A large block of code is only reachable if MBEDTLS_PK_USE_PSA_EC_DATA is
enabled, i.e. if MBEDTLS_USE_PSA_CRYPTO is enabled with driver-only ECC.
Compilers are likely to figure it out, but still, for clarity and
robustness, do guard that block of code with the appropriate conditional
compilation guard.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
On the CI, the git version when running on
Ubuntu 16.04 is 2.7 and it does not support
the "--recurse-submodules" option of
"git ls-files" thus do not use it.
Another argument to not use it is that
when TF-PSA-Crypto will be a submodule of
mbedtls we will not want check_files.py to
check the TF-PSA-Crypto files as well.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
The Mbed TLS implementations of ALG_TLS12_PRF,
ALG_TLS12_PSK_TO_MS, ALG_HKDF, ALG_HKDF_EXTRACT,
ALG_HKDF_EXPAND and ALG_PBKDF2 rely on HMAC
operations through the driver interface. Thus
if one of these algorithms is enabled and not
accelerated, we need ALG_HMAC to be enabled
(PSA_WANT_ALG_HMAC and PSA_WANT_KEY_TYPE_HMAC
defined). As HMAC operations occur through
the driver interface, HMAC operations can be
accelerated even if the caller algorithm
is not.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Change the way we decide if for a given
configuration we need to run tests with
and without MBEDTLS_USE_PSA_CRYPTO enabled.
That makes the script suitable for 3.6 and
development branch.
Signed-off-by: Ronald Cron <ronald.cron@arm.com>
Replace more sample PSK by longer (GnuTLS-compatible) strings, taking care
of keeping distinct PSK distinct for wrong-PSK tests.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This allows many tests to pass with the system openssl and gnutls-*. As
before, not all test cases will pass due to differences between versions and
build options.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Some OpenSSL or GnuTLS interoperability test cases fail if the other
implementation is recent enough to support TLS 1.3. Force those test cases
to use TLS 1.2 so that the script works with more recent $OPENSSL or
$GNUTLS_CLI or $GNUTLS_SERV than our official CI versions.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
ssl-opt.sh uses a 3-byte PSK in many test cases. Unfortunately GnuTLS >=3.4.0
rejects a PSK that is less than 4 bytes long:
> Error setting the PSK credentials: The request is invalid.
Use a longer PSK throughout ssl-opt. Only the test cases involving GnuTLS
need to change, but it's easier to do a global search-and-replace, and it's
easier to not have to worry about mismatches in constructed test cases
later, so replace everything.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
When given a PSK key but no username, gnutls-cli prompts for a password.
Prevent that by passing --pskusername with the same identity that
ssl_server2 uses by default.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Only s_server has a -nocert option, s_client doesn't. Fixes OpenSSL client
test cases in PSK-only builds.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
It isn't detected on the CI because we only test this with an ancient Clang
that doesn't warn. Old GCC, modern GCC and modern Clang do
warn (-Wunused-but-set-variable).
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
Tighten the matching when detecting which certificates are in use to
determine algorithm requirements. This fixes a bug whereby all tests were
skipped in configurations without RSA except for an Mbed TLS client against
a GnuTLS or OpenSSL server, due to *server2* matching ssl_server2.
Fixes#8366.
Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
This name is more descriptive of its purpose, since it actually adds
framework/scripts to the path rather than just framework/
Signed-off-by: David Horstmann <david.horstmann@arm.com>
Since this python module resides in the framework submodule we must
add an extra explicit path to it for mypy.
Signed-off-by: David Horstmann <david.horstmann@arm.com>
This allows scripts in the scripts/ directory to get the path to the
mbedtls_framework module in framework/scripts/
Signed-off-by: David Horstmann <david.horstmann@arm.com>
