armcc () {
component_test_aes_only_128_bit_keys () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
make CFLAGS='-O2 -Werror -Wall -Wextra'
@@ -2150,6 +2151,7 @@ component_test_aes_only_128_bit_keys () {
component_test_no_ctr_drbg_aes_only_128_bit_keys () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - CTR_DRBG_C"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=clang CFLAGS='-Werror -Wall -Wextra'
@@ -2161,6 +2163,7 @@ component_test_no_ctr_drbg_aes_only_128_bit_keys () {
component_test_aes_only_128_bit_keys_have_builtins () {
msg "build: default config + AES_ONLY_128_BIT_KEY_LENGTH - AESNI_C - AESCE_C"
scripts/config.py set MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
scripts/config.py unset MBEDTLS_AESNI_C
scripts/config.py unset MBEDTLS_AESCE_C
@@ -2274,10 +2277,10 @@ config_block_cipher_no_decrypt () {
# Enable support for cryptographic mechanisms through the PSA API.
# Note: XTS, KW are not yet supported via the PSA API in Mbed TLS.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
}
component_test_block_cipher_no_decrypt_aesni () {
@@ -2346,40 +2349,53 @@ component_test_block_cipher_no_decrypt_aesce_armcc () {
not grep aesce_decrypt_block ${BUILTIN_SRC_PATH}/aesce.o
}
component_test_ctr_drbg_aes_256_sha_256 () {
msg "build: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
component_test_ctr_drbg_aes_256_sha_512 () {
msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)"
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512 (ASan build)"
make test
}
component_test_ctr_drbg_aes_256_sha_256 () {
msg "build: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
make test
}
component_test_ctr_drbg_aes_128_sha_512 () {
msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_512
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY (ASan build)"
msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 (ASan build)"
make test
}
component_test_ctr_drbg_aes_128_sha_256 () {
msg "build: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
msg "build: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
scripts/config.py full
scripts/config.py unset MBEDTLS_MEMORY_BUFFER_ALLOC_C
scripts/config.py set MBEDTLS_CTR_DRBG_USE_128_BIT_KEY
scripts/config.py set MBEDTLS_ENTROPY_FORCE_SHA256
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128
scripts/config.py set MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: full + MBEDTLS_CTR_DRBG_USE_128_BIT_KEY + MBEDTLS_ENTROPY_FORCE_SHA256 (ASan build)"
msg "test: full + set MBEDTLS_PSA_CRYPTO_RNG_STRENGTH 128 + MBEDTLS_PSA_CRYPTO_RNG_HASH PSA_ALG_SHA_256 (ASan build)"
make test
}


@@ -20,17 +20,18 @@ component_build_no_std_function () {
make
}
component_test_platform_get_entropy_alt()
component_test_psa_driver_get_entropy()
{
msg "build: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
msg "build: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY"
# Use hardware polling as the only source for entropy
scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY
scripts/config.py unset MBEDTLS_ENTROPY_NV_SEED
scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
make
# Run all the tests
msg "test: default config + MBEDTLS_PLATFORM_GET_ENTROPY_ALT"
msg "test: default - MBEDTLS_PSA_BUILTIN_GET_ENTROPY + MBEDTLS_PSA_DRIVER_GET_ENTROPY"
make test
}
@@ -40,7 +41,8 @@ component_build_no_sockets () {
msg "build: full config except net_sockets.c, make, gcc -std=c99 -pedantic" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_NET_C # getaddrinfo() undeclared, etc.
scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT # prevent syscall() on GNU/Linux
scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY # prevent syscall() on GNU/Linux
scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1 -std=c99 -pedantic' lib
}


@@ -50,15 +50,15 @@ component_test_tls1_2_default_stream_cipher_only () {
msg "build: default with only stream cipher use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py unset PSA_WANT_ALG_CCM
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_GCM
scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -79,14 +79,14 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
msg "build: default with only CBC-legacy cipher use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py unset PSA_WANT_ALG_CCM
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_GCM
scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -108,14 +108,14 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
msg "build: default with only CBC-legacy and CBC-EtM ciphers use psa"
# Disable AEAD (controlled by the presence of one of GCM_C, CCM_C, CHACHAPOLY_C)
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py unset PSA_WANT_ALG_CCM
scripts/config.py unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py unset PSA_WANT_ALG_GCM
scripts/config.py unset PSA_WANT_ALG_CHACHA20_POLY1305
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Disable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@@ -235,6 +235,7 @@ component_test_small_mbedtls_ssl_dtls_max_buffering () {
# - test only TLS (i.e. test_suite_tls and ssl-opt)
build_full_minus_something_and_test_tls () {
symbols_to_disable="$1"
filter="${2-.}"
msg "build: full minus something, test TLS"
@@ -250,11 +251,12 @@ build_full_minus_something_and_test_tls () {
( cd tests; ./test_suite_ssl )
msg "ssl-opt: full minus something, test TLS"
tests/ssl-opt.sh
tests/ssl-opt.sh -f "$filter"
}
#These tests are temporarily disabled due to an unknown dependency of static ecdh as described in https://github.com/Mbed-TLS/mbedtls/issues/10385.
component_full_without_ecdhe_ecdsa () {
build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
build_full_minus_something_and_test_tls "MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED" 'psk\|PSK\|1\.3'
}
component_full_without_ecdhe_ecdsa_and_tls13 () {
@@ -342,23 +344,6 @@ component_test_variable_ssl_in_out_buffer_len () {
tests/compat.sh
}
component_test_dtls_cid_legacy () {
msg "build: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled (ASan build)"
scripts/config.py set MBEDTLS_SSL_DTLS_CONNECTION_ID_COMPAT 1
CC=$ASAN_CC cmake -D CMAKE_BUILD_TYPE:String=Asan .
make
msg "test: MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy)"
make test
msg "test: ssl-opt.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
tests/ssl-opt.sh
msg "test: compat.sh, MBEDTLS_SSL_DTLS_CONNECTION_ID (legacy) enabled"
tests/compat.sh
}
component_test_ssl_alloc_buffer_and_mfl () {
msg "build: default config with memory buffer allocator and MFL extension"
scripts/config.py set MBEDTLS_MEMORY_BUFFER_ALLOC_C
@@ -378,10 +363,10 @@ component_test_ssl_alloc_buffer_and_mfl () {
component_test_when_no_ciphersuites_have_mac () {
msg "build: when no ciphersuites have MAC"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CMAC
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py unset PSA_WANT_ALG_CMAC
scripts/config.py unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
@@ -436,22 +421,22 @@ component_test_tls13_only_psk () {
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_FFDH
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_2048
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_3072
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_4096
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_6144
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_DH_RFC7919_8192
scripts/config.py unset PSA_WANT_ALG_ECDH
scripts/config.py unset PSA_WANT_ALG_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py unset PSA_WANT_ALG_RSA_PSS
scripts/config.py unset PSA_WANT_ALG_FFDH
scripts/config.py unset PSA_WANT_KEY_TYPE_DH_PUBLIC_KEY
scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_BASIC
scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_IMPORT
scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_EXPORT
scripts/config.py unset PSA_WANT_KEY_TYPE_DH_KEY_PAIR_GENERATE
scripts/config.py unset PSA_WANT_DH_RFC7919_2048
scripts/config.py unset PSA_WANT_DH_RFC7919_3072
scripts/config.py unset PSA_WANT_DH_RFC7919_4096
scripts/config.py unset PSA_WANT_DH_RFC7919_6144
scripts/config.py unset PSA_WANT_DH_RFC7919_8192
# Note: The four unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -481,6 +466,7 @@ component_test_tls13_only_ephemeral () {
tests/ssl-opt.sh
}
#These tests are temporarily disabled due to an unknown dependency of static ecdh as described in https://github.com/Mbed-TLS/mbedtls/issues/10385.
component_test_tls13_only_ephemeral_ffdh () {
msg "build: TLS 1.3 only from default, only ephemeral ffdh key exchange mode"
scripts/config.py unset MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ENABLED
@@ -488,7 +474,7 @@ component_test_tls13_only_ephemeral_ffdh () {
scripts/config.py unset MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
scripts/config.py unset PSA_WANT_ALG_ECDH
# Note: The unset below is to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
@@ -498,7 +484,7 @@ component_test_tls13_only_ephemeral_ffdh () {
cd tests; ./test_suite_ssl; cd ..
msg "ssl-opt.sh: TLS 1.3 only, only ephemeral ffdh key exchange mode"
tests/ssl-opt.sh
tests/ssl-opt.sh -f "ffdh"
}
component_test_tls13_only_psk_ephemeral () {
@@ -512,10 +498,10 @@ component_test_tls13_only_psk_ephemeral () {
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
scripts/config.py unset PSA_WANT_ALG_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -539,11 +525,11 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDH
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
scripts/config.py unset PSA_WANT_ALG_ECDH
scripts/config.py unset PSA_WANT_ALG_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py unset PSA_WANT_ALG_RSA_PSS
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
@@ -567,10 +553,10 @@ component_test_tls13_only_psk_all () {
scripts/config.py set MBEDTLS_SSL_EARLY_DATA
scripts/config.py set MBEDTLS_TEST_HOOKS
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
scripts/config.py unset PSA_WANT_ALG_ECDSA
scripts/config.py unset PSA_WANT_ALG_DETERMINISTIC_ECDSA
scripts/config.py unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
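Review bot: The comment added above `component_full_without_ecdhe_ecdsa`, and repeated above `component_test_tls13_only_ephemeral_ffdh`, says the tests are temporarily disabled, but both components still run with `tests/ssl-opt.sh` narrowed to `-f "$filter"` and `-f "ffdh"`. A reader cannot tell from it that handshakes outside `psk\|PSK\|1\.3` (or outside `ffdh`) are no longer exercised in these configurations, so a regression in the other key exchanges would pass unnoticed here. I would reword it and place it next to each filtered call, e.g. `# ssl-opt.sh is filtered until Mbed-TLS/mbedtls#10385 is resolved; remove the filter then`. The new optional second argument of `build_full_minus_something_and_test_tls` (`filter="${2-.}"`) should also be described in that function's header comment, which starts outside the hunk.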


@@ -284,7 +284,8 @@ component_test_no_platform () {
# Use the test alternative implementation of mbedtls_platform_get_entropy()
# which is provided in "framework/tests/src/fake_external_rng_for_test.c"
# since the default one is excluded in this scenario.
scripts/config.py set MBEDTLS_PLATFORM_GET_ENTROPY_ALT
scripts/config.py unset MBEDTLS_PSA_BUILTIN_GET_ENTROPY
scripts/config.py set MBEDTLS_PSA_DRIVER_GET_ENTROPY
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
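Review bot: The comment kept above the changed lines still describes a test alternative implementation of `mbedtls_platform_get_entropy()`, while the build now unsets `MBEDTLS_PSA_BUILTIN_GET_ENTROPY` and sets `MBEDTLS_PSA_DRIVER_GET_ENTROPY`. The callback name in the comment presumably no longer matches what `framework/tests/src/fake_external_rng_for_test.c` provides; please confirm and update it. Something like `# Use the test-only entropy driver from "framework/tests/src/fake_external_rng_for_test.c"` would fit. Saying "test-only" is worth it, so nobody copies this configuration into a production build expecting a real entropy source. `component_test_no_platform` begins and ends outside the hunk.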


@@ -297,15 +297,6 @@ component_build_sha_armce () {
grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY
# test the deprecated form of the config option
scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, thumb"
make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY clang, test T32 crypto instructions built"
grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_ONLY
scripts/config.py set MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
msg "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT clang, aarch64"
make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=aarch64-linux-gnu -march=armv8-a+crypto"
@@ -313,18 +304,6 @@ component_build_sha_armce () {
grep -E 'sha256[a-z0-9]+\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
# test the deprecated form of the config option
scripts/config.py set MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, arm"
make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72+crypto -marm -std=c99"
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, thumb"
make -B library/../${BUILTIN_SRC_PATH}/sha256.o library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a32+crypto -mthumb"
msg "MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT clang, test T32 crypto instructions built"
grep -E 'sha256[a-z0-9]+.32\s+[qv]' ${BUILTIN_SRC_PATH}/sha256.s
scripts/config.py unset MBEDTLS_SHA256_USE_A64_CRYPTO_IF_PRESENT
# examine the disassembly for absence of SHA instructions
msg "clang, test A32 crypto instructions not built"
make -B library/../${BUILTIN_SRC_PATH}/sha256.s CC=clang CFLAGS="--target=arm-linux-gnueabihf -mcpu=cortex-a72 -marm"


@@ -78,7 +78,7 @@ component_test_suite_with_psasim()
msg "build client library"
helper_psasim_config client
# PAKE functions are still unsupported from PSASIM
scripts/config.py -f $CRYPTO_CONFIG_H unset PSA_WANT_ALG_JPAKE
scripts/config.py unset PSA_WANT_ALG_JPAKE
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
helper_psasim_build client


@@ -66,7 +66,7 @@ component_release_test_valgrind_constant_flow_no_asm () {
# - or alternatively, build with debug info and manually run the offending
# test suite with valgrind --track-origins=yes, then check if the origin
# was TEST_CF_SECRET() or something else.
msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing"
msg "build: cmake release GCC, full config minus MBEDTLS_HAVE_ASM with constant flow testing"
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
scripts/config.py unset MBEDTLS_AESNI_C
@@ -77,7 +77,7 @@ component_release_test_valgrind_constant_flow_no_asm () {
# this only shows a summary of the results (how many of each type)
# details are left in Testing/<date>/DynamicAnalysis.xml
msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM, valgrind + constant flow)"
msg "test: some suites (full minus MBEDTLS_HAVE_ASM, valgrind + constant flow)"
make memcheck
}
@@ -150,7 +150,7 @@ component_test_memsan () {
component_release_test_valgrind () {
msg "build: Release (clang)"
# default config, in particular without MBEDTLS_USE_PSA_CRYPTO
# default config
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make
@@ -178,7 +178,7 @@ component_release_test_valgrind () {
component_release_test_valgrind_psa () {
msg "build: Release, full (clang)"
# full config, in particular with MBEDTLS_USE_PSA_CRYPTO
# full config
scripts/config.py full
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make


@@ -257,23 +257,29 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
# These reverse dependencies can be removed as part of issue
# tf-psa-crypto#364.
'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_512': ['MBEDTLS_ECP_DP_BP512R1_ENABLED'],
'PSA_WANT_ECC_MONTGOMERY_255': ['MBEDTLS_ECP_DP_CURVE25519_ENABLED'],
'PSA_WANT_ECC_MONTGOMERY_448': ['MBEDTLS_ECP_DP_CURVE448_ENABLED'],
'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_256': ['PSA_WANT_ALG_JPAKE',
'MBEDTLS_ECP_DP_SECP256R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_384': ['MBEDTLS_ECP_DP_SECP384R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_521': ['MBEDTLS_ECP_DP_SECP521R1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_256': ['MBEDTLS_ECP_DP_SECP256K1_ENABLED'],
# Support for secp224[k|r]1 was removed in tfpsacrypto#408 while
# secp192[k|r]1 were kept only for internal testing (hidden to the end
# user). We need to keep these reverse dependencies here until
# symbols are hidden/removed from crypto_config.h.
'PSA_WANT_ECC_SECP_R1_192': ['MBEDTLS_ECP_DP_SECP192R1_ENABLED'],
'PSA_WANT_ECC_SECP_R1_224': ['MBEDTLS_ECP_DP_SECP224R1_ENABLED'],
'PSA_WANT_ECC_SECP_K1_192': ['MBEDTLS_ECP_DP_SECP192K1_ENABLED'],
'PSA_WANT_ALG_ECDSA': ['PSA_WANT_ALG_DETERMINISTIC_ECDSA',
'MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED',
'MBEDTLS_ECDSA_C'],
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_ECDSA',
@@ -287,7 +293,6 @@ REVERSE_DEPENDENCIES = {
'MBEDTLS_ECP_RESTARTABLE',
'MBEDTLS_PK_PARSE_EC_EXTENDED',
'MBEDTLS_PK_PARSE_EC_COMPRESSED',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ENABLED',
@@ -305,15 +310,12 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE'],
'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_LMS_C',
@@ -482,9 +484,7 @@ class DomainData:
if alg.can_do(crypto_knowledge.AlgorithmCategory.HASH)}
# Find elliptic curve enabling macros by name.
# MBEDTLS_ECP_DP_SECP224K1_ENABLED added to disable it for all curves
curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z|'
r'MBEDTLS_ECP_DP_SECP224K1_ENABLED')
curve_symbols = self.config_symbols_matching(r'PSA_WANT_ECC_\w+\Z')
# Find key exchange enabling macros by name.
key_exchange_symbols = self.config_symbols_matching(r'MBEDTLS_KEY_EXCHANGE_\w+_ENABLED\Z')
@@ -512,10 +512,10 @@ class DomainData:
'curves': ExclusiveDomain(curve_symbols, build_and_test),
# Hash algorithms. Excluding exclusive domains of MD, RIPEMD, SHA1, SHA3*,
# SHA224 and SHA384 because MBEDTLS_ENTROPY_C is extensively used
# SHA224 and SHA384 because the built-in entropy module is extensively used
# across various modules, but it depends on either SHA256 or SHA512.
# As a consequence an "exclusive" test of anything other than SHA256
# or SHA512 with MBEDTLS_ENTROPY_C enabled is not possible.
# or SHA512 with the built-in entropy module enabled is not possible.
'hashes': DualDomain(hash_symbols, build_and_test,
exclude=r'PSA_WANT_ALG_(?!SHA_(256|512))'),
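Review bot: `MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED` appears to remain in the `PSA_WANT_ALG_ECDSA` reverse-dependency list, although this change drops `MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED` from the two lists further down. If the static ECDH key exchanges were removed as a family, that entry is dead and should go too. If it is kept on purpose, a one-line comment saying why would help. Separately, the two new comments refer to the crypto repository as `tf-psa-crypto#364` and `tfpsacrypto#408`; using one form keeps the references searchable. The `REVERSE_DEPENDENCIES` dict starts and ends outside the hunks shown.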


@@ -15,11 +15,15 @@ my @public_files = map { basename($_) } glob("../tf-psa-crypto/include/mbedtls/*
my $public_files_regex = join('|', map { quotemeta($_) } @public_files);
my @private_files = map { basename($_) } glob("../tf-psa-crypto/include/mbedtls/private/*.h");
my $private_files_regex = join('|', map { quotemeta($_) } @private_files);
while (<>) {
s!^(\s*#\s*include\s*[\"<])mbedtls/build_info.h!${1}libtestdriver1/include/mbedtls/build_info.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/mbedtls_config.h!${1}libtestdriver1/include/mbedtls/mbedtls_config.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_x509.h!${1}libtestdriver1/include/mbedtls/config_adjust_x509.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/config_adjust_ssl.h!${1}libtestdriver1/include/mbedtls/config_adjust_ssl.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/private/config_adjust_x509.h!${1}libtestdriver1/include/mbedtls/private/config_adjust_x509.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/private/config_adjust_ssl.h!${1}libtestdriver1/include/mbedtls/private/config_adjust_ssl.h!;
s!^(\s*#\s*include\s*[\"<])mbedtls/check_config.h!${1}libtestdriver1/include/mbedtls/check_config.h!;
# Files in include/mbedtls and drivers/builtin/include/mbedtls are both
# included in files via #include mbedtls/<file>.h, so when expanding to the
@@ -28,6 +32,9 @@ while (<>) {
if ( $public_files_regex ) {
s!^(\s*#\s*include\s*[\"<])mbedtls/($public_files_regex)!${1}libtestdriver1/tf-psa-crypto/include/mbedtls/${2}!;
}
if ( $private_files_regex ) {
s!^(\s*#\s*include\s*[\"<])mbedtls/private/($private_files_regex)!${1}libtestdriver1/tf-psa-crypto/include/mbedtls/private/${2}!;
}
s!^(\s*#\s*include\s*[\"<])mbedtls/!${1}libtestdriver1/tf-psa-crypto/drivers/builtin/include/mbedtls/!;
s!^(\s*#\s*include\s*[\"<])psa/!${1}libtestdriver1/tf-psa-crypto/include/psa/!;
s!^(\s*#\s*include\s*[\"<])tf-psa-crypto/!${1}libtestdriver1/tf-psa-crypto/include/tf-psa-crypto/!;
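Review bot: The new private-header rewrite can be skipped silently, because `@private_files` comes from a `glob` on a path relative to the current directory. When that glob matches nothing, the `if ( $private_files_regex )` guard skips the new rule. `mbedtls/private/...` includes then fall through to the generic `mbedtls/` rewrite and end up pointing at `drivers/builtin/include`. Assuming an empty private directory is never expected, a diagnostic such as `warn "no private headers found under ../tf-psa-crypto/include/mbedtls/private\n" unless @private_files;` would make a wrong working directory visible. The existing public list has the same property. The `while (<>)` loop continues outside the hunks shown.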


@@ -27,13 +27,9 @@ CLASSIC_DEPENDENCIES = frozenset([
'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS',
'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN',
'MBEDTLS_CIPHER_PADDING_ZEROS',
#curve#'MBEDTLS_ECP_DP_SECP192R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP224R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP256R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP384R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP521R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP192K1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP224K1_ENABLED',
#curve#'MBEDTLS_ECP_DP_SECP256K1_ENABLED',
#curve#'MBEDTLS_ECP_DP_BP256R1_ENABLED',
#curve#'MBEDTLS_ECP_DP_BP384R1_ENABLED',


@@ -0,0 +1,63 @@
#!/usr/bin/env python3
"""Test the configuration checks generated by generate_config_checks.py.
"""
## Copyright The Mbed TLS Contributors
## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import unittest
import scripts_path # pylint: disable=unused-import
from mbedtls_framework import unittest_config_checks
class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
"""Mbed TLS unit tests for checks generated by config_checks_generator."""
#pylint: disable=invalid-name # uppercase letters make sense here
PROJECT_CONFIG_C = 'library/mbedtls_config.c'
PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
'tf-psa-crypto/include',
'tf-psa-crypto/drivers/builtin/include',
]
@unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
def test_crypto_no_fs_io(self) -> None:
"""A sample error expected from crypto's check_config.h."""
self.bad_case('#undef MBEDTLS_FS_IO',
None,
error=('MBEDTLS_PSA_ITS_FILE_C'))
def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
"""An error expected from mbedtls_check_config.h based on the TLS configuration."""
self.bad_case(None,
'''
#define MBEDTLS_SSL_EARLY_DATA
#undef MBEDTLS_SSL_SESSION_TICKETS
''',
error=('MBEDTLS_SSL_EARLY_DATA'))
def test_mbedtls_no_ecdsa(self) -> None:
"""An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
self.bad_case('''
#undef PSA_WANT_ALG_ECDSA
#undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
#undef MBEDTLS_ECDSA_C
''',
'''
#if defined(PSA_WANT_ALG_ECDSA)
#error PSA_WANT_ALG_ECDSA unexpected
#endif
#if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
#error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
#endif
#if defined(MBEDTLS_ECDSA_C)
#error MBEDTLS_ECDSA_C unexpected
#endif
''',
error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
if __name__ == '__main__':
unittest.main()
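Review bot: In `test_mbedtls_no_ecdsa` the guard for deterministic ECDSA misspells the macro as `PSA_WANT_ALG_DETERMINSTIC_ECDSA` (missing `I`), while the `#undef` above it uses `PSA_WANT_ALG_DETERMINISTIC_ECDSA`. The `#if defined(...)` therefore tests a symbol that is never defined and its `#error` can never fire, so the test does not verify that deterministic ECDSA is really disabled before the expected `MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED` error. The two lines should read `#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)` and `#error PSA_WANT_ALG_DETERMINISTIC_ECDSA unexpected`.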


@@ -11,6 +11,8 @@
#include <test/ssl_helpers.h>
#include "mbedtls/psa_util.h"
#include <limits.h>
#if defined(MBEDTLS_SSL_TLS_C)
int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
@@ -642,11 +644,9 @@ static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
ep->cert = NULL;
}
if (ep->pkey != NULL) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(ep->pkey) == MBEDTLS_PK_OPAQUE) {
psa_destroy_key(ep->pkey->priv_id);
}
#endif
mbedtls_pk_free(ep->pkey);
mbedtls_free(ep->pkey);
ep->pkey = NULL;
@@ -723,9 +723,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
int i = 0;
int ret = -1;
int ok = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT;
#endif
if (ep == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@@ -757,7 +755,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
TEST_EQUAL(load_endpoint_ecc(ep), 0);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
/* Use a fake key usage to get a successful initial guess for the PSA attributes. */
@@ -774,11 +771,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
mbedtls_pk_init(ep->pkey);
TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
(void) opaque_alg2;
(void) opaque_usage;
#endif
mbedtls_ssl_conf_ca_chain(&(ep->conf), ep->ca_chain, NULL);
@@ -1210,7 +1202,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
unsigned char *output,
size_t *olen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
size_t part_len;
@@ -1244,10 +1235,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
*olen += part_len;
return 0;
#else
return mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
iv, iv_len, input, ilen, output, olen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_ALG_CBC_NO_PADDING &&
PSA_WANT_KEY_TYPE_AES */
@@ -1381,14 +1368,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
size_t key_bits = 0;
int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#else
mbedtls_cipher_info_t const *cipher_info;
#endif
size_t keylen, maclen, ivlen = 0;
unsigned char *key0 = NULL, *key1 = NULL;
@@ -1420,58 +1403,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(key0, 0x1, keylen);
memset(key1, 0x2, keylen);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/* Pick cipher */
cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type);
CHK(cipher_info != NULL);
CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16);
CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0);
/* Setup cipher contexts */
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_enc, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_dec, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_enc, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_dec, cipher_info) == 0);
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if (cipher_mode == MBEDTLS_MODE_CBC) {
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_enc,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_dec,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_enc,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_dec,
MBEDTLS_PADDING_NONE) == 0);
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */
CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_enc, key0,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_ENCRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_dec, key1,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_DECRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_enc, key1,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_ENCRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_dec, key0,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_DECRYPT)
== 0);
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/* Setup MAC contexts */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
if (cipher_mode == MBEDTLS_MODE_CBC ||
cipher_mode == MBEDTLS_MODE_STREAM) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) hash_id);
CHK(md_info != NULL);
#endif
maclen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) hash_id);
CHK(maclen != 0);
/* Pick hash keys */
@@ -1480,7 +1415,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(md0, 0x5, maclen);
memset(md1, 0x6, maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = mbedtls_md_psa_alg_from_type(hash_id);
CHK(alg != 0);
@@ -1521,21 +1455,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
CHK(psa_import_key(&attributes,
md0, maclen,
&t_out->psa_mac_dec) == PSA_SUCCESS);
#else
CHK(mbedtls_md_setup(&t_out->md_ctx_enc, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_out->md_ctx_dec, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_in->md_ctx_enc, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_in->md_ctx_dec, md_info, 1) == 0);
CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_enc,
md0, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_dec,
md1, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_enc,
md1, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_dec,
md0, maclen) == 0);
#endif
}
#else
((void) hash_id);
@@ -1655,7 +1574,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
t_out->out_cid_len = (uint8_t) cid0_len;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = mbedtls_ssl_cipher_to_psa(cipher_type,
t_in->taglen,
&alg,
@@ -1718,7 +1636,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
goto cleanup;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
cleanup:
@@ -1735,9 +1652,7 @@ cleanup:
int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
mbedtls_ssl_transform *transform_out)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#endif
/* Serialized version of record header for MAC purposes */
unsigned char add_data[13];
@@ -1749,7 +1664,6 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
add_data[12] = (record->data_len >> 0) & 0xff;
/* MAC with additional data */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t sign_mac_length = 0;
TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation,
transform_out->psa_mac_enc,
@@ -1765,26 +1679,13 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation,
mac, sizeof(mac),
&sign_mac_length));
#else
TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13));
TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc,
record->buf + record->data_offset,
record->data_len));
/* Use a temporary buffer for the MAC, because with the truncated HMAC
* extension, there might not be enough room in the record for the
* full-length MAC. */
unsigned char mac[MBEDTLS_MD_MAX_SIZE];
TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac));
#endif
memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen);
record->data_len += transform_out->maclen;
return 0;
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_abort(&operation);
#endif
return -1;
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
@@ -1838,7 +1739,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
return -1;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE);
size_t hash_size = 0;
@@ -1849,12 +1749,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN,
&hash_size);
ret = PSA_TO_MBEDTLS_ERR(status);
#else
ret = mbedtls_md(mbedtls_md_info_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
tmp_crt.raw.p, tmp_crt.raw.len,
session->peer_cert_digest);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
return ret;
}


@@ -312,12 +312,7 @@ requires_any_configs_disabled() {
}
TLS1_2_KEY_EXCHANGES_WITH_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT="MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED"
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH="MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED \
MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED"
@@ -436,14 +431,12 @@ requires_cipher_enabled() {
# - $1 = command line (call to a TLS client or server program)
# - $2 = client/server
# - $3 = TLS version (TLS12 or TLS13)
# - $4 = Use an external tool without ECDH support
# - $5 = run test options
# - $4 = run test options
detect_required_features() {
CMD_LINE=$1
ROLE=$2
TLS_VERSION=$3
EXT_WO_ECDH=$4
TEST_OPTIONS=${5:-}
TEST_OPTIONS=${4:-}
case "$CMD_LINE" in
*\ force_version=*)
@@ -484,7 +477,8 @@ detect_required_features() {
*"programs/ssl/dtls_client "*|\
*"programs/ssl/ssl_client1 "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PSA_CRYPTO_C
requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_CLI_C
requires_certificate_authentication
@@ -494,7 +488,8 @@ detect_required_features() {
*"programs/ssl/ssl_pthread_server "*|\
*"programs/ssl/ssl_server "*)
requires_config_enabled MBEDTLS_CTR_DRBG_C
requires_config_enabled MBEDTLS_ENTROPY_C
requires_config_enabled MBEDTLS_PSA_CRYPTO_C
requires_config_disabled MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
requires_config_enabled MBEDTLS_PEM_PARSE_C
requires_config_enabled MBEDTLS_SSL_SRV_C
requires_certificate_authentication
@@ -523,24 +518,9 @@ detect_required_features() {
else
# For TLS12 requirements are different between server and client
if [ "$ROLE" = "server" ]; then
# If the server uses "server5*" certificates, then an ECDSA based
# key exchange is required. However gnutls also does not
# support ECDH, so this limit the choice to ECDHE-ECDSA
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_ECDSA_CERT
fi
requires_any_configs_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED
elif [ "$ROLE" = "client" ]; then
# On the client side it is enough to have any certificate
# based authentication together with support for ECDSA.
# Of course the GnuTLS limitation mentioned above applies
# also here.
if [ "$EXT_WO_ECDH" = "yes" ]; then
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
else
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
fi
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT_WO_ECDH
requires_pk_alg "ECDSA"
fi
fi
@@ -1303,28 +1283,6 @@ is_gnutls() {
esac
}
# Some external tools (gnutls or openssl) might not have support for static ECDH
# and this limit the tests that can be run with them. This function checks server
# and client command lines, given as input, to verify if the current test
# is using one of these tools.
use_ext_tool_without_ecdh_support() {
case "$1" in
*$GNUTLS_SERV*|\
*${GNUTLS_NEXT_SERV:-"gnutls-serv-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
case "$2" in
*$GNUTLS_CLI*|\
*${GNUTLS_NEXT_CLI:-"gnutls-cli-dummy"}*|\
*${OPENSSL_NEXT:-"openssl-dummy"}*)
echo "yes"
return;;
esac
echo "no"
}
# Generate random psk_list argument for ssl_server2
get_srv_psk_list ()
{
@@ -1811,26 +1769,20 @@ run_test() {
requires_config_enabled MBEDTLS_SSL_PROTO_DTLS
fi
# Check if we are trying to use an external tool which does not support ECDH
EXT_WO_ECDH=$(use_ext_tool_without_ecdh_support "$SRV_CMD" "$CLI_CMD")
# Guess the TLS version which is going to be used.
# Note that this detection is wrong in some cases, which causes unduly
# skipped test cases in builds with TLS 1.3 but not TLS 1.2.
# https://github.com/Mbed-TLS/mbedtls/issues/9560
if [ "$EXT_WO_ECDH" = "no" ]; then
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
else
TLS_VERSION="TLS12"
fi
TLS_VERSION=$(get_tls_version "$SRV_CMD" "$CLI_CMD")
# If we're in a PSK-only build and the test can be adapted to PSK, do that.
maybe_adapt_for_psk "$@"
# If the client or server requires certain features that can be detected
# from their command-line arguments, check whether they're enabled.
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$EXT_WO_ECDH" "$@"
detect_required_features "$SRV_CMD" "server" "$TLS_VERSION" "$@"
detect_required_features "$CLI_CMD" "client" "$TLS_VERSION" "$@"
# should we skip?
if [ "X$SKIP_NEXT" = "XYES" ]; then
@@ -2355,52 +2307,6 @@ run_test "Opaque key for server authentication: ECDHE-ECDSA" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: ECDH-" \
"$P_SRV auth_mode=required key_opaque=1\
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt\
key_file=$DATA_FILES_PATH/server5.key key_opaque_algs=ecdh,none" \
"$P_CLI force_version=tls12" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-ECDH-" \
-s "key types: Opaque, none" \
-s "Ciphersuite is TLS-ECDH-" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled MBEDTLS_ECDSA_C
requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
requires_config_disabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid key: ecdh with RSA key, no async" \
"$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
-s "key types: Opaque, none" \
-s "error" \
-c "error" \
-c "Public key type mismatch"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_config_enabled PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC
requires_config_enabled MBEDTLS_SSL_ASYNC_PRIVATE
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: ecdh with RSA key, async" \
"$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server2-sha256.crt \
key_file=$DATA_FILES_PATH/server2.key key_opaque_algs=ecdh,none \
debug_level=1" \
"$P_CLI force_version=tls12" \
1 \
-s "key types: Opaque, none" \
-s "got ciphersuites in common, but none of them usable" \
-s "error" \
-c "error"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_256
run_test "Opaque key for server authentication: invalid alg: ECDHE-ECDSA with ecdh" \
@@ -2433,24 +2339,6 @@ run_test "Opaque keys for server authentication: EC keys with different algs,
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
run_test "Opaque keys for server authentication: EC keys with different algs, force ECDH-ECDSA" \
"$P_SRV key_opaque=1 crt_file=$DATA_FILES_PATH/server7.crt \
key_file=$DATA_FILES_PATH/server7.key key_opaque_algs=ecdsa-sign,none \
crt_file2=$DATA_FILES_PATH/server5.crt key_file2=$DATA_FILES_PATH/server5.key \
key_opaque_algs2=ecdh,none debug_level=3" \
"$P_CLI force_version=tls12 force_ciphersuite=TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384" \
0 \
-c "Verifying peer X.509 certificate... ok" \
-c "Ciphersuite is TLS-ECDH-ECDSA" \
-c "CN=Polarssl Test EC CA" \
-s "key types: Opaque, Opaque" \
-s "Ciphersuite is TLS-ECDH-ECDSA" \
-S "error" \
-C "error"
requires_config_enabled MBEDTLS_X509_CRT_PARSE_C
requires_hash_alg SHA_384
requires_config_disabled MBEDTLS_X509_REMOVE_INFO
@@ -2659,12 +2547,6 @@ requires_config_enabled PSA_WANT_ECC_SECP_K1_256
run_test_psa_force_curve "secp256k1"
requires_config_enabled PSA_WANT_ECC_BRAINPOOL_P_R1_256
run_test_psa_force_curve "brainpoolP256r1"
requires_config_enabled PSA_WANT_ECC_SECP_R1_224
run_test_psa_force_curve "secp224r1"
requires_config_enabled PSA_WANT_ECC_SECP_R1_192
run_test_psa_force_curve "secp192r1"
requires_config_enabled PSA_WANT_ECC_SECP_K1_192
run_test_psa_force_curve "secp192k1"
# Test current time in ServerHello
requires_config_enabled MBEDTLS_HAVE_TIME
@@ -6183,31 +6065,6 @@ run_test "Authentication: hostname unset, client default, server picks PSK, 1.3"
-C "x509_verify_cert() returned -" \
-C "X509 - Certificate verification failed"
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
# corner case of a static ECDH suite, because the server doesn't check the curve on that
# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
# different means to have the server ignoring the client's supported curve list.
run_test "Authentication: server ECDH p256v1, client required, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=required groups=secp521r1" \
1 \
-c "bad certificate (EC key curve)"\
-c "! Certificate verification flags"\
-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
run_test "Authentication: server ECDH p256v1, client optional, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 debug_level=3 auth_mode=optional groups=secp521r1" \
1 \
-c "bad certificate (EC key curve)"\
-c "! Certificate verification flags"\
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication: client SHA256, server required" \
"$P_SRV auth_mode=required" \
@@ -6560,33 +6417,6 @@ run_test "Authentication, CA callback: server badcert, client none" \
-C "! mbedtls_ssl_handshake returned" \
-C "X509 - Certificate verification failed"
# The purpose of the next two tests is to test the client's behaviour when receiving a server
# certificate with an unsupported elliptic curve. This should usually not happen because
# the client informs the server about the supported curves - it does, though, in the
# corner case of a static ECDH suite, because the server doesn't check the curve on that
# occasion (to be fixed). If that bug's fixed, the test needs to be altered to use a
# different means to have the server ignoring the client's supported curve list.
run_test "Authentication, CA callback: server ECDH p256v1, client required, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=required groups=secp521r1" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "bad certificate (EC key curve)" \
-c "! Certificate verification flags" \
-C "bad server certificate (ECDH curve)" # Expect failure at earlier verification stage
run_test "Authentication, CA callback: server ECDH p256v1, client optional, p256v1 unsupported" \
"$P_SRV debug_level=1 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI force_version=tls12 ca_callback=1 debug_level=3 auth_mode=optional groups=secp521r1" \
1 \
-c "use CA callback for X.509 CRT verification" \
-c "bad certificate (EC key curve)"\
-c "! Certificate verification flags"\
-c "bad server certificate (ECDH curve)" # Expect failure only at ECDH params check
requires_any_configs_enabled $TLS1_2_KEY_EXCHANGES_WITH_CERT
run_test "Authentication, CA callback: client SHA384, server required" \
"$P_SRV ca_callback=1 debug_level=3 auth_mode=required" \
@@ -7991,14 +7821,6 @@ run_test "keyUsage srv 1.2: ECC, digitalSignature -> ECDHE-ECDSA" \
0 \
-c "Ciphersuite is TLS-ECDHE-ECDSA-WITH-"
run_test "keyUsage srv 1.2: ECC, keyAgreement -> ECDH-" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ka.crt" \
"$P_CLI" \
0 \
-c "Ciphersuite is TLS-ECDH-"
run_test "keyUsage srv 1.2: ECC, keyEncipherment -> fail" \
"$P_SRV force_version=tls12 key_file=$DATA_FILES_PATH/server5.key \
crt_file=$DATA_FILES_PATH/server5.ku-ke.crt" \
@@ -9445,12 +9267,12 @@ run_test "EC restart: TLS, max_ops=65535" \
# The following test cases for restartable ECDH come in two variants:
# * The "(USE_PSA)" variant expects the current behavior, which is the behavior
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. This tests
# the partial implementation where ECDH in TLS is not actually restartable.
# * The "(no USE_PSA)" variant expects the desired behavior. These test
# cases cannot currently pass because the implementation of restartable ECC
# in TLS is partial: ECDH is not actually restartable. This is the behavior
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled.
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled.
#
# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test
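Review bot: The four removed "server ECDH p256v1, client required/optional, p256v1 unsupported" cases (the plain pair and the CA-callback pair) are dropped without a replacement in this section. As far as these hunks show, they were the tests asserting that the client reports `bad certificate (EC key curve)` when the server certificate uses a curve outside the client's `groups` list. The deleted comment said the scenario would need "a different means to have the server ignoring the client's supported curve list" once the static-ECDH path was gone, so the client-side curve check on the peer certificate now appears to be unexercised by this script. I would leave a marker where the tests were, e.g. `# TODO: re-add coverage for a server certificate on a curve the client did not offer (previously reached via static ECDH)`, or reference the test that covers this check if one exists outside this page.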


@@ -16,15 +16,10 @@ void ssl_cf_hmac(int hash)
* Test the function mbedtls_ct_hmac() against a reference
* implementation.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
mbedtls_md_context_t ctx, ref_ctx;
const mbedtls_md_info_t *md_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t out_len, block_size;
size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
@@ -36,7 +31,6 @@ void ssl_cf_hmac(int hash)
USE_PSA_INIT();
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = PSA_ALG_HMAC(mbedtls_md_psa_alg_from_type(hash));
out_len = PSA_HASH_LENGTH(alg);
@@ -47,36 +41,15 @@ void ssl_cf_hmac(int hash)
PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(alg));
psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
#else
mbedtls_md_init(&ctx);
mbedtls_md_init(&ref_ctx);
md_info = mbedtls_md_info_from_type(hash);
TEST_ASSERT(md_info != NULL);
out_len = mbedtls_md_get_size(md_info);
TEST_ASSERT(out_len != 0);
block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Use allocated out buffer to catch overwrites */
TEST_CALLOC(out, out_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Set up dummy key */
memset(ref_out, 42, sizeof(ref_out));
TEST_EQUAL(PSA_SUCCESS, psa_import_key(&attributes,
ref_out, out_len,
&key));
#else
/* Set up contexts with the given hash and a dummy key */
TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 1));
TEST_EQUAL(0, mbedtls_md_setup(&ref_ctx, md_info, 1));
memset(ref_out, 42, sizeof(ref_out));
TEST_EQUAL(0, mbedtls_md_hmac_starts(&ctx, ref_out, out_len));
TEST_EQUAL(0, mbedtls_md_hmac_starts(&ref_ctx, ref_out, out_len));
memset(ref_out, 0, sizeof(ref_out));
#endif
/*
* Test all possible lengths up to a point. The difference between
* max_in_len and min_in_len is at most 255, and make sure they both vary
@@ -101,22 +74,14 @@ void ssl_cf_hmac(int hash)
/* Get the function's result */
TEST_CF_SECRET(&in_len, sizeof(in_len));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL(0, mbedtls_ct_hmac(key, PSA_ALG_HMAC(alg),
add_data, sizeof(add_data),
data, in_len,
min_in_len, max_in_len,
out));
#else
TEST_EQUAL(0, mbedtls_ct_hmac(&ctx, add_data, sizeof(add_data),
data, in_len,
min_in_len, max_in_len,
out));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
TEST_CF_PUBLIC(&in_len, sizeof(in_len));
TEST_CF_PUBLIC(out, out_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_setup(&operation,
key, alg));
TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data,
@@ -125,17 +90,6 @@ void ssl_cf_hmac(int hash)
data, in_len));
TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_finish(&operation,
out, out_len));
#else
/* Compute the reference result */
TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, add_data,
sizeof(add_data)));
TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, data, in_len));
TEST_EQUAL(0, mbedtls_md_hmac_finish(&ref_ctx, ref_out));
TEST_EQUAL(0, mbedtls_md_hmac_reset(&ref_ctx));
/* Compare */
TEST_MEMORY_COMPARE(out, out_len, ref_out, out_len);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
mbedtls_free(data);
@@ -143,13 +97,8 @@ void ssl_cf_hmac(int hash)
}
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_abort(&operation);
psa_destroy_key(key);
#else
mbedtls_md_free(&ref_ctx);
mbedtls_md_free(&ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_free(data);
mbedtls_free(out);


@@ -3,12 +3,8 @@ depends_on:MBEDTLS_AES_C
error_strerror:-0x0020:"AES - Invalid key length"
Single high error
depends_on:MBEDTLS_RSA_C
error_strerror:-0x4080:"RSA - Bad input parameters to function"
Low and high error
depends_on:MBEDTLS_AES_C:MBEDTLS_RSA_C
error_strerror:-0x40A0:"RSA - Bad input parameters to function \: AES - Invalid key length"
depends_on:PSA_WANT_ALG_SHA_256:MBEDTLS_RSA_C:MBEDTLS_X509_CRT_PARSE_C
error_strerror:-0x2280:"X509 - The serial tag or value is invalid"
Non existing high error
error_strerror:-0x8880:"UNKNOWN ERROR CODE (8880)"


@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
#include "mbedtls/bignum.h"
#include "mbedtls/private/bignum.h"
#include "mbedtls/pkcs7.h"
#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
@@ -8,7 +8,7 @@
#include "mbedtls/oid.h"
#include "sys/types.h"
#include "sys/stat.h"
#include "mbedtls/rsa.h"
#include "mbedtls/private/rsa.h"
#include "mbedtls/error.h"
/* END_HEADER */


@@ -380,10 +380,6 @@ Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:0
Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:0
Handshake, PSK-WITH-AES-128-CBC-SHA
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ALG_SHA_1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":0
@@ -408,10 +404,6 @@ DTLS Handshake, ECDHE-ECDSA-WITH-AES-256-CCM
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_cipher:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:1
DTLS Handshake, ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_cipher:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:1
DTLS Handshake, PSK-WITH-AES-128-CBC-SHA
depends_on:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_SSL_PROTO_DTLS:PSA_WANT_ALG_SHA_1:MBEDTLS_KEY_EXCHANGE_PSK_ENABLED
handshake_psk_cipher:"TLS-PSK-WITH-AES-128-CBC-SHA":MBEDTLS_PK_RSA:"abc123":1
@@ -440,23 +432,23 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_R
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque
@@ -464,57 +456,21 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Sending app data via TLS, MFL=512 without fragmentation
depends_on:MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
app_data_tls:MBEDTLS_SSL_MAX_FRAG_LEN_512:400:512:1:1
@@ -3236,7 +3192,7 @@ depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
ssl_ecjpake_set_password:0
EC-JPAKE set opaque password
depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
ssl_ecjpake_set_password:1
Test Elliptic curves' info parsing


@@ -3422,7 +3422,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
void test_multiple_psks_opaque(int mode)
{
/*
@@ -3537,9 +3537,9 @@ exit:
/* BEGIN_CASE */
void conf_group()
{
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP192R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP224R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
uint16_t iana_tls_group_list[] = { MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
MBEDTLS_SSL_IANA_TLS_GROUP_NONE };
mbedtls_ssl_config conf;
@@ -3768,7 +3768,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
void raw_key_agreement_fail(int bad_server_ecdhe_key)
{
enum { BUFFSIZE = 17000 };
@@ -3941,11 +3941,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT;
#else /* MBEDTLS_USE_PSA_CRYPTO */
(void) use_opaque_arg;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = "";
size_t pwd_len = 0;
int ret;
@@ -3971,14 +3967,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
pwd_len = strlen(ECJPAKE_TEST_PWD);
memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (use_opaque_arg) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
/* First try with an invalid usage */
psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_SIGN_HASH);
psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE(PSA_ALG_SHA_256));
psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
PSA_ASSERT(psa_import_key(&attributes, pwd_string,
@@ -3998,16 +3993,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
PSA_ASSERT(psa_import_key(&attributes, pwd_string,
pwd_len, &pwd_slot));
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* final check which should work without errors */
ECJPAKE_TEST_SET_PASSWORD(0);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (use_opaque_arg) {
psa_destroy_key(pwd_slot);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
@@ -4058,21 +4050,6 @@ void elliptic_curve_get_properties()
#else
TEST_UNAVAILABLE_ECC(26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_224)
TEST_AVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
#else
TEST_UNAVAILABLE_ECC(21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224);
#endif
#if defined(PSA_WANT_ECC_SECP_R1_192)
TEST_AVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
#else
TEST_UNAVAILABLE_ECC(19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192);
#endif
#if defined(PSA_WANT_ECC_SECP_K1_192)
TEST_AVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
#else
TEST_UNAVAILABLE_ECC(18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192);
#endif
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
TEST_AVAILABLE_ECC(29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255);
#else
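Review bot: In `ssl_ecjpake_set_password`, the now-unconditional `psa_destroy_key(pwd_slot);` and the `mbedtls_ssl_free`/`mbedtls_ssl_config_free` calls sit on the success path, and no `exit:` label is visible ahead of them in these hunks. If `PSA_ASSERT` or `ECJPAKE_TEST_SET_PASSWORD` bails out early (both presumably jump to `exit`), the imported password key would stay in the key store and the SSL objects would not be freed. Putting an `exit:` label directly before `if (use_opaque_arg) {` would run the same cleanup on failure as on success. The return value of `psa_destroy_key` is also dropped; `PSA_ASSERT(psa_destroy_key(pwd_slot));` on the success path would catch a slot that was never valid. The function starts and ends outside the hunks, so the label may already exist further down.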


@@ -38,19 +38,17 @@ void check_compiletime_version(char *version_str)
void check_runtime_version(char *version_str)
{
char build_str[100];
char get_str[100];
const char *get_str;
char build_str_full[100];
char get_str_full[100];
const char *get_str_full;
unsigned int get_int;
memset(build_str, 0, 100);
memset(get_str, 0, 100);
memset(build_str_full, 0, 100);
memset(get_str_full, 0, 100);
get_int = mbedtls_version_get_number();
mbedtls_version_get_string(get_str);
mbedtls_version_get_string_full(get_str_full);
get_str = mbedtls_version_get_string();
get_str_full = mbedtls_version_get_string_full();
mbedtls_snprintf(build_str, 100, "%u.%u.%u",
(get_int >> 24) & 0xFF,
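Review bot: `get_str` and `get_str_full` are now pointers returned by `mbedtls_version_get_string()` and `mbedtls_version_get_string_full()`, and nothing in the hunk asserts they are non-NULL before the comparisons that presumably follow outside it. Adding `TEST_ASSERT(get_str != NULL);` and `TEST_ASSERT(get_str_full != NULL);` right after the two calls would turn a bad return into a reported failure instead of a crash in the test binary. The two remaining buffers are still cleared and formatted with a literal `100`; `memset(build_str, 0, sizeof(build_str));` and `mbedtls_snprintf(build_str, sizeof(build_str), ...)` keep the bound tied to the declaration. The body of `check_runtime_version` continues past the end of the hunk.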


@@ -900,7 +900,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_
x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1
x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #70 (v1 trusted CA)
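Review bot: The case name `X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)` still carries the `USE_PSA` qualifier although the new `depends_on` line no longer lists `MBEDTLS_USE_PSA_CRYPTO`, so the name now describes a configuration that no longer exists. The `x509_verify` line for `server9-bad-saltlen.crt` expects result `0` and flags `0`, which means a certificate whose PSS salt length does not match is accepted. If that is the intended behaviour, it deserves a comment above the case, for example `# PSS verification accepts any salt length, so a mismatching salt_len is not rejected`, and the name could become `(RSASSA-PSS, wrong salt_len, accepted)`.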


@@ -1,5 +1,5 @@
/* BEGIN_HEADER */
#include "mbedtls/bignum.h"
#include "mbedtls/private/bignum.h"
#include "mbedtls/x509.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_crl.h"


@@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
Certificate Request check Server5 ECDSA, key_usage
depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256
x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
Certificate Request check Server1, set_extension
@@ -123,23 +123,23 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, ns_cert_type
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, version 1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, CA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Full length serial
@@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server5 ECDSA
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server1 SHA1, SubjectAltNames
@@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F"
OID from numeric string - OID with overflowing subidentifier
oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""
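Review bot: The `Certificate write check Server5 ECDSA, Opaque` case keeps an empty reference certificate (`""`) while its new dependency line requires `PSA_WANT_ALG_DETERMINISTIC_ECDSA`, and nothing in the data file says why the output is not compared. An empty reference suggests the opaque signing path is not byte-reproducible. The test function on this page now always shrinks the buffer by a single byte (`der_len -= 1;`) before expecting `MBEDTLS_ERR_ASN1_BUF_TOO_SMALL`. If the ECDSA signature length can differ between the two DER writes, that expectation could fail intermittently for this case. A comment above the case, such as `# Opaque issuer key: output is not compared against a reference file`, plus confirmation that the wrapped key signs deterministically, would settle it.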


@@ -1,12 +1,12 @@
/* BEGIN_HEADER */
#include "mbedtls/bignum.h"
#include "mbedtls/private/bignum.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
#include "x509_internal.h"
#include "mbedtls/pem.h"
#include "mbedtls/oid.h"
#include "x509_oid.h"
#include "mbedtls/rsa.h"
#include "mbedtls/private/rsa.h"
#include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/pk.h"
@@ -15,8 +15,7 @@
#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
#if defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
{
unsigned char hash[PSA_HASH_MAX_SIZE];
@@ -41,7 +40,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
goto cleanup;
}
if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,
if (mbedtls_pk_verify_ext(csr.sig_pk, &csr.pk,
csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
csr.sig.p, csr.sig.len) != 0) {
ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
@@ -53,7 +52,7 @@ cleanup:
mbedtls_x509_csr_free(&csr);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
#endif /* MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
#if defined(MBEDTLS_X509_CSR_WRITE_C)
@@ -131,11 +130,9 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char check_buf[4000];
FILE *f;
size_t olen = 0;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
size_t pem_len = 0, buf_index;
int der_len = -1;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
@@ -215,20 +212,14 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
TEST_ASSERT(buf[buf_index] == 0);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used
(void) cert_req_check_file;
buf[pem_len] = '\0';
TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0);
#else
f = fopen(cert_req_check_file, "r");
TEST_ASSERT(f != NULL);
olen = fread(check_buf, 1, sizeof(check_buf), f);
fclose(f);
f = fopen(cert_req_check_file, "r"); //open the file
TEST_ASSERT(f != NULL); //check the file has been opened.
olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file
fclose(f); // close the file
TEST_ASSERT(olen >= pem_len - 1);
TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf));
TEST_ASSERT(der_len >= 0);
@@ -237,14 +228,7 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
goto exit;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
// go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
der_len /= 2;
#else
der_len -= 1;
#endif
ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len));
TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
@@ -256,7 +240,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
int cert_type)
{
@@ -342,10 +326,8 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
int der_len = -1;
FILE *f;
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
mbedtls_x509_san_list san_dns;
@@ -409,7 +391,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
issuer_key_type = mbedtls_pk_get_type(&issuer_key);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
@@ -419,7 +400,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_pk_init(&issuer_key);
TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (pk_wrap == 2) {
TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE);
@@ -570,14 +550,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
TEST_ASSERT(p < end);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
// go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
if (issuer_key_type != MBEDTLS_PK_RSA) {
der_len /= 2;
} else
#endif
der_len -= 1;
ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len));
@@ -592,9 +564,7 @@ exit:
#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
mbedtls_mpi_free(&serial_mpi);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(key_id);
#endif
MD_OR_USE_PSA_DONE();
}
/* END_CASE */