mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-04-16 08:42:50 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge pull request #1264 from Mbed-TLS/pre3.6.1_test_merge_upstream_dev

Browse Source 
Merge development into -restricted
This commit is contained in:
Gilles Peskine 2024-08-12 11:24:35 +02:00 committed by GitHub
commit 1782cc8b95
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
1310 changed files with 14329 additions and 33496 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
.github/pull_request_template.md vendored
View File

@ -6,12 +6,15 @@ Please write a few sentences describing the overall goals of the pull request's
## PR checklist
Please tick as appropriate and edit the reasons (e.g.: "backport: not needed because this is a new feature")
Please remove the segment/s on either side of the | symbol as appropriate, and add any relevant link/s to the end of the line.
If the provided content is part of the present PR remove the # symbol.
- [ ] **changelog** provided, or not required
- [ ] **3.6 backport** done, or not required
- [ ] **2.28 backport** done, or not required
- [ ] **tests** provided, or not required
- [ ] **changelog** provided | not required because:
- [ ] **development PR** provided # | not required because:
- [ ] **framework PR** provided Mbed-TLS/mbedtls-framework# | not required
- [ ] **3.6 PR** provided # | not required because:
- [ ] **2.28 PR** provided # | not required because:
- **tests** provided | not required because:

3
3rdparty/Makefile.inc vendored
View File

@ -1,3 +0,0 @@
THIRDPARTY_DIR := $(dir $(lastword $(MAKEFILE_LIST)))
include $(THIRDPARTY_DIR)/everest/Makefile.inc
include $(THIRDPARTY_DIR)/p256-m/Makefile.inc

26
CMakeLists.txt
View File

@ -22,6 +22,10 @@ cmake_minimum_required(VERSION 3.5.1)
include(CMakePackageConfigHelpers)
# Include convenience functions for printing properties and variables, like
# cmake_print_properties(), cmake_print_variables().
include(CMakePrintHelpers)
# https://cmake.org/cmake/help/latest/policy/CMP0011.html
# Setting this policy is required in CMake >= 3.18.0, otherwise a warning is generated. The OLD
# policy setting is deprecated, and will be removed in future versions.
@ -277,6 +281,15 @@ if(MBEDTLS_FATAL_WARNINGS)
endif(CMAKE_COMPILER_IS_IAR)
endif(MBEDTLS_FATAL_WARNINGS)
if(CMAKE_BUILD_TYPE STREQUAL "Check" AND TEST_CPP)
set(CMAKE_CXX_STANDARD 11)
set(CMAKE_CXX_STANDARD_REQUIRED ON)
set(CMAKE_CXX_EXTENSIONS OFF)
if(CMAKE_COMPILER_IS_CLANG OR CMAKE_COMPILER_IS_GNU)
set(CMAKE_CXX_FLAGS "${CMAKE_CXX_FLAGS} -pedantic")
endif()
endif()
if(CMAKE_BUILD_TYPE STREQUAL "Coverage")
if(CMAKE_COMPILER_IS_GNU OR CMAKE_COMPILER_IS_CLANG)
set(CMAKE_SHARED_LINKER_FLAGS "--coverage")
@ -294,12 +307,10 @@ add_subdirectory(framework)
add_subdirectory(include)
add_subdirectory(3rdparty)
add_subdirectory(tf-psa-crypto)
add_subdirectory(library)
add_subdirectory(tf-psa-crypto)
add_subdirectory(pkgconfig)
#
@ -357,7 +368,9 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library)
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src)
# Request C11, needed for memory poisoning tests
set_target_properties(mbedtls_test PROPERTIES C_STANDARD 11)
@ -370,7 +383,9 @@ if(ENABLE_TESTING OR ENABLE_PROGRAMS)
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/library
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/3rdparty/everest/include)
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/core
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/builtin/src
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/tf-psa-crypto/drivers/everest/include)
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
if(MBEDTLS_CONFIG_FILE)
@ -399,6 +414,7 @@ if(ENABLE_TESTING)
enable_testing()
add_subdirectory(tests)
add_subdirectory(tf-psa-crypto/tests)
# additional convenience targets for Unix only
if(UNIX)

2
CONTRIBUTING.md
View File

@ -57,7 +57,7 @@ Tests
-----
As mentioned, tests that show the correctness of the feature or bug fix should be added to the pull request, if no such tests exist.
Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_rsa.c`). These files are generated from a `function file` (e.g. `suites/test_suite_rsa.function`) and a `data file` (e.g. `suites/test_suite_rsa.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
Mbed TLS includes a comprehensive set of test suites in the `tests/` directory that are dynamically generated to produce the actual test source files (e.g. `test_suite_ssl.c`). These files are generated from a `function file` (e.g. `suites/test_suite_ssl.function`) and a `data file` (e.g. `suites/test_suite_ssl.data`). The function file contains the test functions. The data file contains the test cases, specified as parameters that will be passed to the test function.
[A Knowledge Base article describing how to add additional tests is available on the Mbed TLS website](https://mbed-tls.readthedocs.io/en/latest/kb/development/test_suites/).

9
ChangeLog.d/psa_generate_key_custom.txt Normal file
View File

@ -0,0 +1,9 @@
API changes
* The experimental functions psa_generate_key_ext() and
psa_key_derivation_output_key_ext() have been replaced by
psa_generate_key_custom() and psa_key_derivation_output_key_custom().
They have almost exactly the same interface, but the variable-length
data is passed in a separate parameter instead of a flexible array
member. This resolves a build failure under C++ compilers that do not
support flexible array members (a C99 feature not adopted by C++).
Fixes #9020.

20
Makefile
View File

@ -200,16 +200,23 @@ endif
## Editor navigation files
C_SOURCE_FILES = $(wildcard \
3rdparty/*/include/*/*.h 3rdparty/*/include/*/*/*.h 3rdparty/*/include/*/*/*/*.h \
3rdparty/*/*.c 3rdparty/*/*/*.c 3rdparty/*/*/*/*.c 3rdparty/*/*/*/*/*.c \
include/*/*.h \
library/*.[hc] \
tf-psa-crypto/core/*.[hc] \
tf-psa-crypto/include/*/*.h \
tf-psa-crypto/drivers/builtin/include/*/*.h \
tf-psa-crypto/drivers/*/include/*/*.h \
tf-psa-crypto/drivers/*/include/*/*/*.h \
tf-psa-crypto/drivers/*/include/*/*/*/*.h \
tf-psa-crypto/drivers/builtin/src/*.[hc] \
tf-psa-crypto/drivers/*/*.c \
tf-psa-crypto/drivers/*/*/*.c \
tf-psa-crypto/drivers/*/*/*/*.c \
tf-psa-crypto/drivers/*/*/*/*/*.c \
programs/*/*.[hc] \
tests/include/*/*.h tests/include/*/*/*.h \
tests/src/*.c tests/src/*/*.c \
tests/suites/*.function \
tf-psa-crypto/tests/suites/*.function \
)
# Exuberant-ctags invocation. Other ctags implementations may require different options.
CTAGS = ctags --langmap=c:+.h.function --line-directives=no -o
@ -222,7 +229,8 @@ GPATH GRTAGS GSYMS GTAGS: $(C_SOURCE_FILES)
ls $(C_SOURCE_FILES) | gtags -f - --gtagsconf .globalrc
cscope: cscope.in.out cscope.po.out cscope.out
cscope.in.out cscope.po.out cscope.out: $(C_SOURCE_FILES)
cscope -bq -u -Iinclude -Ilibrary -Itf-psa-crypto/include \
-Itf-psa-crypto/drivers/builtin/include \
$(patsubst %,-I%,$(wildcard 3rdparty/*/include)) -Itests/include $(C_SOURCE_FILES)
cscope -bq -u -Iinclude -Ilibrary -Itf-psa-crypto/core \
-Itf-psa-crypto/include \
-Itf-psa-crypto/drivers/builtin/src \
$(patsubst %,-I%,$(wildcard tf-psa-crypto/drivers/*/include)) -Itests/include $(C_SOURCE_FILES)
.PHONY: cscope global

8
README.md
View File

@ -240,7 +240,7 @@ Please note that the goal of these sample programs is to demonstrate specific fe
Tests
-----
Mbed TLS includes an elaborate test suite in `tests/` that initially requires Python to generate the tests files (e.g. `test\_suite\_mpi.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_mpi.function`) and a `data file` (e.g. `suites/test\_suite\_mpi.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
Mbed TLS includes an elaborate test suite in `tests/` that initially requires Python to generate the tests files (e.g. `test\_suite\_ssl.c`). These files are generated from a `function file` (e.g. `suites/test\_suite\_ssl.function`) and a `data file` (e.g. `suites/test\_suite\_ssl.data`). The `function file` contains the test functions. The `data file` contains the test cases, specified as parameters that will be passed to the test function.
For machines with a Unix shell and OpenSSL (and optionally GnuTLS) installed, additional test scripts are available:
@ -315,10 +315,10 @@ Unless specifically indicated otherwise in a file, Mbed TLS files are provided u
### Third-party code included in Mbed TLS
This project contains code from other projects. This code is located within the `3rdparty/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
This project contains code from other projects. This code is located within the `tf-psa-crypto/drivers/` directory. The original license text is included within project subdirectories, where it differs from the normal Mbed TLS license, and/or in source files. The projects are listed below:
* `3rdparty/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
* `3rdparty/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
* `drivers/everest/`: Files stem from [Project Everest](https://project-everest.github.io/) and are distributed under the Apache 2.0 license.
* `drivers/p256-m/p256-m/`: Files have been taken from the [p256-m](https://github.com/mpg/p256-m) repository. The code in the original repository is distributed under the Apache 2.0 license. It is distributed in Mbed TLS under a dual Apache-2.0 OR GPL-2.0-or-later license with permission from the author.
Contributing
------------

212
docs/architecture/psa-keystore-design.md Normal file
View File

@ -0,0 +1,212 @@
PSA key store design
====================
## Introduction
This document describes the architecture of the key storage in memory in the Mbed TLS and TF-PSA-Crypto implementation of the PSA Cryptography API.
In the PSA Cryptography API, cryptographic operations access key materials via a key identifier (key ID for short). Applications must first create a key object, which allocates storage in memory for the key material and metadata. This storage is under the control of the library and may be located in a different memory space such as a trusted execution environment or a secure element.
The storage of persistent keys is out of scope of this document. See the [Mbed Crypto storage specification](mbed-crypto-storage-specification.md).
## Key slot management interface
### Key store and key slots
The **key store** consists of a collection of **key slots**. Each key slot contains the metadata for one key, as well as the key material or a reference to the key material.
A key slot has the type `psa_key_slot_t`. The key store is a global object which is private inside `psa_crypto_slot_management.c`.
### Key slot entry points
The following operations allocate a key slot by calling `psa_reserve_free_key_slot()`:
* **Creating** a key object, through means such as import, random generation, deterministic derivation, copy, or registration of an existing key that is stored in protected hardware (secure element, hardware unique key (HUK)).
* **Loading** a persistent key from storage, or loading a built-in key. This is done through `psa_get_and_lock_key_slot()`, which calls `psa_reserve_free_key_slot()` and loads the key if applicable.
The following operations free a key slot by calling `psa_wipe_key_slot()` and, if applicable, `psa_free_key_slot()`:
* **Destroying** a key.
* **Purging** a persistent key from memory, either explicitly at the application's request or to free memory.
Deinitializing the PSA Crypto subsystem with `mbedtls_psa_crypto_free()` destroys all volatile keys and purges all persistent keys.
The library accesses key slots in the following scenarios:
* while the key is being created or loaded;
* while the key is being destroyed or purged;
* while the key metadata or key material is being accessed.
### Key slot states
The state of a key slot is indicated by its `state` field of type `psa_key_slot_state_t`, which can be:
* `PSA_SLOT_EMPTY`: a slot that occupies memory but does not currently contain a key.
* `PSA_SLOT_FILLING`: a slot that is being filled to create or load a key.
* `PSA_SLOT_FULL`: a slot containing a key.
* `PSA_SLOT_PENDING_DELETION`: a slot whose key is being destroy or purged.
These states are mostly useful for concurrency. See [Concurrency](#concurrency) below and [key slot states in the PSA thread safety specification](psa-thread-safety/psa-thread-safety.md#key-slot-states).
#### Concurrency
In a multithreaded environment, since Mbed TLS 3.6.0, each key slot is protected by a reader-writer lock. (In earlier versions, the key store was not thread-safe.) The lock is controlled by a single global mutex `mbedtls_threading_psa_globaldata_mutex`. The concurrency state of the slot is indicated by the state and the `registered_readers` field:
* `EMPTY` or `FULL` state, `registered_readers == 0`: the slot is not in use by any thread.
* `FULL` state, `registered_readers != 0`: the slot is being read.
* `FILLING` or `PENDING_DELETION` state: the slot is being written.
For more information, see [PSA thread safety](psa-thread-safety/psa-thread-safety.md).
Note that a slot must not be moved in memory while it is being read or written.
## Key slot management implementations
### Key store implementation variants
There are three variants of the key store implementation, responding to different needs.
* Hybrid key store ([static key slots](#static-key-store) with dynamic key data): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Key material is allocated on the heap. This is the historical implementation. It remains the default in the Mbed TLS 3.6 long-time support (LTS) branch when using a handwritten `mbedtls_config.h`, as is common on resource-constrained platforms, because the alternatives have tradeoffs (key size limit and larger RAM usage at rest for the static key store, larger code size and more risk due to code complexity for the dynamic key store).
* Fully [static key store](#static-key-store) (since Mbed TLS 3.6.1): the key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. Each key slot contains the key representation directly, and the key representation must be no more than `MBEDTLS_PSA_STATIC_KEY_SLOT_BUFFER_SIZE` bytes. This is intended for very constrained devices that do not have a heap.
* [Dynamic key store](#dynamic-key-store) (since Mbed TLS 3.6.1): the key store is dynamically allocated as multiple slices on the heap, with a size that adjusts to the application's usage. Key material is allocated on the heap. Compared to the hybrid key store, the code size and RAM consumption are larger. This is intended for higher-end devices where applications are not expected to have a highly predicatable resource usage. This is the default implementation when using the default `mbedtls_config.h` file, as is common on platforms such as Linux, starting with Mbed TLS 3.6.1.
#### Future improvement: merging the key store variants
In the future, we may reduce the number of key store variants to just two, perhaps even one.
We introduced the variants other than the hybrid key store in a patch release of a long-time support version. As a consequence, we wanted to minimize making changes to the default build (when not using the supplied `mbedtls_config.h`, as explained above), to minimize the risk of bugs and the increase in code size. These considerations will not apply in future major or minor releases, so the default key store can change later.
The static key store could become a runtime decision, where only keys larger than some threshold require the use of heap memory. The reasons not to do this in Mbed TLS 3.6.x are that this increases complexity somewhat (slightly more code size, and more risk), and this changes the RAM usage profile somewhat.
A major constraint on the design of the dynamic key store is the need to preserve slot pointers while a slot may be accessed by another thread (see [“Concurrency”](#concurrency)). With the concurrency primitives available in Mbed TLS 3.x, it is very hard to move a key slot in memory, because there could be an indefinite wait until some other thread has finished accessing the slot. This pushed towards the slice-based organisation described below, where each slice is allocated for the long term. In particular, slices cannot be compacted (compacting would be moving slots out of a sparsely-used slice to free it). Better concurrency primitives (e.g. condition variables or semaphores), together with a `realloc()` primitive, could allow freeing unused memory more aggressively, which could make the dynamic key store not detrimental in RAM usage compared to the historical hybrid key store.
#### Slice abstraction
Some parts of the key slot management code use **key slices** as an abstraction. A key slice is an array of key slots. Key slices are identified by an index which is a small non-negative integer.
* With a [static key store](#static-key-store), there is a single, statically allocated slice, with the index 0.
* With a [dynamic key store](#dynamic-key-store), there is statically allocated array of pointers to key slices. The index of a slice is the index in that array. The slices are allocated on the heap as needed.
#### Key identifiers and slot location
When creating a volatile key, the slice containing the slot and index of the slot in its slice determine the key identifier. When accessing a volatile key, the slice and the slot index in the slice are calculated from the key identifier. The encoding of the slot location in the volatile key identifier is different for a [static](#volatile-key-identifiers-in-the-static-key-store) or [dynamic](#volatile-key-identifiers-in-the-dynamic-key-store) key store.
### Static key store
The static key store is the historical implementation. The key store is a statically allocated array of slots, of size `MBEDTLS_PSA_KEY_SLOT_COUNT`. This value is an upper bound for the total number of volatile keys plus loaded keys.
Since Mbed TLS 3.6.1, there are two variants for the static key store: a hybrid variant (default), and a fully-static variant enabled by the configuration option `MBEDTLS_PSA_STATIC_KEY_SLOTS`. The two variants have the same key store management: the only difference is in how the memory for key data is managed. With fully static key slots, the key data is directly inside the slot, and limited to `MBEDTLS_PSA_KEY_SLOT_BUFFER_SIZE` bytes. With the hybrid key store, the slot contains a pointer to the key data, which is allocated on the heap.
#### Volatile key identifiers in the static key store
For easy lookup, a volatile key whose index is `id` is stored at the index `id - PSA_KEY_ID_VOLATILE_MIN`.
#### Key creation with a static key store
To create a key, `psa_reserve_free_key_slot()` searches the key slot array until it finds one that is empty. If there are none, the code looks for a persistent key that can be purged (see [“Persistent key cache”](#persistent-key-cache)), and purges it. If no slot is free and no slot contains a purgeable key, the key creation fails.
#### Freeing a key slot with a static key store
With a static key store, `psa_wipe_key_slot()` destroys or purges a key by freeing any associated resources, then setting the key slot to the empty state. The slot is then ready for reuse.
### Dynamic key store
The dynamic key store allows a large number of keys, at the expense of more complex memory management.
#### Dynamic key slot performance characteristics
Key management and key access have $O(1)$ amortized performance, and mostly $O(1)$ performance for actions involving keys. More precisely:
* Access to an existing volatile key takes $O(1)$ time.
* Access to a persistent key (including creation and destruction) takes time that is linear in `MBEDTLS_PSA_KEY_SLOT_COUNT`.
* Allocating a key takes amortized $O(1)$ time. Usually the time is $O(s)$ where $s$ is the number of slices (which is a hard-coded value less than $30$), but when creating $k$ volatile keys, at most $\log(k)$ creations will involve calls to `calloc()`, totalling $O(k)$ memory.
* Destroying a volatile key takes $O(1)$ time as of Mbed TLS 3.6.1. Later improvements to memory consumption are likely to involve calls to `free()` which may total $O(k)$ memory where $k$ is the maximum number of volatile keys.
#### Key slices in the dynamic key store
The key slot is organized in slices, which are dynamically arrays of key slot. The number of slices is determined at compile time. The key store contains a static array of pointers to slices.
Volatile keys and loaded keys (persistent or built-in) are stored in separate slices.
Key slices number 0 to `KEY_SLOT_VOLATILE_SLICE_COUNT - 1` contain only volatile keys.
One key slice contains only loaded keys: that key slice is thus the cache slice. See [“Persistent key cache”](persistent-key-cache) for how the cache is managed.
#### Volatile key identifiers in the dynamic key store
A volatile key identifier encodes the slice index and the slot index at separate bit positions. That is, `key_id = BASE | slice_index | slot_index` where the bits set in `BASE`, `slice_index` and `slot_index` do not overlap.
#### From key slot to key slice
Some parts of the slot management code need to determine which key slice contains a key slot when given a pointer to the key slot. In principle, the key slice is uniquely determined from the key identifier which is located in the slot:
* for a volatile key identifier, the [slice index is encoded in the key identifier](#volatile-key-identifiers-in-the-dynamic-key-store);
* for a persistent key identifier or built-in key identifier, [the slot is in the sole cache slice](#key-slices-in-the-dynamic-key-store).
Nonetheless, we store the slice index as a field in the slot, for two reasons:
* It is more robust in case the slice assignment becomes more complex in the future or is somehow buggy.
* It allows the slot to slice correspondence to work even if the key identifier field has not been filled yet or has been wiped. The implementation in Mbed TLS 3.6.1 requires this because `psa_wipe_key_slot()` wipes the slot, then calls `psa_free_key_slot()`, which needs to determine the slice. Keeping the slice index as a separate field allows us to better separate the concerns of key liveness and slot liveness. A redesign of the internal interfaces could improve this, but would be too disruptive in the 3.6 LTS branch.
#### Length of the volatile key slices
The volatile key slices have exponentially increasing length: each slice is twice as long as the previous one. Thus if the length of slice 0 is `B` and there are `N` slices, then there are `B * (2^N - 1)` slots.
As of Mbed TLS 3.6.1, the maximum number of volatile key slots is less than the theoretical maximum of 2^30 - 2^16 (0x10000000..0x7ffeffff, the largest range of key identifiers reserved for the PSA Crypto implementation that does not overlap the range for built-in keys). The reason is that we limit the slot index to 2^25-1 so that the [encoding of volatile key identifiers](#volatile-key-identifiers-in-the-dynamic-key-store) has 25 bits for the slot index.
When `MBEDTLS_TEST_HOOKS` is enabled, the length of key slices can be overridden. We use this in tests that need to fill the key store.
#### Free list
Each volatile key slice has a **free list**. This is a linked list of all the slots in the slice that are free. The global data contains a static array of free list heads, i.e. the index of a free slot in the slice. Each free slot contains the index of the next free slot in that slice's free list. The end of the list is indicated by an index that is larger than the length of the slice. If the list is empty, the head contains an index that is larger than the length.
As a small optimization, a free slot does not actually contain the index of the next slot, but the index of the next free slot on the list _relative to the next slot in the array_. For example, 0 indicates that the next free slot is the slot immediately after the current slot. This fact is the reason for the encoding: a slice freshly obtained from `calloc` has all of its slots in the free list in order. The value 1 indicates that there is one element between this slot and the next free slot. The next element of the free list can come before the current slot: -2 indicates that it's the slot immediately before, -3 is two slots before, and so on (-1 is impossible). In general, the absolute index of the next slot after slot `i` in the free list is `i + 1 slice[i].next_free_relative_to_next`.
#### Dynamic key slot allocation
To create a volatile key, `psa_reserve_free_key_slot()` searches the free lists of each allocated slice until it finds a slice that is not full. If all allocated slices are full, the code allocates a new slice at the lowest possible slice index. If all possible slices are already allocated and full, the key creation fails.
The newly allocated slot is removed from the slice's free list.
We only allocate a slice of size `B * 2^k` if there are already `B * (2^k - 1)` occupied slots. Thus the memory overhead is at most `B` slots plus the number of occupied slots, i.e. the memory consumption for slots is at most twice the required memory plus a small constant overhead.
#### Dynamic key slot deallocation
When destroying a volatile key, `psa_wipe_key_slot()` calls `psa_free_key_slot()`. This function adds the newly freed slot to the head of the free list.
##### Future improvement: slice deallocation
As of Mbed TLS 3.6.1, `psa_free_key_slot()` does not deallocate slices. Thus the memory consumption for slots never decreases (except when the PSA crypto subsystem is deinitialized). Freeing key slices intelligently would be a desirable improvement.
We should not free a key slice as soon as it becomes empty, because that would cause large allocations and deallocations if there are slices full of long-lived keys, and then one slice keeps being allocate and deallocated for the occasional short-lived keys. Rather, there should be some hysteresis, e.g. only deallocate a slice if there are at least T free slots in the previous slice. [#9435](https://github.com/Mbed-TLS/mbedtls/issues/9435)
Note that currently, the slice array contains one sequence of allocated slices followed by one sequence of unallocated slices. Mixing allocated and unallocated slices may make some parts of the code a little more complex, and should be tested thoroughly.
### Persistent key cache
Persistent keys and built-in keys need to be loaded into the in-memory key store each time they are accessed:
* while creating them;
* to access their metadata;
* to start performing an operation with the key;
* when destroying the key.
To avoid frequent storage access, we cache persistent keys in memory. This cache also applies to built-in keys.
With the [static key store](#static-key-store), a non-empty slot can contain either a volatile key or a cache entry for a persistent or built-in key. With the [dynamic key store](#dynamic-key-store), volatile keys and cached keys are placed in separate [slices](#key-slices-in-the-dynamic-key-store).
The persistent key cache is a fixed-size array of `MBEDTLS_PSA_KEY_SLOT_COUNT` slots. In the static key store, this array is shared with volatile keys. In the dynamic key store, the cache is a separate array that does not contain volatile keys.
#### Accessing a persistent key
`psa_get_and_lock_key_slot()` automatically loads persistent and built-in keys if the specified key identifier is in the corresponding range. To that effect, it traverses the key cache to see if a key with the given identifier is already loaded. If not, it loads the key. This cache walk takes time that is proportional to the cache size.
#### Cache eviction
A key slot must be allocated in the cache slice:
* to create a volatile key (static key store only);
* to create a persistent key;
* to load a persistent or built-in key.
If the cache slice is full, the code will try to evict an entry. Only slots that do not have readers can be evicted (see [“Concurrency”](#concurrency)). In the static key store, slots containing volatile keys cannot be evicted.
As of Mbed TLS 3.6.1, there is no tracking of a key's usage frequency or age. The slot eviction code picks the first evictable slot it finds in its traversal order. We have not reasoned about or experimented with different strategies.

2
docs/psa-driver-example-and-guide.md
View File

@ -138,7 +138,7 @@ This guide assumes you are building Mbed TLS from source alongside your project.
### Example: Manually integrating a software accelerator alongside Mbed TLS
[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `3rdparty/p256-m`. In this section, we will look at how this integration was done.
[p256-m](https://github.com/mpg/p256-m) is a minimalistic implementation of ECDH and ECDSA on the NIST P-256 curve, specifically optimized for use in constrained 32-bit environments. It started out as an independent project and has been integrated in Mbed TLS as a PSA transparent driver. The source code of p256-m and the driver entry points is located in the Mbed TLS source tree under `drivers/p256-m`. In this section, we will look at how this integration was done.
The Mbed TLS build system includes the instructions needed to build p256-m. To build with and use p256-m, set the macro `MBEDTLS_PSA_P256M_DRIVER_ENABLED` using `config.py`, then build as usual using make/cmake. From the root of the `mbedtls/` directory, run:

2
docs/psa-transition.md
View File

@ -779,7 +779,7 @@ A finite-field Diffie-Hellman key can be used for key agreement with the algorit
The easiest way to create a key pair object is by randomly generating it with [`psa_generate_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga1985eae417dfbccedf50d5fff54ea8c5). Compared with the low-level functions from the legacy API (`mbedtls_rsa_gen_key`, `mbedtls_ecp_gen_privkey`, `mbedtls_ecp_gen_keypair`, `mbedtls_ecp_gen_keypair_base`, `mbedtls_ecdsa_genkey`), this directly creates an object that can be used with high-level APIs, but removes some of the flexibility. Note that if you want to export the generated private key, you must pass the flag [`PSA_KEY_USAGE_EXPORT`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__policy/#group__policy_1ga7dddccdd1303176e87a4d20c87b589ed) to [`psa_set_key_usage_flags`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__attributes/#group__attributes_1ga42a65b3c4522ce9b67ea5ea7720e17de); exporting the public key with [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) is always permitted.
For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_ext`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#group__random_1ga6776360ae8046a4456a5f990f997da58) to select a different public exponent. As of Mbed TLS 3.6.0, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers.
For RSA keys, `psa_generate_key` uses 65537 as the public exponent. You can use [`psa_generate_key_custom`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__random/#ga0415617443afe42a712027bbb8ad89f0) to select a different public exponent. As of Mbed TLS 3.6.1, selecting a different public exponent is only supported with the built-in RSA implementation, not with PSA drivers.
To create a key object from existing material, use [`psa_import_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga0336ea76bf30587ab204a8296462327b). This function has the same basic goal as the PK parse functions (`mbedtls_pk_parse_key`, `mbedtls_pk_parse_public_key`, `mbedtls_pk_parse_subpubkey`), but only supports a single format that just contains the number(s) that make up the key, with very little metadata. The table below summarizes the PSA import/export format for key pairs and public keys; see the documentation of [`psa_export_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1ga668e35be8d2852ad3feeef74ac6f75bf) and [`psa_export_public_key`](https://mbed-tls.readthedocs.io/projects/api/en/development/api/group/group__import__export/#group__import__export_1gaf22ae73312217aaede2ea02cdebb6062) for more details.

50
docs/requirements.txt
View File

@ -1,63 +1,66 @@
#
# This file is autogenerated by pip-compile with Python 3.9
# This file is autogenerated by pip-compile with Python 3.8
# by the following command:
#
# pip-compile requirements.in
#
alabaster==0.7.13
# via sphinx
babel==2.12.1
babel==2.15.0
# via sphinx
breathe==4.35.0
# via -r requirements.in
certifi==2022.12.7
certifi==2024.7.4
# via requests
charset-normalizer==3.1.0
charset-normalizer==3.3.2
# via requests
click==8.1.3
click==8.1.7
# via readthedocs-cli
docutils==0.17.1
docutils==0.20.1
# via
# breathe
# sphinx
# sphinx-rtd-theme
idna==3.4
idna==3.7
# via requests
imagesize==1.4.1
# via sphinx
importlib-metadata==6.0.0
importlib-metadata==8.0.0
# via sphinx
jinja2==3.1.2
jinja2==3.1.4
# via sphinx
markdown-it-py==2.2.0
markdown-it-py==3.0.0
# via rich
markupsafe==2.1.2
markupsafe==2.1.5
# via jinja2
mdurl==0.1.2
# via markdown-it-py
packaging==23.0
packaging==24.1
# via sphinx
pygments==2.14.0
pygments==2.18.0
# via
# rich
# sphinx
pyyaml==6.0
pytz==2024.1
# via babel
pyyaml==6.0.1
# via readthedocs-cli
readthedocs-cli==4
# via -r requirements.in
requests==2.28.2
requests==2.32.3
# via
# readthedocs-cli
# sphinx
rich==13.3.5
rich==13.7.1
# via readthedocs-cli
snowballstemmer==2.2.0
# via sphinx
sphinx==4.5.0
sphinx==7.1.2
# via
# breathe
# sphinx-rtd-theme
sphinx-rtd-theme==1.2.0
# sphinxcontrib-jquery
sphinx-rtd-theme==2.0.0
# via -r requirements.in
sphinxcontrib-applehelp==1.0.4
# via sphinx
@ -65,7 +68,7 @@ sphinxcontrib-devhelp==1.0.2
# via sphinx
sphinxcontrib-htmlhelp==2.0.1
# via sphinx
sphinxcontrib-jquery==2.0.0
sphinxcontrib-jquery==4.1
# via sphinx-rtd-theme
sphinxcontrib-jsmath==1.0.1
# via sphinx
@ -73,10 +76,9 @@ sphinxcontrib-qthelp==1.0.3
# via sphinx
sphinxcontrib-serializinghtml==1.1.5
# via sphinx
urllib3==1.26.15
typing-extensions==4.12.2
# via rich
urllib3==2.2.2
# via requests
zipp==3.15.0
zipp==3.19.2
# via importlib-metadata
# The following packages are considered to be unsafe in a requirements file:
# setuptools

2
framework

@ -1 +1 @@
Subproject commit 29e8dce54a1041e22489f713cc8c44f700fafcec
Subproject commit 331565b041f794df2da76394b3b0039abce30355

48
include/mbedtls/check_config.h
View File

@ -189,9 +189,7 @@
defined(MBEDTLS_ECDH_GEN_PUBLIC_ALT) || \
defined(MBEDTLS_ECDSA_SIGN_ALT) || \
defined(MBEDTLS_ECDSA_VERIFY_ALT) || \
defined(MBEDTLS_ECDSA_GENKEY_ALT) || \
defined(MBEDTLS_ECP_INTERNAL_ALT) || \
defined(MBEDTLS_ECP_ALT) )
defined(MBEDTLS_ECDSA_GENKEY_ALT) )
#error "MBEDTLS_ECP_RESTARTABLE defined, but it cannot coexist with an alternative ECP implementation"
#endif
@ -269,42 +267,6 @@
#error "MBEDTLS_CHACHAPOLY_C defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_RANDOMIZE_JAC_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_ADD_MIXED_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_ADD_MIXED_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_DOUBLE_JAC_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_NORMALIZE_JAC_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_RANDOMIZE_MXZ_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_NORMALIZE_MXZ_ALT defined, but not all prerequisites"
#endif
#if defined(MBEDTLS_ECP_NO_FALLBACK) && !defined(MBEDTLS_ECP_INTERNAL_ALT)
#error "MBEDTLS_ECP_NO_FALLBACK defined, but no alternative implementation enabled"
#endif
#if defined(MBEDTLS_HKDF_C) && !defined(MBEDTLS_MD_C)
#error "MBEDTLS_HKDF_C defined, but not all prerequisites"
#endif
@ -768,8 +730,8 @@
#if !defined(MBEDTLS_SHA512_C)
#error "MBEDTLS_SHA512_USE_A64_CRYPTO_* defined without MBEDTLS_SHA512_C"
#endif
#if defined(MBEDTLS_SHA512_ALT) || defined(MBEDTLS_SHA512_PROCESS_ALT)
#error "MBEDTLS_SHA512_*ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*"
#if defined(MBEDTLS_SHA512_PROCESS_ALT)
#error "MBEDTLS_SHA512_PROCESS_ALT can't be used with MBEDTLS_SHA512_USE_A64_CRYPTO_*"
#endif
#endif /* MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT || MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY */
@ -788,8 +750,8 @@
#if !defined(MBEDTLS_SHA256_C)
#error "MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_* defined without MBEDTLS_SHA256_C"
#endif
#if defined(MBEDTLS_SHA256_ALT) || defined(MBEDTLS_SHA256_PROCESS_ALT)
#error "MBEDTLS_SHA256_*ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
#if defined(MBEDTLS_SHA256_PROCESS_ALT)
#error "MBEDTLS_SHA256_PROCESS_ALT can't be used with MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_*"
#endif
#endif

6
include/mbedtls/config_adjust_legacy_crypto.h
View File

@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options
@ -433,7 +433,7 @@
#define MBEDTLS_PSA_UTIL_HAVE_ECDSA
#endif
/* Some internal helpers to determine which keys are availble. */
/* Some internal helpers to determine which keys are available. */
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_AES_C)) || \
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_KEY_TYPE_AES))
#define MBEDTLS_SSL_HAVE_AES
@ -447,7 +447,7 @@
#define MBEDTLS_SSL_HAVE_CAMELLIA
#endif
/* Some internal helpers to determine which operation modes are availble. */
/* Some internal helpers to determine which operation modes are available. */
#if (!defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_CIPHER_MODE_CBC)) || \
(defined(MBEDTLS_USE_PSA_CRYPTO) && defined(PSA_WANT_ALG_CBC_NO_PADDING))
#define MBEDTLS_SSL_HAVE_CBC

2
include/mbedtls/config_adjust_ssl.h
View File

@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options

2
include/mbedtls/config_adjust_x509.h
View File

@ -4,7 +4,7 @@
*
* This is an internal header. Do not include it directly.
*
* Automatically enable certain dependencies. Generally, MBEDLTS_xxx
* Automatically enable certain dependencies. Generally, MBEDTLS_xxx
* configurations need to be explicitly enabled by the user: enabling
* MBEDTLS_xxx_A but not MBEDTLS_xxx_B when A requires B results in a
* compilation error. However, we do automatically enable certain options

132
include/mbedtls/mbedtls_config.h
View File

@ -350,62 +350,6 @@
*/
//#define MBEDTLS_TIMING_ALT
/**
* \def MBEDTLS_AES_ALT
*
* MBEDTLS__MODULE_NAME__ALT: Uncomment a macro to let Mbed TLS use your
* alternate core implementation of a symmetric crypto, an arithmetic or hash
* module (e.g. platform specific assembly optimized implementations). Keep
* in mind that the function prototypes should remain the same.
*
* This replaces the whole module. If you only want to replace one of the
* functions, use one of the MBEDTLS__FUNCTION_NAME__ALT flags.
*
* Example: In case you uncomment MBEDTLS_AES_ALT, Mbed TLS will no longer
* provide the "struct mbedtls_aes_context" definition and omit the base
* function declarations and implementations. "aes_alt.h" will be included from
* "aes.h" to include the new function definitions.
*
* Uncomment a macro to enable alternate implementation of the corresponding
* module.
*
* \warning MD5, DES and SHA-1 are considered weak and their
* use constitutes a security risk. If possible, we recommend
* avoiding dependencies on them, and considering stronger message
* digests and ciphers instead.
*
*/
//#define MBEDTLS_AES_ALT
//#define MBEDTLS_ARIA_ALT
//#define MBEDTLS_CAMELLIA_ALT
//#define MBEDTLS_CCM_ALT
//#define MBEDTLS_CHACHA20_ALT
//#define MBEDTLS_CHACHAPOLY_ALT
//#define MBEDTLS_CMAC_ALT
//#define MBEDTLS_DES_ALT
//#define MBEDTLS_DHM_ALT
//#define MBEDTLS_ECJPAKE_ALT
//#define MBEDTLS_GCM_ALT
//#define MBEDTLS_NIST_KW_ALT
//#define MBEDTLS_MD5_ALT
//#define MBEDTLS_POLY1305_ALT
//#define MBEDTLS_RIPEMD160_ALT
//#define MBEDTLS_RSA_ALT
//#define MBEDTLS_SHA1_ALT
//#define MBEDTLS_SHA256_ALT
//#define MBEDTLS_SHA512_ALT
/*
* When replacing the elliptic curve module, please consider, that it is
* implemented with two .c files:
* - ecp.c
* - ecp_curves.c
* You can replace them very much like all the other MBEDTLS__MODULE_NAME__ALT
* macros as described above. The only difference is that you have to make sure
* that you provide functionality for both .c files.
*/
//#define MBEDTLS_ECP_ALT
/**
* \def MBEDTLS_SHA256_PROCESS_ALT
*
@ -461,71 +405,6 @@
//#define MBEDTLS_ECDSA_SIGN_ALT
//#define MBEDTLS_ECDSA_GENKEY_ALT
/**
* \def MBEDTLS_ECP_INTERNAL_ALT
*
* Expose a part of the internal interface of the Elliptic Curve Point module.
*
* MBEDTLS_ECP__FUNCTION_NAME__ALT: Uncomment a macro to let Mbed TLS use your
* alternative core implementation of elliptic curve arithmetic. Keep in mind
* that function prototypes should remain the same.
*
* This partially replaces one function. The header file from Mbed TLS is still
* used, in contrast to the MBEDTLS_ECP_ALT flag. The original implementation
* is still present and it is used for group structures not supported by the
* alternative.
*
* The original implementation can in addition be removed by setting the
* MBEDTLS_ECP_NO_FALLBACK option, in which case any function for which the
* corresponding MBEDTLS_ECP__FUNCTION_NAME__ALT macro is defined will not be
* able to fallback to curves not supported by the alternative implementation.
*
* Any of these options become available by defining MBEDTLS_ECP_INTERNAL_ALT
* and implementing the following functions:
* unsigned char mbedtls_internal_ecp_grp_capable(
* const mbedtls_ecp_group *grp )
* int mbedtls_internal_ecp_init( const mbedtls_ecp_group *grp )
* void mbedtls_internal_ecp_free( const mbedtls_ecp_group *grp )
* The mbedtls_internal_ecp_grp_capable function should return 1 if the
* replacement functions implement arithmetic for the given group and 0
* otherwise.
* The functions mbedtls_internal_ecp_init and mbedtls_internal_ecp_free are
* called before and after each point operation and provide an opportunity to
* implement optimized set up and tear down instructions.
*
* Example: In case you set MBEDTLS_ECP_INTERNAL_ALT and
* MBEDTLS_ECP_DOUBLE_JAC_ALT, Mbed TLS will still provide the ecp_double_jac()
* function, but will use your mbedtls_internal_ecp_double_jac() if the group
* for the operation is supported by your implementation (i.e. your
* mbedtls_internal_ecp_grp_capable() function returns 1 for this group). If the
* group is not supported by your implementation, then the original Mbed TLS
* implementation of ecp_double_jac() is used instead, unless this fallback
* behaviour is disabled by setting MBEDTLS_ECP_NO_FALLBACK (in which case
* ecp_double_jac() will return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE).
*
* The function prototypes and the definition of mbedtls_ecp_group and
* mbedtls_ecp_point will not change based on MBEDTLS_ECP_INTERNAL_ALT, so your
* implementation of mbedtls_internal_ecp__function_name__ must be compatible
* with their definitions.
*
* Uncomment a macro to enable alternate implementation of the corresponding
* function.
*/
/* Required for all the functions in this section */
//#define MBEDTLS_ECP_INTERNAL_ALT
/* Turn off software fallback for curves not supported in hardware */
//#define MBEDTLS_ECP_NO_FALLBACK
/* Support for Weierstrass curves with Jacobi representation */
//#define MBEDTLS_ECP_RANDOMIZE_JAC_ALT
//#define MBEDTLS_ECP_ADD_MIXED_ALT
//#define MBEDTLS_ECP_DOUBLE_JAC_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT
//#define MBEDTLS_ECP_NORMALIZE_JAC_ALT
/* Support for curves with Montgomery arithmetic */
//#define MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT
//#define MBEDTLS_ECP_RANDOMIZE_MXZ_ALT
//#define MBEDTLS_ECP_NORMALIZE_MXZ_ALT
/**
* \def MBEDTLS_ENTROPY_HARDWARE_ALT
*
@ -828,7 +707,7 @@
*
* \note This option only works with the default software implementation of
* elliptic curve functionality. It is incompatible with
* MBEDTLS_ECP_ALT, MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.
* MBEDTLS_ECDH_XXX_ALT, MBEDTLS_ECDSA_XXX_ALT.
*
* Requires: MBEDTLS_ECP_C
*
@ -1116,7 +995,7 @@
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* \warning If SHA-256 is provided only by a PSA driver, you must call
* psa_crypto_init() before the first hanshake (even if
* psa_crypto_init() before the first handshake (even if
* MBEDTLS_USE_PSA_CRYPTO is disabled).
*
* This enables the following ciphersuites (if other requisites are
@ -2604,11 +2483,6 @@
* Enable the CMAC (Cipher-based Message Authentication Code) mode for block
* ciphers.
*
* \note When #MBEDTLS_CMAC_ALT is active, meaning that the underlying
* implementation of the CMAC algorithm is provided by an alternate
* implementation, that alternate implementation may opt to not support
* AES-192 or 3DES as underlying block ciphers for the CMAC operation.
*
* Module: library/cmac.c
*
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_AES_C or MBEDTLS_DES_C
@ -2623,7 +2497,7 @@
* The CTR_DRBG generator uses AES-256 by default.
* To use AES-128 instead, enable \c MBEDTLS_CTR_DRBG_USE_128_BIT_KEY above.
*
* AES support can either be achived through builtin (MBEDTLS_AES_C) or PSA.
* AES support can either be achieved through builtin (MBEDTLS_AES_C) or PSA.
* Builtin is the default option when MBEDTLS_AES_C is defined otherwise PSA
* is used.
*

4
include/mbedtls/ssl.h
View File

@ -643,7 +643,7 @@
*/
#if defined(MBEDTLS_SSL_PROTO_TLS1_3) && \
defined(MBEDTLS_SSL_SESSION_TICKETS) && \
defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM) && \
defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM) && \
defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_PSK_MAX_LEN 48 /* 384 bits */
#else
@ -1153,7 +1153,7 @@ typedef void mbedtls_ssl_async_cancel_t(mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_KEY_EXCHANGE_WITH_CERT_ENABLED) && \
!defined(MBEDTLS_SSL_KEEP_PEER_CERTIFICATE)
#define MBEDTLS_SSL_PEER_CERT_DIGEST_MAX_LEN 48
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE MBEDTLS_MD_SHA256
#define MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN 32
#elif defined(PSA_WANT_ALG_SHA_384)

2
library/.gitignore vendored
View File

@ -6,6 +6,4 @@ libmbed*
/error.c
/version_features.c
/ssl_debug_helpers_generated.c
/psa_crypto_driver_wrappers.h
/psa_crypto_driver_wrappers_no_static.c
###END_GENERATED_FILES###

198
library/CMakeLists.txt
View File

@ -10,87 +10,90 @@ if(NOT DEFINED MBEDTLS_DIR)
set(MBEDTLS_DIR ${CMAKE_SOURCE_DIR})
endif()
set(TF_PSA_CRYPTO_CORE_DIR ../tf-psa-crypto/core)
set(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR ../tf-psa-crypto/drivers/builtin/src)
set(src_crypto
aes.c
aesni.c
aesce.c
aria.c
asn1parse.c
asn1write.c
base64.c
bignum.c
bignum_core.c
bignum_mod.c
bignum_mod_raw.c
block_cipher.c
camellia.c
ccm.c
chacha20.c
chachapoly.c
cipher.c
cipher_wrap.c
constant_time.c
cmac.c
ctr_drbg.c
des.c
dhm.c
ecdh.c
ecdsa.c
ecjpake.c
ecp.c
ecp_curves.c
ecp_curves_new.c
entropy.c
entropy_poll.c
error.c
gcm.c
hkdf.c
hmac_drbg.c
lmots.c
lms.c
md.c
md5.c
memory_buffer_alloc.c
nist_kw.c
oid.c
pem.c
pk.c
pk_ecc.c
pk_wrap.c
pkcs12.c
pkcs5.c
pkparse.c
pkwrite.c
platform.c
platform_util.c
poly1305.c
psa_crypto.c
psa_crypto_aead.c
psa_crypto_cipher.c
psa_crypto_client.c
psa_crypto_driver_wrappers_no_static.c
psa_crypto_ecp.c
psa_crypto_ffdh.c
psa_crypto_hash.c
psa_crypto_mac.c
psa_crypto_pake.c
psa_crypto_rsa.c
psa_crypto_se.c
psa_crypto_slot_management.c
psa_crypto_storage.c
psa_its_file.c
psa_util.c
ripemd160.c
rsa.c
rsa_alt_helpers.c
sha1.c
sha256.c
sha512.c
sha3.c
threading.c
timing.c
version.c
version_features.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aes.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesni.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aesce.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/aria.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1parse.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/asn1write.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/base64.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_core.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/bignum_mod_raw.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/block_cipher.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/camellia.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ccm.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chacha20.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/chachapoly.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cipher_wrap.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/constant_time.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/cmac.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ctr_drbg.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/des.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/dhm.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdh.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecdsa.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecjpake.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ecp_curves_new.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/entropy_poll.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/gcm.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hkdf.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/hmac_drbg.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lmots.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/lms.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/md5.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/memory_buffer_alloc.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/nist_kw.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/oid.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pem.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_ecc.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pk_wrap.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs12.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkcs5.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkparse.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/pkwrite.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/platform_util.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/poly1305.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_aead.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_cipher.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_client.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ecp.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_ffdh.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_hash.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_mac.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_pake.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_rsa.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_se.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_slot_management.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_storage.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_its_file.c
${TF_PSA_CRYPTO_CORE_DIR}/psa_util.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/ripemd160.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/rsa_alt_helpers.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha1.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha256.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha512.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/sha3.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/threading.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/timing.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version.c
${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
)
set(src_x509
@ -133,14 +136,14 @@ if(GEN_FILES)
file(GLOB tls_error_headers ${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/*.h)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/error.c
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
COMMAND
${PERL_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
${CMAKE_CURRENT_BINARY_DIR}/error.c
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_errors.pl
${crypto_error_headers}
@ -150,13 +153,13 @@ if(GEN_FILES)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/version_features.c
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
COMMAND
${PERL_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files
${CMAKE_CURRENT_BINARY_DIR}/version_features.c
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_features.pl
${CMAKE_CURRENT_SOURCE_DIR}/../include/mbedtls/mbedtls_config.h
@ -178,24 +181,23 @@ if(GEN_FILES)
add_custom_command(
OUTPUT
${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers.h
${CMAKE_CURRENT_BINARY_DIR}/psa_crypto_driver_wrappers_no_static.c
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
${CMAKE_CURRENT_BINARY_DIR}
${CMAKE_CURRENT_BINARY_DIR}/${TF_PSA_CRYPTO_CORE_DIR}
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/generate_driver_wrappers.py
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
${CMAKE_CURRENT_SOURCE_DIR}/../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
)
else()
link_to_source(error.c)
link_to_source(version_features.c)
link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/error.c)
link_to_source(${TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_DIR}/version_features.c)
link_to_source(ssl_debug_helpers_generated.c)
link_to_source(psa_crypto_driver_wrappers_no_static.c)
link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers.h)
link_to_source(${TF_PSA_CRYPTO_CORE_DIR}/psa_crypto_driver_wrappers_no_static.c)
endif()
if(CMAKE_COMPILER_IS_GNUCC)
@ -324,19 +326,19 @@ endif(USE_SHARED_MBEDTLS_LIBRARY)
foreach(target IN LISTS target_libraries)
add_library(MbedTLS::${target} ALIAS ${target}) # add_subdirectory support
# Include public header files from /include and other directories
# declared by /3rdparty/**/CMakeLists.txt. Include private header files
# from /library and others declared by /3rdparty/**/CMakeLists.txt.
# /library needs to be listed explicitly when building .c files outside
# of /library (which currently means: under /3rdparty).
# Include public header files from /include, /tf-psa-crypto/include/ and
# tf-psa-crypto/drivers/builtin/include/. Include private header files
# from /library, tf-psa-crypto/core/ and tf-psa-crypto/drivers/builtin/src/.
target_include_directories(${target}
PUBLIC $<BUILD_INTERFACE:${MBEDTLS_DIR}/include/>
$<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/include/>
$<BUILD_INTERFACE:${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/include/>
$<INSTALL_INTERFACE:include/>
PRIVATE ${MBEDTLS_DIR}/library/
${MBEDTLS_DIR}/tf-psa-crypto/core
${MBEDTLS_DIR}/tf-psa-crypto/drivers/builtin/src
# Needed to include psa_crypto_driver_wrappers.h
${CMAKE_CURRENT_BINARY_DIR})
${CMAKE_CURRENT_BINARY_DIR}/../tf-psa-crypto/core)
# Pass-through MBEDTLS_CONFIG_FILE and MBEDTLS_USER_CONFIG_FILE
if(MBEDTLS_CONFIG_FILE)
target_compile_definitions(${target}

212
library/Makefile
View File

@ -2,11 +2,15 @@ ifndef MBEDTLS_PATH
MBEDTLS_PATH := ..
endif
TF_PSA_CRYPTO_CORE_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/core
TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH = $(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
GENERATED_FILES := \
error.c version_features.c \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c \
ssl_debug_helpers_generated.c \
psa_crypto_driver_wrappers.h \
psa_crypto_driver_wrappers_no_static.c
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
ifneq ($(GENERATED_FILES),$(wildcard $(GENERATED_FILES)))
ifeq (,$(wildcard $(MBEDTLS_PATH)/framework/exported.make))
@ -29,11 +33,12 @@ WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
LDFLAGS ?=
# Include ../include, ../tf-psa-crypto/include and
# ../tf-psa-crypto/drivers/builtin/include for public headers and . for
# private headers. Note that . needs to be included explicitly for the sake of
# library files that are not in the /library directory (which currently means
# under /3rdparty).
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../include -I../tf-psa-crypto/include \
# ../tf-psa-crypto/drivers/builtin/include for public headers and .,
# ../tf-psa-crypto/core and ../tf-psa-crypto/drivers/builtin/src for
# private headers.
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I. -I../tf-psa-crypto/core \
-I../tf-psa-crypto/drivers/builtin/src \
-I../include -I../tf-psa-crypto/include \
-I../tf-psa-crypto/drivers/builtin/include -D_FILE_OFFSET_BITS=64
LOCAL_LDFLAGS =
@ -105,89 +110,91 @@ endif
endif
OBJS_CRYPTO= \
aes.o \
aesni.o \
aesce.o \
aria.o \
asn1parse.o \
asn1write.o \
base64.o \
bignum.o \
bignum_core.o \
bignum_mod.o \
bignum_mod_raw.o \
block_cipher.o \
camellia.o \
ccm.o \
chacha20.o \
chachapoly.o \
cipher.o \
cipher_wrap.o \
cmac.o \
constant_time.o \
ctr_drbg.o \
des.o \
dhm.o \
ecdh.o \
ecdsa.o \
ecjpake.o \
ecp.o \
ecp_curves.o \
ecp_curves_new.o \
entropy.o \
entropy_poll.o \
error.o \
gcm.o \
hkdf.o \
hmac_drbg.o \
lmots.o \
lms.o \
md.o \
md5.o \
memory_buffer_alloc.o \
nist_kw.o \
oid.o \
pem.o \
pk.o \
pk_ecc.o \
pk_wrap.o \
pkcs12.o \
pkcs5.o \
pkparse.o \
pkwrite.o \
platform.o \
platform_util.o \
poly1305.o \
psa_crypto.o \
psa_crypto_aead.o \
psa_crypto_cipher.o \
psa_crypto_client.o \
psa_crypto_driver_wrappers_no_static.o \
psa_crypto_ecp.o \
psa_crypto_ffdh.o \
psa_crypto_hash.o \
psa_crypto_mac.o \
psa_crypto_pake.o \
psa_crypto_rsa.o \
psa_crypto_se.o \
psa_crypto_slot_management.o \
psa_crypto_storage.o \
psa_its_file.o \
psa_util.o \
ripemd160.o \
rsa.o \
rsa_alt_helpers.o \
sha1.o \
sha256.o \
sha512.o \
sha3.o \
threading.o \
timing.o \
version.o \
version_features.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_aead.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_cipher.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_client.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ecp.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_ffdh.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_hash.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_mac.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_pake.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_rsa.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_se.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_slot_management.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_storage.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_its_file.o \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_util.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aes.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesni.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aesce.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/aria.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1parse.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/asn1write.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/base64.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_core.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/bignum_mod_raw.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/block_cipher.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/camellia.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ccm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chacha20.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/chachapoly.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cipher_wrap.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/cmac.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/constant_time.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ctr_drbg.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/des.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/dhm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdh.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecdsa.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecjpake.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ecp_curves_new.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/entropy_poll.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/gcm.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hkdf.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/hmac_drbg.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lmots.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/lms.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/md5.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/memory_buffer_alloc.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/nist_kw.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/oid.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pem.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_ecc.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pk_wrap.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs12.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkcs5.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkparse.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/pkwrite.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/platform_util.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/poly1305.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/ripemd160.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/rsa_alt_helpers.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha1.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha256.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha512.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/sha3.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/threading.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/timing.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version.o \
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.o \
# This line is intentionally left blank
include ../3rdparty/Makefile.inc
THIRDPARTY_DIR := $(MBEDTLS_PATH)/tf-psa-crypto/drivers
include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/everest/Makefile.inc
include $(MBEDTLS_PATH)/tf-psa-crypto/drivers/p256-m/Makefile.inc
LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
@ -236,6 +243,7 @@ endif
static: libmbedcrypto.a libmbedx509.a libmbedtls.a
cd ../tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile
cd ../tf-psa-crypto/tests && echo "This is a seedfile that contains 64 bytes (65 on Windows)......" > seedfile
shared: libmbedcrypto.$(DLEXT) libmbedx509.$(DLEXT) libmbedtls.$(DLEXT)
@ -349,10 +357,10 @@ else
gen_file_dep = |
endif
error.c: $(gen_file_dep) ../scripts/generate_errors.pl
error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
error.c:
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/generate_errors.pl
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) ../scripts/data_files/error.fmt
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c: $(gen_file_dep) $(filter-out %config%,$(wildcard ../include/mbedtls/*.h))
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/error.c:
echo " Gen $@"
$(PERL) ../scripts/generate_errors.pl
@ -362,38 +370,38 @@ ssl_debug_helpers_generated.c:
echo " Gen $@"
$(PYTHON) ../scripts/generate_ssl_debug_helpers.py --mbedtls-root .. .
version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/generate_features.pl
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c: $(gen_file_dep) ../scripts/data_files/version_features.fmt
## The generated file only depends on the options that are present in mbedtls_config.h,
## not on which options are set. To avoid regenerating this file all the time
## when switching between configurations, don't declare mbedtls_config.h as a
## dependency. Remove this file from your working tree if you've just added or
## removed an option in mbedtls_config.h.
#version_features.c: ../include/mbedtls/mbedtls_config.h
version_features.c:
$(TF_PSA_CRYPTO_DRIVERS_BUILTIN_SRC_PATH)/version_features.c:
echo " Gen $@"
$(PERL) ../scripts/generate_features.pl
GENERATED_WRAPPER_FILES = \
psa_crypto_driver_wrappers.h \
psa_crypto_driver_wrappers_no_static.c
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h \
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers_no_static.c
$(GENERATED_WRAPPER_FILES): ../scripts/generate_driver_wrappers.py
$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
$(GENERATED_WRAPPER_FILES): ../scripts/data_files/driver_templates/psa_crypto_driver_wrappers_no_static.c.jinja
$(GENERATED_WRAPPER_FILES):
echo " Gen $(GENERATED_WRAPPER_FILES)"
$(PYTHON) ../scripts/generate_driver_wrappers.py
$(PYTHON) ../scripts/generate_driver_wrappers.py $(TF_PSA_CRYPTO_CORE_PATH)
psa_crypto.o:psa_crypto_driver_wrappers.h
$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto.o:$(TF_PSA_CRYPTO_CORE_PATH)/psa_crypto_driver_wrappers.h
clean:
ifndef WINDOWS
rm -f *.o libmbed*
rm -f $(THIRDPARTY_CRYPTO_OBJECTS)
rm -f $(OBJS_CRYPTO)
else
if exist *.o del /Q /F *.o
if exist libmbed* del /Q /F libmbed*
del /Q /F del_errors_out_if_the_file_list_is_empty_but_not_if_a_file_does_not_exist $(subst /,\,$(THIRDPARTY_CRYPTO_OBJECTS))
del /Q /F del_errors_out_if_the_file_list_is_empty_but_not_if_a_file_does_not_exist $(subst /,\,$(OBJS_CRYPTO))
endif
neat: clean

287
library/ecp_internal_alt.h
View File

@ -1,287 +0,0 @@
/**
* \file ecp_internal_alt.h
*
* \brief Function declarations for alternative implementation of elliptic curve
* point arithmetic.
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
/*
* References:
*
* [1] BERNSTEIN, Daniel J. Curve25519: new Diffie-Hellman speed records.
* <http://cr.yp.to/ecdh/curve25519-20060209.pdf>
*
* [2] CORON, Jean-S'ebastien. Resistance against differential power analysis
* for elliptic curve cryptosystems. In : Cryptographic Hardware and
* Embedded Systems. Springer Berlin Heidelberg, 1999. p. 292-302.
* <http://link.springer.com/chapter/10.1007/3-540-48059-5_25>
*
* [3] HEDABOU, Mustapha, PINEL, Pierre, et B'EN'ETEAU, Lucien. A comb method to
* render ECC resistant against Side Channel Attacks. IACR Cryptology
* ePrint Archive, 2004, vol. 2004, p. 342.
* <http://eprint.iacr.org/2004/342.pdf>
*
* [4] Certicom Research. SEC 2: Recommended Elliptic Curve Domain Parameters.
* <http://www.secg.org/sec2-v2.pdf>
*
* [5] HANKERSON, Darrel, MENEZES, Alfred J., VANSTONE, Scott. Guide to Elliptic
* Curve Cryptography.
*
* [6] Digital Signature Standard (DSS), FIPS 186-4.
* <http://nvlpubs.nist.gov/nistpubs/FIPS/NIST.FIPS.186-4.pdf>
*
* [7] Elliptic Curve Cryptography (ECC) Cipher Suites for Transport Layer
* Security (TLS), RFC 4492.
* <https://tools.ietf.org/search/rfc4492>
*
* [8] <http://www.hyperelliptic.org/EFD/g1p/auto-shortw-jacobian.html>
*
* [9] COHEN, Henri. A Course in Computational Algebraic Number Theory.
* Springer Science & Business Media, 1 Aug 2000
*/
#ifndef MBEDTLS_ECP_INTERNAL_H
#define MBEDTLS_ECP_INTERNAL_H
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_ECP_INTERNAL_ALT)
/**
* \brief Indicate if the Elliptic Curve Point module extension can
* handle the group.
*
* \param grp The pointer to the elliptic curve group that will be the
* basis of the cryptographic computations.
*
* \return Non-zero if successful.
*/
unsigned char mbedtls_internal_ecp_grp_capable(const mbedtls_ecp_group *grp);
/**
* \brief Initialise the Elliptic Curve Point module extension.
*
* If mbedtls_internal_ecp_grp_capable returns true for a
* group, this function has to be able to initialise the
* module for it.
*
* This module can be a driver to a crypto hardware
* accelerator, for which this could be an initialise function.
*
* \param grp The pointer to the group the module needs to be
* initialised for.
*
* \return 0 if successful.
*/
int mbedtls_internal_ecp_init(const mbedtls_ecp_group *grp);
/**
* \brief Frees and deallocates the Elliptic Curve Point module
* extension.
*
* \param grp The pointer to the group the module was initialised for.
*/
void mbedtls_internal_ecp_free(const mbedtls_ecp_group *grp);
#if defined(MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED)
#if defined(MBEDTLS_ECP_RANDOMIZE_JAC_ALT)
/**
* \brief Randomize jacobian coordinates:
* (X, Y, Z) -> (l^2 X, l^3 Y, l Z) for random l.
*
* \param grp Pointer to the group representing the curve.
*
* \param pt The point on the curve to be randomised, given with Jacobian
* coordinates.
*
* \param f_rng A function pointer to the random number generator.
*
* \param p_rng A pointer to the random number generator state.
*
* \return 0 if successful.
*/
int mbedtls_internal_ecp_randomize_jac(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *pt, int (*f_rng)(void *,
unsigned char *,
size_t),
void *p_rng);
#endif
#if defined(MBEDTLS_ECP_ADD_MIXED_ALT)
/**
* \brief Addition: R = P + Q, mixed affine-Jacobian coordinates.
*
* The coordinates of Q must be normalized (= affine),
* but those of P don't need to. R is not normalized.
*
* This function is used only as a subrutine of
* ecp_mul_comb().
*
* Special cases: (1) P or Q is zero, (2) R is zero,
* (3) P == Q.
* None of these cases can happen as intermediate step in
* ecp_mul_comb():
* - at each step, P, Q and R are multiples of the base
* point, the factor being less than its order, so none of
* them is zero;
* - Q is an odd multiple of the base point, P an even
* multiple, due to the choice of precomputed points in the
* modified comb method.
* So branches for these cases do not leak secret information.
*
* We accept Q->Z being unset (saving memory in tables) as
* meaning 1.
*
* Cost in field operations if done by [5] 3.22:
* 1A := 8M + 3S
*
* \param grp Pointer to the group representing the curve.
*
* \param R Pointer to a point structure to hold the result.
*
* \param P Pointer to the first summand, given with Jacobian
* coordinates
*
* \param Q Pointer to the second summand, given with affine
* coordinates.
*
* \return 0 if successful.
*/
int mbedtls_internal_ecp_add_mixed(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *R, const mbedtls_ecp_point *P,
const mbedtls_ecp_point *Q);
#endif
/**
* \brief Point doubling R = 2 P, Jacobian coordinates.
*
* Cost: 1D := 3M + 4S (A == 0)
* 4M + 4S (A == -3)
* 3M + 6S + 1a otherwise
* when the implementation is based on the "dbl-1998-cmo-2"
* doubling formulas in [8] and standard optimizations are
* applied when curve parameter A is one of { 0, -3 }.
*
* \param grp Pointer to the group representing the curve.
*
* \param R Pointer to a point structure to hold the result.
*
* \param P Pointer to the point that has to be doubled, given with
* Jacobian coordinates.
*
* \return 0 if successful.
*/
#if defined(MBEDTLS_ECP_DOUBLE_JAC_ALT)
int mbedtls_internal_ecp_double_jac(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *R, const mbedtls_ecp_point *P);
#endif
/**
* \brief Normalize jacobian coordinates of an array of (pointers to)
* points.
*
* Using Montgomery's trick to perform only one inversion mod P
* the cost is:
* 1N(t) := 1I + (6t - 3)M + 1S
* (See for example Algorithm 10.3.4. in [9])
*
* This function is used only as a subrutine of
* ecp_mul_comb().
*
* Warning: fails (returning an error) if one of the points is
* zero!
* This should never happen, see choice of w in ecp_mul_comb().
*
* \param grp Pointer to the group representing the curve.
*
* \param T Array of pointers to the points to normalise.
*
* \param t_len Number of elements in the array.
*
* \return 0 if successful,
* an error if one of the points is zero.
*/
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_MANY_ALT)
int mbedtls_internal_ecp_normalize_jac_many(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *T[], size_t t_len);
#endif
/**
* \brief Normalize jacobian coordinates so that Z == 0 || Z == 1.
*
* Cost in field operations if done by [5] 3.2.1:
* 1N := 1I + 3M + 1S
*
* \param grp Pointer to the group representing the curve.
*
* \param pt pointer to the point to be normalised. This is an
* input/output parameter.
*
* \return 0 if successful.
*/
#if defined(MBEDTLS_ECP_NORMALIZE_JAC_ALT)
int mbedtls_internal_ecp_normalize_jac(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *pt);
#endif
#endif /* MBEDTLS_ECP_SHORT_WEIERSTRASS_ENABLED */
#if defined(MBEDTLS_ECP_MONTGOMERY_ENABLED)
#if defined(MBEDTLS_ECP_DOUBLE_ADD_MXZ_ALT)
int mbedtls_internal_ecp_double_add_mxz(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *R,
mbedtls_ecp_point *S,
const mbedtls_ecp_point *P,
const mbedtls_ecp_point *Q,
const mbedtls_mpi *d);
#endif
/**
* \brief Randomize projective x/z coordinates:
* (X, Z) -> (l X, l Z) for random l
*
* \param grp pointer to the group representing the curve
*
* \param P the point on the curve to be randomised given with
* projective coordinates. This is an input/output parameter.
*
* \param f_rng a function pointer to the random number generator
*
* \param p_rng a pointer to the random number generator state
*
* \return 0 if successful
*/
#if defined(MBEDTLS_ECP_RANDOMIZE_MXZ_ALT)
int mbedtls_internal_ecp_randomize_mxz(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *P, int (*f_rng)(void *,
unsigned char *,
size_t),
void *p_rng);
#endif
/**
* \brief Normalize Montgomery x/z coordinates: X = X/Z, Z = 1.
*
* \param grp pointer to the group representing the curve
*
* \param P pointer to the point to be normalised. This is an
* input/output parameter.
*
* \return 0 if successful
*/
#if defined(MBEDTLS_ECP_NORMALIZE_MXZ_ALT)
int mbedtls_internal_ecp_normalize_mxz(const mbedtls_ecp_group *grp,
mbedtls_ecp_point *P);
#endif
#endif /* MBEDTLS_ECP_MONTGOMERY_ENABLED */
#endif /* MBEDTLS_ECP_INTERNAL_ALT */
#endif /* ecp_internal_alt.h */

548
library/ssl_ciphersuites.c
View File

File diff suppressed because it is too large Load Diff

2
library/ssl_cookie.c
View File

@ -40,7 +40,7 @@ static int local_err_translation(psa_status_t status)
* If DTLS is in use, then at least one of SHA-256 or SHA-384 is
* available. Try SHA-256 first as 384 wastes resources
*/
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#define COOKIE_MD MBEDTLS_MD_SHA256
#define COOKIE_MD_OUTLEN 32
#define COOKIE_HMAC_LEN 28

26
library/ssl_misc.h
View File

@ -22,7 +22,7 @@
#include "psa_util_internal.h"
#endif
#if defined(MBEDTLS_MD_CAN_MD5)
#if defined(PSA_WANT_ALG_MD5)
#include "mbedtls/md5.h"
#endif
@ -30,7 +30,7 @@
#include "mbedtls/sha1.h"
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#include "mbedtls/sha256.h"
#endif
@ -254,8 +254,8 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
/* This macro determines whether CBC is supported. */
#if defined(MBEDTLS_SSL_HAVE_CBC) && \
(defined(MBEDTLS_SSL_HAVE_AES) || \
#if defined(PSA_WANT_ALG_CBC_NO_PADDING) && \
(defined(PSA_WANT_KEY_TYPE_AES) || \
defined(MBEDTLS_SSL_HAVE_CAMELLIA) || \
defined(MBEDTLS_SSL_HAVE_ARIA))
#define MBEDTLS_SSL_SOME_SUITES_USE_CBC
@ -290,7 +290,7 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
/* Ciphersuites using HMAC */
#if defined(PSA_WANT_ALG_SHA_384)
#define MBEDTLS_SSL_MAC_ADD 48 /* SHA-384 used for HMAC */
#elif defined(MBEDTLS_MD_CAN_SHA256)
#elif defined(PSA_WANT_ALG_SHA_256)
#define MBEDTLS_SSL_MAC_ADD 32 /* SHA-256 used for HMAC */
#else
#define MBEDTLS_SSL_MAC_ADD 20 /* SHA-1 used for HMAC */
@ -300,7 +300,7 @@ uint32_t mbedtls_ssl_get_extension_mask(unsigned int extension_type);
#define MBEDTLS_SSL_MAC_ADD 16
#endif
#if defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(PSA_WANT_ALG_CBC_NO_PADDING)
#define MBEDTLS_SSL_PADDING_ADD 256
#else
#define MBEDTLS_SSL_PADDING_ADD 0
@ -922,7 +922,7 @@ struct mbedtls_ssl_handshake_params {
/*
* Checksum contexts
*/
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_operation_t fin_sha256_psa;
#else
@ -2429,10 +2429,10 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
{
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V15)
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384:
break;
@ -2483,12 +2483,12 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384:
*md_alg = MBEDTLS_MD_SHA384;
@ -2517,7 +2517,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
unsigned char sig = MBEDTLS_BYTE_0(sig_alg);
switch (hash) {
#if defined(MBEDTLS_MD_CAN_MD5)
#if defined(PSA_WANT_ALG_MD5)
case MBEDTLS_SSL_HASH_MD5:
break;
#endif
@ -2532,7 +2532,7 @@ static inline int mbedtls_ssl_tls12_sig_alg_is_supported(
break;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_SSL_HASH_SHA256:
break;
#endif

188
library/ssl_tls.c
View File

@ -425,7 +425,7 @@ static int ssl_tls12_populate_transform(mbedtls_ssl_transform *transform,
unsigned endpoint,
const mbedtls_ssl_context *ssl);
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha256(const unsigned char *secret, size_t slen,
const char *label,
@ -434,7 +434,7 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen,
static int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *, unsigned char *, size_t *);
static int ssl_calc_finished_tls_sha256(mbedtls_ssl_context *, unsigned char *, int);
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_CHECK_RETURN_CRITICAL
@ -455,9 +455,9 @@ static int ssl_tls12_session_load(mbedtls_ssl_session *session,
static int ssl_update_checksum_start(mbedtls_ssl_context *, const unsigned char *, size_t);
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
static int ssl_update_checksum_sha256(mbedtls_ssl_context *, const unsigned char *, size_t);
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
#if defined(PSA_WANT_ALG_SHA_384)
static int ssl_update_checksum_sha384(mbedtls_ssl_context *, const unsigned char *, size_t);
@ -478,11 +478,11 @@ int mbedtls_ssl_tls_prf(const mbedtls_tls_prf_types prf,
tls_prf = tls_prf_sha384;
break;
#endif /* PSA_WANT_ALG_SHA_384*/
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_SSL_TLS_PRF_SHA256:
tls_prf = tls_prf_sha256;
break;
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 */
default:
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
@ -789,7 +789,7 @@ void mbedtls_ssl_optimize_checksum(mbedtls_ssl_context *ssl,
ssl->handshake->update_checksum = ssl_update_checksum_sha384;
} else
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
if (ciphersuite_info->mac != MBEDTLS_MD_SHA384) {
ssl->handshake->update_checksum = ssl_update_checksum_sha256;
} else
@ -830,7 +830,7 @@ int mbedtls_ssl_add_hs_msg_to_checksum(mbedtls_ssl_context *ssl,
int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
#if defined(PSA_WANT_ALG_SHA_256) || \
defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
@ -840,7 +840,7 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
#else /* SHA-256 or SHA-384 */
((void) ssl);
#endif /* SHA-256 or SHA-384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_abort(&ssl->handshake->fin_sha256_psa);
if (status != PSA_SUCCESS) {
@ -895,7 +895,7 @@ int mbedtls_ssl_reset_checksum(mbedtls_ssl_context *ssl)
static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
#if defined(MBEDTLS_MD_CAN_SHA256) || \
#if defined(PSA_WANT_ALG_SHA_256) || \
defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
@ -907,7 +907,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
(void) buf;
(void) len;
#endif /* SHA-256 or SHA-384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = psa_hash_update(&ssl->handshake->fin_sha256_psa, buf, len);
if (status != PSA_SUCCESS) {
@ -936,7 +936,7 @@ static int ssl_update_checksum_start(mbedtls_ssl_context *ssl,
return 0;
}
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
static int ssl_update_checksum_sha256(mbedtls_ssl_context *ssl,
const unsigned char *buf, size_t len)
{
@ -966,7 +966,7 @@ static void ssl_handshake_params_init(mbedtls_ssl_handshake_params *handshake)
{
memset(handshake, 0, sizeof(mbedtls_ssl_handshake_params));
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
handshake->fin_sha256_psa = psa_hash_operation_init();
#else
@ -2482,179 +2482,179 @@ psa_status_t mbedtls_ssl_cipher_to_psa(mbedtls_cipher_type_t mbedtls_cipher_type
psa_key_type_t *key_type,
size_t *key_size)
{
#if !defined(MBEDTLS_SSL_HAVE_CCM)
#if !defined(PSA_WANT_ALG_CCM)
(void) taglen;
#endif
switch (mbedtls_cipher_type) {
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_AES_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_AES_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_AES_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_AES_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_AES_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_AES_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_AES_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_AES) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(PSA_WANT_KEY_TYPE_AES) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_AES_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_AES;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_ARIA_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_ARIA_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_ARIA_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_ARIA_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_ARIA_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_ARIA_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_ARIA_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_ARIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_ARIA_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_ARIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_CAMELLIA_128_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_CAMELLIA_128_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_CAMELLIA_128_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 128;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_CAMELLIA_192_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_CAMELLIA_192_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 192;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CBC)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_CBC_NO_PADDING)
case MBEDTLS_CIPHER_CAMELLIA_256_CBC:
*alg = PSA_ALG_CBC_NO_PADDING;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_CCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_CCM)
case MBEDTLS_CIPHER_CAMELLIA_256_CCM:
*alg = taglen ? PSA_ALG_AEAD_WITH_SHORTENED_TAG(PSA_ALG_CCM, taglen) : PSA_ALG_CCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(MBEDTLS_SSL_HAVE_GCM)
#if defined(MBEDTLS_SSL_HAVE_CAMELLIA) && defined(PSA_WANT_ALG_GCM)
case MBEDTLS_CIPHER_CAMELLIA_256_GCM:
*alg = PSA_ALG_GCM;
*key_type = PSA_KEY_TYPE_CAMELLIA;
*key_size = 256;
break;
#endif
#if defined(MBEDTLS_SSL_HAVE_CHACHAPOLY)
#if defined(PSA_WANT_ALG_CHACHA20_POLY1305)
case MBEDTLS_CIPHER_CHACHA20_POLY1305:
*alg = PSA_ALG_CHACHA20_POLY1305;
*key_type = PSA_KEY_TYPE_CHACHA20;
@ -4795,7 +4795,7 @@ void mbedtls_ssl_handshake_free(mbedtls_ssl_context *ssl)
}
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_hash_abort(&handshake->fin_sha256_psa);
#else
@ -5611,28 +5611,28 @@ void mbedtls_ssl_config_init(mbedtls_ssl_config *conf)
* about this list.
*/
static const uint16_t ssl_preset_default_groups[] = {
#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
MBEDTLS_SSL_IANA_TLS_GROUP_X25519,
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
#if defined(PSA_WANT_ECC_SECP_R1_256)
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
MBEDTLS_SSL_IANA_TLS_GROUP_SECP384R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_CURVE448)
#if defined(PSA_WANT_ECC_MONTGOMERY_448)
MBEDTLS_SSL_IANA_TLS_GROUP_X448,
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
#if defined(PSA_WANT_ECC_SECP_R1_521)
MBEDTLS_SSL_IANA_TLS_GROUP_SECP521R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_BP256R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
MBEDTLS_SSL_IANA_TLS_GROUP_BP256R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_BP384R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
MBEDTLS_SSL_IANA_TLS_GROUP_BP384R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_BP512R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
MBEDTLS_SSL_IANA_TLS_GROUP_BP512R1,
#endif
#if defined(PSA_WANT_ALG_FFDH)
@ -5664,7 +5664,7 @@ static const int ssl_preset_suiteb_ciphersuites[] = {
static const uint16_t ssl_preset_default_sig_algs[] = {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA256) && \
defined(PSA_WANT_ALG_SHA_256) && \
defined(PSA_WANT_ECC_SECP_R1_256)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
@ -5692,7 +5692,7 @@ static const uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384,
#endif
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT) && defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif
@ -5704,9 +5704,9 @@ static const uint16_t ssl_preset_default_sig_algs[] = {
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384,
#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
MBEDTLS_TLS_SIG_NONE
};
@ -5739,7 +5739,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#endif
#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
@ -5749,7 +5749,7 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
#if defined(MBEDTLS_RSA_C)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_RSA, MBEDTLS_SSL_HASH_SHA256),
#endif
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
MBEDTLS_TLS_SIG_NONE
};
@ -5759,8 +5759,8 @@ static uint16_t ssl_tls12_preset_default_sig_algs[] = {
static const uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ANY_ALLOWED_ENABLED) && \
defined(MBEDTLS_MD_CAN_SHA256) && \
defined(MBEDTLS_ECP_HAVE_SECP256R1)
defined(PSA_WANT_ALG_SHA_256) && \
defined(PSA_WANT_ECC_SECP_R1_256)
MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256,
// == MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256)
#endif
@ -5779,11 +5779,11 @@ static const uint16_t ssl_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_SSL_PROTO_TLS1_2)
static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
MBEDTLS_SSL_TLS12_SIG_AND_HASH_ALG(MBEDTLS_SSL_SIG_ECDSA, MBEDTLS_SSL_HASH_SHA256),
#endif
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
#if defined(MBEDTLS_KEY_EXCHANGE_ECDSA_CERT_REQ_ALLOWED_ENABLED)
@ -5798,7 +5798,7 @@ static uint16_t ssl_tls12_preset_suiteb_sig_algs[] = {
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
static const uint16_t ssl_preset_suiteb_groups[] = {
#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
#if defined(PSA_WANT_ECC_SECP_R1_256)
MBEDTLS_SSL_IANA_TLS_GROUP_SECP256R1,
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
@ -6132,7 +6132,7 @@ mbedtls_pk_type_t mbedtls_ssl_pk_alg_from_sig(unsigned char sig)
mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
{
switch (hash) {
#if defined(MBEDTLS_MD_CAN_MD5)
#if defined(PSA_WANT_ALG_MD5)
case MBEDTLS_SSL_HASH_MD5:
return MBEDTLS_MD_MD5;
#endif
@ -6144,7 +6144,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
case MBEDTLS_SSL_HASH_SHA224:
return MBEDTLS_MD_SHA224;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_SSL_HASH_SHA256:
return MBEDTLS_MD_SHA256;
#endif
@ -6167,7 +6167,7 @@ mbedtls_md_type_t mbedtls_ssl_md_alg_from_hash(unsigned char hash)
unsigned char mbedtls_ssl_hash_from_md_alg(int md)
{
switch (md) {
#if defined(MBEDTLS_MD_CAN_MD5)
#if defined(PSA_WANT_ALG_MD5)
case MBEDTLS_MD_MD5:
return MBEDTLS_SSL_HASH_MD5;
#endif
@ -6179,7 +6179,7 @@ unsigned char mbedtls_ssl_hash_from_md_alg(int md)
case MBEDTLS_MD_SHA224:
return MBEDTLS_SSL_HASH_SHA224;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_MD_SHA256:
return MBEDTLS_SSL_HASH_SHA256;
#endif
@ -6240,43 +6240,43 @@ static const struct {
uint16_t bits;
} tls_id_match_table[] =
{
#if defined(MBEDTLS_ECP_HAVE_SECP521R1)
#if defined(PSA_WANT_ECC_SECP_R1_521)
{ 25, MBEDTLS_ECP_DP_SECP521R1, PSA_ECC_FAMILY_SECP_R1, 521 },
#endif
#if defined(MBEDTLS_ECP_HAVE_BP512R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_512)
{ 28, MBEDTLS_ECP_DP_BP512R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 512 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP384R1)
{ 24, MBEDTLS_ECP_DP_SECP384R1, PSA_ECC_FAMILY_SECP_R1, 384 },
#endif
#if defined(MBEDTLS_ECP_HAVE_BP384R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_384)
{ 27, MBEDTLS_ECP_DP_BP384R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 384 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP256R1)
#if defined(PSA_WANT_ECC_SECP_R1_256)
{ 23, MBEDTLS_ECP_DP_SECP256R1, PSA_ECC_FAMILY_SECP_R1, 256 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP256K1)
#if defined(PSA_WANT_ECC_SECP_K1_256)
{ 22, MBEDTLS_ECP_DP_SECP256K1, PSA_ECC_FAMILY_SECP_K1, 256 },
#endif
#if defined(MBEDTLS_ECP_HAVE_BP256R1)
#if defined(PSA_WANT_ECC_BRAINPOOL_P_R1_256)
{ 26, MBEDTLS_ECP_DP_BP256R1, PSA_ECC_FAMILY_BRAINPOOL_P_R1, 256 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP224R1)
#if defined(PSA_WANT_ECC_SECP_R1_224)
{ 21, MBEDTLS_ECP_DP_SECP224R1, PSA_ECC_FAMILY_SECP_R1, 224 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP224K1)
{ 20, MBEDTLS_ECP_DP_SECP224K1, PSA_ECC_FAMILY_SECP_K1, 224 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP192R1)
#if defined(PSA_WANT_ECC_SECP_R1_192)
{ 19, MBEDTLS_ECP_DP_SECP192R1, PSA_ECC_FAMILY_SECP_R1, 192 },
#endif
#if defined(MBEDTLS_ECP_HAVE_SECP192K1)
#if defined(PSA_WANT_ECC_SECP_K1_192)
{ 18, MBEDTLS_ECP_DP_SECP192K1, PSA_ECC_FAMILY_SECP_K1, 192 },
#endif
#if defined(MBEDTLS_ECP_HAVE_CURVE25519)
#if defined(PSA_WANT_ECC_MONTGOMERY_255)
{ 29, MBEDTLS_ECP_DP_CURVE25519, PSA_ECC_FAMILY_MONTGOMERY, 255 },
#endif
#if defined(MBEDTLS_ECP_HAVE_CURVE448)
#if defined(PSA_WANT_ECC_MONTGOMERY_448)
{ 30, MBEDTLS_ECP_DP_CURVE448, PSA_ECC_FAMILY_MONTGOMERY, 448 },
#endif
{ 0, MBEDTLS_ECP_DP_NONE, 0, 0 },
@ -6443,7 +6443,7 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
break;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_MD_SHA256:
hash_operation_to_clone = &ssl->handshake->fin_sha256_psa;
break;
@ -6465,7 +6465,7 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
exit:
#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
!defined(PSA_WANT_ALG_SHA_256)
(void) ssl;
#endif
return PSA_TO_MBEDTLS_ERR(status);
@ -6510,7 +6510,7 @@ exit:
}
#endif /* PSA_WANT_ALG_SHA_384 */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_CHECK_RETURN_CRITICAL
static int ssl_get_handshake_transcript_sha256(mbedtls_ssl_context *ssl,
unsigned char *dst,
@ -6546,7 +6546,7 @@ exit:
mbedtls_md_free(&sha256);
return ret;
}
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
const mbedtls_md_type_t md,
@ -6561,14 +6561,14 @@ int mbedtls_ssl_get_handshake_transcript(mbedtls_ssl_context *ssl,
return ssl_get_handshake_transcript_sha384(ssl, dst, dst_len, olen);
#endif /* PSA_WANT_ALG_SHA_384*/
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_MD_SHA256:
return ssl_get_handshake_transcript_sha256(ssl, dst, dst_len, olen);
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
default:
#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
!defined(PSA_WANT_ALG_SHA_256)
(void) ssl;
(void) dst;
(void) dst_len;
@ -6834,7 +6834,7 @@ static int tls_prf_generic(mbedtls_md_type_t md_type,
#else /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_MD_C) && \
(defined(MBEDTLS_MD_CAN_SHA256) || \
(defined(PSA_WANT_ALG_SHA_256) || \
defined(PSA_WANT_ALG_SHA_384))
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_generic(mbedtls_md_type_t md_type,
@ -6939,10 +6939,10 @@ exit:
return ret;
}
#endif /* MBEDTLS_MD_C && ( MBEDTLS_MD_CAN_SHA256 || PSA_WANT_ALG_SHA_384 ) */
#endif /* MBEDTLS_MD_C && ( PSA_WANT_ALG_SHA_256 || PSA_WANT_ALG_SHA_384 ) */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_CHECK_RETURN_CRITICAL
static int tls_prf_sha256(const unsigned char *secret, size_t slen,
const char *label,
@ -6952,7 +6952,7 @@ static int tls_prf_sha256(const unsigned char *secret, size_t slen,
return tls_prf_generic(MBEDTLS_MD_SHA256, secret, slen,
label, random, rlen, dstbuf, dlen);
}
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_CHECK_RETURN_CRITICAL
@ -6986,7 +6986,7 @@ static int ssl_set_handshake_prfs(mbedtls_ssl_handshake_params *handshake,
handshake->calc_finished = ssl_calc_finished_tls_sha384;
} else
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
{
(void) hash;
handshake->tls_prf = tls_prf_sha256;
@ -7281,7 +7281,7 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
ssl->handshake->calc_verify = ssl_calc_verify_tls_sha384;
break;
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_SSL_HASH_SHA256:
ssl->handshake->calc_verify = ssl_calc_verify_tls_sha256;
break;
@ -7290,7 +7290,7 @@ int mbedtls_ssl_set_calc_verify_md(mbedtls_ssl_context *ssl, int md)
return -1;
}
#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
!defined(PSA_WANT_ALG_SHA_256)
(void) ssl;
#endif
return 0;
@ -7368,7 +7368,7 @@ exit:
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
unsigned char *hash,
size_t *hlen)
@ -7381,7 +7381,7 @@ int ssl_calc_verify_tls_sha256(const mbedtls_ssl_context *ssl,
hash, hlen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_MD_CAN_SHA256 */
#endif /* PSA_WANT_ALG_SHA_256 */
#if defined(PSA_WANT_ALG_SHA_384)
int ssl_calc_verify_tls_sha384(const mbedtls_ssl_context *ssl,
@ -8418,7 +8418,7 @@ exit:
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
static int ssl_calc_finished_tls_sha256(
mbedtls_ssl_context *ssl, unsigned char *buf, int from)
{
@ -8432,7 +8432,7 @@ static int ssl_calc_finished_tls_sha256(
padbuf, sizeof(padbuf),
buf, from);
}
#endif /* MBEDTLS_MD_CAN_SHA256*/
#endif /* PSA_WANT_ALG_SHA_256*/
#if defined(PSA_WANT_ALG_SHA_384)
@ -8747,7 +8747,7 @@ static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
return tls_prf_sha384;
} else
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
{
if (ciphersuite_info != NULL && ciphersuite_info->mac == MBEDTLS_MD_SHA256) {
return tls_prf_sha256;
@ -8755,7 +8755,7 @@ static tls_prf_fn ssl_tls12prf_from_cs(int ciphersuite_id)
}
#endif
#if !defined(PSA_WANT_ALG_SHA_384) && \
!defined(MBEDTLS_MD_CAN_SHA256)
!defined(PSA_WANT_ALG_SHA_256)
(void) ciphersuite_info;
#endif
@ -8771,7 +8771,7 @@ static mbedtls_tls_prf_types tls_prf_get_type(mbedtls_ssl_tls_prf_cb *tls_prf)
return MBEDTLS_SSL_TLS_PRF_SHA384;
} else
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
if (tls_prf == tls_prf_sha256) {
return MBEDTLS_SSL_TLS_PRF_SHA256;
} else

4
library/x509.c
View File

@ -129,7 +129,7 @@ int mbedtls_x509_get_alg(unsigned char **p, const unsigned char *end,
static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
{
switch (md_alg) {
#if defined(MBEDTLS_MD_CAN_MD5)
#if defined(PSA_WANT_ALG_MD5)
case MBEDTLS_MD_MD5:
return "MD5";
#endif
@ -141,7 +141,7 @@ static inline const char *md_type_to_string(mbedtls_md_type_t md_alg)
case MBEDTLS_MD_SHA224:
return "SHA224";
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_MD_SHA256:
return "SHA256";
#endif

5
programs/Makefile
View File

@ -129,7 +129,7 @@ generated_files: $(GENERATED_FILES)
psa/psa_constant_names_generated.c: $(gen_file_dep) ../scripts/generate_psa_constants.py
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_values.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/include/psa/crypto_extra.h
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tests/suites/test_suite_psa_crypto_metadata.data
psa/psa_constant_names_generated.c: $(gen_file_dep) ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data
psa/psa_constant_names_generated.c:
echo " Gen $@"
$(PYTHON) ../scripts/generate_psa_constants.py
@ -356,7 +356,7 @@ endif
test/metatest$(EXEXT): test/metatest.c $(DEP)
echo " CC test/metatest.c"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I ../library test/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -I../library -I../tf-psa-crypto/core test/metatest.c $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
test/query_config.o: test/query_config.c test/query_config.h $(DEP)
echo " CC test/query_config.c"
@ -417,6 +417,7 @@ x509/req_app$(EXEXT): x509/req_app.c $(DEP)
clean:
ifndef WINDOWS
rm -f $(EXES)
rm -f */*.o
-rm -f ssl/ssl_pthread_server$(EXEXT)
-rm -f test/cpp_dummy_build.cpp test/cpp_dummy_build$(EXEXT)
-rm -f test/dlopen$(EXEXT)

4
programs/fuzz/Makefile
View File

@ -9,9 +9,7 @@ ifdef FUZZINGENGINE
LOCAL_LDFLAGS += -lFuzzingEngine
endif
# A test application is built for each suites/test_suite_*.data file.
# Application name is same as .data file's base name and can be
# constructed by stripping path 'suites/' and extension .data.
# A test application is built for each fuzz_*.c file.
APPS = $(basename $(wildcard fuzz_*.c))
# Construct executable name by adding OS specific suffix $(EXEXT).

4
programs/fuzz/fuzz_dtlsserver.c
View File

@ -15,7 +15,7 @@
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
(defined(PSA_WANT_ALG_SHA_384) || \
defined(MBEDTLS_MD_CAN_SHA256))
defined(PSA_WANT_ALG_SHA_256))
const char *pers = "fuzz_dtlsserver";
const unsigned char client_ip[4] = { 0x7F, 0, 0, 1 };
static int initialized = 0;
@ -34,7 +34,7 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
defined(MBEDTLS_CTR_DRBG_C) && \
defined(MBEDTLS_TIMING_C) && \
(defined(PSA_WANT_ALG_SHA_384) || \
defined(MBEDTLS_MD_CAN_SHA256))
defined(PSA_WANT_ALG_SHA_256))
int ret;
size_t len;
mbedtls_ssl_context ssl;

4
programs/pkey/dh_client.c
View File

@ -38,7 +38,7 @@ int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
@ -284,5 +284,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

4
programs/pkey/dh_server.c
View File

@ -38,7 +38,7 @@ int main(void)
{
mbedtls_printf("MBEDTLS_AES_C and/or MBEDTLS_DHM_C and/or MBEDTLS_ENTROPY_C "
"and/or MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO and/or "
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_SHA1_C not defined.\n");
mbedtls_exit(0);
}
@ -302,5 +302,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_AES_C && MBEDTLS_DHM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
MBEDTLS_NET_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_FS_IO && MBEDTLS_CTR_DRBG_C */

6
programs/pkey/pk_sign.c
View File

@ -12,13 +12,13 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_MD_C and/or "
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_MD_C and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
@ -151,5 +151,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C &&
MBEDTLS_MD_CAN_SHA256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
PSA_WANT_ALG_SHA_256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C */

6
programs/pkey/pk_verify.c
View File

@ -12,12 +12,12 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_PK_PARSE_C) || \
!defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_PK_PARSE_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_PK_PARSE_C and/or "
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_PK_PARSE_C and/or "
"MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
@ -124,5 +124,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_MD_CAN_SHA256 &&
#endif /* MBEDTLS_BIGNUM_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */

6
programs/pkey/rsa_sign.c
View File

@ -12,13 +12,13 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO not defined.\n");
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
@ -151,5 +151,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_FS_IO */

6
programs/pkey/rsa_sign_pss.c
View File

@ -12,13 +12,13 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_RSA_C) || !defined(PSA_WANT_ALG_SHA_256) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_RSA_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_RSA_C and/or PSA_WANT_ALG_SHA_256 and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
@ -157,5 +157,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_RSA_C &&
MBEDTLS_MD_CAN_SHA256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
PSA_WANT_ALG_SHA_256 && MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO &&
MBEDTLS_CTR_DRBG_C */

6
programs/pkey/rsa_verify.c
View File

@ -12,13 +12,13 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_RSA_C) || \
!defined(MBEDTLS_MD_CAN_SHA256) || !defined(MBEDTLS_MD_C) || \
!defined(PSA_WANT_ALG_SHA_256) || !defined(MBEDTLS_MD_C) || \
!defined(MBEDTLS_FS_IO)
int main(void)
{
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_RSA_C and/or "
"MBEDTLS_MD_C and/or "
"MBEDTLS_MD_CAN_SHA256 and/or MBEDTLS_FS_IO not defined.\n");
"PSA_WANT_ALG_SHA_256 and/or MBEDTLS_FS_IO not defined.\n");
mbedtls_exit(0);
}
#else
@ -130,5 +130,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_FS_IO */

6
programs/pkey/rsa_verify_pss.c
View File

@ -12,13 +12,13 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_MD_C) || !defined(MBEDTLS_ENTROPY_C) || \
!defined(MBEDTLS_RSA_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_RSA_C) || !defined(PSA_WANT_ALG_SHA_256) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_CTR_DRBG_C)
int main(void)
{
mbedtls_printf("MBEDTLS_MD_C and/or MBEDTLS_ENTROPY_C and/or "
"MBEDTLS_RSA_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_RSA_C and/or PSA_WANT_ALG_SHA_256 and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_CTR_DRBG_C not defined.\n");
mbedtls_exit(0);
@ -132,5 +132,5 @@ exit:
mbedtls_exit(exit_code);
}
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 &&
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 &&
MBEDTLS_PK_PARSE_C && MBEDTLS_FS_IO */

2
programs/ssl/mini_client.c
View File

@ -70,7 +70,7 @@ const char psk_id[] = "Client_identity";
#endif
#if defined(MBEDTLS_X509_CRT_PARSE_C)
/* This is tests/data_files/test-ca2.crt, a CA using EC secp384r1 */
/* This is framework/data_files/test-ca2.crt, a CA using EC secp384r1 */
const unsigned char ca_cert[] = {
0x30, 0x82, 0x02, 0x52, 0x30, 0x82, 0x01, 0xd7, 0xa0, 0x03, 0x02, 0x01,
0x02, 0x02, 0x09, 0x00, 0xc1, 0x43, 0xe2, 0x7e, 0x62, 0x43, 0xcc, 0xe8,

6
programs/ssl/ssl_test_common_source.c
View File

@ -298,15 +298,15 @@ uint16_t ssl_sig_algs_for_test[] = {
#if defined(PSA_WANT_ALG_SHA_384)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA384)
#endif
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA256)
#endif
#if defined(PSA_WANT_ALG_SHA_224)
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA224)
#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_MD_CAN_SHA256)
#if defined(MBEDTLS_RSA_C) && defined(PSA_WANT_ALG_SHA_256)
MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256,
#endif /* MBEDTLS_RSA_C && MBEDTLS_MD_CAN_SHA256 */
#endif /* MBEDTLS_RSA_C && PSA_WANT_ALG_SHA_256 */
#if defined(MBEDTLS_MD_CAN_SHA1)
/* Allow SHA-1 as we use it extensively in tests. */
MBEDTLS_SSL_SIG_ALG(MBEDTLS_SSL_HASH_SHA1)

2
programs/ssl/ssl_test_lib.c
View File

@ -113,7 +113,7 @@ int rng_seed(rng_context_t *rng, int reproducible, const char *pers)
(const unsigned char *) pers,
strlen(pers));
#elif defined(MBEDTLS_HMAC_DRBG_C)
#if defined(MBEDTLS_MD_CAN_SHA256)
#if defined(PSA_WANT_ALG_SHA_256)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA256;
#elif defined(MBEDTLS_MD_CAN_SHA512)
const mbedtls_md_type_t md_type = MBEDTLS_MD_SHA512;

2
programs/ssl/ssl_test_lib.h
View File

@ -21,7 +21,7 @@
#elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
#define HAVE_RNG
#elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_HMAC_DRBG_C) && \
(defined(MBEDTLS_MD_CAN_SHA256) || defined(MBEDTLS_MD_CAN_SHA512))
(defined(PSA_WANT_ALG_SHA_256) || defined(MBEDTLS_MD_CAN_SHA512))
#define HAVE_RNG
#endif

7
programs/test/CMakeLists.txt
View File

@ -78,8 +78,11 @@ foreach(exe IN LISTS executables_libs executables_mbedcrypto)
endif()
add_executable(${exe} ${exe}.c $<TARGET_OBJECTS:mbedtls_test>
${extra_sources})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library)
target_include_directories(${exe}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
target_include_directories(${exe}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../library
${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/core)
if(exe STREQUAL "query_compile_time_config")
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR})
endif()

2
programs/test/metatest.c
View File

@ -381,7 +381,7 @@ typedef struct {
void (*entry_point)(const char *name);
} metatest_t;
/* The list of availble meta-tests. Remember to register new functions here!
/* The list of available meta-tests. Remember to register new functions here!
*
* Note that we always compile all the functions, so that `metatest --list`
* will always list all the available meta-tests.

4
programs/x509/cert_req.c
View File

@ -12,14 +12,14 @@
#include "mbedtls/md.h"
#if !defined(MBEDTLS_X509_CSR_WRITE_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_PK_PARSE_C) || !defined(PSA_WANT_ALG_SHA_256) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_MD_C)
int main(void)
{
mbedtls_printf("MBEDTLS_X509_CSR_WRITE_C and/or MBEDTLS_FS_IO and/or "
"MBEDTLS_PK_PARSE_C and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_PK_PARSE_C and/or PSA_WANT_ALG_SHA_256 and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C "
"not defined.\n");
mbedtls_exit(0);

4
programs/x509/cert_write.c
View File

@ -14,12 +14,12 @@
#if !defined(MBEDTLS_X509_CRT_WRITE_C) || \
!defined(MBEDTLS_X509_CRT_PARSE_C) || !defined(MBEDTLS_FS_IO) || \
!defined(MBEDTLS_ENTROPY_C) || !defined(MBEDTLS_CTR_DRBG_C) || \
!defined(MBEDTLS_ERROR_C) || !defined(MBEDTLS_MD_CAN_SHA256) || \
!defined(MBEDTLS_ERROR_C) || !defined(PSA_WANT_ALG_SHA_256) || \
!defined(MBEDTLS_PEM_WRITE_C) || !defined(MBEDTLS_MD_C)
int main(void)
{
mbedtls_printf("MBEDTLS_X509_CRT_WRITE_C and/or MBEDTLS_X509_CRT_PARSE_C and/or "
"MBEDTLS_FS_IO and/or MBEDTLS_MD_CAN_SHA256 and/or "
"MBEDTLS_FS_IO and/or PSA_WANT_ALG_SHA_256 and/or "
"MBEDTLS_ENTROPY_C and/or MBEDTLS_CTR_DRBG_C and/or "
"MBEDTLS_ERROR_C not defined.\n");
mbedtls_exit(0);

12
scripts/abi_check.py
View File

@ -350,9 +350,15 @@ class AbiChecker:
"""
# Existing test data files. This may be missing some automatically
# generated files if they haven't been generated yet.
storage_data_files = set(glob.glob(
'tests/suites/test_suite_*storage_format*.data'
))
if os.path.isdir(os.path.join(git_worktree_path, 'tf-psa-crypto',
'tests', 'suites')):
storage_data_files = set(glob.glob(
'tf-psa-crypto/tests/suites/test_suite_*storage_format*.data'
))
else:
storage_data_files = set(glob.glob(
'tests/suites/test_suite_*storage_format*.data'
))
# Discover and (re)generate automatically generated data files.
to_be_generated = set()
for filename in self._list_generated_test_data_files(git_worktree_path):

4
scripts/bump_version.sh
View File

@ -124,8 +124,8 @@ cat include/mbedtls/build_info.h | \
mv tmp include/mbedtls/build_info.h
[ $VERBOSE ] && echo "Bumping version in tests/suites/test_suite_version.data"
sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tests/suites/test_suite_version.data > tmp
mv tmp tests/suites/test_suite_version.data
sed -e "s/version:\".\{1,\}/version:\"$VERSION\"/g" < tf-psa-crypto/tests/suites/test_suite_version.data > tmp
mv tmp tf-psa-crypto/tests/suites/test_suite_version.data
[ $VERBOSE ] && echo "Bumping PROJECT_NAME in doxygen/mbedtls.doxyfile and doxygen/input/doc_mainpage.h"
for i in doxygen/mbedtls.doxyfile doxygen/input/doc_mainpage.h;

2
scripts/ci.requirements.txt
View File

@ -19,6 +19,6 @@ mypy >= 0.780
# to run audit-validity-dates.py on Python >=3.6.
cryptography # >= 35.0.0
# For building `tests/data_files/server9-bad-saltlen.crt` and check python
# For building `framework/data_files/server9-bad-saltlen.crt` and check python
# files.
asn1crypto

6
scripts/code_style.py
View File

@ -66,11 +66,12 @@ def get_src_files(since: Optional[str]) -> List[str]:
that have changed since that commit. Without this argument, list all
files known to git.
Only C files are included, and certain files (generated, or 3rdparty)
Only C files are included, and certain files (generated, or third party)
are excluded.
"""
file_patterns = ["*.[hc]",
"tests/suites/*.function",
"tf-psa-crypto/tests/suites/*.function",
"scripts/data_files/*.fmt"]
output = subprocess.check_output(["git", "ls-files"] + file_patterns,
universal_newlines=True)
@ -130,7 +131,8 @@ def get_src_files(since: Optional[str]) -> List[str]:
# companion files in the same subtree), or for automatically
# generated files (we're correcting the templates instead).
src_files = [filename for filename in src_files
if not (filename.startswith("3rdparty/") or
if not (filename.startswith("tf-psa-crypto/drivers/everest/") or
filename.startswith("tf-psa-crypto/drivers/p256-m/") or
filename in generated_files or
is_file_autogenerated(filename))]
return src_files

8
scripts/common.make
View File

@ -20,14 +20,14 @@ include $(MBEDTLS_PATH)/framework/exported.make
CFLAGS ?= -O2
WARNING_CFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral
WARNING_CXXFLAGS ?= -Wall -Wextra -Wformat=2 -Wno-format-nonliteral -std=c++11 -pedantic
LDFLAGS ?=
LOCAL_CFLAGS = $(WARNING_CFLAGS) -I$(MBEDTLS_TEST_PATH)/include \
-I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tf-psa-crypto/include \
-I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/include \
-D_FILE_OFFSET_BITS=64
LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) -I$(MBEDTLS_PATH)/include -I$(MBEDTLS_PATH)/tests/include -D_FILE_OFFSET_BITS=64
LOCAL_CXXFLAGS = $(WARNING_CXXFLAGS) $(LOCAL_CFLAGS)
ifdef PSASIM
LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
@ -44,7 +44,9 @@ LOCAL_LDFLAGS = ${MBEDTLS_TEST_OBJS} \
-lmbedcrypto$(SHARED_SUFFIX)
endif
include $(MBEDTLS_PATH)/3rdparty/Makefile.inc
THIRDPARTY_DIR = $(MBEDTLS_PATH)/tf-psa-crypto/drivers
include $(THIRDPARTY_DIR)/everest/Makefile.inc
include $(THIRDPARTY_DIR)/p256-m/Makefile.inc
LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
ifdef PSASIM

366
scripts/config.py
View File

@ -19,6 +19,8 @@ Basic usage, to read the Mbed TLS configuration:
import os
import re
from abc import ABCMeta
class Setting:
"""Representation of one Mbed TLS mbedtls_config.h setting.
@ -30,12 +32,13 @@ class Setting:
present in mbedtls_config.h but commented out.
* section: the name of the section that contains this symbol.
"""
# pylint: disable=too-few-public-methods
def __init__(self, active, name, value='', section=None):
# pylint: disable=too-few-public-methods, too-many-arguments
def __init__(self, active, name, value='', section=None, configfile=None):
self.active = active
self.name = name
self.value = value
self.section = section
self.configfile = configfile
class Config:
"""Representation of the Mbed TLS configuration.
@ -54,6 +57,7 @@ class Config:
name to become set.
"""
# pylint: disable=unused-argument
def __init__(self):
self.settings = {}
@ -125,7 +129,13 @@ class Config:
"""
if name not in self.settings:
return
self.settings[name].active = False
setting = self.settings[name]
# Check if modifying the config file
if setting.configfile and setting.active:
setting.configfile.modified = True
setting.active = False
def adapt(self, adapter):
"""Run adapter on each known symbol and (de)activate it accordingly.
@ -138,8 +148,12 @@ class Config:
otherwise unset `name` (i.e. make it known but inactive).
"""
for setting in self.settings.values():
is_active = setting.active
setting.active = adapter(setting.name, setting.active,
setting.section)
# Check if modifying the config file
if setting.configfile and setting.active != is_active:
setting.configfile.modified = True
def change_matching(self, regexs, enable):
"""Change all symbols matching one of the regexs to the desired state."""
@ -148,11 +162,18 @@ class Config:
regex = re.compile('|'.join(regexs))
for setting in self.settings.values():
if regex.search(setting.name):
# Check if modifying the config file
if setting.configfile and setting.active != enable:
setting.configfile.modified = True
setting.active = enable
def is_full_section(section):
"""Is this section affected by "config.py full" and friends?"""
return section.endswith('support') or section.endswith('modules')
"""Is this section affected by "config.py full" and friends?
In a config file where the sections are not used the whole config file
is an empty section (with value None) and the whole file is affected.
"""
return section is None or section.endswith('support') or section.endswith('modules')
def realfull_adapter(_name, active, section):
"""Activate all symbols found in the global and boolean feature sections.
@ -168,6 +189,26 @@ def realfull_adapter(_name, active, section):
return active
return True
PSA_UNSUPPORTED_FEATURE = frozenset([
'PSA_WANT_ALG_CBC_MAC',
'PSA_WANT_ALG_XTS',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_DERIVE',
'PSA_WANT_KEY_TYPE_DH_KEY_PAIR_DERIVE'
])
PSA_DEPRECATED_FEATURE = frozenset([
'PSA_WANT_KEY_TYPE_ECC_KEY_PAIR',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR'
])
PSA_UNSTABLE_FEATURE = frozenset([
'PSA_WANT_ECC_SECP_K1_224'
])
EXCLUDE_FROM_CRYPTO = PSA_UNSUPPORTED_FEATURE | \
PSA_DEPRECATED_FEATURE | \
PSA_UNSTABLE_FEATURE
# The goal of the full configuration is to have everything that can be tested
# together. This includes deprecated or insecure options. It excludes:
# * Options that require additional build dependencies or unusual hardware.
@ -185,7 +226,6 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_DEPRECATED_REMOVED', # conflicts with deprecated options
'MBEDTLS_DEPRECATED_WARNING', # conflicts with deprecated options
'MBEDTLS_ECDH_VARIANT_EVEREST_ENABLED', # influences the use of ECDH in TLS
'MBEDTLS_ECP_NO_FALLBACK', # removes internal ECP implementation
'MBEDTLS_ECP_WITH_MPI_UINT', # disables the default ECP and is experimental
'MBEDTLS_ENTROPY_FORCE_SHA256', # interacts with CTR_DRBG_128_BIT_KEY
'MBEDTLS_HAVE_SSE2', # hardware dependency
@ -211,6 +251,9 @@ EXCLUDE_FROM_FULL = frozenset([
'MBEDTLS_TEST_CONSTANT_FLOW_MEMSAN', # build dependency (clang+memsan)
'MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND', # build dependency (valgrind headers)
'MBEDTLS_X509_REMOVE_INFO', # removes a feature
*PSA_UNSUPPORTED_FEATURE,
*PSA_DEPRECATED_FEATURE,
*PSA_UNSTABLE_FEATURE
])
def is_seamless_alt(name):
@ -317,6 +360,8 @@ def include_in_crypto(name):
'MBEDTLS_PKCS7_C', # part of libmbedx509
]:
return False
if name in EXCLUDE_FROM_CRYPTO:
return False
return True
def crypto_adapter(adapter):
@ -335,6 +380,7 @@ def crypto_adapter(adapter):
DEPRECATED = frozenset([
'MBEDTLS_PSA_CRYPTO_SE_C',
*PSA_DEPRECATED_FEATURE
])
def no_deprecated_adapter(adapter):
"""Modify an adapter to disable deprecated symbols.
@ -369,43 +415,25 @@ def no_platform_adapter(adapter):
return adapter(name, active, section)
return continuation
class ConfigFile(Config):
"""Representation of the Mbed TLS configuration read for a file.
class ConfigFile(metaclass=ABCMeta):
"""Representation of a configuration file."""
See the documentation of the `Config` class for methods to query
and modify the configuration.
"""
_path_in_tree = 'include/mbedtls/mbedtls_config.h'
default_path = [_path_in_tree,
os.path.join(os.path.dirname(__file__),
os.pardir,
_path_in_tree),
os.path.join(os.path.dirname(os.path.abspath(os.path.dirname(__file__))),
_path_in_tree)]
def __init__(self, filename=None):
"""Read the Mbed TLS configuration file."""
def __init__(self, default_path, name, filename=None):
"""Check if the config file exists."""
if filename is None:
for candidate in self.default_path:
for candidate in default_path:
if os.path.lexists(candidate):
filename = candidate
break
else:
raise Exception('Mbed TLS configuration file not found',
self.default_path)
super().__init__()
self.filename = filename
self.inclusion_guard = None
self.current_section = 'header'
with open(filename, 'r', encoding='utf-8') as file:
self.templates = [self._parse_line(line) for line in file]
self.current_section = None
raise FileNotFoundError(f'{name} configuration file not found: '
f'{filename if filename else default_path}')
def set(self, name, value=None):
if name not in self.settings:
self.templates.append((name, '', '#define ' + name + ' '))
super().set(name, value)
self.filename = filename
self.templates = []
self.current_section = None
self.inclusion_guard = None
self.modified = False
_define_line_regexp = (r'(?P<indentation>\s*)' +
r'(?P<commented_out>(//\s*)?)' +
@ -421,39 +449,57 @@ class ConfigFile(Config):
_ifndef_line_regexp,
_section_line_regexp]))
def _parse_line(self, line):
"""Parse a line in mbedtls_config.h and return the corresponding template."""
"""Parse a line in the config file, save the templates representing the lines
and return the corresponding setting element.
"""
line = line.rstrip('\r\n')
m = re.match(self._config_line_regexp, line)
if m is None:
return line
self.templates.append(line)
return None
elif m.group('section'):
self.current_section = m.group('section')
return line
self.templates.append(line)
return None
elif m.group('inclusion_guard') and self.inclusion_guard is None:
self.inclusion_guard = m.group('inclusion_guard')
return line
self.templates.append(line)
return None
else:
active = not m.group('commented_out')
name = m.group('name')
value = m.group('value')
if name == self.inclusion_guard and value == '':
# The file double-inclusion guard is not an option.
return line
self.templates.append(line)
return None
template = (name,
m.group('indentation'),
m.group('define') + name +
m.group('arguments') + m.group('separator'))
self.settings[name] = Setting(active, name, value,
self.current_section)
return template
self.templates.append(template)
def _format_template(self, name, indent, middle):
"""Build a line for mbedtls_config.h for the given setting.
return (active, name, value, self.current_section)
def parse_file(self):
"""Parse the whole file and return the settings."""
with open(self.filename, 'r', encoding='utf-8') as file:
for line in file:
setting = self._parse_line(line)
if setting is not None:
yield setting
self.current_section = None
#pylint: disable=no-self-use
def _format_template(self, setting, indent, middle):
"""Build a line for the config file for the given setting.
The line has the form "<indent>#define <name> <value>"
where <middle> is "#define <name> ".
"""
setting = self.settings[name]
value = setting.value
if value is None:
value = ''
@ -471,26 +517,230 @@ class ConfigFile(Config):
middle,
value]).rstrip()
def write_to_stream(self, output):
def write_to_stream(self, settings, output):
"""Write the whole configuration to output."""
for template in self.templates:
if isinstance(template, str):
line = template
else:
line = self._format_template(*template)
name, indent, middle = template
line = self._format_template(settings[name], indent, middle)
output.write(line + '\n')
def write(self, settings, filename=None):
"""Write the whole configuration to the file it was read from.
If filename is specified, write to this file instead.
"""
if filename is None:
filename = self.filename
# Not modified so no need to write to the file
if not self.modified and filename == self.filename:
return
with open(filename, 'w', encoding='utf-8') as output:
self.write_to_stream(settings, output)
class MbedTLSConfigFile(ConfigFile):
"""Representation of an MbedTLS configuration file."""
_path_in_tree = 'include/mbedtls/mbedtls_config.h'
default_path = [_path_in_tree,
os.path.join(os.path.dirname(__file__),
os.pardir,
_path_in_tree),
os.path.join(os.path.dirname(os.path.abspath(os.path.dirname(__file__))),
_path_in_tree)]
def __init__(self, filename=None):
super().__init__(self.default_path, 'Mbed TLS', filename)
self.current_section = 'header'
class CryptoConfigFile(ConfigFile):
"""Representation of a Crypto configuration file."""
# Temporary, while Mbed TLS does not just rely on the TF-PSA-Crypto
# build system to build its crypto library. When it does, the
# condition can just be removed.
_path_in_tree = 'include/psa/crypto_config.h' \
if os.path.isfile('include/psa/crypto_config.h') else \
'tf-psa-crypto/include/psa/crypto_config.h'
default_path = [_path_in_tree,
os.path.join(os.path.dirname(__file__),
os.pardir,
_path_in_tree),
os.path.join(os.path.dirname(os.path.abspath(os.path.dirname(__file__))),
_path_in_tree)]
def __init__(self, filename=None):
super().__init__(self.default_path, 'Crypto', filename)
class MbedTLSConfig(Config):
"""Representation of the Mbed TLS configuration.
See the documentation of the `Config` class for methods to query
and modify the configuration.
"""
def __init__(self, filename=None):
"""Read the Mbed TLS configuration file."""
super().__init__()
self.configfile = MbedTLSConfigFile(filename)
self.settings.update({name: Setting(active, name, value, section, self.configfile)
for (active, name, value, section)
in self.configfile.parse_file()})
def set(self, name, value=None):
"""Set name to the given value and make it active."""
if name not in self.settings:
self.configfile.templates.append((name, '', '#define ' + name + ' '))
super().set(name, value)
def write(self, filename=None):
"""Write the whole configuration to the file it was read from.
If filename is specified, write to this file instead.
"""
if filename is None:
filename = self.filename
with open(filename, 'w', encoding='utf-8') as output:
self.write_to_stream(output)
self.configfile.write(self.settings, filename)
def filename(self):
"""Get the name of the config file."""
return self.configfile.filename
class CryptoConfig(Config):
"""Representation of the PSA crypto configuration.
See the documentation of the `Config` class for methods to query
and modify the configuration.
"""
def __init__(self, filename=None):
"""Read the PSA crypto configuration file."""
super().__init__()
self.configfile = CryptoConfigFile(filename)
self.settings.update({name: Setting(active, name, value, section, self.configfile)
for (active, name, value, section)
in self.configfile.parse_file()})
def set(self, name, value='1'):
"""Set name to the given value and make it active."""
if name in PSA_UNSUPPORTED_FEATURE:
raise ValueError(f'Feature is unsupported: \'{name}\'')
if name in PSA_UNSTABLE_FEATURE:
raise ValueError(f'Feature is unstable: \'{name}\'')
if name not in self.settings:
self.configfile.templates.append((name, '', '#define ' + name + ' '))
super().set(name, value)
def write(self, filename=None):
"""Write the whole configuration to the file it was read from.
If filename is specified, write to this file instead.
"""
self.configfile.write(self.settings, filename)
def filename(self):
"""Get the name of the config file."""
return self.configfile.filename
class CombinedConfig(Config):
"""Representation of MbedTLS and PSA crypto configuration
See the documentation of the `Config` class for methods to query
and modify the configuration.
"""
def __init__(self, *configs):
super().__init__()
for config in configs:
if isinstance(config, MbedTLSConfigFile):
self.mbedtls_configfile = config
elif isinstance(config, CryptoConfigFile):
self.crypto_configfile = config
else:
raise ValueError(f'Invalid configfile: {config}')
self.settings.update({name: Setting(active, name, value, section, configfile)
for configfile in [self.mbedtls_configfile, self.crypto_configfile]
for (active, name, value, section) in configfile.parse_file()})
_crypto_regexp = re.compile(r'$PSA_.*')
def _get_configfile(self, name):
"""Find a config type for a setting name"""
if name in self.settings:
return self.settings[name].configfile
elif re.match(self._crypto_regexp, name):
return self.crypto_configfile
else:
return self.mbedtls_configfile
def __setitem__(self, name, value):
super().__setitem__(name, value)
self.settings[name].configfile.modified = True
def set(self, name, value=None):
"""Set name to the given value and make it active."""
configfile = self._get_configfile(name)
if configfile == self.crypto_configfile:
if name in PSA_UNSUPPORTED_FEATURE:
raise ValueError(f'Feature is unsupported: \'{name}\'')
if name in PSA_UNSTABLE_FEATURE:
raise ValueError(f'Feature is unstable: \'{name}\'')
# The default value in the crypto config is '1'
if not value:
value = '1'
if name in self.settings:
setting = self.settings[name]
if not setting.active or (value is not None and setting.value != value):
configfile.modified = True
else:
configfile.templates.append((name, '', '#define ' + name + ' '))
configfile.modified = True
super().set(name, value)
def write(self, mbedtls_file=None, crypto_file=None):
"""Write the whole configuration to the file it was read from.
If mbedtls_file or crypto_file is specified, write the specific configuration
to the corresponding file instead.
"""
self.mbedtls_configfile.write(self.settings, mbedtls_file)
self.crypto_configfile.write(self.settings, crypto_file)
def filename(self, name=None):
"""Get the names of the config files.
If 'name' is specified return the name of the config file where it is defined.
"""
if not name:
return [config.filename for config in [self.mbedtls_configfile, self.crypto_configfile]]
return self._get_configfile(name).filename
if __name__ == '__main__':
#pylint: disable=too-many-statements
def main():
"""Command line mbedtls_config.h manipulation tool."""
parser = argparse.ArgumentParser(description="""
@ -499,7 +749,11 @@ if __name__ == '__main__':
parser.add_argument('--file', '-f',
help="""File to read (and modify if requested).
Default: {}.
""".format(ConfigFile.default_path))
""".format(MbedTLSConfigFile.default_path))
parser.add_argument('--cryptofile', '-c',
help="""Crypto file to read (and modify if requested).
Default: {}.
""".format(CryptoConfigFile.default_path))
parser.add_argument('--force', '-o',
action='store_true',
help="""For the set command, if SYMBOL is not
@ -577,7 +831,7 @@ if __name__ == '__main__':
excluding X.509 and TLS.""")
args = parser.parse_args()
config = ConfigFile(args.file)
config = CombinedConfig(MbedTLSConfigFile(args.file), CryptoConfigFile(args.cryptofile))
if args.command is None:
parser.print_help()
return 1
@ -591,7 +845,7 @@ if __name__ == '__main__':
if not args.force and args.symbol not in config.settings:
sys.stderr.write("A #define for the symbol {} "
"was not found in {}\n"
.format(args.symbol, config.filename))
.format(args.symbol, config.filename(args.symbol)))
return 1
config.set(args.symbol, value=args.value)
elif args.command == 'set-all':

2
scripts/data_files/driver_jsons/p256_transparent_driver.json
View File

@ -2,7 +2,7 @@
"prefix": "p256",
"type": "transparent",
"mbedtls/h_condition": "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",
"headers": ["../3rdparty/p256-m/p256-m_driver_entrypoints.h"],
"headers": ["../tf-psa-crypto/drivers/p256-m/p256-m_driver_entrypoints.h"],
"capabilities": [
{
"mbedtls/c_condition": "defined(MBEDTLS_PSA_P256M_DRIVER_ENABLED)",

7
scripts/data_files/driver_templates/psa_crypto_driver_wrappers.h.jinja
View File

@ -731,7 +731,8 @@ static inline psa_status_t psa_driver_wrapper_get_key_buffer_size_from_key_data(
static inline psa_status_t psa_driver_wrapper_generate_key(
const psa_key_attributes_t *attributes,
const psa_key_production_parameters_t *params, size_t params_data_length,
const psa_custom_key_parameters_t *custom,
const uint8_t *custom_data, size_t custom_data_length,
uint8_t *key_buffer, size_t key_buffer_size, size_t *key_buffer_length )
{
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
@ -740,7 +741,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
#if defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE)
int is_default_production =
psa_key_production_parameters_are_default(params, params_data_length);
psa_custom_key_parameters_are_default(custom, custom_data_length);
if( location != PSA_KEY_LOCATION_LOCAL_STORAGE && !is_default_production )
{
/* We don't support passing custom production parameters
@ -811,7 +812,7 @@ static inline psa_status_t psa_driver_wrapper_generate_key(
/* Software fallback */
status = psa_generate_key_internal(
attributes, params, params_data_length,
attributes, custom, custom_data, custom_data_length,
key_buffer, key_buffer_size, key_buffer_length );
break;

4
scripts/generate_driver_wrappers.py
View File

@ -1,6 +1,6 @@
#!/usr/bin/env python3
"""Generate library/psa_crypto_driver_wrappers.h
library/psa_crypto_driver_wrappers_no_static.c
"""Generate psa_crypto_driver_wrappers.h
psa_crypto_driver_wrappers_no_static.c
This module is invoked by the build scripts to auto generate the
psa_crypto_driver_wrappers.h and psa_crypto_driver_wrappers_no_static

2
scripts/generate_errors.pl
View File

@ -24,7 +24,7 @@ if( @ARGV ) {
$crypto_include_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
$tls_include_dir = 'include/mbedtls';
$data_dir = 'scripts/data_files';
$error_file = 'library/error.c';
$error_file = 'tf-psa-crypto/drivers/builtin/src/error.c';
unless( -d $crypto_include_dir && -d $tls_include_dir && -d $data_dir ) {
chdir '..' or die;

2
scripts/generate_features.pl
View File

@ -16,7 +16,7 @@ if( @ARGV ) {
} else {
$include_dir = 'include/mbedtls';
$data_dir = 'scripts/data_files';
$feature_file = 'library/version_features.c';
$feature_file = 'tf-psa-crypto/drivers/builtin/src/version_features.c';
unless( -d $include_dir && -d $data_dir ) {
chdir '..' or die;

38
scripts/generate_visualc_files.pl
View File

@ -25,19 +25,21 @@ my $programs_dir = 'programs';
my $mbedtls_header_dir = 'include/mbedtls';
my $drivers_builtin_header_dir = 'tf-psa-crypto/drivers/builtin/include/mbedtls';
my $psa_header_dir = 'tf-psa-crypto/include/psa';
my $source_dir = 'library';
my $tls_source_dir = 'library';
my $crypto_core_source_dir = 'tf-psa-crypto/core';
my $crypto_source_dir = 'tf-psa-crypto/drivers/builtin/src';
my $test_source_dir = 'tests/src';
my $test_header_dir = 'tests/include/test';
my $test_drivers_header_dir = 'tests/include/test/drivers';
my $test_drivers_source_dir = 'tests/src/drivers';
my @thirdparty_header_dirs = qw(
3rdparty/everest/include/everest
tf-psa-crypto/drivers/everest/include/everest
);
my @thirdparty_source_dirs = qw(
3rdparty/everest/library
3rdparty/everest/library/kremlib
3rdparty/everest/library/legacy
tf-psa-crypto/drivers/everest/library
tf-psa-crypto/drivers/everest/library/kremlib
tf-psa-crypto/drivers/everest/library/legacy
);
# Directories to add to the include path.
@ -47,25 +49,27 @@ my @include_directories = qw(
include
tf-psa-crypto/include
tf-psa-crypto/drivers/builtin/include
3rdparty/everest/include/
3rdparty/everest/include/everest
3rdparty/everest/include/everest/vs2013
3rdparty/everest/include/everest/kremlib
tf-psa-crypto/drivers/everest/include/
tf-psa-crypto/drivers/everest/include/everest
tf-psa-crypto/drivers/everest/include/everest/vs2013
tf-psa-crypto/drivers/everest/include/everest/kremlib
tests/include
);
my $include_directories = join(';', map {"../../$_"} @include_directories);
# Directories to add to the include path when building the library, but not
# Directories to add to the include path when building the libraries, but not
# when building tests or applications.
my @library_include_directories = qw(
library
tf-psa-crypto/core
tf-psa-crypto/drivers/builtin/src
);
my $library_include_directories =
join(';', map {"../../$_"} (@library_include_directories,
@include_directories));
my @excluded_files = qw(
3rdparty/everest/library/Hacl_Curve25519.c
tf-psa-crypto/drivers/everest/library/Hacl_Curve25519.c
);
my %excluded_files = ();
foreach (@excluded_files) { $excluded_files{$_} = 1 }
@ -106,7 +110,9 @@ sub check_dirs {
&& -d $mbedtls_header_dir
&& -d $drivers_builtin_header_dir
&& -d $psa_header_dir
&& -d $source_dir
&& -d $tls_source_dir
&& -d $crypto_core_source_dir
&& -d $crypto_source_dir
&& -d $test_source_dir
&& -d $test_drivers_source_dir
&& -d $test_header_dir
@ -265,12 +271,16 @@ sub main {
$psa_header_dir,
$test_header_dir,
$test_drivers_header_dir,
$source_dir,
$tls_source_dir,
$crypto_core_source_dir,
$crypto_source_dir,
@thirdparty_header_dirs,
);
my @headers = (map { <$_/*.h> } @header_dirs);
my @source_dirs = (
$source_dir,
$tls_source_dir,
$crypto_core_source_dir,
$crypto_source_dir,
$test_source_dir,
$test_drivers_source_dir,
@thirdparty_source_dirs,

14
scripts/lcov.sh
View File

@ -30,9 +30,15 @@ EOF
set -eu
# Repository detection
in_mbedtls_build_dir () {
test -d library
# Project detection
PROJECT_NAME_FILE='./scripts/project_name.txt'
if read -r PROJECT_NAME < "$PROJECT_NAME_FILE"; then :; else
echo "$PROJECT_NAME_FILE does not exist... Exiting..." >&2
exit 1
fi
in_mbedtls_repo () {
test "$PROJECT_NAME" = "Mbed TLS"
}
# Collect stats and build a HTML report.
@ -68,7 +74,7 @@ if [ $# -gt 0 ] && [ "$1" = "--help" ]; then
exit
fi
if in_mbedtls_build_dir; then
if in_mbedtls_repo; then
library_dir='library'
title='Mbed TLS'
else

9
scripts/make_generated_files.bat
View File

@ -10,9 +10,10 @@ perl scripts\generate_features.pl || exit /b 1
python scripts\generate_ssl_debug_helpers.py || exit /b 1
perl scripts\generate_visualc_files.pl || exit /b 1
python scripts\generate_psa_constants.py || exit /b 1
python framework\scripts\generate_bignum_tests.py || exit /b 1
python framework\scripts\generate_config_tests.py || exit /b 1
python framework\scripts\generate_ecp_tests.py || exit /b 1
python framework\scripts\generate_psa_tests.py || exit /b 1
python framework\scripts\generate_bignum_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
python framework\scripts\generate_config_tests.py tests\suites\test_suite_config.mbedtls_boolean.data || exit /b 1
python framework\scripts\generate_config_tests.py --directory tf-psa-crypto\tests\suites tests\suites\test_suite_config.psa_boolean.data || exit /b 1
python framework\scripts\generate_ecp_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
python framework\scripts\generate_psa_tests.py --directory tf-psa-crypto\tests\suites || exit /b 1
python framework\scripts\generate_test_keys.py --output tests\src\test_keys.h || exit /b 1
python framework\scripts\generate_test_cert_macros.py --output tests\src\test_certs.h || exit /b 1

1
scripts/project_name.txt Normal file
View File

@ -0,0 +1 @@
Mbed TLS

3
tests/.gitignore vendored
View File

@ -20,9 +20,6 @@
# Generated source files
/suites/*.generated.data
/suites/test_suite_config.mbedtls_boolean.data
/suites/test_suite_config.psa_boolean.data
/suites/test_suite_psa_crypto_storage_format.v[0-9]*.data
/suites/test_suite_psa_crypto_storage_format.current.data
/src/test_keys.h
/src/test_certs.h
###END_GENERATED_FILES###

186
tests/CMakeLists.txt
View File

@ -18,18 +18,6 @@ endif()
file(MAKE_DIRECTORY ${CMAKE_CURRENT_BINARY_DIR}/suites)
# Get base names for generated files
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
OUTPUT_VARIABLE
base_bignum_generated_data_files)
string(REGEX REPLACE "[^;]*/" ""
base_bignum_generated_data_files "${base_bignum_generated_data_files}")
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
@ -38,76 +26,28 @@ execute_process(
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
OUTPUT_VARIABLE
base_config_generated_data_files)
base_config_generated_data_files_raw)
string(REGEX REPLACE "[^;]*/" ""
base_config_generated_data_files "${base_config_generated_data_files}")
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
OUTPUT_VARIABLE
base_ecp_generated_data_files)
string(REGEX REPLACE "[^;]*/" ""
base_ecp_generated_data_files "${base_ecp_generated_data_files}")
execute_process(
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
--list-for-cmake
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
OUTPUT_VARIABLE
base_psa_generated_data_files)
string(REGEX REPLACE "[^;]*/" ""
base_psa_generated_data_files "${base_psa_generated_data_files}")
base_config_generated_data_files_raw "${base_config_generated_data_files_raw}")
# Can be replace by list(FILTER ...) when CI CMake version is >=3.6
foreach(file ${base_config_generated_data_files_raw})
if(${file} MATCHES "mbedtls")
list(APPEND base_config_generated_data_files ${file})
endif()
endforeach()
# Derive generated file paths in the build directory. The generated data
# files go into the suites/ subdirectory.
set(base_generated_data_files
${base_bignum_generated_data_files} ${base_ecp_generated_data_files} ${base_psa_generated_data_files})
${base_config_generated_data_files})
string(REGEX REPLACE "([^;]+)" "suites/\\1"
all_generated_data_files "${base_generated_data_files}")
set(bignum_generated_data_files "")
set(config_generated_data_files "")
set(ecp_generated_data_files "")
set(psa_generated_data_files "")
foreach(file ${base_bignum_generated_data_files})
list(APPEND bignum_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
foreach(file ${base_config_generated_data_files})
list(APPEND config_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
foreach(file ${base_ecp_generated_data_files})
list(APPEND ecp_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
foreach(file ${base_psa_generated_data_files})
list(APPEND psa_generated_data_files ${CMAKE_CURRENT_BINARY_DIR}/suites/${file})
endforeach()
if(GEN_FILES)
add_custom_command(
OUTPUT
${bignum_generated_data_files}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_bignum_tests.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_core.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod_raw.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_mod.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
)
add_custom_command(
OUTPUT
${config_generated_data_files}
@ -117,51 +57,13 @@ if(GEN_FILES)
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
${config_generated_data_files}
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_config_tests.py
# Do not declare the configuration files as dependencies: they
# change too often in ways that don't affect the result
# ((un)commenting some options).
)
add_custom_command(
OUTPUT
${ecp_generated_data_files}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_ecp_tests.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/bignum_common.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/ecp.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
)
add_custom_command(
OUTPUT
${psa_generated_data_files}
WORKING_DIRECTORY
${CMAKE_CURRENT_SOURCE_DIR}/..
COMMAND
${MBEDTLS_PYTHON_EXECUTABLE}
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
--directory ${CMAKE_CURRENT_BINARY_DIR}/suites
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_psa_tests.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_data_tests.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/crypto_knowledge.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/macro_collector.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_information.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/psa_storage.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_case.py
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/mbedtls_framework/test_data_generation.py
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_values.h
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/include/psa/crypto_extra.h
)
else()
foreach(file ${all_generated_data_files})
link_to_source(${file})
@ -172,10 +74,7 @@ endif()
# they can cause race conditions in parallel builds.
# With this line, only 4 sub-makefiles include the above command, that reduces
# the risk of a race.
add_custom_target(test_suite_bignum_generated_data DEPENDS ${bignum_generated_data_files})
add_custom_target(test_suite_config_generated_data DEPENDS ${config_generated_data_files})
add_custom_target(test_suite_ecp_generated_data DEPENDS ${ecp_generated_data_files})
add_custom_target(test_suite_psa_generated_data DEPENDS ${psa_generated_data_files})
# If SKIP_TEST_SUITES is not defined with -D, get it from the environment.
if((NOT DEFINED SKIP_TEST_SUITES) AND (DEFINED ENV{SKIP_TEST_SUITES}))
set(SKIP_TEST_SUITES $ENV{SKIP_TEST_SUITES})
@ -196,61 +95,26 @@ function(add_test_suite suite_name)
# Get the test names of the tests with generated .data files
# from the generated_data_files list in parent scope.
set(bignum_generated_data_names "")
set(ecp_generated_data_names "")
set(psa_generated_data_names "")
foreach(generated_data_file ${bignum_generated_data_files})
set(config_generated_data_names "")
foreach(generated_data_file ${config_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
# Remove the ".data" extension
get_name_without_last_ext(generated_data_name ${generated_data_name})
# Remove leading "test_suite_"
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND bignum_generated_data_names ${generated_data_name})
endforeach()
foreach(generated_data_file ${ecp_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
# Remove the ".data" extension
get_name_without_last_ext(generated_data_name ${generated_data_name})
# Remove leading "test_suite_"
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND ecp_generated_data_names ${generated_data_name})
endforeach()
foreach(generated_data_file ${psa_generated_data_files})
# Get the plain filename
get_filename_component(generated_data_name ${generated_data_file} NAME)
# Remove the ".data" extension
get_name_without_last_ext(generated_data_name ${generated_data_name})
# Remove leading "test_suite_"
string(SUBSTRING ${generated_data_name} 11 -1 generated_data_name)
list(APPEND psa_generated_data_names ${generated_data_name})
list(APPEND config_generated_data_names ${generated_data_name})
endforeach()
if(";${bignum_generated_data_names};" MATCHES ";${data_name};")
if(";${config_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_bignum_generated_data)
elseif(";${config_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_bignum_generated_data)
elseif(";${ecp_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_ecp_generated_data)
elseif(";${psa_generated_data_names};" MATCHES ";${data_name};")
set(data_file
${CMAKE_CURRENT_BINARY_DIR}/suites/test_suite_${data_name}.data)
set(dependency test_suite_psa_generated_data)
set(dependency test_suite_config_generated_data)
else()
set(data_file
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${data_name}.data)
set(dependency
test_suite_bignum_generated_data
test_suite_config_generated_data
test_suite_ecp_generated_data
test_suite_psa_generated_data)
test_suite_config_generated_data)
endif()
add_custom_command(
@ -263,18 +127,18 @@ function(add_test_suite suite_name)
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py
-f ${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
-d ${data_file}
-t ${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
-p ${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function
-t ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/main_test.function
-p ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/host_test.function
-s ${CMAKE_CURRENT_SOURCE_DIR}/suites
--helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function
--helpers-file ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/helpers.function
-o .
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../framework/scripts/generate_test_code.py
${CMAKE_CURRENT_SOURCE_DIR}/suites/test_suite_${suite_name}.function
${data_file}
${CMAKE_CURRENT_SOURCE_DIR}/suites/main_test.function
${CMAKE_CURRENT_SOURCE_DIR}/suites/host_test.function
${CMAKE_CURRENT_SOURCE_DIR}/suites/helpers.function
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/main_test.function
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/host_test.function
${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/tests/suites/helpers.function
${mbedtls_target}
BYPRODUCTS
test_suite_${data_name}.datax
@ -291,7 +155,9 @@ function(add_test_suite suite_name)
# them as PUBLIC.
target_include_directories(test_suite_${data_name}
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/include
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library)
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../library
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/core
PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../tf-psa-crypto/drivers/builtin/src)
# Request C11, which is needed for memory poisoning tests
set_target_properties(test_suite_${data_name} PROPERTIES C_STANDARD 11)
@ -340,7 +206,7 @@ if (NOT ${CMAKE_CURRENT_BINARY_DIR} STREQUAL ${CMAKE_CURRENT_SOURCE_DIR})
link_to_source(Descriptions.txt)
link_to_source(compat.sh)
link_to_source(context-info.sh)
link_to_source(data_files)
link_to_source(../framework/data_files)
link_to_source(scripts)
link_to_source(ssl-opt.sh)
link_to_source(opt-testcases)

99
tests/Makefile
View File

@ -4,9 +4,8 @@ include ../scripts/common.make
# Set this to -v to see the details of failing test cases
TEST_FLAGS ?= $(if $(filter-out 0 OFF Off off NO No no FALSE False false N n,$(CTEST_OUTPUT_ON_FAILURE)),-v,)
# Also include library headers, for the sake of invasive tests.
LOCAL_CFLAGS += -I../library
# Also include private headers, for the sake of invasive tests.
LOCAL_CFLAGS += -I$(MBEDTLS_PATH)/library -I$(MBEDTLS_PATH)/tf-psa-crypto/core -I$(MBEDTLS_PATH)/tf-psa-crypto/drivers/builtin/src
# Enable definition of various functions used throughout the testsuite
# (gethostname, strdup, fileno...) even when compiling with -std=c99. Harmless
@ -17,43 +16,47 @@ ifdef RECORD_PSA_STATUS_COVERAGE_LOG
LOCAL_CFLAGS += -Werror -DRECORD_PSA_STATUS_COVERAGE_LOG
endif
GENERATED_BIGNUM_DATA_FILES := $(patsubst tests/%,%,$(shell \
GENERATED_BIGNUM_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_BIGNUM_DATA_FILES),FAILED)
$(error "$(PYTHON) ../framework/scripts/generate_bignum_tests.py --list" failed)
endif
GENERATED_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES)
GENERATED_CRYPTO_DATA_FILES += $(GENERATED_BIGNUM_DATA_FILES)
GENERATED_CONFIG_DATA_FILES := $(patsubst tests/%,%,$(shell \
GENERATED_CONFIG_DATA_FILES_RAW := $(patsubst tests/%,%,$(shell \
$(PYTHON) ../framework/scripts/generate_config_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_CONFIG_DATA_FILES),FAILED)
$(error "$(PYTHON) ../framework/scripts/generate_config_tests.py --list" failed)
endif
GENERATED_DATA_FILES += $(GENERATED_CONFIG_DATA_FILES)
GENERATED_MBEDTLS_CONFIG_DATA_FILES := $(foreach file,$(GENERATED_CONFIG_DATA_FILES_RAW),$(if $(findstring mbedtls,$(file)),$(file),))
GENERATED_PSA_CONFIG_DATA_FILES := $(foreach file,$(GENERATED_CONFIG_DATA_FILES_RAW),$(if $(findstring psa,$(file)),$(addprefix ../tf-psa-crypto/tests/,$(file)),))
GENERATED_CONFIG_DATA_FILES := $(GENERATED_MBEDTLS_CONFIG_DATA_FILES)$(GENERATED_PSA_CONFIG_DATA_FILES)
GENERATED_DATA_FILES += $(GENERATED_MBEDTLS_CONFIG_DATA_FILES)
GENERATED_CRYPTO_DATA_FILES += $(GENERATED_PSA_CONFIG_DATA_FILES)
GENERATED_ECP_DATA_FILES := $(patsubst tests/%,%,$(shell \
GENERATED_ECP_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_ECP_DATA_FILES),FAILED)
$(error "$(PYTHON) ../framework/scripts/generate_ecp_tests.py --list" failed)
endif
GENERATED_DATA_FILES += $(GENERATED_ECP_DATA_FILES)
GENERATED_CRYPTO_DATA_FILES += $(GENERATED_ECP_DATA_FILES)
GENERATED_PSA_DATA_FILES := $(patsubst tests/%,%,$(shell \
GENERATED_PSA_DATA_FILES := $(addprefix ../tf-psa-crypto/,$(shell \
$(PYTHON) ../framework/scripts/generate_psa_tests.py --list || \
echo FAILED \
))
ifeq ($(GENERATED_PSA_DATA_FILES),FAILED)
$(error "$(PYTHON) ../framework/scripts/generate_psa_tests.py --list" failed)
endif
GENERATED_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
GENERATED_CRYPTO_DATA_FILES += $(GENERATED_PSA_DATA_FILES)
GENERATED_FILES = $(GENERATED_DATA_FILES)
GENERATED_FILES = $(GENERATED_DATA_FILES) $(GENERATED_CRYPTO_DATA_FILES)
GENERATED_FILES += src/test_keys.h src/test_certs.h
.PHONY: generated_files
@ -75,7 +78,7 @@ generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_case.py
generated_bignum_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
generated_bignum_test_data:
echo " Gen $(GENERATED_BIGNUM_DATA_FILES)"
$(PYTHON) ../framework/scripts/generate_bignum_tests.py
$(PYTHON) ../framework/scripts/generate_bignum_tests.py --directory ../tf-psa-crypto/tests/suites
.SECONDARY: generated_bignum_test_data
# We deliberately omit the configuration files (mbedtls_config.h,
@ -91,7 +94,8 @@ generated_config_test_data: ../framework/scripts/mbedtls_framework/test_case.py
generated_config_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
generated_config_test_data:
echo " Gen $(GENERATED_CONFIG_DATA_FILES)"
$(PYTHON) ../framework/scripts/generate_config_tests.py
$(PYTHON) ../framework/scripts/generate_config_tests.py $(GENERATED_MBEDTLS_CONFIG_DATA_FILES)
$(PYTHON) ../framework/scripts/generate_config_tests.py --directory ../tf-psa-crypto/tests/suites $(GENERATED_PSA_CONFIG_DATA_FILES)
.SECONDARY: generated_config_test_data
$(GENERATED_ECP_DATA_FILES): $(gen_file_dep) generated_ecp_test_data
@ -102,7 +106,7 @@ generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_case.py
generated_ecp_test_data: ../framework/scripts/mbedtls_framework/test_data_generation.py
generated_ecp_test_data:
echo " Gen $(GENERATED_ECP_DATA_FILES)"
$(PYTHON) ../framework/scripts/generate_ecp_tests.py
$(PYTHON) ../framework/scripts/generate_ecp_tests.py --directory ../tf-psa-crypto/tests/suites
.SECONDARY: generated_ecp_test_data
$(GENERATED_PSA_DATA_FILES): $(gen_file_dep) generated_psa_test_data
@ -122,29 +126,35 @@ generated_psa_test_data: ../framework/scripts/mbedtls_framework/test_data_genera
#generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_config.h
generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_values.h
generated_psa_test_data: ../tf-psa-crypto/include/psa/crypto_extra.h
generated_psa_test_data: suites/test_suite_psa_crypto_metadata.data
generated_psa_test_data: ../tf-psa-crypto/tests/suites/test_suite_psa_crypto_metadata.data
generated_psa_test_data:
echo " Gen $(GENERATED_PSA_DATA_FILES) ..."
$(PYTHON) ../framework/scripts/generate_psa_tests.py
$(PYTHON) ../framework/scripts/generate_psa_tests.py --directory ../tf-psa-crypto/tests/suites
.SECONDARY: generated_psa_test_data
# A test application is built for each suites/test_suite_*.data file.
# Application name is same as .data file's base name and can be
# constructed by stripping path 'suites/' and extension .data.
DATA_FILES := $(wildcard suites/test_suite_*.data)
DATA_FILES = $(filter-out $(GENERATED_DATA_FILES), $(wildcard suites/test_suite_*.data))
CRYPTO_DATA_FILES = $(filter-out $(GENERATED_CRYPTO_DATA_FILES), $(wildcard ../tf-psa-crypto/tests/suites/test_suite_*.data))
# Make sure that generated data files are included even if they don't
# exist yet when the makefile is parsed.
DATA_FILES += $(filter-out $(DATA_FILES),$(GENERATED_DATA_FILES))
DATA_FILES += $(GENERATED_DATA_FILES)
CRYPTO_DATA_FILES += $(GENERATED_CRYPTO_DATA_FILES)
APPS = $(basename $(subst suites/,,$(DATA_FILES)))
CRYPTO_APPS = $(basename $(subst suites/,,$(CRYPTO_DATA_FILES)))
# Construct executable name by adding OS specific suffix $(EXEXT).
BINARIES := $(addsuffix $(EXEXT),$(APPS))
CRYPTO_BINARIES := $(addsuffix $(EXEXT),$(CRYPTO_APPS))
.SILENT:
.PHONY: all check test clean
all: $(BINARIES)
all: $(BINARIES) $(CRYPTO_BINARIES)
mbedtls_test: $(MBEDTLS_TEST_OBJS)
@ -177,7 +187,7 @@ src/test_helpers/%.o : src/test_helpers/%.c
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) -o $@ -c $<
C_FILES := $(addsuffix .c,$(APPS))
C_FILES := $(addsuffix .c,$(APPS)) $(addsuffix .c,$(CRYPTO_APPS))
c: $(C_FILES)
# Wildcard target for test code generation:
@ -195,9 +205,19 @@ c: $(C_FILES)
# dot in .c file's base name.
#
.SECONDEXPANSION:
%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data ../framework/scripts/generate_test_code.py suites/helpers.function suites/main_test.function suites/host_test.function
%.c: suites/$$(firstword $$(subst ., ,$$*)).function suites/%.data ../framework/scripts/generate_test_code.py ../tf-psa-crypto/tests/suites/helpers.function ../tf-psa-crypto/tests/suites/main_test.function ../tf-psa-crypto/tests/suites/host_test.function
echo " Gen $@"
$(PYTHON) ../framework/scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
-d suites/$*.data \
-t ../tf-psa-crypto/tests/suites/main_test.function \
-p ../tf-psa-crypto/tests/suites/host_test.function \
-s suites \
--helpers-file ../tf-psa-crypto/tests/suites/helpers.function \
-o .
../tf-psa-crypto/tests/%.c: ../tf-psa-crypto/tests/suites/$$(firstword $$(subst ., ,$$*)).function ../tf-psa-crypto/tests/suites/%.data ../framework/scripts/generate_test_code.py ../tf-psa-crypto/tests/suites/helpers.function ../tf-psa-crypto/tests/suites/main_test.function ../tf-psa-crypto/tests/suites/host_test.function
echo " Gen $@"
cd ../tf-psa-crypto/tests && $(PYTHON) ../../framework/scripts/generate_test_code.py -f suites/$(firstword $(subst ., ,$*)).function \
-d suites/$*.data \
-t suites/main_test.function \
-p suites/host_test.function \
@ -205,15 +225,23 @@ c: $(C_FILES)
--helpers-file suites/helpers.function \
-o .
$(BINARIES): %$(EXEXT): %.c $(MBEDLIBS) $(TEST_OBJS_DEPS) $(MBEDTLS_TEST_OBJS)
echo " CC $<"
echo " CC $<"
$(CC) $(LOCAL_CFLAGS) $(CFLAGS) $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
LOCAL_CRYPTO_CFLAGS = $(patsubst -I./include, -I../../tests/include, $(patsubst -I../%,-I../../%, $(LOCAL_CFLAGS)))
LOCAL_CRYPTO_LDFLAGS = $(patsubst -L../library, -L../../library, \
$(patsubst -L../tests/%, -L../../tests/%, \
$(patsubst ./src/%,../../tests/src/%, $(LOCAL_LDFLAGS))))
$(CRYPTO_BINARIES): %$(EXEXT): %.c $(MBEDLIBS) $(TEST_OBJS_DEPS) $(MBEDTLS_TEST_OBJS)
echo " CC $<"
cd ../tf-psa-crypto/tests && $(CC) $(LOCAL_CRYPTO_CFLAGS) $(CFLAGS) $(subst $(EXEXT),,$(@F)).c $(LOCAL_CRYPTO_LDFLAGS) $(LDFLAGS) -o $(@F)
clean:
ifndef WINDOWS
$(MAKE) -C psa-client-server/psasim clean
rm -rf $(BINARIES) *.c *.datax
rm -rf $(CRYPTO_BINARIES) ../tf-psa-crypto/tests/*.c ../tf-psa-crypto/tests/*.datax
rm -f src/*.o src/drivers/*.o src/test_helpers/*.o src/libmbed* src/test_keys.h src/test_certs.h
rm -f src/test_keys.h src/test_certs.h
rm -f include/test/instrument_record_status.h
@ -225,6 +253,9 @@ else
if exist *.c del /Q /F *.c
if exist *.exe del /Q /F *.exe
if exist *.datax del /Q /F *.datax
if exist ../tf-psa-crypto/tests/*.c del /Q /F ../tf-psa-crypto/tests/*.c
if exist ../tf-psa-crypto/tests/*.exe del /Q /F ../tf-psa-crypto/tests/*.exe
if exist ../tf-psa-crypto/tests/*.datax del /Q /F ../tf-psa-crypto/tests/*.datax
if exist src/*.o del /Q /F src/*.o
if exist src/drivers/*.o del /Q /F src/drivers/*.o
if exist src/test_keys.h del /Q /F src/test_keys.h
@ -235,8 +266,9 @@ else
endif
# Test suites caught by SKIP_TEST_SUITES are built but not executed.
check: $(BINARIES)
check: $(BINARIES) $(CRYPTO_BINARIES)
perl scripts/run-test-suites.pl $(TEST_FLAGS) --skip=$(SKIP_TEST_SUITES)
cd ../tf-psa-crypto/tests && perl ../../tests/scripts/run-test-suites.pl $(TEST_FLAGS) --skip=$(SKIP_TEST_SUITES)
test: check
@ -268,17 +300,22 @@ define libtestdriver1_rewrite :=
s/\b(?=mbedtls_|psa_)/libtestdriver1_/g;
endef
libtestdriver1.a: export MBEDTLS_PATH := $(patsubst ../..//%,/%,../../$(MBEDTLS_PATH))
libtestdriver1.a:
# Copy the library and fake a 3rdparty Makefile include.
rm -Rf ./libtestdriver1
mkdir ./libtestdriver1
mkdir ./libtestdriver1/tf-psa-crypto
mkdir ./libtestdriver1/tf-psa-crypto/drivers
mkdir ./libtestdriver1/tf-psa-crypto/drivers/everest
mkdir ./libtestdriver1/tf-psa-crypto/drivers/p256-m
touch ./libtestdriver1/tf-psa-crypto/drivers/everest/Makefile.inc
touch ./libtestdriver1/tf-psa-crypto/drivers/p256-m/Makefile.inc
cp -Rf ../framework ./libtestdriver1
cp -Rf ../library ./libtestdriver1
cp -Rf ../include ./libtestdriver1
cp -Rf ../tf-psa-crypto ./libtestdriver1
cp -Rf ../tf-psa-crypto/core ./libtestdriver1/tf-psa-crypto
cp -Rf ../tf-psa-crypto/include ./libtestdriver1/tf-psa-crypto
cp -Rf ../tf-psa-crypto/drivers/builtin ./libtestdriver1/tf-psa-crypto/drivers
cp -Rf ../scripts ./libtestdriver1
mkdir ./libtestdriver1/3rdparty
touch ./libtestdriver1/3rdparty/Makefile.inc
# Set the test driver base (minimal) configuration.
cp ./include/test/drivers/config_test_driver.h ./libtestdriver1/include/mbedtls/mbedtls_config.h
@ -298,8 +335,10 @@ libtestdriver1.a:
# when this test driver library is linked with the Mbed TLS library.
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/library/*.[ch]
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/include/*/*.h
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/core/*.[ch]
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/include/*/*.h
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/include/*/*.h
perl -pi -e '$(libtestdriver1_rewrite)' ./libtestdriver1/tf-psa-crypto/drivers/builtin/src/*.[ch]
$(MAKE) -C ./libtestdriver1/library CFLAGS="-I../../ $(CFLAGS)" LDFLAGS="$(LDFLAGS)" libmbedcrypto.a
cp ./libtestdriver1/library/libmbedcrypto.a ../library/libtestdriver1.a

44
tests/compat.sh
View File

@ -613,6 +613,8 @@ o_check_ciphersuite()
setup_arguments()
{
DATA_FILES_PATH="../framework/data_files"
O_MODE=""
G_MODE=""
case "$MODE" in
@ -651,7 +653,7 @@ setup_arguments()
# force it or not for intermediate versions.
case $($OPENSSL version) in
"OpenSSL 1.0"*)
O_SERVER_ARGS="$O_SERVER_ARGS -dhparam data_files/dhparams.pem"
O_SERVER_ARGS="$O_SERVER_ARGS -dhparam $DATA_FILES_PATH/dhparams.pem"
;;
esac
@ -702,13 +704,13 @@ setup_arguments()
if [ "X$VERIFY" = "XYES" ];
then
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
O_SERVER_ARGS="$O_SERVER_ARGS -CAfile data_files/test-ca_cat12.crt -Verify 10"
G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile data_files/test-ca_cat12.crt --require-client-cert"
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
O_SERVER_ARGS="$O_SERVER_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -Verify 10"
G_SERVER_ARGS="$G_SERVER_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt --require-client-cert"
M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=data_files/test-ca_cat12.crt auth_mode=required"
O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile data_files/test-ca_cat12.crt -verify 10"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile data_files/test-ca_cat12.crt"
M_CLIENT_ARGS="$M_CLIENT_ARGS ca_file=$DATA_FILES_PATH/test-ca_cat12.crt auth_mode=required"
O_CLIENT_ARGS="$O_CLIENT_ARGS -CAfile $DATA_FILES_PATH/test-ca_cat12.crt -verify 10"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509cafile $DATA_FILES_PATH/test-ca_cat12.crt"
else
# don't request a client cert at all
M_SERVER_ARGS="$M_SERVER_ARGS ca_file=none auth_mode=none"
@ -721,28 +723,28 @@ setup_arguments()
case $TYPE in
"ECDSA")
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server5.crt key_file=data_files/server5.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server5.crt -key data_files/server5.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server5.crt --x509keyfile data_files/server5.key"
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server5.crt key_file=$DATA_FILES_PATH/server5.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server5.crt -key $DATA_FILES_PATH/server5.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server5.crt --x509keyfile $DATA_FILES_PATH/server5.key"
if [ "X$VERIFY" = "XYES" ]; then
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/server6.crt key_file=data_files/server6.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/server6.crt -key data_files/server6.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/server6.crt --x509keyfile data_files/server6.key"
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/server6.crt key_file=$DATA_FILES_PATH/server6.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/server6.crt -key $DATA_FILES_PATH/server6.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/server6.crt --x509keyfile $DATA_FILES_PATH/server6.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
;;
"RSA")
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert data_files/server2-sha256.crt -key data_files/server2.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key"
M_SERVER_ARGS="$M_SERVER_ARGS crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -cert $DATA_FILES_PATH/server2-sha256.crt -key $DATA_FILES_PATH/server2.key"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key"
if [ "X$VERIFY" = "XYES" ]; then
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=data_files/cert_sha256.crt key_file=data_files/server1.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert data_files/cert_sha256.crt -key data_files/server1.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile data_files/cert_sha256.crt --x509keyfile data_files/server1.key"
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=$DATA_FILES_PATH/cert_sha256.crt key_file=$DATA_FILES_PATH/server1.key"
O_CLIENT_ARGS="$O_CLIENT_ARGS -cert $DATA_FILES_PATH/cert_sha256.crt -key $DATA_FILES_PATH/server1.key"
G_CLIENT_ARGS="$G_CLIENT_ARGS --x509certfile $DATA_FILES_PATH/cert_sha256.crt --x509keyfile $DATA_FILES_PATH/server1.key"
else
M_CLIENT_ARGS="$M_CLIENT_ARGS crt_file=none key_file=none"
fi
@ -751,9 +753,9 @@ setup_arguments()
"PSK")
# give RSA-PSK-capable server a RSA cert
# (should be a separate type, but harder to close with openssl)
M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=data_files/server2-sha256.crt key_file=data_files/server2.key"
M_SERVER_ARGS="$M_SERVER_ARGS psk=6162636465666768696a6b6c6d6e6f70 ca_file=none crt_file=$DATA_FILES_PATH/server2-sha256.crt key_file=$DATA_FILES_PATH/server2.key"
O_SERVER_ARGS="$O_SERVER_ARGS -psk 6162636465666768696a6b6c6d6e6f70 -nocert"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile data_files/server2-sha256.crt --x509keyfile data_files/server2.key --pskpasswd data_files/passwd.psk"
G_SERVER_ARGS="$G_SERVER_ARGS --x509certfile $DATA_FILES_PATH/server2-sha256.crt --x509keyfile $DATA_FILES_PATH/server2.key --pskpasswd $DATA_FILES_PATH/passwd.psk"
M_CLIENT_ARGS="$M_CLIENT_ARGS psk=6162636465666768696a6b6c6d6e6f70 crt_file=none key_file=none"
O_CLIENT_ARGS="$O_CLIENT_ARGS -psk 6162636465666768696a6b6c6d6e6f70"

4
tests/context-info.sh
View File

@ -19,7 +19,7 @@ fi
THIS_SCRIPT_NAME=$(basename "$0")
PROG_PATH="../programs/ssl/ssl_context_info"
OUT_FILE="ssl_context_info.log"
IN_DIR="data_files/base64"
IN_DIR="../framework/data_files/base64"
USE_VALGRIND=0
@ -401,7 +401,7 @@ run_test "Empty file as input" \
-u "Finished. No valid base64 code found"
run_test "Not empty file without base64 code" \
"../../context-info.sh" \
"../../../tests/context-info.sh" \
-n "Deserializing"
run_test "Binary file instead of text file" \

3
tests/data_files/.gitignore vendored
View File

@ -1,3 +0,0 @@
cli-rsa.csr
server2-rsa.csr
test-ca.csr

2167
tests/data_files/Makefile
View File

File diff suppressed because it is too large Load Diff

135
tests/data_files/Readme-x509.txt
View File

@ -1,135 +0,0 @@
This documents the X.509 CAs, certificates, and CRLS used for testing.
Certification authorities
-------------------------
There are two main CAs for use as trusted roots:
- test-ca.crt aka "C=NL, O=PolarSSL, CN=PolarSSL Test CA"
uses a RSA-2048 key
test-ca-sha1.crt and test-ca-sha256.crt use the same key, signed with
different hashes.
- test-ca2*.crt aka "C=NL, O=PolarSSL, CN=Polarssl Test EC CA"
uses an EC key with NIST P-384 (aka secp384r1)
variants used to test the keyUsage extension
The files test-ca_cat12 and test-ca_cat21 contain them concatenated both ways.
Two intermediate CAs are signed by them:
- test-int-ca.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate CA"
uses RSA-4096, signed by test-ca2
- test-int-ca-exp.crt is a copy that is expired
- test-int-ca2.crt "C=NL, O=PolarSSL, CN=PolarSSL Test Intermediate EC CA"
uses an EC key with NIST P-384, signed by test-ca
A third intermediate CA is signed by test-int-ca2.crt:
- test-int-ca3.crt "C=UK, O=mbed TLS, CN=mbed TLS Test intermediate CA 3"
uses an EC key with NIST P-256, signed by test-int-ca2
Finally, other CAs for specific purposes:
- enco-ca-prstr.pem: has its CN encoded as a printable string, but child cert
enco-cert-utf8str.pem has its issuer's CN encoded as a UTF-8 string.
- test-ca-v1.crt: v1 "CA", signs
server1-v1.crt: v1 "intermediate CA", signs
server2-v1*.crt: EE cert (without of with chain in same file)
- keyUsage.decipherOnly.crt: has the decipherOnly keyUsage bit set
End-entity certificates
-----------------------
Short information fields:
- name or pattern
- issuing CA: 1 -> test-ca.crt
2 -> test-ca2.crt
I1 -> test-int-ca.crt
I2 -> test-int-ca2.crt
I3 -> test-int-ca3.crt
O -> other
- key type: R -> RSA, E -> EC
- C -> there is a CRL revoking this cert (see below)
- L -> CN=localhost (useful for local test servers)
- P1, P2 if the file includes parent (resp. parent + grandparent)
- free-form comments
List of certificates:
- cert_example_multi*.crt: 1/O R: subjectAltName
- cert_example_wildcard.crt: 1 R: wildcard in subject's CN
- cert_md*.crt, cert_sha*.crt: 1 R: signature hash
- cert_v1_with_ext.crt: 1 R: v1 with extensions (illegal)
- cli2.crt: 2 E: basic
- cli-rsa.key, cli-rsa-*.crt: RSA key used for test clients, signed by
the RSA test CA.
- enco-cert-utf8str.pem: see enco-ca-prstr.pem above
- server1*.crt: 1* R C* P1*: misc *(server1-v1 see test-ca-v1.crt above)
*CRL for: .cert_type.crt, .crt, .key_usage.crt, .v1.crt
P1 only for _ca.crt
- server2-v1*.crt: O R: see test-ca-v1.crt above
- server2*.crt: 1 R L: misc
- server3.crt: 1 E L: EC cert signed by RSA CA
- server4.crt: 2 R L: RSA cert signed by EC CA
- server5*.crt: 2* E L: misc *(except -selfsigned and -ss-*)
-sha*: hashes
.eku*: extendeKeyUsage (cli/srv = www client/server, cs = codesign, etc)
.ku*: keyUsage (ds = signatures, ke/ka = key exchange/agreement)
.req*: CSR, not certificate
-der*: trailing bytes in der (?)
-badsign.crt: S5 with corrupted signature
-expired.crt: S5 with "not after" date in the past
-future.crt: S5 with "not before" date in the future
-non-compliant.crt: S5, RFC non-compliant
(with forbidden EC algorithm identifier NULL parameter)
generated by (before fix):
cert_write subject_key=server5.key subject_name="CN=Test EC RFC non-compliant" issuer_crt=test-ca2.crt issuer_key=test-ca2.key
-selfsigned.crt: Self-signed cert with S5 key
-ss-expired.crt: Self-signed cert with S5 key, expired
-ss-forgeca.crt: Copy of test-int-ca3 self-signed with S5 key
- server6-ss-child.crt: O E: "child" of non-CA server5-selfsigned
- server6.crt, server6.pem: 2 E L C: revoked
- server7.crt: I1 E L P1(usually): EC signed by RSA signed by EC
-badsign.crt: S7 with corrupted signature + I1
-expired.crt: S7 with "not after" date in the past + I1
-future.crt: S7 with "not before" date in the future + I1
_int-ca-exp.crt: S7 + expired I1
_int-ca.crt: S7 + I1
_int-ca_ca2.crt: S7 + I1 + 2
_all_space.crt: S7 + I1 both with misplaced spaces (invalid PEM)
_pem_space.crt: S7 with misplaced space (invalid PEM) + I1
_trailing_space.crt: S7 + I1 both with trailing space (valid PEM)
_spurious_int-ca.crt: S7 + I2(spurious) + I1
- server8*.crt: I2 R L: RSA signed by EC signed by RSA (P1 for _int-ca2)
- server9*.crt: 1 R C* L P1*: signed using RSASSA-PSS
*CRL for: 9.crt, -badsign, -with-ca (P1)
- server10.crt: I3 E L
-badsign.crt: S10 with corrupted signature
-bs_int3.pem: S10-badsign + I3
_int3-bs.pem: S10 + I3-badsign
_int3_int-ca2.crt: S10 + I3 + I2
_int3_int-ca2_ca.crt: S10 + I3 + I2 + 1
_int3_spurious_int-ca2.crt: S10 + I3 + I1(spurious) + I2
Certificate revocation lists
----------------------------
Signing CA in parentheses (same meaning as certificates).
- crl-ec-sha*.pem: (2) server6.crt
- crl-future.pem: (2) server6.crt + unknown
- crl-rsa-pss-*.pem: (1) server9{,badsign,with-ca}.crt + cert_sha384.crt + unknown
- crl.pem, crl-futureRevocationDate.pem, crl_expired.pem: (1) server1{,.cert_type,.key_usage,.v1}.crt + unknown
- crl_md*.pem: crl_sha*.pem: (1) same as crl.pem
- crt_cat_*.pem: (1+2) concatenations in various orders:
ec = crl-ec-sha256.pem, ecfut = crl-future.pem
rsa = crl.pem, rsabadpem = same with pem error, rsaexp = crl_expired.pem
Note: crl_future would revoke server9 and cert_sha384.crt if signed by CA 1
crl-rsa-pss* would revoke server6.crt if signed by CA 2
Generation
----------
Newer test files have been generated through commands in the Makefile. The
resulting files are committed to the repository so that the tests can
run without having to re-do the generation and so that the output is the
same for everyone (the generation process is randomized).
The origin of older certificates has not been recorded.

BIN
tests/data_files/authorityKeyId_no_authorityKeyId.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_no_issuer.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_no_keyid.crt.der
View File

Binary file not shown.

19
tests/data_files/authorityKeyId_subjectKeyId.conf
View File

@ -1,19 +0,0 @@
[req]
distinguished_name = req_distinguished_name
x509_extensions = v3_req
prompt = no
[req_distinguished_name]
countryName = NL
organizationalUnitName = PolarSSL
commonName = PolarSSL Test CA
[v3_req]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always,issuer:always
[v3_req_authorityKeyId_no_keyid]
subjectKeyIdentifier = hash
authorityKeyIdentifier = issuer:always
[v3_req_authorityKeyId_no_issuer]
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[v3_req_no_authorityKeyId]
subjectKeyIdentifier = hash

BIN
tests/data_files/authorityKeyId_subjectKeyId.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_issuer_tag1_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_issuer_tag2_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_len_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_keyid_tag_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_length_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_sequence_tag_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_sn_len_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_sn_tag_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_tag_len_malformed.crt.der
View File

Binary file not shown.

BIN
tests/data_files/authorityKeyId_subjectKeyId_tag_malformed.crt.der
View File

Binary file not shown.

2
tests/data_files/base64/cli_cid.txt
View File

@ -1,2 +0,0 @@
// Client, CID 0xBEEF
AhUAAH8AAA8AAAQ8AAAAAF6MZUPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABh7h8/aprLN1fS0KwLkZzKcsa5LNtDW7sYu7d1z7fNetuRjLJpX/A1mTSqeBY7li8AAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJRZtK1pHRuu/Uw+Y91KCaqMAHKWeVJvuqjiTaElrahsx+HYoZ1+8i5BMY1NOL/y4TR9qZdxY+7NvNrEdEoFgcI/DqUN0aKs0zAIPmk92pFnjnbro5LxWRm3JbtIFcG6PdN+9aAbISrewt6EERIPhS45aH+Si08NLrvM+CcEBfqBBqOD+4LCZqT8nDBtALJyRqiykibsAAFRgAAAAF6MZUNak74BhbcgvZ2M8WhZKjQyCix7GJzRs4SqnD7iXoxlQ7YXjsVI0K/xyMOJPkT9ZcPEi/2jHGIte1ZduW4Cvu8C3q0AAAAAAAAAAAAAAAIAAAAAAAAABwAAAQAAAAAAAwAAAA==

2
tests/data_files/base64/cli_ciphersuite.txt
View File

@ -1,2 +0,0 @@
// TLS-RSA-WITH-AES-256-CCM-8
AhUAAH8AAA4AAAQ8AAAAAF6K4ynAoQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAADLBIQUrrPh7jxYz9e55cJvfpOkuBf2ZiVovlYa1Dkwbimp5q/CoWIn48C0x3Yj6N0AAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJQBiQTa148x1XQyGt9vU2JxAHIZ9HxLR87PewpTaslP0qJ4FK6cibG/U4ACVriGQMpNkJo6xRRn5dGyKE5L5iqcLQZ4zwcJT50NYlVQqzlXPArOaAzjVAX4k+TwL/VmNepmn3wvregAADeiGsvvbaAw2P9fhCgwX6Bm0YNzkWQsNwWENa6GoZLzvMM51G44611fFnKoAAFRgAAAAF6K4yksMvMV19qRq+eNokGn0j9Q5tjE88EK8jfM7gksXorjKR6zhXhttFGIFkNNAmmKuuDQGVmX1yCoHiJFonUAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==

2
tests/data_files/base64/cli_def.txt
View File

@ -1,2 +0,0 @@
// Client context with default MbedTLS configuration
AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==

2
tests/data_files/base64/cli_min_cfg.txt
View File

@ -1,2 +0,0 @@
// Minimal configuration
AhUAAAMAAAAAAAOeAAAAAF6LZlLMqAAgUGktPmpSPbzRPipeCpYJtp5SNIIjTr3R121WF9AeWN4tmKbRhhv+yPMjY0yWPrHLy7lLLhwNFBwCD6eQ0ULZZ15Fi2Rhae/4ZkAR0BN2iCMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLdei2ZSQwLppTqzs7kieOYQR6DjJItmQ0N/RS3+zTr9wF6LZlL6SQpLewmyja7jXyOWuUqJ6zJQ5b7FfA4PxthlAAABAAAAAAACAAA=

3
tests/data_files/base64/cli_no_alpn.txt
View File

@ -1,3 +0,0 @@
// Without MBEDTLS_SSL_ALPN
AhUAAH8AAAYAAAQ8AAAAAF6LDSzMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB1lCUO8B/805UzCOLZzWDAEA8anfLpbuWTrnFSR2puZktvEiR8nXdATN0yKS94oSAAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJQVUI/Wwt3q4XiqL74wCmkhAHKj0YgCvjZi3GKw0s7PJqjZzzLt+OuroC8Q2XeDf5nKKk8jkolZ+dXUftsPPizFgb2hGuYa4NhxXjiGlUpFEoXm7r78SwGfWxRgH5vJk6W3TdodkxTZkjMoWjlC2PANOHPeClw0szBmly7+s89LFZqnCXgyxE8xlv+l5IYSEPSj7UsmAAFRgAAAAF6LDSwWt0QWgmNg4Zv2yYhf4Pdexpi/QTIqWyD2AQVjXosNLLK1vz/upFHrJlizjH5uSBUJCpQZJczrBgxBmGoAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAA

2
tests/data_files/base64/cli_no_keep_cert.txt
View File

@ -1,2 +0,0 @@
// Without MBEDTLS_SSL_KEEP_PEER_CERTIFICATE
AhUAAAMAAAAAAACCAAAAAF6MKhTMqAAgSKCqXrcrmjqOBpxsGO3itQB09YgsSJwXmZB12QlB+wwhiof0mzAN0hupkLxu4Yyc9SgyFoEDPKJk8TiRo8bO2rkEfPItB5lUFkJwzdeuGVMAAAAABiCAy8MWqlj4vnIv0mswJvB35hyCOYWZ+fcZ6t5LzZgXPl6MKhRs69b+psiGUAo8OK3fU4HKOHNdi36tk22+ScctXowqFEyvzGcvbtI0VfWLKlOlDv+SwC08ZdCNa+RBZ/AAAAEAAAAAAAIAAA==

2
tests/data_files/base64/cli_no_mfl.txt
View File

@ -1,2 +0,0 @@
// Without MBEDTLS_SSL_MAX_FRAGMENT_LENGTH
AhUAAHcAAA4AAAQ6AAAAAF6LDLPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA0fzGzO1ysljMgZr4gduigvRXr2AK5X8j8c6vHTOpc2ncFS3UN2ojwD2tOaM3+/XIAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJMiPbE45oAjg9Rx0iVnQDg2AHHKrrmSMTfVijgZbdL/ZFWYvFMioa7uqW0NmA0bSTxcsieRarndOq5fIdEIzmAgGkdaxJaGNDT105gwwIzUnLRapgP6H6IImSMFPXVp3Zks0zFfrq7aQnQMgc8o5kPqWq1/eYfdq8lysTO8Rgliv96lA/pe1SQmPL1mdChAwCa/4XEAAVGAAABeiwyzXGz4yPwEgvq/TWq0dZXvD6mzEbAty1oZJIvRpl6LDLOyQ94MIvSKw7OH4mg+DNL+ZW0xzQbKQalloUG6AAAAAAAAAAAAAAABAAAAAAAAAAMAAAEAAAAAAAIAAAA=

2
tests/data_files/base64/cli_no_packing.txt
View File

@ -1,2 +0,0 @@
// Without DTLS packing
AhUAAH8AAA4AAAQ8AAAAAF6LCM/MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACfl0tXNmshIQEqiEflQGnVUKkIFl1on/Mu0pjWes3XwQgdwmy9xMzpVyYU5gBOsOEAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJRTvlE7NmNNLDESUBoGC+K2AHIKA+/lhdRVF4YcMvvqCBYFB5tj0oyCikftfjNbvjl9YPGqcRXk664YieWv/pz8U1FOENipbjXF9lFhgedG2Xanh/2FwHX5txYiHIJxJeLEKCXp5Sjt9XBvQsrryxLyX9l+zkLKm7bCAcrfk4h/YoqxecAI63isG9vnrS7o07iD/3mOAAFRgAAAAF6LCM+1uRpyaoyfzuNGBJK9DgBWIWtrPpu7KM8qsC/FXosIz/YIPhveZ8Z4IR0g/McAMQwzQoK5tScSE0DD3BwAAAAAAAAAAAAAAAEAAAAAAAAAAwEAAQAAAAAAAgAAAA==

5
tests/data_files/base64/def_b64_ff.bin
View File

@ -1,5 +0,0 @@
// Ensure that the b64 parser continues after encountering a 0xFF
// character. Note that this byte is invalid UTF-8, making this
// entire file invalid UTF-8. Use care when editing.
// -> ÿ <-
AhUAAH8AAA4AAABtAAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAACAAAAAAAAAAAAAAAAAAV6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==

2
tests/data_files/base64/def_b64_too_big_1.txt
View File

@ -1,2 +0,0 @@
// Context with added '1234' at the beginning to simulate too much data in the base64 code
1234AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==

2
tests/data_files/base64/def_b64_too_big_2.txt
View File

@ -1,2 +0,0 @@
// Context with added '1234' in the middle of code to simulate too much data
AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7m1234gM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA==

2
tests/data_files/base64/def_b64_too_big_3.txt
View File

@ -1,2 +0,0 @@
// Context with added '1234' before '==' add the end to simulate too much data in the base64 code
AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA1234==

2
tests/data_files/base64/def_bad_b64.txt
View File

@ -1,2 +0,0 @@
// Context with added extra 'A' before '==' add the end to simulate bad length of base64 code
AhUAAH8AAA4AAAQ8AAAAAF6HQx3MqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACG2QbHbUj8eGpdx5KVIebiwk0jvRj9/3m6BOSzpA7qBXeEunhqr3D11NE7ciGjeHMAAAAAAAM7MIIDNzCCAh+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA7MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxGTAXBgNVBAMMEFBvbGFyU1NMIFRlc3QgQ0EwHhcNMTkwMjEwMTQ0NDA2WhcNMjkwMjEwMTQ0NDA2WjA0MQswCQYDVQQGEwJOTDERMA8GA1UECgwIUG9sYXJTU0wxEjAQBgNVBAMMCWxvY2FsaG9zdDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMFNo93nzR3RBNdJcriZrA545Do8Ss86ExbQWuTNowCIp+4ea5anUrSQ7y1yej4kmvy2NKwk9XfgJmSMnLAofaHa6ozmyRyWvP7BBFKzNtSj+uGxdtiQwWG0ZlI2oiZTqqt0Xgd9GYLbKtgfoNkNHC1JZvdbJXNG6AuKT2kMtQCQ4dqCEGZ9rlQri2V5kaHiYcPNQEkI7mgM8YuG0ka/0LiqEQMef1aoGh5EGA8PhYvai0Re4hjGYi/HZo36Xdh98yeJKQHFkA4/J/EwyEoO79bex8cna8cFPXrEAjyaHT4P6DSYW8tzS1KW2BGiLICIaTla0w+w3lkvEcf36hIBMJcCAwEAAaNNMEswCQYDVR0TBAIwADAdBgNVHQ4EFgQUpQXoZLjc32APUBJNYKhkr02LQ5MwHwYDVR0jBBgwFoAUtFrkpbPe0lL2udWmlQ/rPrzH/f8wDQYJKoZIhvcNAQELBQADggEBAC465FJhPqel7zJngHIHJrqj/wVAxGAFOTF396XKATGAp+HRCqJ81Ry60CNK1jDzk8dv6M6UHoS7RIFiM/9rXQCbJfiPD5xMTejZp5n5UYHAmxsxDaazfA5FuBhkfokKK6jD4Eq91C94xGKb6X4/VkaPF7cqoBBw/bHxawXc0UEPjqayiBpCYU/rJoVZgLqFVP7Px3sva1nOrNx8rPPI1hJ+ZOg8maiPTxHZnBVLakSSLQy/sWeWyazO1RnrbxjrbgQtYKz0e3nwGpu1w13vfckFmUSBhHXH7AAS/HpKC4IH7G2GAk3+n8iSSN71sZzpxonQwVbopMZqLmbBm/7WPLcAAJTfQC2Ek91INP5ihHNzImPOAHJCk+YTO/pQuEnNWwXbdmKAi+IRp671iAwtpkjSxCBXVzKX925F1A66caCOQptlw+9zFukDQgblM2JyAJLG0j6B4RtBTDWJ8ZTMUPHUoLJoEpm8APZgRi//DMRyCKP9pbBLGlDzgUvl0w11LzBAlJHkWau5NoqQBlG7w4HFrKweovskAAFRgAAAAF6HQx248L77RH0Z973tSYNQ8zBsz861CZG5/T09TJz3XodDHe/iJ+cgXb5An3zTdnTBtw3EWAb68T+gCE33GN8AAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAAA==

2
tests/data_files/base64/mfl_1024.txt
View File

@ -1,2 +0,0 @@
// MFL=1024
AhUAAH8AAA4AAABtAAAAAF6K+GLMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAACHeeQKPVt9RpB8nLTB6C2AhxRzB0r/OBbXbMPm6jb1rkR+qrXZAUFRvGfGxlqqGWwAAACAAAAAAAAAAAAAAAIAAV6K+GJIXNnpKTr9HZQW6WEH7YSYhhRRqOO6xvf8QL6/Xor4YhOxOJYk23w3AwDvVAofeWnVAfJnExe5ipdSxnAAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAgAAAA===

2
tests/data_files/base64/mtu_10000.txt
View File

@ -1,2 +0,0 @@
// MTU=10000
AhUAAH8AAA4AAABtAAAAAF6LDkzMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABx06kxYooMLGPyUMoB46EF2zTJzmZEM4le5aKihcHpFEfgrX/eWQZFWa7cak79ihwAAACAAAAAAAAAAAAAAAAAAV6LDkz9bigMk9q0WiDmgYhX8ppbfgbtMCfruvVQNiFWXosOTJ3R2+J+TaSChmjtS8sD+y1Zruhe/SJE7y9D+5YAAAAAAAAAAAAAAAEAAAAAAAAAAwAAAQAAAAAAAicQAA==

2
tests/data_files/base64/srv_cid.txt
View File

@ -1,2 +0,0 @@
// Server, CID 0xDEAD
AhUAAH8AAA8AAABtAAAAAF6MZUPMqAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABh7h8/aprLN1fS0KwLkZzKcsa5LNtDW7sYu7d1z7fNetuRjLJpX/A1mTSqeBY7li8AAACAAAAAAAAAAAAAAAAAAV6MZUNak74BhbcgvZ2M8WhZKjQyCix7GJzRs4SqnD7iXoxlQ7YXjsVI0K/xyMOJPkT9ZcPEi/2jHGIte1ZduW4C3q0Cvu8AAAAAAAAAAAAAAAIAAAAAAAAABwAAAQAAAAAAAwAAAA==

Some files were not shown because too many files have changed in this diff Show More