mirror/mbedtls
1
0
Fork 0
mirror of https://github.com/Mbed-TLS/mbedtls.git synced 2025-02-03 20:54:00 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity

Merge branch 'development' into default-compiler-all

Browse Source 
Signed-off-by: Dave Rodgman <dave.rodgman@arm.com>
This commit is contained in:
Dave Rodgman 2023-12-21 14:35:14 +00:00 committed by GitHub
commit 3bc249959c
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
38 changed files with 2374 additions and 1004 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitignore vendored
View File

@ -63,5 +63,7 @@ massif-*
/cscope*.out
/tags
# Clangd compilation database
# clangd compilation database
compile_commands.json
# clangd index files
/.cache/clangd/index/

6
CMakeLists.txt
View File

@ -117,7 +117,7 @@ endif()
# If this is the root project add longer list of available CMAKE_BUILD_TYPE values
if(CMAKE_SOURCE_DIR STREQUAL CMAKE_CURRENT_SOURCE_DIR)
set(CMAKE_BUILD_TYPE ${CMAKE_BUILD_TYPE}
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull"
CACHE STRING "Choose the type of build: None Debug Release Coverage ASan ASanDbg MemSan MemSanDbg Check CheckFull TSan TSanDbg"
FORCE)
endif()
@ -212,6 +212,8 @@ if(CMAKE_COMPILER_IS_GNU)
set(CMAKE_C_FLAGS_COVERAGE "-O0 -g3 --coverage")
set(CMAKE_C_FLAGS_ASAN "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O3")
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_CHECK "-Os")
set(CMAKE_C_FLAGS_CHECKFULL "${CMAKE_C_FLAGS_CHECK} -Wcast-qual")
endif(CMAKE_COMPILER_IS_GNU)
@ -225,6 +227,8 @@ if(CMAKE_COMPILER_IS_CLANG)
set(CMAKE_C_FLAGS_ASANDBG "-fsanitize=address -fno-common -fsanitize=undefined -fno-sanitize-recover=all -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_MEMSAN "-fsanitize=memory -O3")
set(CMAKE_C_FLAGS_MEMSANDBG "-fsanitize=memory -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls -fsanitize-memory-track-origins=2")
set(CMAKE_C_FLAGS_TSAN "-fsanitize=thread -O3")
set(CMAKE_C_FLAGS_TSANDBG "-fsanitize=thread -O1 -g3 -fno-omit-frame-pointer -fno-optimize-sibling-calls")
set(CMAKE_C_FLAGS_CHECK "-Os")
endif(CMAKE_COMPILER_IS_CLANG)

3
ChangeLog.d/non-psa-pk-implementation.txt Normal file
View File

@ -0,0 +1,3 @@
Changes
* mbedtls_pk_sign_ext() is now always available, not just when
PSA (MBEDTLS_PSA_CRYPTO_C) is enabled.

1341
docs/psa-transition.md Normal file
View File

File diff suppressed because it is too large Load Diff

6
include/mbedtls/config_adjust_legacy_crypto.h
View File

@ -235,9 +235,9 @@
#define MBEDTLS_PSA_CRYPTO_CLIENT
#endif /* MBEDTLS_PSA_CRYPTO_C */
/* The PK wrappers need pk_write functions to format RSA key objects
* when they are dispatching to the PSA API. This happens under USE_PSA_CRYPTO,
* and also even without USE_PSA_CRYPTO for mbedtls_pk_sign_ext(). */
/* The PK wrappers need pk_write/pk_parse functions to format RSA key objects
* when they are dispatching to the PSA API. This happens under MBEDTLS_USE_PSA_CRYPTO,
* and even under just MBEDTLS_PSA_CRYPTO_C in psa_crypto_rsa.c. */
#if defined(MBEDTLS_PSA_CRYPTO_C) && defined(MBEDTLS_RSA_C)
#define MBEDTLS_PK_C
#define MBEDTLS_PK_WRITE_C

2
include/mbedtls/debug.h
View File

@ -230,7 +230,7 @@ void mbedtls_debug_print_mpi(const mbedtls_ssl_context *ssl, int level,
const char *text, const mbedtls_mpi *X);
#endif
#if defined(MBEDTLS_ECP_C)
#if defined(MBEDTLS_ECP_LIGHT)
/**
* \brief Print an ECP point to the debug output. This function is always
* used through the MBEDTLS_SSL_DEBUG_ECP() macro, which supplies the

2
include/mbedtls/mbedtls_config.h
View File

@ -2191,6 +2191,8 @@
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
* Requires: MBEDTLS_PKCS1_V21
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
#define MBEDTLS_X509_RSASSA_PSS_SUPPORT

17
include/mbedtls/pk.h
View File

@ -28,7 +28,7 @@
#include "mbedtls/ecdsa.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#endif
@ -229,7 +229,7 @@ typedef struct mbedtls_pk_context {
void *MBEDTLS_PRIVATE(pk_ctx); /**< Underlying public key context */
/* The following field is used to store the ID of a private key in the
* following cases:
* - opaque key when MBEDTLS_PSA_CRYPTO_C is defined
* - opaque key when MBEDTLS_USE_PSA_CRYPTO is defined
* - normal key when MBEDTLS_PK_USE_PSA_EC_DATA is defined. In this case:
* - the pk_ctx above is not not used to store the private key anymore.
* Actually that field not populated at all in this case because also
@ -239,15 +239,10 @@ typedef struct mbedtls_pk_context {
*
* Note: this private key storing solution only affects EC keys, not the
* other ones. The latters still use the pk_ctx to store their own
* context.
*
* Note: this priv_id is guarded by MBEDTLS_PSA_CRYPTO_C and not by
* MBEDTLS_PK_USE_PSA_EC_DATA (as the public counterpart below) because,
* when working with opaque keys, it can be used also in
* mbedtls_pk_sign_ext for RSA keys. */
#if defined(MBEDTLS_PSA_CRYPTO_C)
* context. */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t MBEDTLS_PRIVATE(priv_id); /**< Key ID for opaque keys */
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* The following fields are meant for storing the public key in raw format
* which is handy for:
* - easily importing it into the PSA context
@ -615,7 +610,6 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
unsigned char *sig, size_t sig_size, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t), void *p_rng);
#if defined(MBEDTLS_PSA_CRYPTO_C)
/**
* \brief Make signature given a signature type.
*
@ -652,7 +646,6 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
unsigned char *sig, size_t sig_size, size_t *sig_len,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng);
#endif /* MBEDTLS_PSA_CRYPTO_C */
/**
* \brief Restartable version of \c mbedtls_pk_sign()

2
include/mbedtls/rsa.h
View File

@ -869,6 +869,7 @@ int mbedtls_rsa_rsassa_pkcs1_v15_sign(mbedtls_rsa_context *ctx,
const unsigned char *hash,
unsigned char *sig);
#if defined(MBEDTLS_PKCS1_V21)
/**
* \brief This function performs a PKCS#1 v2.1 PSS signature
* operation (RSASSA-PSS-SIGN).
@ -969,6 +970,7 @@ int mbedtls_rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig);
#endif /* MBEDTLS_PKCS1_V21 */
/**
* \brief This function performs a public RSA operation and checks

35
include/psa/crypto_extra.h
View File

@ -428,6 +428,7 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
* of psa_set_key_type() when you need to specify domain parameters.
*
* The format for the required domain parameters varies based on the key type.
* Mbed TLS supports the following key type with domain parameters:
*
* - For RSA keys (#PSA_KEY_TYPE_RSA_PUBLIC_KEY or #PSA_KEY_TYPE_RSA_KEY_PAIR),
* the domain parameter data consists of the public exponent,
@ -437,32 +438,6 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
* key data and the exponent recorded in the attribute structure is ignored.
* As an exception, the public exponent 65537 is represented by an empty
* byte string.
* - For DSA keys (#PSA_KEY_TYPE_DSA_PUBLIC_KEY or #PSA_KEY_TYPE_DSA_KEY_PAIR),
* the `Dss-Params` format as defined by RFC 3279 &sect;2.3.2.
* ```
* Dss-Params ::= SEQUENCE {
* p INTEGER,
* q INTEGER,
* g INTEGER
* }
* ```
* - For Diffie-Hellman key exchange keys
* (#PSA_KEY_TYPE_DH_PUBLIC_KEY(#PSA_DH_FAMILY_CUSTOM) or
* #PSA_KEY_TYPE_DH_KEY_PAIR(#PSA_DH_FAMILY_CUSTOM)), the
* `DomainParameters` format as defined by RFC 3279 &sect;2.3.3.
* ```
* DomainParameters ::= SEQUENCE {
* p INTEGER, -- odd prime, p=jq +1
* g INTEGER, -- generator, g
* q INTEGER, -- factor of p-1
* j INTEGER OPTIONAL, -- subgroup factor
* validationParams ValidationParams OPTIONAL
* }
* ValidationParams ::= SEQUENCE {
* seed BIT STRING,
* pgenCounter INTEGER
* }
* ```
*
* \note This function may allocate memory or other resources.
* Once you have called this function on an attribute structure,
@ -471,6 +446,9 @@ psa_status_t mbedtls_psa_inject_entropy(const uint8_t *seed,
* \note This is an experimental extension to the interface. It may change
* in future versions of the library.
*
* \note Due to an implementation limitation, domain parameters are ignored
* for keys that are managed by a driver.
*
* \param[in,out] attributes Attribute structure where the specified domain
* parameters will be stored.
* If this function fails, the content of
@ -501,6 +479,9 @@ psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
* \note This is an experimental extension to the interface. It may change
* in future versions of the library.
*
* \note Due to an implementation limitation, domain parameters are not
* supported with keys that are managed by a driver.
*
* \param[in] attributes The key attribute structure to query.
* \param[out] data On success, the key domain parameters.
* \param data_size Size of the \p data buffer in bytes.
@ -513,6 +494,8 @@ psa_status_t psa_set_key_domain_parameters(psa_key_attributes_t *attributes,
*
* \retval #PSA_SUCCESS \emptydescription
* \retval #PSA_ERROR_BUFFER_TOO_SMALL \emptydescription
* \retval #PSA_ERROR_NOT_SUPPORTED
* The key is managed by a driver.
*/
psa_status_t psa_get_key_domain_parameters(
const psa_key_attributes_t *attributes,

12
include/psa/crypto_struct.h
View File

@ -254,6 +254,18 @@ struct psa_key_attributes_s {
#if defined(MBEDTLS_PSA_CRYPTO_SE_C)
psa_key_slot_number_t MBEDTLS_PRIVATE(slot_number);
#endif /* MBEDTLS_PSA_CRYPTO_SE_C */
/* Unlike normal buffers, there are three cases for domain_parameters
* and domain_parameters_size:
* - domain_parameters_size == SIZE_MAX && domain_parameters == NULL:
* Access to domain parameters is not supported for this key.
* This is a hack which should not exist, intended for keys managed
* by a driver, because drivers don't support domain parameters.
* - domain_parameters_size == 0 && domain_parameters == NULL:
* The domain parameters are empty.
* - domain_parameters_size > 0 &&
* domain_parameters == valid pointer to domain_parameters_size bytes:
* The domain parameters are non-empty.
*/
void *MBEDTLS_PRIVATE(domain_parameters);
size_t MBEDTLS_PRIVATE(domain_parameters_size);
};

27
library/alignment.h
View File

@ -180,6 +180,16 @@ inline void mbedtls_put_unaligned_uint64(void *p, uint64_t x)
#define MBEDTLS_BSWAP32 __rev
#endif
/* Detect IAR built-in byteswap routine */
#if defined(__IAR_SYSTEMS_ICC__)
#if defined(__ARM_ACLE)
#include <arm_acle.h>
#define MBEDTLS_BSWAP16(x) ((uint16_t) __rev16((uint32_t) (x)))
#define MBEDTLS_BSWAP32 __rev
#define MBEDTLS_BSWAP64 __revll
#endif
#endif
/*
* Where compiler built-ins are not present, fall back to C code that the
* compiler may be able to detect and transform into the relevant bswap or
@ -224,10 +234,25 @@ static inline uint64_t mbedtls_bswap64(uint64_t x)
#endif /* !defined(MBEDTLS_BSWAP64) */
#if !defined(__BYTE_ORDER__)
#if defined(__LITTLE_ENDIAN__)
/* IAR defines __xxx_ENDIAN__, but not __BYTE_ORDER__ */
#define MBEDTLS_IS_BIG_ENDIAN 0
#elif defined(__BIG_ENDIAN__)
#define MBEDTLS_IS_BIG_ENDIAN 1
#else
static const uint16_t mbedtls_byte_order_detector = { 0x100 };
#define MBEDTLS_IS_BIG_ENDIAN (*((unsigned char *) (&mbedtls_byte_order_detector)) == 0x01)
#endif
#else
#define MBEDTLS_IS_BIG_ENDIAN ((__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__))
#if (__BYTE_ORDER__) == (__ORDER_BIG_ENDIAN__)
#define MBEDTLS_IS_BIG_ENDIAN 1
#else
#define MBEDTLS_IS_BIG_ENDIAN 0
#endif
#endif /* !defined(__BYTE_ORDER__) */
/**

2
library/ccm.c
View File

@ -91,7 +91,7 @@ int mbedtls_ccm_setkey(mbedtls_ccm_context *ctx,
}
#endif
return 0;
return ret;
}
/*

50
library/pk.c
View File

@ -18,6 +18,9 @@
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
#if defined(MBEDTLS_PKCS1_V21) && !defined(MBEDTLS_USE_PSA_CRYPTO)
#include "rsa_internal.h"
#endif
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "mbedtls/ecp.h"
@ -26,7 +29,7 @@
#include "mbedtls/ecdsa.h"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "md_psa.h"
#endif
@ -41,9 +44,9 @@ void mbedtls_pk_init(mbedtls_pk_context *ctx)
{
ctx->pk_info = NULL;
ctx->pk_ctx = NULL;
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
ctx->priv_id = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
memset(ctx->pub_raw, 0, sizeof(ctx->pub_raw));
ctx->pub_raw_len = 0;
@ -579,7 +582,7 @@ int mbedtls_pk_verify_ext(mbedtls_pk_type_t type, const void *options,
return PSA_PK_RSA_TO_MBEDTLS_ERR(status);
} else
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
if (sig_len < mbedtls_pk_get_len(ctx)) {
return MBEDTLS_ERR_RSA_VERIFY_FAILED;
@ -672,7 +675,6 @@ int mbedtls_pk_sign(mbedtls_pk_context *ctx, mbedtls_md_type_t md_alg,
f_rng, p_rng, NULL);
}
#if defined(MBEDTLS_PSA_CRYPTO_C)
/*
* Make a signature given a signature type.
*/
@ -684,11 +686,6 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng)
{
#if defined(MBEDTLS_RSA_C)
psa_algorithm_t psa_md_alg;
#endif /* MBEDTLS_RSA_C */
*sig_len = 0;
if (ctx->pk_info == NULL) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
@ -702,8 +699,10 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
sig, sig_size, sig_len, f_rng, p_rng);
}
#if defined(MBEDTLS_RSA_C)
psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PKCS1_V21)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
const psa_algorithm_t psa_md_alg = mbedtls_md_psa_alg_from_type(md_alg);
if (psa_md_alg == 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
@ -720,12 +719,31 @@ int mbedtls_pk_sign_ext(mbedtls_pk_type_t pk_type,
return mbedtls_pk_psa_rsa_sign_ext(PSA_ALG_RSA_PSS(psa_md_alg),
ctx->pk_ctx, hash, hash_len,
sig, sig_size, sig_len);
#else /* MBEDTLS_RSA_C */
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
#endif /* !MBEDTLS_RSA_C */
#else /* MBEDTLS_USE_PSA_CRYPTO */
if (sig_size < mbedtls_pk_get_len(ctx)) {
return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
}
if (pk_hashlen_helper(md_alg, &hash_len) != 0) {
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
}
mbedtls_rsa_context *const rsa_ctx = mbedtls_pk_rsa(*ctx);
const int ret = mbedtls_rsa_rsassa_pss_sign_no_mode_check(rsa_ctx, f_rng, p_rng, md_alg,
(unsigned int) hash_len, hash, sig);
if (ret == 0) {
*sig_len = rsa_ctx->len;
}
return ret;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
#endif /* MBEDTLS_RSA_C && MBEDTLS_PKCS1_V21 */
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
/*
* Decrypt message

34
library/pk_internal.h
View File

@ -19,9 +19,7 @@
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa_util_internal.h"
#define PSA_PK_TO_MBEDTLS_ERR(status) psa_pk_status_to_mbedtls(status)
#define PSA_PK_RSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
@ -30,9 +28,23 @@
#define PSA_PK_ECDSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_pk_ecdsa_errors, \
psa_pk_status_to_mbedtls)
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/* Headers/footers for PEM files */
#define PEM_BEGIN_PUBLIC_KEY "-----BEGIN PUBLIC KEY-----"
#define PEM_END_PUBLIC_KEY "-----END PUBLIC KEY-----"
#define PEM_BEGIN_PRIVATE_KEY_RSA "-----BEGIN RSA PRIVATE KEY-----"
#define PEM_END_PRIVATE_KEY_RSA "-----END RSA PRIVATE KEY-----"
#define PEM_BEGIN_PUBLIC_KEY_RSA "-----BEGIN RSA PUBLIC KEY-----"
#define PEM_END_PUBLIC_KEY_RSA "-----END RSA PUBLIC KEY-----"
#define PEM_BEGIN_PRIVATE_KEY_EC "-----BEGIN EC PRIVATE KEY-----"
#define PEM_END_PRIVATE_KEY_EC "-----END EC PRIVATE KEY-----"
#define PEM_BEGIN_PRIVATE_KEY_PKCS8 "-----BEGIN PRIVATE KEY-----"
#define PEM_END_PRIVATE_KEY_PKCS8 "-----END PRIVATE KEY-----"
#define PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----BEGIN ENCRYPTED PRIVATE KEY-----"
#define PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8 "-----END ENCRYPTED PRIVATE KEY-----"
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS) && !defined(MBEDTLS_PK_USE_PSA_EC_DATA)
/**
* Public function mbedtls_pk_ec() can be used to get direct access to the
* wrapped ecp_keypair structure pointed to the pk_ctx. However this is not
@ -68,10 +80,10 @@ static inline mbedtls_ecp_keypair *mbedtls_pk_ec_rw(const mbedtls_pk_context pk)
return NULL;
}
}
#endif /* !MBEDTLS_PK_USE_PSA_EC_DATA */
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS && !MBEDTLS_PK_USE_PSA_EC_DATA */
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_context *pk)
static inline mbedtls_ecp_group_id mbedtls_pk_get_ec_group_id(const mbedtls_pk_context *pk)
{
mbedtls_ecp_group_id id;
@ -105,6 +117,16 @@ static inline mbedtls_ecp_group_id mbedtls_pk_get_group_id(const mbedtls_pk_cont
#if defined(MBEDTLS_ECP_HAVE_CURVE25519) || defined(MBEDTLS_ECP_HAVE_CURVE448)
#define MBEDTLS_PK_HAVE_RFC8410_CURVES
#endif /* MBEDTLS_ECP_HAVE_CURVE25519 || MBEDTLS_ECP_DP_CURVE448 */
#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
static inline int mbedtls_pk_is_rfc8410(const mbedtls_pk_context *pk)
{
mbedtls_ecp_group_id id = mbedtls_pk_get_ec_group_id(pk);
return MBEDTLS_PK_IS_RFC8410_GROUP_ID(id);
}
#endif /* MBEDTLS_PK_HAVE_ECC_KEYS */
/* Helper for (deterministic) ECDSA */

134
library/pk_wrap.c
View File

@ -26,17 +26,14 @@
#include "mbedtls/ecdsa.h"
#endif
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa_util_internal.h"
#include "psa/crypto.h"
#if defined(MBEDTLS_RSA_C)
#include "pkwrite.h"
#endif
#if defined(MBEDTLS_PSA_CRYPTO_C)
#include "psa_util_internal.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
#include "mbedtls/asn1write.h"
#include "mbedtls/asn1.h"
@ -49,123 +46,6 @@
#include <stdint.h>
#include <string.h>
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(MBEDTLS_PSA_CRYPTO_C)
int mbedtls_pk_error_from_psa(psa_status_t status)
{
switch (status) {
case PSA_SUCCESS:
return 0;
case PSA_ERROR_INVALID_HANDLE:
return MBEDTLS_ERR_PK_KEY_INVALID_FORMAT;
case PSA_ERROR_NOT_PERMITTED:
return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_PK_BUFFER_TOO_SMALL;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
case PSA_ERROR_INVALID_ARGUMENT:
return MBEDTLS_ERR_PK_INVALID_ALG;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_PK_ALLOC_FAILED;
case PSA_ERROR_BAD_STATE:
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
case PSA_ERROR_COMMUNICATION_FAILURE:
case PSA_ERROR_HARDWARE_FAILURE:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
case PSA_ERROR_DATA_CORRUPT:
case PSA_ERROR_DATA_INVALID:
case PSA_ERROR_STORAGE_FAILURE:
return MBEDTLS_ERR_PK_FILE_IO_ERROR;
case PSA_ERROR_CORRUPTION_DETECTED:
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
default:
return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
}
}
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
int mbedtls_pk_error_from_psa_rsa(psa_status_t status)
{
switch (status) {
case PSA_ERROR_NOT_PERMITTED:
case PSA_ERROR_INVALID_ARGUMENT:
case PSA_ERROR_INVALID_HANDLE:
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_RSA_OUTPUT_TOO_LARGE;
case PSA_ERROR_INSUFFICIENT_ENTROPY:
return MBEDTLS_ERR_RSA_RNG_FAILED;
case PSA_ERROR_INVALID_SIGNATURE:
return MBEDTLS_ERR_RSA_VERIFY_FAILED;
case PSA_ERROR_INVALID_PADDING:
return MBEDTLS_ERR_RSA_INVALID_PADDING;
case PSA_SUCCESS:
return 0;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_PK_ALLOC_FAILED;
case PSA_ERROR_BAD_STATE:
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
case PSA_ERROR_COMMUNICATION_FAILURE:
case PSA_ERROR_HARDWARE_FAILURE:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
case PSA_ERROR_DATA_CORRUPT:
case PSA_ERROR_DATA_INVALID:
case PSA_ERROR_STORAGE_FAILURE:
return MBEDTLS_ERR_PK_FILE_IO_ERROR;
case PSA_ERROR_CORRUPTION_DETECTED:
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
default:
return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
}
}
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
#endif /* MBEDTLS_PSA_CRYPTO_C */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int mbedtls_pk_error_from_psa_ecdsa(psa_status_t status)
{
switch (status) {
case PSA_ERROR_NOT_PERMITTED:
case PSA_ERROR_INVALID_ARGUMENT:
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
case PSA_ERROR_INVALID_HANDLE:
return MBEDTLS_ERR_ECP_FEATURE_UNAVAILABLE;
case PSA_ERROR_BUFFER_TOO_SMALL:
return MBEDTLS_ERR_ECP_BUFFER_TOO_SMALL;
case PSA_ERROR_INSUFFICIENT_ENTROPY:
return MBEDTLS_ERR_ECP_RANDOM_FAILED;
case PSA_ERROR_INVALID_SIGNATURE:
return MBEDTLS_ERR_ECP_VERIFY_FAILED;
case PSA_SUCCESS:
return 0;
case PSA_ERROR_NOT_SUPPORTED:
return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
case PSA_ERROR_INSUFFICIENT_MEMORY:
return MBEDTLS_ERR_PK_ALLOC_FAILED;
case PSA_ERROR_BAD_STATE:
return MBEDTLS_ERR_PK_BAD_INPUT_DATA;
case PSA_ERROR_COMMUNICATION_FAILURE:
case PSA_ERROR_HARDWARE_FAILURE:
return MBEDTLS_ERR_PLATFORM_HW_ACCEL_FAILED;
case PSA_ERROR_DATA_CORRUPT:
case PSA_ERROR_DATA_INVALID:
case PSA_ERROR_STORAGE_FAILURE:
return MBEDTLS_ERR_PK_FILE_IO_ERROR;
case PSA_ERROR_CORRUPTION_DETECTED:
return MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
default:
return MBEDTLS_ERR_ERROR_GENERIC_ERROR;
}
}
#endif /* PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_RSA_C)
static int rsa_can_do(mbedtls_pk_type_t type)
{
@ -281,7 +161,7 @@ static int rsa_verify_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t alg,
mbedtls_rsa_context *rsa_ctx,
const unsigned char *hash, size_t hash_len,
@ -344,7 +224,7 @@ cleanup:
}
return ret;
}
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
static int rsa_sign_wrap(mbedtls_pk_context *pk, mbedtls_md_type_t md_alg,

24
library/pk_wrap.h
View File

@ -15,9 +15,9 @@
#include "mbedtls/pk.h"
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#include "psa/crypto.h"
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif
struct mbedtls_pk_info_t {
/** Public key type */
@ -125,24 +125,6 @@ extern const mbedtls_pk_info_t mbedtls_rsa_alt_info;
extern const mbedtls_pk_info_t mbedtls_ecdsa_opaque_info;
extern const mbedtls_pk_info_t mbedtls_rsa_opaque_info;
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
#if defined(PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY)
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_ecdsa(psa_status_t status);
#endif
#endif
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PSA_CRYPTO_C)
#if !defined(MBEDTLS_DEPRECATED_REMOVED)
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa(psa_status_t status);
#if defined(PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY) || \
defined(PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC)
int MBEDTLS_DEPRECATED mbedtls_pk_error_from_psa_rsa(psa_status_t status);
#endif /* PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY || PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC */
#endif /* !MBEDTLS_DEPRECATED_REMOVED */
#if defined(MBEDTLS_RSA_C)
int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
mbedtls_rsa_context *rsa_ctx,
@ -151,6 +133,6 @@ int mbedtls_pk_psa_rsa_sign_ext(psa_algorithm_t psa_alg_md,
size_t *sig_len);
#endif /* MBEDTLS_RSA_C */
#endif /* MBEDTLS_PSA_CRYPTO_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_PK_WRAP_H */

32
library/pkparse.c
View File

@ -15,6 +15,8 @@
#include "mbedtls/platform_util.h"
#include "mbedtls/platform.h"
#include "mbedtls/error.h"
#include "mbedtls/ecp.h"
#include "pk_internal.h"
#include <string.h>
@ -27,10 +29,6 @@
#if defined(MBEDTLS_RSA_C)
#include "mbedtls/rsa.h"
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
#include "mbedtls/ecp.h"
#include "pk_internal.h"
#endif
/* Extended formats */
#if defined(MBEDTLS_PEM_PARSE_C)
@ -868,12 +866,6 @@ static int pk_get_pk_alg(unsigned char **p,
return 0;
}
/* Helper for Montgomery curves */
#if defined(MBEDTLS_PK_HAVE_RFC8410_CURVES)
#define MBEDTLS_PK_IS_RFC8410_GROUP_ID(id) \
((id == MBEDTLS_ECP_DP_CURVE25519) || (id == MBEDTLS_ECP_DP_CURVE448))
#endif /* MBEDTLS_PK_HAVE_RFC8410_CURVES */
/*
* SubjectPublicKeyInfo ::= SEQUENCE {
* algorithm AlgorithmIdentifier,
@ -1539,8 +1531,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN RSA PRIVATE KEY-----",
"-----END RSA PRIVATE KEY-----",
PEM_BEGIN_PRIVATE_KEY_RSA, PEM_END_PRIVATE_KEY_RSA,
key, pwd, pwdlen, &len);
}
@ -1569,8 +1560,8 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN EC PRIVATE KEY-----",
"-----END EC PRIVATE KEY-----",
PEM_BEGIN_PRIVATE_KEY_EC,
PEM_END_PRIVATE_KEY_EC,
key, pwd, pwdlen, &len);
}
if (ret == 0) {
@ -1599,8 +1590,7 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN PRIVATE KEY-----",
"-----END PRIVATE KEY-----",
PEM_BEGIN_PRIVATE_KEY_PKCS8, PEM_END_PRIVATE_KEY_PKCS8,
key, NULL, 0, &len);
}
if (ret == 0) {
@ -1621,8 +1611,8 @@ int mbedtls_pk_parse_key(mbedtls_pk_context *pk,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN ENCRYPTED PRIVATE KEY-----",
"-----END ENCRYPTED PRIVATE KEY-----",
PEM_BEGIN_ENCRYPTED_PRIVATE_KEY_PKCS8,
PEM_END_ENCRYPTED_PRIVATE_KEY_PKCS8,
key, NULL, 0, &len);
}
if (ret == 0) {
@ -1748,8 +1738,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN RSA PUBLIC KEY-----",
"-----END RSA PUBLIC KEY-----",
PEM_BEGIN_PUBLIC_KEY_RSA, PEM_END_PUBLIC_KEY_RSA,
key, NULL, 0, &len);
}
@ -1782,8 +1771,7 @@ int mbedtls_pk_parse_public_key(mbedtls_pk_context *ctx,
ret = MBEDTLS_ERR_PEM_NO_HEADER_FOOTER_PRESENT;
} else {
ret = mbedtls_pem_read_buffer(&pem,
"-----BEGIN PUBLIC KEY-----",
"-----END PUBLIC KEY-----",
PEM_BEGIN_PUBLIC_KEY, PEM_END_PUBLIC_KEY,
key, NULL, 0, &len);
}

999
library/pkwrite.c
View File

File diff suppressed because it is too large Load Diff

65
library/rsa.c
View File

@ -29,6 +29,7 @@
#include "mbedtls/rsa.h"
#include "rsa_alt_helpers.h"
#include "rsa_internal.h"
#include "mbedtls/oid.h"
#include "mbedtls/platform_util.h"
#include "mbedtls/error.h"
@ -1712,14 +1713,14 @@ int mbedtls_rsa_pkcs1_decrypt(mbedtls_rsa_context *ctx,
}
#if defined(MBEDTLS_PKCS1_V21)
static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
int saltlen,
unsigned char *sig)
static int rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
int saltlen,
unsigned char *sig)
{
size_t olen;
unsigned char *p = sig;
@ -1727,15 +1728,12 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
size_t slen, min_slen, hlen, offset = 0;
int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED;
size_t msb;
mbedtls_md_type_t hash_id;
if ((md_alg != MBEDTLS_MD_NONE || hashlen != 0) && hash == NULL) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
if (f_rng == NULL) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1754,7 +1752,11 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
}
}
hlen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) ctx->hash_id);
hash_id = (mbedtls_md_type_t) ctx->hash_id;
if (hash_id == MBEDTLS_MD_NONE) {
hash_id = md_alg;
}
hlen = mbedtls_md_get_size_from_type(hash_id);
if (hlen == 0) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
@ -1797,7 +1799,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
p += slen;
/* Generate H = Hash( M' ) */
ret = hash_mprime(hash, hashlen, salt, slen, p, (mbedtls_md_type_t) ctx->hash_id);
ret = hash_mprime(hash, hashlen, salt, slen, p, hash_id);
if (ret != 0) {
return ret;
}
@ -1808,8 +1810,7 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
}
/* maskedDB: Apply dbMask to DB */
ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen,
(mbedtls_md_type_t) ctx->hash_id);
ret = mgf_mask(sig + offset, olen - hlen - 1 - offset, p, hlen, hash_id);
if (ret != 0) {
return ret;
}
@ -1823,6 +1824,37 @@ static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
return mbedtls_rsa_private(ctx, f_rng, p_rng, sig, sig);
}
static int rsa_rsassa_pss_sign(mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
int saltlen,
unsigned char *sig)
{
if (ctx->padding != MBEDTLS_RSA_PKCS_V21) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
if (ctx->hash_id == MBEDTLS_MD_NONE) {
return MBEDTLS_ERR_RSA_BAD_INPUT_DATA;
}
return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg, hashlen, hash, saltlen,
sig);
}
int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig)
{
return rsa_rsassa_pss_sign_no_mode_check(ctx, f_rng, p_rng, md_alg,
hashlen, hash, MBEDTLS_RSA_SALT_LEN_ANY, sig);
}
/*
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function with
* the option to pass in the salt length.
@ -1840,7 +1872,6 @@ int mbedtls_rsa_rsassa_pss_sign_ext(mbedtls_rsa_context *ctx,
hashlen, hash, saltlen, sig);
}
/*
* Implementation of the PKCS#1 v2.1 RSASSA-PSS-SIGN function
*/

6
library/rsa_alt_helpers.h
View File

@ -37,11 +37,9 @@
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*
*/
#ifndef MBEDTLS_RSA_INTERNAL_H
#define MBEDTLS_RSA_INTERNAL_H
#ifndef MBEDTLS_RSA_ALT_HELPERS_H
#define MBEDTLS_RSA_ALT_HELPERS_H
#include "mbedtls/build_info.h"

42
library/rsa_internal.h Normal file
View File

@ -0,0 +1,42 @@
/**
* \file rsa_internal.h
*
* \brief Internal-only RSA public-key cryptosystem API.
*
* This file declares RSA-related functions that are to be used
* only from within the Mbed TLS library itself.
*
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#ifndef MBEDTLS_RSA_INTERNAL_H
#define MBEDTLS_RSA_INTERNAL_H
#include "mbedtls/rsa.h"
#if defined(MBEDTLS_PKCS1_V21)
/**
* \brief This function is analogue to \c mbedtls_rsa_rsassa_pss_sign().
* The only difference between them is that this function is more flexible
* on the parameters of \p ctx that are set with \c mbedtls_rsa_set_padding().
*
* \note Compared to its counterpart, this function:
* - does not check the padding setting of \p ctx.
* - allows the hash_id of \p ctx to be MBEDTLS_MD_NONE,
* in which case it uses \p md_alg as the hash_id.
*
* \note Refer to \c mbedtls_rsa_rsassa_pss_sign() for a description
* of the functioning and parameters of this function.
*/
int mbedtls_rsa_rsassa_pss_sign_no_mode_check(mbedtls_rsa_context *ctx,
int (*f_rng)(void *, unsigned char *, size_t),
void *p_rng,
mbedtls_md_type_t md_alg,
unsigned int hashlen,
const unsigned char *hash,
unsigned char *sig);
#endif /* MBEDTLS_PKCS1_V21 */
#endif /* rsa_internal.h */

2
library/ssl_tls.c
View File

@ -7419,7 +7419,7 @@ static int ssl_parse_certificate_verify(mbedtls_ssl_context *ssl,
/* and in the unlikely case the above assumption no longer holds
* we are making sure that pk_ec() here does not return a NULL
*/
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
MBEDTLS_SSL_DEBUG_MSG(1, ("invalid group ID"));
return MBEDTLS_ERR_SSL_INTERNAL_ERROR;

2
library/ssl_tls12_client.c
View File

@ -2012,7 +2012,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
uint16_t tls_id = 0;
psa_key_type_t key_type = PSA_KEY_TYPE_NONE;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(peer_pk);
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(peer_pk);
if (mbedtls_ssl_check_curve(ssl, grp_id) != 0) {
MBEDTLS_SSL_DEBUG_MSG(1, ("bad server certificate (ECDH curve)"));

4
library/ssl_tls12_server.c
View File

@ -664,7 +664,7 @@ static int ssl_check_key_curve(mbedtls_pk_context *pk,
uint16_t *curves_tls_id)
{
uint16_t *curr_tls_id = curves_tls_id;
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_group_id(pk);
mbedtls_ecp_group_id grp_id = mbedtls_pk_get_ec_group_id(pk);
mbedtls_ecp_group_id curr_grp_id;
while (*curr_tls_id != 0) {
@ -2678,7 +2678,7 @@ static int ssl_get_ecdh_params_from_cert(mbedtls_ssl_context *ssl)
case MBEDTLS_PK_ECKEY_DH:
case MBEDTLS_PK_ECDSA:
key = mbedtls_pk_ec_rw(*pk);
grp_id = mbedtls_pk_get_group_id(pk);
grp_id = mbedtls_pk_get_ec_group_id(pk);
if (grp_id == MBEDTLS_ECP_DP_NONE) {
return MBEDTLS_ERR_ECP_BAD_INPUT_DATA;
}

10
library/ssl_tls13_keys.c
View File

@ -1140,8 +1140,8 @@ static int ssl_tls13_generate_early_key(mbedtls_ssl_context *ssl,
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
size_t key_len;
size_t iv_len;
size_t key_len = 0;
size_t iv_len = 0;
mbedtls_ssl_tls13_early_secrets tls13_early_secrets;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
@ -1341,8 +1341,8 @@ static int ssl_tls13_generate_handshake_keys(mbedtls_ssl_context *ssl,
size_t hash_len;
unsigned char transcript[MBEDTLS_TLS1_3_MD_MAX_SIZE];
size_t transcript_len;
size_t key_len;
size_t iv_len;
size_t key_len = 0;
size_t iv_len = 0;
mbedtls_ssl_handshake_params *handshake = ssl->handshake;
const mbedtls_ssl_ciphersuite_t *ciphersuite_info =
@ -1592,7 +1592,7 @@ static int ssl_tls13_generate_application_keys(
size_t hash_len;
/* Variables relating to the cipher for the chosen ciphersuite. */
size_t key_len, iv_len;
size_t key_len = 0, iv_len = 0;
MBEDTLS_SSL_DEBUG_MSG(2, ("=> derive application traffic keys"));

2
library/x509_crt.c
View File

@ -222,7 +222,7 @@ static int x509_profile_check_key(const mbedtls_x509_crt_profile *profile,
if (pk_alg == MBEDTLS_PK_ECDSA ||
pk_alg == MBEDTLS_PK_ECKEY ||
pk_alg == MBEDTLS_PK_ECKEY_DH) {
const mbedtls_ecp_group_id gid = mbedtls_pk_get_group_id(pk);
const mbedtls_ecp_group_id gid = mbedtls_pk_get_ec_group_id(pk);
if (gid == MBEDTLS_ECP_DP_NONE) {
return -1;

2
programs/Makefile
View File

@ -139,7 +139,7 @@ APPS = \
x509/req_app \
# End of APPS
ifdef PTHREAD
ifeq ($(THREADING),pthread)
APPS += ssl/ssl_pthread_server
endif

6
programs/aes/crypt_and_hash.c
View File

@ -103,7 +103,11 @@ int main(int argc, char *argv[])
list = mbedtls_cipher_list();
while (*list) {
cipher_info = mbedtls_cipher_info_from_type(*list);
mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
const char *name = mbedtls_cipher_info_get_name(cipher_info);
if (name) {
mbedtls_printf(" %s\n", mbedtls_cipher_info_get_name(cipher_info));
}
list++;
}

3
tests/CMakeLists.txt
View File

@ -1,5 +1,8 @@
find_package(Threads)
set(libs
${mbedtls_target}
${CMAKE_THREAD_LIBS_INIT}
)
# Set the project root directory if it's not already defined, as may happen if

4
tests/Makefile
View File

@ -57,6 +57,10 @@ else
DLEXT ?= so
EXEXT=
SHARED_SUFFIX=
ifeq ($(THREADING),pthread)
LOCAL_LDFLAGS += -lpthread
endif
endif
ifdef WINDOWS

182
tests/scripts/all.sh
View File

@ -220,6 +220,9 @@ pre_initialize_variables () {
esac
SUPPORTED_COMPONENTS="$SUPPORTED_COMPONENTS $component"
done
# Option to enable linking with pthreads under make
MAKE_THREADING_FLAGS="THREADING=pthread"
}
# Test whether the component $1 is included in the command line patterns.
@ -934,7 +937,7 @@ helper_get_psa_key_type_list() {
# Here "things" are PSA_WANT_ symbols but with PSA_WANT_ removed.
helper_libtestdriver1_make_drivers() {
loc_accel_flags=$( echo "$1 ${2-}" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC -C tests libtestdriver1.a CFLAGS=" $ASAN_CFLAGS $loc_accel_flags" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# Build the main libraries, programs and tests,
@ -952,7 +955,7 @@ helper_libtestdriver1_make_main() {
# we need flags both with and without the LIBTESTDRIVER1_ prefix
loc_accel_flags=$( echo "$loc_accel_list" | sed 's/[^ ]* */-DLIBTESTDRIVER1_MBEDTLS_PSA_ACCEL_&/g' )
loc_accel_flags="$loc_accel_flags $( echo "$loc_accel_list" | sed 's/[^ ]* */-DMBEDTLS_PSA_ACCEL_&/g' )"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" "$@"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -I../tests/include -I../tests -I../../tests -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_TEST_LIBTESTDRIVER1 $loc_accel_flags" LDFLAGS="-ltestdriver1 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS "$@"
}
################################################################
@ -1447,7 +1450,7 @@ component_test_psa_external_rng_no_drbg_classic () {
# When MBEDTLS_USE_PSA_CRYPTO is disabled and there is no DRBG,
# the SSL test programs don't have an RNG and can't work. Explicitly
# make them use the PSA RNG with -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG.
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DMBEDTLS_TEST_USE_PSA_CRYPTO_RNG" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, classic crypto - main suites"
make test
@ -1466,7 +1469,7 @@ component_test_psa_external_rng_no_drbg_use_psa () {
scripts/config.py unset MBEDTLS_CTR_DRBG_C
scripts/config.py unset MBEDTLS_HMAC_DRBG_C
scripts/config.py unset MBEDTLS_ECDSA_DETERMINISTIC # requires HMAC_DRBG
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: PSA_CRYPTO_EXTERNAL_RNG minus *_DRBG, PSA crypto - main suites"
make test
@ -1481,7 +1484,7 @@ component_test_psa_external_rng_use_psa_crypto () {
scripts/config.py set MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG
scripts/config.py set MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_CTR_DRBG_C
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full + PSA_CRYPTO_EXTERNAL_RNG + USE_PSA_CRYPTO minus CTR_DRBG"
make test
@ -1499,7 +1502,7 @@ component_test_psa_inject_entropy () {
scripts/config.py unset MBEDTLS_PLATFORM_NV_SEED_ALT
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_READ
scripts/config.py unset MBEDTLS_PLATFORM_STD_NV_SEED_WRITE
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full + MBEDTLS_PSA_INJECT_ENTROPY"
make test
@ -1533,14 +1536,14 @@ component_test_crypto_full_md_light_only () {
# Note: MD-light is auto-enabled in build_info.h by modules that need it,
# which we haven't disabled, so no need to explicitly enable it.
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
# Make sure we don't have the HMAC functions, but the hashing functions
not grep mbedtls_md_hmac library/md.o
grep mbedtls_md library/md.o
msg "test: crypto_full with only the light subset of MD"
make test
make $MAKE_THREADING_FLAGS test
}
component_test_full_no_cipher () {
@ -1566,7 +1569,7 @@ component_test_full_no_cipher () {
scripts/config.py unset MBEDTLS_LMS_PRIVATE
msg "test: full no CIPHER no PSA_CRYPTO_C"
make test
make $MAKE_THREADING_FLAGS test
}
# This is a common configurator and test function that is used in:
@ -1615,7 +1618,7 @@ common_test_full_no_cipher_with_psa_crypto () {
scripts/config.py unset MBEDTLS_PKCS12_C
scripts/config.py unset MBEDTLS_PKCS5_C
make
make $MAKE_THREADING_FLAGS
# Ensure that CIPHER_C was not re-enabled
not grep mbedtls_cipher_init library/cipher.o
@ -1648,7 +1651,7 @@ component_test_full_no_ccm() {
# PSA_WANT_ALG_CCM to be re-enabled.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM
make
make $MAKE_THREADING_FLAGS
msg "test: full no PSA_WANT_ALG_CCM"
make test
@ -1676,7 +1679,7 @@ component_test_full_no_ccm_star_no_tag() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
make
make $MAKE_THREADING_FLAGS
# Ensure MBEDTLS_PSA_BUILTIN_CIPHER was not enabled
not grep mbedtls_psa_cipher library/psa_crypto_cipher.o
@ -1733,7 +1736,7 @@ component_test_full_no_bignum () {
scripts/config.py unset MBEDTLS_SSL_ASYNC_PRIVATE
scripts/config.py unset MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK
make
make $MAKE_THREADING_FLAGS
msg "test: full minus bignum"
make test
@ -2011,7 +2014,7 @@ component_test_small_mbedtls_ssl_dtls_max_buffering () {
component_test_psa_collect_statuses () {
msg "build+test: psa_collect_statuses" # ~30s
scripts/config.py full
tests/scripts/psa_collect_statuses.py
tests/scripts/psa_collect_statuses.py --make-vars="$MAKE_THREADING_FLAGS"
# Check that psa_crypto_init() succeeded at least once
grep -q '^0:psa_crypto_init:' tests/statuses.log
rm -f tests/statuses.log
@ -2163,6 +2166,19 @@ component_release_test_valgrind_constant_flow_psa () {
make memcheck
}
component_test_tsan () {
msg "build: TSan (clang)"
scripts/config.py full
scripts/config.py set MBEDTLS_THREADING_C
scripts/config.py set MBEDTLS_THREADING_PTHREAD
CC=clang cmake -D CMAKE_BUILD_TYPE:String=TSan .
make
msg "test: main suites (TSan)"
make test
}
component_test_default_no_deprecated () {
# Test that removing the deprecated features from the default
# configuration leaves something consistent.
@ -2177,7 +2193,7 @@ component_test_default_no_deprecated () {
component_test_full_no_deprecated () {
msg "build: make, full_no_deprecated config" # ~ 30s
scripts/config.py full_no_deprecated
make CFLAGS='-O -Werror -Wall -Wextra'
make CFLAGS='-O -Werror -Wall -Wextra' $MAKE_THREADING_FLAGS
msg "test: make, full_no_deprecated config" # ~ 5s
make test
@ -2194,7 +2210,7 @@ component_test_full_no_deprecated_deprecated_warning () {
scripts/config.py full_no_deprecated
scripts/config.py unset MBEDTLS_DEPRECATED_REMOVED
scripts/config.py set MBEDTLS_DEPRECATED_WARNING
make CFLAGS='-O -Werror -Wall -Wextra'
make CFLAGS='-O -Werror -Wall -Wextra' $MAKE_THREADING_FLAGS
msg "test: make, full_no_deprecated config, MBEDTLS_DEPRECATED_WARNING" # ~ 5s
make test
@ -2216,7 +2232,7 @@ component_test_full_deprecated_warning () {
# By default those are disabled when MBEDTLS_DEPRECATED_WARNING is set.
# Expect warnings from '#warning' directives in check_config.h and
# from the use of deprecated functions in test suites.
make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' tests
make CC=gcc CFLAGS='-O -Werror -Wall -Wextra -Wno-error=deprecated-declarations -Wno-error=cpp -DMBEDTLS_TEST_DEPRECATED' $MAKE_THREADING_FLAGS tests
msg "test: full config + MBEDTLS_TEST_DEPRECATED" # ~ 30s
make test
@ -2241,7 +2257,7 @@ component_build_crypto_default () {
component_build_crypto_full () {
msg "build: make, crypto only, full config"
scripts/config.py crypto_full
make CFLAGS='-O1 -Werror'
make CFLAGS='-O1 -Werror' $MAKE_THREADING_FLAGS
are_empty_libraries library/libmbedx509.* library/libmbedtls.*
}
@ -2301,73 +2317,73 @@ support_build_baremetal () {
# depends.py family of tests
component_test_depends_py_cipher_id () {
msg "test/build: depends.py cipher_id (gcc)"
tests/scripts/depends.py cipher_id --unset-use-psa
tests/scripts/depends.py cipher_id --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_cipher_chaining () {
msg "test/build: depends.py cipher_chaining (gcc)"
tests/scripts/depends.py cipher_chaining --unset-use-psa
tests/scripts/depends.py cipher_chaining --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_cipher_padding () {
msg "test/build: depends.py cipher_padding (gcc)"
tests/scripts/depends.py cipher_padding --unset-use-psa
tests/scripts/depends.py cipher_padding --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_curves () {
msg "test/build: depends.py curves (gcc)"
tests/scripts/depends.py curves --unset-use-psa
tests/scripts/depends.py curves --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_hashes () {
msg "test/build: depends.py hashes (gcc)"
tests/scripts/depends.py hashes --unset-use-psa
tests/scripts/depends.py hashes --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_kex () {
msg "test/build: depends.py kex (gcc)"
tests/scripts/depends.py kex --unset-use-psa
tests/scripts/depends.py kex --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_pkalgs () {
msg "test/build: depends.py pkalgs (gcc)"
tests/scripts/depends.py pkalgs --unset-use-psa
tests/scripts/depends.py pkalgs --unset-use-psa --make-vars="$MAKE_THREADING_FLAGS"
}
# PSA equivalents of the depends.py tests
component_test_depends_py_cipher_id_psa () {
msg "test/build: depends.py cipher_id (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py cipher_id
tests/scripts/depends.py cipher_id --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_cipher_chaining_psa () {
msg "test/build: depends.py cipher_chaining (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py cipher_chaining
tests/scripts/depends.py cipher_chaining --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_cipher_padding_psa () {
msg "test/build: depends.py cipher_padding (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py cipher_padding
tests/scripts/depends.py cipher_padding --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_curves_psa () {
msg "test/build: depends.py curves (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py curves
tests/scripts/depends.py curves --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_hashes_psa () {
msg "test/build: depends.py hashes (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py hashes
tests/scripts/depends.py hashes --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_kex_psa () {
msg "test/build: depends.py kex (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py kex
tests/scripts/depends.py kex --make-vars="$MAKE_THREADING_FLAGS"
}
component_test_depends_py_pkalgs_psa () {
msg "test/build: depends.py pkalgs (gcc) with MBEDTLS_USE_PSA_CRYPTO defined"
tests/scripts/depends.py pkalgs
tests/scripts/depends.py pkalgs --make-vars="$MAKE_THREADING_FLAGS"
}
component_build_no_pk_rsa_alt_support () {
@ -2379,7 +2395,7 @@ component_build_no_pk_rsa_alt_support () {
scripts/config.py set MBEDTLS_X509_CRT_WRITE_C
# Only compile - this is primarily to test for compile issues
make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy'
make CFLAGS='-Werror -Wall -Wextra -I../tests/include/alt-dummy' $MAKE_THREADING_FLAGS
}
component_build_module_alt () {
@ -2593,7 +2609,7 @@ component_test_psa_crypto_config_reference_ffdh () {
# Disable things that are not supported
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_PSK_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_DHE_RSA_ENABLED
make
make $MAKE_THREADING_FLAGS
msg "test suites: full with non-accelerated FFDH alg"
make test
@ -2632,7 +2648,7 @@ component_test_psa_crypto_config_accel_pake() {
# -------------
msg "test: full with accelerated PAKE"
make test
make $MAKE_THREADING_FLAGS test
}
component_test_psa_crypto_config_accel_ecc_some_key_types () {
@ -2692,7 +2708,7 @@ component_test_psa_crypto_config_accel_ecc_some_key_types () {
# -------------
msg "test suites: full with accelerated EC algs and some key types"
make test
make $MAKE_THREADING_FLAGS test
}
# Run tests with only (non-)Weierstrass accelerated
@ -2891,7 +2907,7 @@ component_test_psa_crypto_config_accel_ecc_ecp_light_only () {
# -------------
msg "test suites: full with accelerated EC algs"
make test
make $MAKE_THREADING_FLAGS test
msg "ssl-opt: full with accelerated EC algs"
tests/ssl-opt.sh
@ -2903,7 +2919,7 @@ component_test_psa_crypto_config_reference_ecc_ecp_light_only () {
config_psa_crypto_config_ecp_light_only 0
make
make $MAKE_THREADING_FLAGS
msg "test suites: full with non-accelerated EC algs"
make test
@ -2996,7 +3012,7 @@ component_test_psa_crypto_config_accel_ecc_no_ecp_at_all () {
# -------------
msg "test: full + accelerated EC algs - ECP"
make test
make $MAKE_THREADING_FLAGS test
msg "ssl-opt: full + accelerated EC algs - ECP"
tests/ssl-opt.sh
@ -3010,7 +3026,7 @@ component_test_psa_crypto_config_reference_ecc_no_ecp_at_all () {
config_psa_crypto_no_ecp_at_all 0
make
make $MAKE_THREADING_FLAGS
msg "test: full + non accelerated EC algs"
make test
@ -3173,7 +3189,7 @@ common_test_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
msg "test suites: full + accelerated $accel_text algs + USE_PSA - $removed_text - DHM - BIGNUM"
make test
make $MAKE_THREADING_FLAGS test
msg "ssl-opt: full + accelerated $accel_text algs + USE_PSA - $removed_text - BIGNUM"
tests/ssl-opt.sh
@ -3204,7 +3220,7 @@ common_test_psa_crypto_config_reference_ecc_ffdh_no_bignum () {
config_psa_crypto_config_accel_ecc_ffdh_no_bignum 0 "$test_target"
make
make $MAKE_THREADING_FLAGS
msg "test suites: full + non accelerated EC algs + USE_PSA"
make test
@ -3323,7 +3339,7 @@ build_full_minus_something_and_test_tls () {
scripts/config.py unset $sym
done
make
make $MAKE_THREADING_FLAGS
msg "test: full minus something, test TLS"
( cd tests; ./test_suite_ssl )
@ -3362,7 +3378,7 @@ build_and_test_psa_want_key_pair_partial() {
# crypto_config.h so we just disable the one we don't want.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset "$disabled_psa_want"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full - MBEDTLS_USE_PSA_CRYPTO - ${disabled_psa_want}"
make test
@ -3428,7 +3444,7 @@ component_test_psa_crypto_config_accel_rsa_crypto () {
# -------------
msg "test: crypto_full with accelerated RSA"
make test
make $MAKE_THREADING_FLAGS test
}
component_test_psa_crypto_config_reference_rsa_crypto () {
@ -3440,7 +3456,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
# Build
# -----
make
make $MAKE_THREADING_FLAGS
# Run the tests
# -------------
@ -3642,7 +3658,7 @@ component_test_psa_crypto_config_reference_hash_use_psa() {
config_psa_crypto_hash_use_psa 0
make
make $MAKE_THREADING_FLAGS
msg "test: full without accelerated hashes"
make test
@ -3807,7 +3823,7 @@ component_test_psa_crypto_config_accel_cipher_aead () {
# -------------
msg "test: full config with accelerated cipher and AEAD"
make test
make $MAKE_THREADING_FLAGS test
msg "ssl-opt: full config with accelerated cipher and AEAD"
tests/ssl-opt.sh
@ -3820,7 +3836,7 @@ component_test_psa_crypto_config_reference_cipher_aead () {
msg "build: full config with non-accelerated cipher and AEAD"
common_psa_crypto_config_accel_cipher_aead
make
make $MAKE_THREADING_FLAGS
msg "test: full config with non-accelerated cipher and AEAD"
make test
@ -3837,7 +3853,7 @@ component_test_aead_chachapoly_disabled() {
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full minus CHACHAPOLY"
make test
@ -3850,7 +3866,7 @@ component_test_aead_only_ccm() {
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full minus CHACHAPOLY and GCM"
make test
@ -3881,7 +3897,7 @@ component_build_psa_accel_alg_ecdh() {
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_PSK_ENABLED
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_ECDH -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator HMAC code is in place and ready to test.
@ -3891,7 +3907,7 @@ component_build_psa_accel_alg_hmac() {
scripts/config.py unset MBEDTLS_USE_PSA_CRYPTO
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HMAC -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator HKDF code is in place and ready to test.
@ -3904,7 +3920,7 @@ component_build_psa_accel_alg_hkdf() {
# Make sure to unset TLS1_3 since it requires HKDF_C and will not build properly without it.
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_HKDF -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator MD5 code is in place and ready to test.
@ -3923,7 +3939,7 @@ component_build_psa_accel_alg_md5() {
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_MD5 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RIPEMD160 code is in place and ready to test.
@ -3942,7 +3958,7 @@ component_build_psa_accel_alg_ripemd160() {
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RIPEMD160 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator SHA1 code is in place and ready to test.
@ -3961,7 +3977,7 @@ component_build_psa_accel_alg_sha1() {
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_1 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator SHA224 code is in place and ready to test.
@ -3977,7 +3993,7 @@ component_build_psa_accel_alg_sha224() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_224 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator SHA256 code is in place and ready to test.
@ -3993,7 +4009,7 @@ component_build_psa_accel_alg_sha256() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_384
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_SHA_512
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_256 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator SHA384 code is in place and ready to test.
@ -4011,7 +4027,7 @@ component_build_psa_accel_alg_sha384() {
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_384 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator SHA512 code is in place and ready to test.
@ -4030,7 +4046,7 @@ component_build_psa_accel_alg_sha512() {
scripts/config.py unset MBEDTLS_LMS_C
scripts/config.py unset MBEDTLS_LMS_PRIVATE
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_SHA_512 -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4044,7 +4060,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_crypt() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_CRYPT -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4058,7 +4074,7 @@ component_build_psa_accel_alg_rsa_pkcs1v15_sign() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PKCS1V15_SIGN -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4072,7 +4088,7 @@ component_build_psa_accel_alg_rsa_oaep() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PSS
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_OAEP -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4086,7 +4102,7 @@ component_build_psa_accel_alg_rsa_pss() {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_PKCS1V15_SIGN
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_RSA_OAEP
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_ALG_RSA_PSS -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4101,7 +4117,7 @@ component_build_psa_accel_key_type_rsa_key_pair() {
scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT 1
scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE 1
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_KEY_PAIR -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
# This should be renamed to test and updated once the accelerator RSA code is in place and ready to test.
@ -4113,7 +4129,7 @@ component_build_psa_accel_key_type_rsa_public_key() {
scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_ALG_RSA_PSS 1
scripts/config.py -f "$CRYPTO_CONFIG_H" set PSA_WANT_KEY_TYPE_RSA_PUBLIC_KEY 1
# Need to define the correct symbol and include the test driver header path in order to build with the test driver
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS -DPSA_CRYPTO_DRIVER_TEST -DMBEDTLS_PSA_ACCEL_KEY_TYPE_RSA_PUBLIC_KEY -I../tests/include" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
}
@ -4282,7 +4298,7 @@ component_test_no_platform () {
# Note, _DEFAULT_SOURCE needs to be defined for platforms using glibc version >2.19,
# to re-enable platform integration features otherwise disabled in C99 builds
make CC=gcc CFLAGS='-Werror -Wall -Wextra -std=c99 -pedantic -Os -D_DEFAULT_SOURCE' lib programs
make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' test
make CC=gcc CFLAGS='-Werror -Wall -Wextra -Os' $MAKE_THREADING_FLAGS test
}
component_build_no_std_function () {
@ -4300,14 +4316,14 @@ component_build_no_ssl_srv () {
msg "build: full config except SSL server, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_SRV_C
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' $MAKE_THREADING_FLAGS
}
component_build_no_ssl_cli () {
msg "build: full config except SSL client, make, gcc" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_SSL_CLI_C
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1'
make CC=gcc CFLAGS='-Werror -Wall -Wextra -O1' $MAKE_THREADING_FLAGS
}
component_build_no_sockets () {
@ -4482,7 +4498,7 @@ component_test_platform_calloc_macro () {
component_test_malloc_0_null () {
msg "build: malloc(0) returns NULL (ASan+UBSan build)"
scripts/config.py full
make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"$PWD/tests/configs/user-config-malloc-0-null.h\"' $ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: malloc(0) returns NULL (ASan+UBSan build)"
make test
@ -5098,7 +5114,7 @@ component_test_psa_crypto_drivers () {
loc_cflags="${loc_cflags} '-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-for-test.h\"'"
loc_cflags="${loc_cflags} -I../tests/include -O2"
make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS"
make CC=$ASAN_CC CFLAGS="${loc_cflags}" LDFLAGS="$ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: full + test drivers dispatching to builtins"
make test
@ -5125,7 +5141,7 @@ test_build_opt () {
$cc --version
for opt in "$@"; do
msg "build/test: $cc $opt, $info" # ~ 30s
make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror"
make CC="$cc" CFLAGS="$opt -std=c99 -pedantic -Wall -Wextra -Werror" $MAKE_THREADING_FLAGS
# We're confident enough in compilers to not run _all_ the tests,
# but at least run the unit tests. In particular, runs with
# optimizations use inline assembly whereas runs with -O0
@ -5180,7 +5196,7 @@ component_build_mbedtls_config_file () {
msg "build: make with MBEDTLS_CONFIG_FILE" # ~40s
scripts/config.py -w full_config.h full
echo '#error "MBEDTLS_CONFIG_FILE is not working"' >"$CONFIG_H"
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'"
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"'" $MAKE_THREADING_FLAGS
# Make sure this feature is enabled. We'll disable it in the next phase.
programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
make clean
@ -5189,7 +5205,7 @@ component_build_mbedtls_config_file () {
# In the user config, disable one feature (for simplicity, pick a feature
# that nothing else depends on).
echo '#undef MBEDTLS_NIST_KW_C' >user_config.h
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'"
make CFLAGS="-I '$PWD' -DMBEDTLS_CONFIG_FILE='\"full_config.h\"' -DMBEDTLS_USER_CONFIG_FILE='\"user_config.h\"'" $MAKE_THREADING_FLAGS
not programs/test/query_compile_time_config MBEDTLS_NIST_KW_C
rm -f user_config.h full_config.h
@ -5248,7 +5264,7 @@ component_test_m32_no_asm () {
scripts/config.py unset MBEDTLS_HAVE_ASM
scripts/config.py unset MBEDTLS_PADLOCK_C
scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: i386, make, gcc, no asm (ASan build)"
make test
@ -5266,7 +5282,7 @@ component_test_m32_o2 () {
msg "build: i386, make, gcc -O2 (ASan build)" # ~ 30s
scripts/config.py full
scripts/config.py unset MBEDTLS_AESNI_C # AESNI for 32-bit is tested in test_aesni_m32
make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS"
make CC=gcc CFLAGS="$ASAN_CFLAGS -m32" LDFLAGS="-m32 $ASAN_CFLAGS" $MAKE_THREADING_FLAGS
msg "test: i386, make, gcc -O2 (ASan build)"
make test
@ -5301,7 +5317,7 @@ support_test_m32_everest () {
component_test_mx32 () {
msg "build: 64-bit ILP32, make, gcc" # ~ 30s
scripts/config.py full
make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32'
make CC=gcc CFLAGS='-O2 -Werror -Wall -Wextra -mx32' LDFLAGS='-mx32' $MAKE_THREADING_FLAGS
msg "test: 64-bit ILP32, make, gcc"
make test
@ -5365,7 +5381,7 @@ component_test_no_udbl_division () {
msg "build: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
scripts/config.py full
scripts/config.py set MBEDTLS_NO_UDBL_DIVISION
make CFLAGS='-Werror -O1'
make CFLAGS='-Werror -O1' $MAKE_THREADING_FLAGS
msg "test: MBEDTLS_NO_UDBL_DIVISION native" # ~ 10s
make test
@ -5375,7 +5391,7 @@ component_test_no_64bit_multiplication () {
msg "build: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
scripts/config.py full
scripts/config.py set MBEDTLS_NO_64BIT_MULTIPLICATION
make CFLAGS='-Werror -O1'
make CFLAGS='-Werror -O1' $MAKE_THREADING_FLAGS
msg "test: MBEDTLS_NO_64BIT_MULTIPLICATION native" # ~ 10s
make test
@ -5389,7 +5405,7 @@ component_test_no_strings () {
scripts/config.py unset MBEDTLS_ERROR_C
scripts/config.py set MBEDTLS_ERROR_STRERROR_DUMMY
scripts/config.py unset MBEDTLS_VERSION_FEATURES
make CFLAGS='-Werror -Os'
make CFLAGS='-Werror -Os' $MAKE_THREADING_FLAGS
msg "test: no strings" # ~ 10s
make test
@ -5400,7 +5416,7 @@ component_test_no_x509_info () {
scripts/config.pl full
scripts/config.pl unset MBEDTLS_MEMORY_BACKTRACE # too slow for tests
scripts/config.pl set MBEDTLS_X509_REMOVE_INFO
make CFLAGS='-Werror -O2'
make CFLAGS='-Werror -O2' $MAKE_THREADING_FLAGS
msg "test: full + MBEDTLS_X509_REMOVE_INFO" # ~ 10s
make test
@ -6003,7 +6019,7 @@ component_build_zeroize_checks () {
scripts/config.py full
# Only compile - we're looking for sizeof-pointer-memaccess warnings
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess"
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/user-config-zeroize-memset.h\"' -DMBEDTLS_TEST_DEFINES_ZEROIZE -Werror -Wsizeof-pointer-memaccess" $MAKE_THREADING_FLAGS
}

5
tests/scripts/depends.py
View File

@ -381,7 +381,7 @@ class DomainData:
def __init__(self, options, conf):
"""Gather data about the library and establish a list of domains to test."""
build_command = [options.make_command, 'CFLAGS=-Werror -O2']
build_command = [options.make_command] + options.make_vars.split(' ') + ['CFLAGS=-Werror -O2']
build_and_test = [build_command, [options.make_command, 'test']]
self.all_config_symbols = set(conf.settings.keys())
# Find hash modules by name.
@ -526,6 +526,9 @@ def main():
parser.add_argument('--make-command', metavar='CMD',
help='Command to run instead of make (e.g. gmake)',
action='store', default='make')
parser.add_argument('--make-vars',
help='optional variable/value pairs to pass to make',
action='store', default='')
parser.add_argument('--unset-use-psa',
help='Unset MBEDTLS_USE_PSA_CRYPTO before any test',
action='store_true', dest='unset_use_psa')

14
tests/scripts/psa_collect_statuses.py
View File

@ -82,10 +82,15 @@ def collect_status_logs(options):
cwd='tests',
stdout=sys.stderr)
with open(os.devnull, 'w') as devnull:
make_q_ret = subprocess.call(['make', '-q', 'lib', 'tests'],
stdout=devnull, stderr=devnull)
build_command = ['make', '-q'] + options.make_vars.split(' ') + \
['lib', 'tests']
make_q_ret = subprocess.call(build_command, stdout=devnull,
stderr=devnull)
print("blagh")
if make_q_ret != 0:
subprocess.check_call(['make', 'RECORD_PSA_STATUS_COVERAGE_LOG=1'],
build_command = ['make'] + options.make_vars.split(' ') + \
['RECORD_PSA_STATUS_COVERAGE_LOG=1']
subprocess.check_call(build_command,
stdout=sys.stderr)
rebuilt = True
subprocess.check_call(['make', 'test'],
@ -112,6 +117,9 @@ def main():
help='Log file location (default: {})'.format(
DEFAULT_STATUS_LOG_FILE
))
parser.add_argument('--make-vars',
help='optional variable/value pairs to pass to make',
action='store', default='')
parser.add_argument('--psa-constant-names', metavar='PROGRAM',
default=DEFAULT_PSA_CONSTANT_NAMES,
help='Path to psa_constant_names (default: {})'.format(

7
tests/suites/test_suite_ctr_drbg.data
View File

@ -1096,5 +1096,12 @@ ctr_drbg_seed_file:"no_such_dir/file":MBEDTLS_ERR_CTR_DRBG_FILE_IO_ERROR
CTR_DRBG Special Behaviours
ctr_drbg_special_behaviours:
CTR_DRBG Threads: no reseed
ctr_drbg_threads:"1fafa98bc83d95e10f2d5ed339a553e1":0:5
CTR_DRBG Threads: reseed
depends_on:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
ctr_drbg_threads:"B10A961F2EA39927B4C48AEDDD299026":1:5
CTR_DRBG self test
ctr_drbg_selftest:

90
tests/suites/test_suite_ctr_drbg.function
View File

@ -3,6 +3,10 @@
#include "mbedtls/ctr_drbg.h"
#include "string.h"
#if defined(MBEDTLS_THREADING_PTHREAD)
#include "mbedtls/threading.h"
#endif
/* Modes for ctr_drbg_validate */
enum reseed_mode {
RESEED_NEVER, /* never reseed */
@ -90,6 +94,19 @@ exit:
mbedtls_ctr_drbg_free(&ctx);
}
static const int thread_random_reps = 10;
void *thread_random_function(void *ctx)
{
unsigned char out[16];
memset(out, 0, sizeof(out));
for (int i = 0; i < thread_random_reps; i++) {
TEST_EQUAL(mbedtls_ctr_drbg_random((mbedtls_ctr_drbg_context *) ctx, out, sizeof(out)), 0);
}
exit:
return NULL;
}
/* END_HEADER */
/* BEGIN_DEPENDENCIES
@ -325,6 +342,79 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_THREADING_PTHREAD:!MBEDTLS_CTR_DRBG_USE_128_BIT_KEY:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH */
void ctr_drbg_threads(data_t *expected_result, int reseed, int arg_thread_count)
{
size_t thread_count = (size_t) arg_thread_count;
pthread_t *threads = NULL;
unsigned char out[16];
unsigned char *entropy = NULL;
const size_t n_random_calls = thread_count * thread_random_reps + 1;
/* Based on the size of MBEDTLS_CTR_DRBG_ENTROPY_LEN for SHA512. */
const size_t entropy_len = 48;
AES_PSA_INIT();
TEST_CALLOC(threads, sizeof(pthread_t) * thread_count);
memset(out, 0, sizeof(out));
mbedtls_ctr_drbg_context ctx;
mbedtls_ctr_drbg_init(&ctx);
test_offset_idx = 0;
/* Need to do this, otherwise if we are forced into using SHA256 for
* whaever reason, output will differ. */
mbedtls_ctr_drbg_set_entropy_len(&ctx, entropy_len);
if (reseed == 0) {
mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_OFF);
mbedtls_ctr_drbg_set_reseed_interval(&ctx, n_random_calls + 1);
TEST_CALLOC(entropy, entropy_len + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN);
test_max_idx = entropy_len + MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
} else {
const size_t entropy_size = ((n_random_calls + 1) * entropy_len)
+ MBEDTLS_CTR_DRBG_ENTROPY_NONCE_LEN;
mbedtls_ctr_drbg_set_prediction_resistance(&ctx, MBEDTLS_CTR_DRBG_PR_ON);
TEST_CALLOC(entropy, entropy_size);
test_max_idx = entropy_size;
}
TEST_EQUAL(
mbedtls_ctr_drbg_seed(&ctx, mbedtls_test_entropy_func, entropy, NULL, 0),
0);
for (size_t i = 0; i < thread_count; i++) {
TEST_EQUAL(
pthread_create(&threads[i], NULL,
thread_random_function, (void *) &ctx),
0);
}
for (size_t i = 0; i < thread_count; i++) {
TEST_EQUAL(pthread_join(threads[i], NULL), 0);
}
/* Take a last output for comparing and thus verifying the DRBG state */
TEST_EQUAL(mbedtls_ctr_drbg_random(&ctx, out, sizeof(out)), 0);
TEST_MEMORY_COMPARE(out, sizeof(out), expected_result->x, expected_result->len);
exit:
mbedtls_ctr_drbg_free(&ctx);
mbedtls_free(entropy);
mbedtls_free(threads);
AES_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_FS_IO */
void ctr_drbg_seed_file(char *path, int ret)
{

48
tests/suites/test_suite_pk.data
View File

@ -621,62 +621,62 @@ PSA wrapped sign: RSA PKCS1 v1.5
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:MBEDTLS_GENPRIME:MBEDTLS_PK_WRITE_C
pk_psa_sign:1024:PSA_KEY_TYPE_RSA_KEY_PAIR:1024
PK Sign ext:RSA2048,PK_RSA,MD_SHA256
PK sign ext: RSA2048, PK_RSA, MD_SHA256
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA256
PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA256
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
PK Sign ext:RSA2048,PK_RSA,MD_SHA384
PK sign ext: RSA2048, PK_RSA, MD_SHA384
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA384
PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA384
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
PK Sign ext:RSA2048,PK_RSA,MD_SHA512
PK sign ext: RSA2048, PK_RSA, MD_SHA512
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
PK Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA512
PK sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C:MBEDTLS_RSA_GEN_KEY_MIN_BITS <= 2048
pk_psa_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
pk_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512
PK Sign ext:SECP256R1,PK_ECDSA,MD_SHA256
PK sign ext: SECP256R1, PK_ECDSA, MD_SHA256
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP256R1:MBEDTLS_MD_CAN_SHA256
pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA256
pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP256R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA256
PK Sign ext:SECP384R1,PK_ECDSA,MD_SHA384
PK sign ext: SECP384R1, PK_ECDSA, MD_SHA384
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP384R1:MBEDTLS_MD_CAN_SHA384
pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA384
pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP384R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA384
PK Sign ext:SECP521R1,PK_ECDSA,MD_SHA512
PK sign ext: SECP521R1, PK_ECDSA, MD_SHA512
depends_on:MBEDTLS_PK_CAN_ECDSA_SIGN:MBEDTLS_ECP_HAVE_SECP521R1:MBEDTLS_MD_CAN_SHA512
pk_psa_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA512
pk_sign_ext:MBEDTLS_PK_ECDSA:MBEDTLS_ECP_DP_SECP521R1:MBEDTLS_PK_ECDSA:MBEDTLS_MD_SHA512
PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA256
PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA256
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA256
PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA256
PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA256
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA256:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA256
PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA384
PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA384
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA384
PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA384
PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA384
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA384:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA384
PK wrapped Sign ext:RSA2048,PK_RSA,MD_SHA512
PSA wrapped sign ext: RSA2048, PK_RSA, MD_SHA512
depends_on:MBEDTLS_PKCS1_V15:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSA:MBEDTLS_MD_SHA512
PK wrapped Sign ext:RSA2048,PK_RSASSA_PSS,MD_SHA512
PSA wrapped sign ext: RSA2048, PK_RSASSA_PSS, MD_SHA512
depends_on:MBEDTLS_PKCS1_V21:MBEDTLS_MD_CAN_SHA512:MBEDTLS_RSA_C
pk_psa_wrap_sign_ext:MBEDTLS_PK_RSA:2048:MBEDTLS_PK_RSASSA_PSS:MBEDTLS_MD_SHA512

152
tests/suites/test_suite_pk.function
View File

@ -84,25 +84,25 @@ exit:
/** Generate a key of the desired type.
*
* \param pk The PK object to fill. It must have been initialized
* with mbedtls_pk_setup().
* \param parameter - For RSA keys, the key size in bits.
* - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx).
* \param pk The PK object to fill. It must have been initialized
* with mbedtls_pk_setup().
* \param curve_or_keybits - For RSA keys, the key size in bits.
* - For EC keys, the curve (\c MBEDTLS_ECP_DP_xxx).
*
* \return The status from the underlying type-specific key
* generation function.
* \return -1 if the key type is not recognized.
* \return The status from the underlying type-specific key
* generation function.
* \return -1 if the key type is not recognized.
*/
static int pk_genkey(mbedtls_pk_context *pk, int parameter)
static int pk_genkey(mbedtls_pk_context *pk, int curve_or_keybits)
{
((void) pk);
(void) parameter;
(void) pk;
(void) curve_or_keybits;
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
if (mbedtls_pk_get_type(pk) == MBEDTLS_PK_RSA) {
return mbedtls_rsa_gen_key(mbedtls_pk_rsa(*pk),
mbedtls_test_rnd_std_rand, NULL,
parameter, 3);
curve_or_keybits, 3);
}
#endif
#if defined(MBEDTLS_PK_HAVE_ECC_KEYS)
@ -112,7 +112,7 @@ static int pk_genkey(mbedtls_pk_context *pk, int parameter)
int ret;
#if defined(MBEDTLS_ECP_C)
ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, parameter);
ret = mbedtls_ecp_group_load(&mbedtls_pk_ec_rw(*pk)->grp, curve_or_keybits);
if (ret != 0) {
return ret;
}
@ -123,7 +123,7 @@ static int pk_genkey(mbedtls_pk_context *pk, int parameter)
#endif /* MBEDTLS_ECP_C */
#if defined(MBEDTLS_PK_USE_PSA_EC_DATA)
ret = pk_genkey_ec(pk, parameter);
ret = pk_genkey_ec(pk, curve_or_keybits);
if (ret != 0) {
return ret;
}
@ -319,7 +319,7 @@ exit:
/* BEGIN_CASE depends_on:MBEDTLS_USE_PSA_CRYPTO */
void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
int key_alg2, int parameter, int alg_check, int usage_check,
int key_alg2, int curve_or_keybits, int alg_check, int usage_check,
int result)
{
mbedtls_pk_context pk;
@ -336,7 +336,7 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
psa_set_key_enrollment_algorithm(&attributes, key_alg2);
}
psa_set_key_type(&attributes, key_type);
psa_set_key_bits(&attributes, parameter);
psa_set_key_bits(&attributes, curve_or_keybits);
PSA_ASSERT(psa_generate_key(&attributes, &key));
@ -350,7 +350,7 @@ void pk_can_do_ext(int opaque_key, int key_type, int key_usage, int key_alg,
} else {
TEST_EQUAL(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(key_type)), 0);
TEST_EQUAL(pk_genkey(&pk, parameter), 0);
TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0);
TEST_EQUAL(mbedtls_pk_get_type(&pk), key_type);
}
@ -407,6 +407,16 @@ void pk_invalid_param()
buf, buf_size, &buf_size,
NULL, NULL,
NULL));
TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_NONE,
NULL, buf_size,
buf, buf_size, &buf_size,
NULL, NULL));
TEST_EQUAL(MBEDTLS_ERR_PK_BAD_INPUT_DATA,
mbedtls_pk_sign_ext(pk_type, &ctx, MBEDTLS_MD_SHA256,
NULL, 0,
buf, buf_size, &buf_size,
NULL, NULL));
exit:
mbedtls_pk_free(&ctx);
USE_PSA_DONE();
@ -435,14 +445,6 @@ void valid_parameters()
TEST_ASSERT(mbedtls_pk_get_len(NULL) == 0);
TEST_ASSERT(mbedtls_pk_can_do(NULL, MBEDTLS_PK_NONE) == 0);
TEST_ASSERT(mbedtls_pk_sign_restartable(&pk,
MBEDTLS_MD_NONE,
NULL, 0,
buf, sizeof(buf), &len,
mbedtls_test_rnd_std_rand, NULL,
NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_ASSERT(mbedtls_pk_sign_restartable(&pk,
MBEDTLS_MD_NONE,
NULL, 0,
@ -458,6 +460,13 @@ void valid_parameters()
mbedtls_test_rnd_std_rand, NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_ASSERT(mbedtls_pk_sign_ext(MBEDTLS_PK_NONE, &pk,
MBEDTLS_MD_NONE,
NULL, 0,
buf, sizeof(buf), &len,
mbedtls_test_rnd_std_rand, NULL) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_ASSERT(mbedtls_pk_verify_restartable(&pk,
MBEDTLS_MD_NONE,
NULL, 0,
@ -536,7 +545,7 @@ exit:
/* END_CASE */
/* BEGIN_CASE */
void pk_utils(int type, int parameter, int bitlen, int len, char *name)
void pk_utils(int type, int curve_or_keybits, int bitlen, int len, char *name)
{
mbedtls_pk_context pk;
@ -544,7 +553,7 @@ void pk_utils(int type, int parameter, int bitlen, int len, char *name)
USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0);
TEST_ASSERT((int) mbedtls_pk_get_type(&pk) == type);
TEST_ASSERT(mbedtls_pk_can_do(&pk, type));
@ -848,7 +857,7 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256 */
void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret)
void pk_sign_verify(int type, int curve_or_keybits, int sign_ret, int verify_ret)
{
mbedtls_pk_context pk;
size_t sig_len;
@ -874,7 +883,7 @@ void pk_sign_verify(int type, int parameter, int sign_ret, int verify_ret)
memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_setup(&pk, mbedtls_pk_info_from_type(type)) == 0);
TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
TEST_ASSERT(pk_genkey(&pk, curve_or_keybits) == 0);
TEST_ASSERT(mbedtls_pk_sign_restartable(&pk, MBEDTLS_MD_SHA256,
hash, hash_len,
@ -1175,22 +1184,31 @@ void pk_rsa_overflow()
memset(hash, 0x2a, sizeof(hash));
memset(sig, 0, sizeof(sig));
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
TEST_EQUAL(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)), 0);
#if defined(MBEDTLS_PKCS1_V21)
TEST_ASSERT(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len) ==
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_EQUAL(mbedtls_pk_verify_ext(MBEDTLS_PK_RSASSA_PSS, NULL, &pk,
MBEDTLS_MD_NONE, hash, hash_len, sig, sig_len),
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
#endif /* MBEDTLS_PKCS1_V21 */
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len,
sig, sig_len) == MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_EQUAL(mbedtls_pk_verify(&pk, MBEDTLS_MD_NONE, hash, hash_len,
sig, sig_len),
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
TEST_ASSERT(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL)
== MBEDTLS_ERR_PK_BAD_INPUT_DATA);
#if defined(MBEDTLS_PKCS1_V21)
TEST_EQUAL(mbedtls_pk_sign_ext(MBEDTLS_PK_RSASSA_PSS, &pk,
MBEDTLS_MD_NONE, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL),
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
#endif /* MBEDTLS_PKCS1_V21 */
TEST_EQUAL(mbedtls_pk_sign(&pk, MBEDTLS_MD_NONE, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL),
MBEDTLS_ERR_PK_BAD_INPUT_DATA);
exit:
mbedtls_pk_free(&pk);
@ -1286,8 +1304,7 @@ exit:
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_MD_CAN_SHA256:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_TEST_PK_PSA_SIGN */
void pk_psa_sign(int parameter_arg,
int psa_type_arg, int expected_bits_arg)
void pk_psa_sign(int curve_or_keybits, int psa_type, int expected_bits)
{
mbedtls_pk_context pk;
unsigned char hash[32];
@ -1300,8 +1317,6 @@ void pk_psa_sign(int parameter_arg,
int ret;
mbedtls_svc_key_id_t key_id;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_type_t expected_type = psa_type_arg;
size_t expected_bits = expected_bits_arg;
/*
* This tests making signatures with a wrapped PSA key:
@ -1315,19 +1330,19 @@ void pk_psa_sign(int parameter_arg,
USE_PSA_INIT();
#if defined(MBEDTLS_RSA_C) && defined(MBEDTLS_GENPRIME)
if (PSA_KEY_TYPE_IS_RSA(psa_type_arg)) {
if (PSA_KEY_TYPE_IS_RSA(psa_type)) {
/* Create legacy RSA public/private key in PK context. */
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(MBEDTLS_PK_RSA)) == 0);
TEST_ASSERT(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL,
parameter_arg, 3) == 0);
curve_or_keybits, 3) == 0);
alg_psa = PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256);
} else
#endif /* MBEDTLS_RSA_C && MBEDTLS_GENPRIME */
#if defined(MBEDTLS_PK_CAN_ECDSA_SIGN)
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
mbedtls_ecp_group_id grpid = parameter_arg;
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
mbedtls_ecp_group_id grpid = curve_or_keybits;
/* Create legacy EC public/private key in PK context. */
TEST_ASSERT(mbedtls_pk_setup(&pk,
@ -1338,7 +1353,7 @@ void pk_psa_sign(int parameter_arg,
} else
#endif /* MBEDTLS_PK_CAN_ECDSA_SIGN */
{
(void) parameter_arg;
(void) curve_or_keybits;
TEST_ASSUME(!"Opaque PK key not supported in this configuration");
}
@ -1366,8 +1381,8 @@ void pk_psa_sign(int parameter_arg,
PSA_ALG_NONE) == 0);
PSA_ASSERT(psa_get_key_attributes(key_id, &attributes));
TEST_EQUAL(psa_get_key_type(&attributes), expected_type);
TEST_EQUAL(psa_get_key_bits(&attributes), expected_bits);
TEST_EQUAL(psa_get_key_type(&attributes), (psa_key_type_t) psa_type);
TEST_EQUAL(psa_get_key_bits(&attributes), (size_t) expected_bits);
TEST_EQUAL(psa_get_key_lifetime(&attributes),
PSA_KEY_LIFETIME_VOLATILE);
@ -1378,7 +1393,7 @@ void pk_psa_sign(int parameter_arg,
hash, sizeof(hash), sig, sizeof(sig), &sig_len,
NULL, NULL) == 0);
/* Only opaque EC keys support verification. */
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type_arg)) {
if (PSA_KEY_TYPE_IS_ECC_KEY_PAIR(psa_type)) {
TEST_ASSERT(mbedtls_pk_verify(&pk, MBEDTLS_MD_SHA256,
hash, sizeof(hash), sig, sig_len) == 0);
}
@ -1420,7 +1435,7 @@ void pk_psa_sign(int parameter_arg,
mbedtls_pk_info_from_type(MBEDTLS_PK_ECKEY)), 0);
TEST_EQUAL(mbedtls_ecp_group_load(
&(mbedtls_pk_ec_rw(pk)->grp),
(mbedtls_ecp_group_id) parameter_arg), 0);
(mbedtls_ecp_group_id) curve_or_keybits), 0);
TEST_EQUAL(mbedtls_ecp_point_read_binary(&(mbedtls_pk_ec_ro(pk)->grp),
&(mbedtls_pk_ec_rw(pk)->Q),
pkey_legacy_start, klen_legacy), 0);
@ -1440,14 +1455,13 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_GENPRIME */
void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
/* BEGIN_CASE depends_on:MBEDTLS_GENPRIME */
void pk_sign_ext(int pk_type, int curve_or_keybits, int key_pk_type, int md_alg)
{
/* See the description of pk_genkey() for the description of the `parameter` argument. */
mbedtls_pk_context pk;
size_t sig_len;
unsigned char sig[MBEDTLS_PK_SIGNATURE_MAX_SIZE];
unsigned char hash[PSA_HASH_MAX_SIZE];
unsigned char hash[MBEDTLS_MD_MAX_SIZE];
size_t hash_len = mbedtls_md_get_size_from_type(md_alg);
void const *options = NULL;
mbedtls_pk_rsassa_pss_options rsassa_pss_options;
@ -1455,16 +1469,15 @@ void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
memset(sig, 0, sizeof(sig));
mbedtls_pk_init(&pk);
PSA_INIT();
MD_OR_USE_PSA_INIT();
TEST_ASSERT(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(pk_type)) == 0);
TEST_EQUAL(mbedtls_pk_setup(&pk,
mbedtls_pk_info_from_type(pk_type)), 0);
TEST_EQUAL(pk_genkey(&pk, curve_or_keybits), 0);
TEST_ASSERT(pk_genkey(&pk, parameter) == 0);
TEST_ASSERT(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL) == 0);
TEST_EQUAL(mbedtls_pk_sign_ext(key_pk_type, &pk, md_alg, hash, hash_len,
sig, sizeof(sig), &sig_len,
mbedtls_test_rnd_std_rand, NULL), 0);
if (key_pk_type == MBEDTLS_PK_RSASSA_PSS) {
rsassa_pss_options.mgf1_hash_id = md_alg;
@ -1472,18 +1485,17 @@ void pk_psa_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
rsassa_pss_options.expected_salt_len = hash_len;
options = (const void *) &rsassa_pss_options;
}
TEST_ASSERT(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
hash, hash_len, sig, sig_len) == 0);
TEST_EQUAL(mbedtls_pk_verify_ext(key_pk_type, options, &pk, md_alg,
hash, hash_len, sig, sig_len), 0);
exit:
mbedtls_pk_free(&pk);
PSA_DONE();
MD_OR_USE_PSA_DONE();
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_RSA_C:MBEDTLS_GENPRIME:MBEDTLS_USE_PSA_CRYPTO */
void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_alg)
void pk_psa_wrap_sign_ext(int pk_type, int key_bits, int key_pk_type, int md_alg)
{
/* See the description of mbedtls_rsa_gen_key() for the description of the `parameter` argument. */
mbedtls_pk_context pk;
size_t sig_len, pkey_len;
mbedtls_svc_key_id_t key_id;
@ -1507,7 +1519,7 @@ void pk_psa_wrap_sign_ext(int pk_type, int parameter, int key_pk_type, int md_al
mbedtls_pk_info_from_type(pk_type)), 0);
TEST_EQUAL(mbedtls_rsa_gen_key(mbedtls_pk_rsa(pk),
mbedtls_test_rnd_std_rand, NULL,
parameter, 3), 0);
key_bits, 3), 0);
/* Export underlying public key for re-importing in a legacy context. */
ret = mbedtls_pk_write_pubkey_der(&pk, pkey, sizeof(pkey));