From 47c7a732d28696b9ff4ebd90f45ba4d96d6cfd78 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:34:23 -0300 Subject: [PATCH 01/17] Print RFC 4108 hwSerialNum in hex format Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- library/x509_crt.c | 14 ++----- tests/suites/test_suite_x509parse.data | 8 ++-- tests/suites/test_suite_x509parse.function | 46 ++++++++++------------ 3 files changed, 28 insertions(+), 40 deletions(-) diff --git a/library/x509_crt.c b/library/x509_crt.c index af1e487dbf..d17a952b7c 100644 --- a/library/x509_crt.c +++ b/library/x509_crt.c @@ -1854,6 +1854,7 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, const char *prefix ) { int ret = MBEDTLS_ERR_ERROR_CORRUPTION_DETECTED; + size_t i; size_t n = *size; char *p = *buf; const mbedtls_x509_sequence *cur = subject_alt_name; @@ -1906,18 +1907,11 @@ static int x509_info_subject_alt_name( char **buf, size_t *size, ret = mbedtls_snprintf( p, n, "\n%s hardware serial number : ", prefix ); MBEDTLS_X509_SAFE_SNPRINTF; - if( other_name->value.hardware_module_name.val.len >= n ) + for( i = 0; i < other_name->value.hardware_module_name.val.len; i++ ) { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); + ret = mbedtls_snprintf( p, n, "%02X", other_name->value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; } - - memcpy( p, other_name->value.hardware_module_name.val.p, - other_name->value.hardware_module_name.val.len ); - p += other_name->value.hardware_module_name.val.len; - - n -= other_name->value.hardware_module_name.val.len; - }/* MBEDTLS_OID_ON_HW_MODULE_NAME */ } break; diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 6263fba2cd..a4908a61e5 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
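Review bot: The per-byte `"%02X"` loop in the second x509_crt.c hunk carries no comment saying why the serial number is no longer copied verbatim, and the reason is security-relevant. hwSerialNum comes straight from the certificate, so the removed `memcpy` put certificate-controlled bytes (NULs, control characters) into the info text unescaped. I would add above the loop `/* hwSerialNum is an arbitrary OCTET STRING (RFC 4108): print it as hex so certificate-controlled bytes never reach the output unescaped. */`. The rest of x509_info_subject_alt_name lies outside the hunk, so it is worth confirming whether other name types there still copy certificate bytes as-is. The new `mbedtls_snprintf` line also runs well past 80 columns and could be wrapped after the format string.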
@@ -88,7 +88,7 @@ x509_cert_info:"data_files/server5-sha512.crt":"cert. version \: 3\nserial n X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n" +x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA 
@@ -112,7 +112,7 @@ x509_cert_info:"data_files/cert_example_multi.crt":"cert. version \: 3\nseri X509 CRT information, Multiple different Subject Alt Name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 123456\n dNSName \: example.net\n dNSName \: *.example.org\n" +x509_cert_info:"data_files/multiple_san.crt":"cert. version \: 3\nserial number \: 04\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS multiple othername SAN\nissued on \: 2019-04-22 16\:10\:48\nexpires on \: 2029-04-19 16\:10\:48\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n dNSName \: example.com\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n dNSName \: example.net\n dNSName \: *.example.org\n" X509 CRT information, Subject Alt Name + Key Usage depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_1_VIA_MD_OR_PSA_BASED_ON_USE_PSA 
@@ -172,7 +172,7 @@ x509_cert_info:"data_files/non-ascii-string-in-issuer.crt":"cert. version \: X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\n" +x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA @@ -180,7 +180,7 @@ x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: exampl X509 SAN parsing Multiple different types depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA -x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 123456\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" +x509_parse_san:"data_files/multiple_san.crt":"type \: 2\ndNSName \: example.com\ntype \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" X509 SAN parsing, no subject alt name depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA:MBEDTLS_ECDSA_C diff --git a/tests/suites/test_suite_x509parse.function b/tests/suites/test_suite_x509parse.function index 60e703a948..df4b03e0ec 100644 --- a/tests/suites/test_suite_x509parse.function +++ b/tests/suites/test_suite_x509parse.function 
@@ -246,36 +246,30 @@ int verify_parse_san( mbedtls_x509_subject_alternative_name *san, switch( san->type ) { - case( MBEDTLS_X509_SAN_OTHER_NAME ): - ret = mbedtls_snprintf( p, n, "\notherName :"); - MBEDTLS_X509_SAFE_SNPRINTF; + case( MBEDTLS_X509_SAN_OTHER_NAME ): + ret = mbedtls_snprintf( p, n, "\notherName :"); + MBEDTLS_X509_SAFE_SNPRINTF; - if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, - &san->san.other_name.value.hardware_module_name.oid ) != 0 ) - { - ret = mbedtls_snprintf( p, n, " hardware module name :" ); - MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, " hardware type : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + if( MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, + &san->san.other_name.value.hardware_module_name.oid ) != 0 ) + { + ret = mbedtls_snprintf( p, n, " hardware module name :" ); + MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, " hardware type : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_oid_get_numeric_string( p, n, - &san->san.other_name.value.hardware_module_name.oid ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_oid_get_numeric_string( p, n, + &san->san.other_name.value.hardware_module_name.oid ); + MBEDTLS_X509_SAFE_SNPRINTF; - ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); - MBEDTLS_X509_SAFE_SNPRINTF; + ret = mbedtls_snprintf( p, n, ", hardware serial number : " ); + MBEDTLS_X509_SAFE_SNPRINTF; - if( san->san.other_name.value.hardware_module_name.val.len >= n ) - { - *p = '\0'; - return( MBEDTLS_ERR_X509_BUFFER_TOO_SMALL ); - } - - for( i=0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) - { - *p++ = san->san.other_name.value.hardware_module_name.val.p[i]; - } - n -= san->san.other_name.value.hardware_module_name.val.len; + for( i = 0; i < san->san.other_name.value.hardware_module_name.val.len; i++ ) + { + ret = mbedtls_snprintf( p, n, "%02X", san->san.other_name.value.hardware_module_name.val.p[i] ); + MBEDTLS_X509_SAFE_SNPRINTF; + } } break;/* 
MBEDTLS_OID_ON_HW_MODULE_NAME */ case( MBEDTLS_X509_SAN_DNS_NAME ): From d0225afcb62573774df307389352c336b97a9e54 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:20 -0300 Subject: [PATCH 02/17] Add a new test with a binary hwSerialNum Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- tests/data_files/Makefile | 3 +++ tests/data_files/server5-nonprintable_othername.crt | 12 ++++++++++++ tests/data_files/test-ca.opensslconf | 7 +++++++ tests/suites/test_suite_x509parse.data | 8 ++++++++ 4 files changed, 30 insertions(+) create mode 100644 tests/data_files/server5-nonprintable_othername.crt diff --git a/tests/data_files/Makefile b/tests/data_files/Makefile index 6187d17bc3..09a0689462 100644 --- a/tests/data_files/Makefile +++ b/tests/data_files/Makefile @@ -276,6 +276,9 @@ all_final += server5-ss-forgeca.crt server5-othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions othername_san -days 3650 -sha256 -key $< -out $@ +server5-nonprintable_othername.crt: server5.key + $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS non-printable othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions nonprintable_othername_san -days 3650 -sha256 -key $< -out $@ + server5-unsupported_othername.crt: server5.key $(OPENSSL) req -x509 -new -subj "/C=UK/O=Mbed TLS/CN=Mbed TLS unsupported othername SAN" -set_serial 77 -config $(test_ca_config_file) -extensions unsupoported_othername_san -days 3650 -sha256 -key $< -out $@ diff --git a/tests/data_files/server5-nonprintable_othername.crt b/tests/data_files/server5-nonprintable_othername.crt new file mode 100644 index 0000000000..9470bbe9cc --- /dev/null +++ b/tests/data_files/server5-nonprintable_othername.crt 
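Review bot: The re-indented guard in verify_parse_san, `MBEDTLS_OID_CMP( MBEDTLS_OID_ON_HW_MODULE_NAME, &san->san.other_name.value.hardware_module_name.oid ) != 0`, looks inverted and aimed at the wrong field. It compares the otherName type OID with the hwType OID and enters the branch when they differ; if MBEDTLS_OID_CMP returns 0 on a match, as its memcmp-like use suggests, that holds for practically every hwType. The helper would then format any otherName as a hardware module name instead of checking the parsed type. If the parsed structure exposes the otherName type OID (not visible in this hunk), the comparison should be against that field with `== 0`. The function starts and continues outside the hunk.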
@@ -0,0 +1,12 @@ +-----BEGIN CERTIFICATE----- +MIIBwTCCAWagAwIBAgIBTTAKBggqhkjOPQQDAjBPMQswCQYDVQQGEwJVSzERMA8G +A1UECgwITWJlZCBUTFMxLTArBgNVBAMMJE1iZWQgVExTIG5vbi1wcmludGFibGUg +b3RoZXJuYW1lIFNBTjAeFw0yMjA5MDYxNTU2NDdaFw0zMjA5MDMxNTU2NDdaME8x +CzAJBgNVBAYTAlVLMREwDwYDVQQKDAhNYmVkIFRMUzEtMCsGA1UEAwwkTWJlZCBU +TFMgbm9uLXByaW50YWJsZSBvdGhlcm5hbWUgU0FOMFkwEwYHKoZIzj0CAQYIKoZI +zj0DAQcDQgAEN8xW2XYJHlpyPsdZLf8gbu58+QaRdNCtFLX3aCJZYpJO5QDYIxH/ +6i/SNF1dFr2KiMJrdw1VzYoqDvoByLTt/6MzMDEwLwYDVR0RBCgwJqAkBggrBgEF +BQcIBKAYMBYGBysGAQQBEQMECzEyM4CBAIGAMzIxMAoGCCqGSM49BAMCA0kAMEYC +IQDATir07PTj5gtf+HAyI+nd27AH9+bdaWdOI2t2bAwUWgIhAO7kvdcsa++yfJdT +3vnWdvcHRIAdXA0kh+mcBMaXk9B0 +-----END CERTIFICATE----- diff --git a/tests/data_files/test-ca.opensslconf b/tests/data_files/test-ca.opensslconf index 64347de830..3bb237903c 100644 --- a/tests/data_files/test-ca.opensslconf +++ b/tests/data_files/test-ca.opensslconf @@ -15,6 +15,9 @@ basicConstraints = CA:true [othername_san] subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:hw_module_name +[nonprintable_othername_san] +subjectAltName=otherName:1.3.6.1.5.5.7.8.4;SEQ:nonprintable_hw_module_name + [unsupoported_othername_san] subjectAltName=otherName:1.2.3.4;UTF8:some other identifier @@ -34,6 +37,10 @@ subjectAltName=@alt_names hwtype = OID:1.3.6.1.4.1.17.3 hwserial = OCT:123456 +[nonprintable_hw_module_name] +hwtype = OID:1.3.6.1.4.1.17.3 +hwserial = FORMAT:HEX, OCT:3132338081008180333231 + [v3_any_policy_ca] basicConstraints = CA:true certificatePolicies = 2.5.29.32.0 diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index a4908a61e5..69f745f462 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data 
@@ -90,6 +90,10 @@ X509 CRT information EC, SHA256 Digest, hardware module name SAN depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS othername SAN\nissued on \: 2019-03-24 09\:06\:02\nexpires on \: 2029-03-21 09\:06\:02\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 313233343536\n" +X509 CRT information EC, SHA256 Digest, binary hardware module name SAN +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_cert_info:"data_files/server5-nonprintable_othername.crt":"cert. version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS non-printable othername SAN\nissued on \: 2022-09-06 15\:56\:47\nexpires on \: 2032-09-03 15\:56\:47\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\nsubject alt name \:\n otherName \:\n hardware module name \:\n hardware type \: 1.3.6.1.4.1.17.3\n hardware serial number \: 3132338081008180333231\n" + X509 CRT information EC, SHA256 Digest, Wisun Fan device depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_cert_info:"data_files/server5-fan.crt":"cert. 
version \: 3\nserial number \: 4D\nissuer name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nsubject name \: C=UK, O=Mbed TLS, CN=Mbed TLS FAN\nissued on \: 2019-03-25 09\:03\:46\nexpires on \: 2029-03-22 09\:03\:46\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\next key usage \: Wi-SUN Alliance Field Area Network (FAN)\n" @@ -174,6 +178,10 @@ X509 SAN parsing otherName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/server5-othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 313233343536\n" +X509 SAN parsing binary otherName +depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA +x509_parse_san:"data_files/server5-nonprintable_othername.crt":"type \: 0\notherName \: hardware module name \: hardware type \: 1.3.6.1.4.1.17.3, hardware serial number \: 3132338081008180333231\n" + X509 SAN parsing dNSName depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_RSA_C:MBEDTLS_HAS_ALG_SHA_256_VIA_MD_OR_PSA_BASED_ON_USE_PSA x509_parse_san:"data_files/cert_example_multi.crt":"type \: 2\ndNSName \: example.com\ntype \: 2\ndNSName \: example.net\ntype \: 2\ndNSName \: *.example.org\n" From 00a02b1468e95e0c0bf66e513beb919733e78050 Mon Sep 17 00:00:00 2001 From: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> Date: Thu, 29 Sep 2022 11:40:39 -0300 Subject: [PATCH 03/17] Add Changelog entry Signed-off-by: Victor Barpp Gomes <17840319+Kabbah@users.noreply.github.com> --- ChangeLog.d/fix_x509_info_hwmodulename.txt | 5 +++++ 1 file changed, 5 insertions(+) create mode 100644 ChangeLog.d/fix_x509_info_hwmodulename.txt diff --git a/ChangeLog.d/fix_x509_info_hwmodulename.txt b/ChangeLog.d/fix_x509_info_hwmodulename.txt new file mode 100644 index 0000000000..8b227cec34 --- /dev/null 
+++ b/ChangeLog.d/fix_x509_info_hwmodulename.txt @@ -0,0 +1,5 @@ +Bugfix + * Fix a bug in which mbedtls_x509_crt_info() would produce non-printable + bytes when parsing certificates containing a binary RFC 4108 + HardwareModuleName as a Subject Alternative Name extension. Hardware + serial numbers are now rendered in hex format. Fixes #6262. From d976673dd60ed3a0566419196f7e47d720ecc842 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Mon, 17 Oct 2022 15:13:30 +0800 Subject: [PATCH 04/17] Add build version to the output of ssl_client2 Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 30 ++++++++++++++++++++++++++++++ 1 file changed, 30 insertions(+) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index be474d4737..451e232643 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -25,6 +25,10 @@ #include "test/psa_crypto_helpers.h" #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_VERSION_C) +#include "mbedtls/build_info.h" +#endif /* MBEDTLS_VERSION_C */ + #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) { @@ -360,6 +364,14 @@ int main( void ) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ +#if defined(MBEDTLS_VERSION_C) +#define USAGE_BUILD_VERSION \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print the build version only a stop)\n" +#else +#define USAGE_BUILD_VERSION "" +#endif /* MBEDTLS_VERSION_C */ + /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ @@ -375,6 +387,7 @@ int main( void ) " application data message is sent followed by\n" \ " a second non-empty message before attempting\n" \ " to read a response from the server\n" \ + USAGE_BUILD_VERSION \ " debug_level=%%d default: 0 (disabled)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ 
@@ -984,6 +997,18 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } +#if defined(MBEDTLS_VERSION_C) + else if( strcmp( p, "build_version" ) == 0 ) + { + if( strcmp( q, "1" ) == 0 ) + { + mbedtls_printf( "build version: %s (build %u)\n", + MBEDTLS_VERSION_STRING, + MBEDTLS_VERSION_NUMBER ); + goto exit; + } + } +#endif /* MBEDTLS_VERSION_C */ else if( strcmp( p, "context_crt_cb" ) == 0 ) { opt.context_crt_cb = atoi( q ); @@ -2454,6 +2479,11 @@ int main( int argc, char *argv[] ) } } +#if defined(MBEDTLS_VERSION_C) + mbedtls_printf( "build version: %s (build %u)\n", + MBEDTLS_VERSION_STRING, MBEDTLS_VERSION_NUMBER ); +#endif /* MBEDTLS_VERSION_C */ + #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * 5. Verify the server certificate From ff4181e2460f6370d46caf16e2d1b3ecd729153a Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Tue, 18 Oct 2022 18:16:08 +0800 Subject: [PATCH 05/17] Fix build error in cmake while printing digital build version Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 451e232643..59a96d2126 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -27,6 +27,7 @@ #if defined(MBEDTLS_VERSION_C) #include "mbedtls/build_info.h" +#include "mbedtls/version.h" #endif /* MBEDTLS_VERSION_C */ #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) @@ -1004,7 +1005,7 @@ int main( int argc, char *argv[] ) { mbedtls_printf( "build version: %s (build %u)\n", MBEDTLS_VERSION_STRING, - MBEDTLS_VERSION_NUMBER ); + mbedtls_version_get_number() ); goto exit; } } @@ -2481,7 +2482,7 @@ int main( int argc, char *argv[] ) #if defined(MBEDTLS_VERSION_C) mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, MBEDTLS_VERSION_NUMBER ); + MBEDTLS_VERSION_STRING, mbedtls_version_get_number() ); #endif /* MBEDTLS_VERSION_C */ #if defined(MBEDTLS_X509_CRT_PARSE_C) 
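Review bot: In the new `build_version` branch of the option parser, any value other than `1` falls through with no effect, so a typo such as `build_version=yes` is silently accepted. The `debug_level` branch just above it rejects bad values with `goto usage`. Adding `else goto usage;` after the inner `if( strcmp( q, "1" ) == 0 )` block would keep the parser consistent. The later ssl_client2.c revision of this branch in the series and the copy added to ssl_server2.c have the same shape, so the same change applies there. main() starts and ends outside the hunk.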
From 076b2d062f4e33776be5d05795386c341d71c4e1 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Fri, 21 Oct 2022 11:09:45 +0800 Subject: [PATCH 06/17] Improve the method of printing string build version Following changes are introduced with this commit: - Call mbedtls_version_get_string before printing string build version instead of printing macro directly - Output build version in the beginning of ssl_client2 program Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 20 ++++++++++++-------- 1 file changed, 12 insertions(+), 8 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index 59a96d2126..ae4bb57021 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -26,7 +26,6 @@ #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ #if defined(MBEDTLS_VERSION_C) -#include "mbedtls/build_info.h" #include "mbedtls/version.h" #endif /* MBEDTLS_VERSION_C */ @@ -1003,9 +1002,11 @@ int main( int argc, char *argv[] ) { if( strcmp( q, "1" ) == 0 ) { + char version_str[10]; + memset( version_str, 0, 10 ); + mbedtls_version_get_string( version_str ); mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, - mbedtls_version_get_number() ); + version_str, mbedtls_version_get_number() ); goto exit; } } @@ -1722,6 +1723,14 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ +#if defined(MBEDTLS_VERSION_C) + char version_str[10]; + memset( version_str, 0, 10 ); + mbedtls_version_get_string( version_str ); + mbedtls_printf( "build version: %s (build %u)\n", + version_str, mbedtls_version_get_number() ); +#endif /* MBEDTLS_VERSION_C */ + /* * 0. Initialize the RNG and the session data */ 
@@ -2480,11 +2489,6 @@ int main( int argc, char *argv[] ) } } -#if defined(MBEDTLS_VERSION_C) - mbedtls_printf( "build version: %s (build %u)\n", - MBEDTLS_VERSION_STRING, mbedtls_version_get_number() ); -#endif /* MBEDTLS_VERSION_C */ - #if defined(MBEDTLS_X509_CRT_PARSE_C) /* * 5. Verify the server certificate From 84645e92c61d91e2ee8b40053cb83336a77e33a9 Mon Sep 17 00:00:00 2001 From: Yanray Wang Date: Thu, 27 Oct 2022 10:17:09 +0800 Subject: [PATCH 07/17] Simplify code of adding output in ssl_client2 - print build version macro defined in build_info.h directly - Remove all the MBEDTLS_VERSION_C guards as build version information is always available in build_info.h Signed-off-by: Yanray Wang --- programs/ssl/ssl_client2.c | 34 +++++++--------------------------- 1 file changed, 7 insertions(+), 27 deletions(-) diff --git a/programs/ssl/ssl_client2.c b/programs/ssl/ssl_client2.c index e74656ee78..e3fdb1f7c5 100644 --- a/programs/ssl/ssl_client2.c +++ b/programs/ssl/ssl_client2.c @@ -25,10 +25,6 @@ #include "test/psa_crypto_helpers.h" #endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_VERSION_C) -#include "mbedtls/version.h" -#endif /* MBEDTLS_VERSION_C */ - #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE) int main( void ) { @@ -364,14 +360,6 @@ int main( void ) #define USAGE_TLS1_3_KEY_EXCHANGE_MODES "" #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */ -#if defined(MBEDTLS_VERSION_C) -#define USAGE_BUILD_VERSION \ - " build_version=%%d default: none (disabled)\n" \ - " option: 1 (print the build version only a stop)\n" -#else -#define USAGE_BUILD_VERSION "" -#endif /* MBEDTLS_VERSION_C */ - /* USAGE is arbitrarily split to stay under the portable string literal * length limit: 4095 bytes in C99. */ #define USAGE1 \ 
@@ -387,8 +375,9 @@ int main( void ) " application data message is sent followed by\n" \ " a second non-empty message before attempting\n" \ " to read a response from the server\n" \ - USAGE_BUILD_VERSION \ " debug_level=%%d default: 0 (disabled)\n" \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print build version only and stop)\n" \ " nbio=%%d default: 0 (blocking I/O)\n" \ " options: 1 (non-blocking), 2 (added delays)\n" \ " event=%%d default: 0 (loop)\n" \ @@ -995,20 +984,16 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } -#if defined(MBEDTLS_VERSION_C) else if( strcmp( p, "build_version" ) == 0 ) { if( strcmp( q, "1" ) == 0 ) { - char version_str[10]; - memset( version_str, 0, 10 ); - mbedtls_version_get_string( version_str ); - mbedtls_printf( "build version: %s (build %u)\n", - version_str, mbedtls_version_get_number() ); + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, + MBEDTLS_VERSION_NUMBER ); goto exit; } } -#endif /* MBEDTLS_VERSION_C */ else if( strcmp( p, "context_crt_cb" ) == 0 ) { opt.context_crt_cb = atoi( q ); @@ -1721,13 +1706,8 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ -#if defined(MBEDTLS_VERSION_C) - char version_str[10]; - memset( version_str, 0, 10 ); - mbedtls_version_get_string( version_str ); - mbedtls_printf( "build version: %s (build %u)\n", - version_str, mbedtls_version_get_number() ); -#endif /* MBEDTLS_VERSION_C */ + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, MBEDTLS_VERSION_NUMBER ); /* * 0. Initialize the RNG and the session data From eaf46d1291d57ed36d31cf14ca61edf5505b9972 Mon Sep 17 00:00:00 2001 
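Review bot: Both new `mbedtls_printf` calls print `MBEDTLS_VERSION_NUMBER` with `%d`, but that macro is, as far as build_info.h defines it, a hex-packed value with major, minor and patch in successive bytes. The decimal output cannot be read back as a version. Printing it as `"build version: %s (build 0x%08x)\n"` with `(unsigned) MBEDTLS_VERSION_NUMBER` keeps the bytes recognisable. The unconditional print before step 0 also changes the program's default output, so any script that matches on its first lines should be checked. The same two calls are added to ssl_server2.c in the next patch.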
From: Yanray Wang Date: Fri, 28 Oct 2022 10:38:37 +0800 Subject: [PATCH 08/17] Add output of build version in ssl_server2 Usage: - By default, build version is printed out in the beginning of ssl_server2 application. - ./ssl_server2 build_version=1 only prints build verison and stop Signed-off-by: Yanray Wang --- programs/ssl/ssl_server2.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/programs/ssl/ssl_server2.c b/programs/ssl/ssl_server2.c index 1fd63d2d0d..7aead3ade0 100644 --- a/programs/ssl/ssl_server2.c +++ b/programs/ssl/ssl_server2.c @@ -489,6 +489,8 @@ int main( void ) " server_addr=%%s default: (all interfaces)\n" \ " server_port=%%d default: 4433\n" \ " debug_level=%%d default: 0 (disabled)\n" \ + " build_version=%%d default: none (disabled)\n" \ + " option: 1 (print build version only and stop)\n" \ " buffer_size=%%d default: 200 \n" \ " (minimum: 1)\n" \ " response_size=%%d default: about 152 (basic response)\n" \ @@ -1745,6 +1747,16 @@ int main( int argc, char *argv[] ) if( opt.debug_level < 0 || opt.debug_level > 65535 ) goto usage; } + else if( strcmp( p, "build_version" ) == 0 ) + { + if( strcmp( q, "1" ) == 0 ) + { + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, + MBEDTLS_VERSION_NUMBER ); + goto exit; + } + } else if( strcmp( p, "nbio" ) == 0 ) { opt.nbio = atoi( q ); @@ -2576,6 +2588,9 @@ int main( int argc, char *argv[] ) } #endif /* MBEDTLS_SSL_ALPN */ + mbedtls_printf( "build version: %s (build %d)\n", + MBEDTLS_VERSION_STRING_FULL, MBEDTLS_VERSION_NUMBER ); + /* * 0. Initialize the RNG and the session data */ From b85838f2f4ce9289061fd0bf07c51bb596af2ca7 Mon Sep 17 00:00:00 2001 
From: David Horstmann Date: Thu, 3 Nov 2022 17:49:29 +0000 Subject: [PATCH 09/17] Change test templating syntax to be valid C For the benefit of auto-formatting tools, move from the '$placeholder' templating syntax to a new syntax of the form: __MBEDTLS_TEST_TEMPLATE__PLACEHOLDER This change allows the test code template to be almost entirely valid C. Signed-off-by: David Horstmann --- tests/scripts/generate_test_code.py | 75 ++++++++++++++++++----------- tests/suites/main_test.function | 44 ++++++++--------- 2 files changed, 69 insertions(+), 50 deletions(-) diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py index f5750aacfa..6d65986c88 100755 --- a/tests/scripts/generate_test_code.py +++ b/tests/scripts/generate_test_code.py 
@@ -126,33 +126,33 @@ code that is generated or read from helpers and platform files. This script replaces following fields in the template and generates the test source file: -$test_common_helpers <-- All common code from helpers.function - is substituted here. -$functions_code <-- Test functions are substituted here - from the input test_suit_xyz.function - file. C preprocessor checks are generated - for the build dependencies specified - in the input file. This script also - generates wrappers for the test - functions with code to expand the - string parameters read from the data - file. -$expression_code <-- This script enumerates the - expressions in the .data file and - generates code to handle enumerated - expression Ids and return the values. -$dep_check_code <-- This script enumerates all - build dependencies and generate - code to handle enumerated build - dependency Id and return status: if - the dependency is defined or not. -$dispatch_code <-- This script enumerates the functions - specified in the input test data file - and generates the initializer for the - function table in the template - file. -$platform_code <-- Platform specific setup and test - dispatch code. +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS <-- All common code from helpers.function + is substituted here. +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE <-- Test functions are substituted here + from the input test_suit_xyz.function + file. C preprocessor checks are generated + for the build dependencies specified + in the input file. This script also + generates wrappers for the test + functions with code to expand the + string parameters read from the data + file. +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE <-- This script enumerates the + expressions in the .data file and + generates code to handle enumerated + expression Ids and return the values. 
+__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE <-- This script enumerates all + build dependencies and generate + code to handle enumerated build + dependency Id and return status: if + the dependency is defined or not. +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE <-- This script enumerates the functions + specified in the input test data file + and generates the initializer for the + function table in the template + file. +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE <-- Platform specific setup and test + dispatch code. """ @@ -974,11 +974,30 @@ def write_test_source_file(template_file, c_file, snippets): :param snippets: Generated and code snippets :return: """ + + # Create a placeholder pattern with the correct named capture groups + # to override the default provided with Template. + # Match nothing (no way of escaping placeholders). + escaped = "(?P(?!))" + # Match the "__MBEDTLS_TEST_TEMPLATE__PLACEHOLDER_NAME" pattern. + named = "__MBEDTLS_TEST_TEMPLATE__(?P[A-Z][_A-Z0-9]*)" + # Match nothing (no braced placeholder syntax). + braced = "(?P(?!))" + # If not already matched, a "__MBEDTLS_TEST_TEMPLATE__" prefix is invalid. + invalid = "(?P__MBEDTLS_TEST_TEMPLATE__)" + placeholder_pattern = re.compile(escaped \ + + "|" + named \ + + "|" + braced \ + + "|" + invalid) + with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f: for line_no, line in enumerate(template_f.readlines(), 1): # Update line number. +1 as #line directive sets next line number snippets['line_no'] = line_no + 1 - code = string.Template(line).substitute(**snippets) + template = string.Template(line) + template.pattern = placeholder_pattern + snippets = {k.upper():v for (k, v) in snippets.items()} + code = template.substitute(**snippets) c_f.write(code) diff --git a/tests/suites/main_test.function b/tests/suites/main_test.function index e016865348..48003d4f27 100644 --- a/tests/suites/main_test.function +++ b/tests/suites/main_test.function 
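Review bot: In write_test_source_file the new `snippets = {k.upper():v for (k, v) in snippets.items()}` sits inside the per-line loop, so the dict is rebuilt for every template line. The lower-case `line_no` key is re-added and re-folded each iteration, and `LINE_NO` only ends up correct because the later key wins in the comprehension. Uppercasing once before the `with` block and writing `snippets['LINE_NO'] = line_no + 1` in the loop is clearer and does not depend on insertion order. The placeholder regex could likewise be compiled once at module level, or supplied as the `pattern` attribute of a small `string.Template` subclass rather than assigned onto each instance. A one-line comment that `substitute` raises on an unknown or malformed `__MBEDTLS_TEST_TEMPLATE__` name would explain why the `invalid` alternative exists.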
@@ -3,17 +3,17 @@ * *** THIS FILE HAS BEEN MACHINE GENERATED *** * * This file has been machine generated using the script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * - * Test file : $test_file + * Test file : __MBEDTLS_TEST_TEMPLATE__TEST_FILE * * The following files were used to create this file. * - * Main code file : $test_main_file - * Platform code file : $test_platform_file - * Helper file : $test_common_helper_file - * Test suite file : $test_case_file - * Test suite data : $test_case_data_file + * Main code file : __MBEDTLS_TEST_TEMPLATE__TEST_MAIN_FILE + * Platform code file : __MBEDTLS_TEST_TEMPLATE__TEST_PLATFORM_FILE + * Helper file : __MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPER_FILE + * Test suite file : __MBEDTLS_TEST_TEMPLATE__TEST_CASE_FILE + * Test suite data : __MBEDTLS_TEST_TEMPLATE__TEST_CASE_DATA_FILE * */ @@ -37,9 +37,9 @@ /*----------------------------------------------------------------------------*/ /* Common helper code */ -$test_common_helpers +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ @@ -48,9 +48,9 @@ $test_common_helpers #define TEST_SUITE_ACTIVE -$functions_code +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ @@ -62,7 +62,7 @@ $functions_code * For optimizing space for embedded targets each expression/macro * is identified by a unique identifier instead of string literals. * Identifiers and evaluation code is generated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * * \param exp_id Expression identifier. * \param out_value Pointer to int to hold the integer. 
@@ -78,8 +78,8 @@ int get_expression( int32_t exp_id, int32_t * out_value ) switch( exp_id ) { -$expression_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" default: { ret = KEY_VALUE_MAPPING_NOT_FOUND; @@ -95,7 +95,7 @@ $expression_code * For optimizing space for embedded targets each dependency * is identified by a unique identifier instead of string literals. * Identifiers and check code is generated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * * \param dep_id Dependency identifier. * @@ -109,8 +109,8 @@ int dep_check( int dep_id ) switch( dep_id ) { -$dep_check_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" default: break; } @@ -137,13 +137,13 @@ typedef void (*TestWrapper_t)( void **param_array ); /** * \brief Table of test function wrappers. Used by dispatch_test(). * This table is populated by script: - * $generator_script + * __MBEDTLS_TEST_TEMPLATE__GENERATOR_SCRIPT * */ TestWrapper_t test_funcs[] = { -$dispatch_code -#line $line_no "suites/main_test.function" +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" }; /** @@ -219,9 +219,9 @@ int check_test( size_t func_idx ) } -$platform_code +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE -#line $line_no "suites/main_test.function" +#line __MBEDTLS_TEST_TEMPLATE__LINE_NO "suites/main_test.function" /*----------------------------------------------------------------------------*/ /* Main Test code */ From 38860e2f1952ba6179ef24604c2ef9abb04ae9c7 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Manuel=20P=C3=A9gouri=C3=A9-Gonnard?= Date: Mon, 7 Nov 2022 10:05:49 +0100 Subject: [PATCH 10/17] Improve test suite detection in run-test-suites.pl MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Looking for executables causes problems with leftover compiled test suites from other branches when we forget to run make clean before switching branches. Using the .data files is more robust as most of them are tracked, so will be removed when switching branches. Signed-off-by: Manuel Pégourié-Gonnard --- tests/scripts/run-test-suites.pl | 12 +++++++----- 1 file changed, 7 insertions(+), 5 deletions(-) diff --git a/tests/scripts/run-test-suites.pl b/tests/scripts/run-test-suites.pl index 22eadd1805..8a5bb937dc 100755 --- a/tests/scripts/run-test-suites.pl +++ b/tests/scripts/run-test-suites.pl @@ -50,11 +50,13 @@ GetOptions( 'verbose|v:1' => \$verbose, ) or die; -# All test suites = executable files, excluding source files, debug -# and profiling information, etc. We can't just grep {! /\./} because -# some of our test cases' base names contain a dot. -my @suites = grep { -x $_ || /\.exe$/ } glob 'test_suite_*'; -@suites = grep { !/\.c$/ && !/\.data$/ && -f } @suites; +# All test suites = executable files derived from a .data file. +my @suites = (); +for my $data_file (glob 'suites/test_suite_*.data') { + (my $base = $data_file) =~ s#^suites/(.*)\.data$#$1#; + push @suites, $base if -x $base; + push @suites, "$base.exe" if -e "$base.exe"; +} die "$0: no test suite found\n" unless @suites; # "foo" as a skip pattern skips "test_suite_foo" and "test_suite_foo.bar" From f869bfdfefa375d049841cc18fdd3223f392c8b2 Mon Sep 17 00:00:00 2001 From: Jan Bruckner Date: Mon, 7 Nov 2022 15:28:49 +0100 Subject: [PATCH 11/17] Fix outdated reference in debug message Signed-off-by: Jan Bruckner --- library/ssl_msg.c | 6 ++---- 1 file changed, 2 insertions(+), 4 deletions(-) 
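Review bot: The new loop accepts `$base` on `-x` alone, whereas the removed filter also required `-f`, so a directory or other non-regular entry with a suite's name would now be queued for execution. `push @suites, $base if -f $base && -x $base;` keeps the old guarantee. When both `test_suite_foo` and a leftover `test_suite_foo.exe` exist, both are pushed and the suite runs twice, so choosing one of the two per `.data` file would fit the stated goal of ignoring stale binaries.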
diff --git a/library/ssl_msg.c b/library/ssl_msg.c index 4cd4107ca1..dbc6391885 100644 --- a/library/ssl_msg.c +++ b/library/ssl_msg.c @@ -1797,8 +1797,7 @@ int mbedtls_ssl_fetch_input( mbedtls_ssl_context *ssl, size_t nb_want ) if( ssl->f_recv == NULL && ssl->f_recv_timeout == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } @@ -2013,8 +2012,7 @@ int mbedtls_ssl_flush_output( mbedtls_ssl_context *ssl ) if( ssl->f_send == NULL ) { - MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " - "or mbedtls_ssl_set_bio()" ) ); + MBEDTLS_SSL_DEBUG_MSG( 1, ( "Bad usage of mbedtls_ssl_set_bio() " ) ); return( MBEDTLS_ERR_SSL_BAD_INPUT_DATA ); } From 0750d08601df0c68f25ee0f929732f67c252f7ed Mon Sep 17 00:00:00 2001 From: Glenn Strauss Date: Tue, 8 Nov 2022 02:25:01 -0500 Subject: [PATCH 12/17] Add comments for some forbidden aliasing in bignum Signed-off-by: Glenn Strauss --- include/mbedtls/bignum.h | 11 ++++++----- 1 file changed, 6 insertions(+), 5 deletions(-) diff --git a/include/mbedtls/bignum.h b/include/mbedtls/bignum.h index ee37430488..9d15955f34 100644 --- a/include/mbedtls/bignum.h +++ b/include/mbedtls/bignum.h @@ -758,11 +758,11 @@ int mbedtls_mpi_mul_int( mbedtls_mpi *X, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A or B. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. - * \param A The dividend. This must point to an initialized MPi. + * remainder is not needed. This must not alias A or B. + * \param A The dividend. This must point to an initialized MPI. * \param B The divisor. This must point to an initialized MPI. * * \return \c 0 if successful. 
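Review bot: The shortened literal in both ssl_msg.c hunks, `"Bad usage of mbedtls_ssl_set_bio() "`, keeps the trailing space that was only there to join the two halves of the old concatenated string, so the debug line now ends in a stray blank. `( "Bad usage of mbedtls_ssl_set_bio()" )` is the tidy form. The message also does not say which callback is missing: the first hunk fires when both `f_recv` and `f_recv_timeout` are NULL, the second when `f_send` is NULL, and naming them would make the log line more useful. Both enclosing functions continue outside their hunks.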
@@ -779,10 +779,10 @@ int mbedtls_mpi_div_mpi( mbedtls_mpi *Q, mbedtls_mpi *R, const mbedtls_mpi *A, * * \param Q The destination MPI for the quotient. * This may be \c NULL if the value of the - * quotient is not needed. + * quotient is not needed. This must not alias A. * \param R The destination MPI for the remainder value. * This may be \c NULL if the value of the - * remainder is not needed. + * remainder is not needed. This must not alias A. * \param A The dividend. This must point to an initialized MPi. * \param b The divisor. * @@ -837,6 +837,7 @@ int mbedtls_mpi_mod_int( mbedtls_mpi_uint *r, const mbedtls_mpi *A, * \brief Perform a sliding-window exponentiation: X = A^E mod N * * \param X The destination MPI. This must point to an initialized MPI. + * This must not alias E or N. * \param A The base of the exponentiation. * This must point to an initialized MPI. * \param E The exponent MPI. This must point to an initialized MPI. From c018204019a6a935ae0bf3ab888cd7a6d7fc2039 Mon Sep 17 00:00:00 2001 From: Andrzej Kurek Date: Tue, 8 Nov 2022 08:12:56 -0500 Subject: [PATCH 13/17] Improve error injection in EC J-PAKE tests Instead of corrupting the public key part of the message, corrupt the proof part. A proof is conceptually similar to a signature, and changing anything in it should make it invalid with a high probability. Also, instead of shifting data, perform a bitflip. Signed-off-by: Andrzej Kurek --- tests/suites/test_suite_psa_crypto.function | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto.function b/tests/suites/test_suite_psa_crypto.function index 36a8efaae5..779f594dca 100644 --- a/tests/suites/test_suite_psa_crypto.function +++ b/tests/suites/test_suite_psa_crypto.function 
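Review bot: The `\param A` context line in the first bignum.h hunk on this line (the doc comment with the integer divisor `\param b`) still reads `initialized MPi.`, although the same commit corrects that spelling in the preceding hunk. It should become `* \param A The dividend. This must point to an initialized MPI.`. As far as these hunks show, the added "must not alias" sentences are documentation only, so a caller that violates them gets no diagnostic. Whether the implementations should reject aliased arguments is worth confirming separately.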
@@ -790,8 +790,8 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, if( inject_error == 1 ) { - buffer0[s_x1_pk_off + 8] >>= 4; - buffer0[s_x2_pk_off + 7] <<= 4; + buffer0[s_x1_pr_off + 8] ^= 1; + buffer0[s_x2_pr_off + 7] ^= 1; expected_status = PSA_ERROR_DATA_INVALID; } @@ -1013,8 +1013,8 @@ static void ecjpake_do_round( psa_algorithm_t alg, unsigned int primitive, if( inject_error == 2 ) { - buffer1[c_x1_pk_off + 12] >>= 4; - buffer1[c_x2_pk_off + 7] <<= 4; + buffer1[c_x1_pr_off + 12] ^= 1; + buffer1[c_x2_pr_off + 7] ^= 1; expected_status = PSA_ERROR_DATA_INVALID; } From ab45425623fa487e423070df499017e65a210c0a Mon Sep 17 00:00:00 2001 From: Moritz Fischer Date: Tue, 8 Nov 2022 14:55:32 -0800 Subject: [PATCH 14/17] include: mbedtls: Add missing private_access header This adds a missing private access header. Signed-off-by: Moritz Fischer --- include/mbedtls/lms.h | 1 + 1 file changed, 1 insertion(+) diff --git a/include/mbedtls/lms.h b/include/mbedtls/lms.h index 5e03d9b5f9..fe87d40a5a 100644 --- a/include/mbedtls/lms.h +++ b/include/mbedtls/lms.h @@ -30,6 +30,7 @@ #include #include +#include "mbedtls/private_access.h" #include "mbedtls/build_info.h" #define MBEDTLS_ERR_LMS_BAD_INPUT_DATA -0x0011 /**< Bad data has been input to an LMS function */ From 0b7e07904e6c325c6cb1a581e1cb3925e792296a Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 10:45:15 +0100 Subject: [PATCH 15/17] Forbid empty mpi_core in test data This way static analyzers have a chance of knowing we don't expect the bignum functions to support empty inputs. As things are, Coverity keeps complaining about it. Signed-off-by: Gilles Peskine --- tests/src/helpers.c | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/tests/src/helpers.c b/tests/src/helpers.c index b7c83646c1..cc23fd7c4d 100644 --- a/tests/src/helpers.c +++ b/tests/src/helpers.c 
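Review bot: The replacement lines `buffer0[s_x1_pr_off + 8] ^= 1;` and `buffer0[s_x2_pr_off + 7] ^= 1;`, and the two `buffer1` lines in the `inject_error == 2` hunk, have no comment explaining why a proof byte is flipped or why offsets 8, 7 and 12 were chosen. The rationale exists only in the commit message. A comment such as `/* Flip one bit in each ZKP proof: any change should invalidate it */` at the top of each `if` body would keep it visible. Nothing in the hunks shows that each proof is at least that many bytes long, so the indices are presumably safe by construction of the round buffers. That is worth confirming, since `ecjpake_do_round` continues outside both hunks.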
@@ -357,8 +357,12 @@ int mbedtls_test_read_mpi_core( mbedtls_mpi_uint **pX, size_t *plimbs, size_t hex_len = strlen( input ); size_t byte_len = ( hex_len + 1 ) / 2; *plimbs = CHARS_TO_LIMBS( byte_len ); + + /* A core bignum is not allowed to be empty. Forbid it as test data, + * this way static analyzers have a chance of knowing we don't expect + * the bignum functions to support empty inputs. */ if( *plimbs == 0 ) - return( 0 ); + return( MBEDTLS_ERR_MPI_BAD_INPUT_DATA ); *pX = mbedtls_calloc( *plimbs, sizeof( **pX ) ); if( *pX == NULL ) From 95b5addcd63dfccd6ac7470983bbdefa36e9c255 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Nov 2022 11:18:38 +0100 Subject: [PATCH 16/17] Don't test mbedtls_mpi_core_lt_ct with 0 limbs A core MPI must have at least 1 limb. We can no longer test with 0 limbs, and we don't need to anyway, so don't try. Signed-off-by: Gilles Peskine --- library/constant_time_internal.h | 1 + tests/suites/test_suite_bignum_core.misc.data | 3 --- 2 files changed, 1 insertion(+), 3 deletions(-) diff --git a/library/constant_time_internal.h b/library/constant_time_internal.h index 9cc63c2308..1e4a3ab0be 100644 --- a/library/constant_time_internal.h +++ b/library/constant_time_internal.h @@ -138,6 +138,7 @@ unsigned mbedtls_ct_mpi_uint_lt( const mbedtls_mpi_uint x, * \param B The right-hand MPI. This must point to an array of limbs * with the same allocated length as \p A. * \param limbs The number of limbs in \p A and \p B. + * This must not be 0. * * \return The result of the comparison: * \c 1 if \p A is less than \p B. diff --git a/tests/suites/test_suite_bignum_core.misc.data b/tests/suites/test_suite_bignum_core.misc.data index 30c767c742..62480e47f7 100644 --- a/tests/suites/test_suite_bignum_core.misc.data +++ b/tests/suites/test_suite_bignum_core.misc.data @@ -167,9 +167,6 @@ mpi_core_lt_ct:"2B5":"2B4":0 mbedtls_mpi_core_lt_ct: xy (63 bit x, y first byte greater) mpi_core_lt_ct:"7FFFFFFFFFFFFFFF":"00000000000000FF":0 
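Review bot: On the new error return in helpers.c, `*plimbs` has already been overwritten with 0 and `*pX` has not been touched, so a caller that frees `*pX` on failure depends on having initialised it itself. Adding `*pX = NULL;` before the `if( *plimbs == 0 )` check would make the failure state well defined. The diffstat lists only tests/src/helpers.c, so any existing description of `mbedtls_test_read_mpi_core` that documents a zero-limb result would now be out of date. The function body continues past the end of the hunk.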
From 360f8e442971fcb8f48820d6138ee4b8405befb9 Mon Sep 17 00:00:00 2001 From: David Horstmann Date: Wed, 9 Nov 2022 17:27:33 +0000 Subject: [PATCH 17/17] Minor improvements to test code script Signed-off-by: David Horstmann --- tests/scripts/generate_test_code.py | 65 +++++++++++++++-------------- 1 file changed, 34 insertions(+), 31 deletions(-) diff --git a/tests/scripts/generate_test_code.py b/tests/scripts/generate_test_code.py index 6d65986c88..938f24cf4f 100755 --- a/tests/scripts/generate_test_code.py +++ b/tests/scripts/generate_test_code.py 
@@ -126,33 +126,39 @@ code that is generated or read from helpers and platform files. This script replaces following fields in the template and generates the test source file: -__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS <-- All common code from helpers.function - is substituted here. -__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE <-- Test functions are substituted here - from the input test_suit_xyz.function - file. C preprocessor checks are generated - for the build dependencies specified - in the input file. This script also - generates wrappers for the test - functions with code to expand the - string parameters read from the data - file. -__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE <-- This script enumerates the - expressions in the .data file and - generates code to handle enumerated - expression Ids and return the values. -__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE <-- This script enumerates all - build dependencies and generate - code to handle enumerated build - dependency Id and return status: if - the dependency is defined or not. -__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE <-- This script enumerates the functions - specified in the input test data file - and generates the initializer for the - function table in the template - file. -__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE <-- Platform specific setup and test - dispatch code. +__MBEDTLS_TEST_TEMPLATE__TEST_COMMON_HELPERS + All common code from helpers.function + is substituted here. +__MBEDTLS_TEST_TEMPLATE__FUNCTIONS_CODE + Test functions are substituted here + from the input test_suit_xyz.function + file. C preprocessor checks are generated + for the build dependencies specified + in the input file. This script also + generates wrappers for the test + functions with code to expand the + string parameters read from the data + file. +__MBEDTLS_TEST_TEMPLATE__EXPRESSION_CODE + This script enumerates the + expressions in the .data file and + generates code to handle enumerated + expression Ids and return the values. 
+__MBEDTLS_TEST_TEMPLATE__DEP_CHECK_CODE + This script enumerates all + build dependencies and generate + code to handle enumerated build + dependency Id and return status: if + the dependency is defined or not. +__MBEDTLS_TEST_TEMPLATE__DISPATCH_CODE + This script enumerates the functions + specified in the input test data file + and generates the initializer for the + function table in the template + file. +__MBEDTLS_TEST_TEMPLATE__PLATFORM_CODE + Platform specific setup and test + dispatch code. """ @@ -985,10 +991,7 @@ def write_test_source_file(template_file, c_file, snippets): braced = "(?P(?!))" # If not already matched, a "__MBEDTLS_TEST_TEMPLATE__" prefix is invalid. invalid = "(?P__MBEDTLS_TEST_TEMPLATE__)" - placeholder_pattern = re.compile(escaped \ - + "|" + named \ - + "|" + braced \ - + "|" + invalid) + placeholder_pattern = re.compile("|".join([escaped, named, braced, invalid])) with open(template_file, 'r') as template_f, open(c_file, 'w') as c_f: for line_no, line in enumerate(template_f.readlines(), 1):