From 734d22c03ee68192393ec660b3512a425c17e4aa Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Mon, 30 Oct 2023 15:15:45 +0000 Subject: [PATCH 01/15] Move PSA information and dependency automation into their own module MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit This will let us use these features from other modules (yet to be created). Signed-off-by: Gilles Peskine Signed-off-by: Tomás González --- scripts/mbedtls_dev/psa_information.py | 117 ++++++++++++++++++++ tests/scripts/generate_psa_tests.py | 147 +++++-------------------- 2 files changed, 144 insertions(+), 120 deletions(-) create mode 100644 scripts/mbedtls_dev/psa_information.py diff --git a/scripts/mbedtls_dev/psa_information.py b/scripts/mbedtls_dev/psa_information.py new file mode 100644 index 000000000..0d3b246ee --- /dev/null +++ b/scripts/mbedtls_dev/psa_information.py @@ -0,0 +1,117 @@ +"""Collect information about PSA cryptographic mechanisms. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import re +from typing import Dict, FrozenSet, List, Optional + +from . import macro_collector + + +def psa_want_symbol(name: str) -> str: + """Return the PSA_WANT_xxx symbol associated with a PSA crypto feature.""" + if name.startswith('PSA_'): + return name[:4] + 'WANT_' + name[4:] + else: + raise ValueError('Unable to determine the PSA_WANT_ symbol for ' + name) + +def finish_family_dependency(dep: str, bits: int) -> str: + """Finish dep if it's a family dependency symbol prefix. + A family dependency symbol prefix is a PSA_WANT_ symbol that needs to be + qualified by the key size. If dep is such a symbol, finish it by adjusting + the prefix and appending the key size. Other symbols are left unchanged. + """ + return re.sub(r'_FAMILY_(.*)', r'_\1_' + str(bits), dep) + +def finish_family_dependencies(dependencies: List[str], bits: int) -> List[str]: + """Finish any family dependency symbol prefixes. + Apply `finish_family_dependency` to each element of `dependencies`. + """ + return [finish_family_dependency(dep, bits) for dep in dependencies] + +SYMBOLS_WITHOUT_DEPENDENCY = frozenset([ + 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', # modifier, only in policies + 'PSA_ALG_AEAD_WITH_SHORTENED_TAG', # modifier + 'PSA_ALG_ANY_HASH', # only in policies + 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', # modifier, only in policies + 'PSA_ALG_KEY_AGREEMENT', # chaining + 'PSA_ALG_TRUNCATED_MAC', # modifier +]) + +def automatic_dependencies(*expressions: str) -> List[str]: + """Infer dependencies of a test case by looking for PSA_xxx symbols. + The arguments are strings which should be C expressions. Do not use + string literals or comments as this function is not smart enough to + skip them. + """ + used = set() + for expr in expressions: + used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr)) + used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY) + return sorted(psa_want_symbol(name) for name in used) + +# A temporary hack: at the time of writing, not all dependency symbols +# are implemented yet. Skip test cases for which the dependency symbols are +# not available. Once all dependency symbols are available, this hack must +# be removed so that a bug in the dependency symbols properly leads to a test +# failure. +def read_implemented_dependencies(filename: str) -> FrozenSet[str]: + return frozenset(symbol + for line in open(filename) + for symbol in re.findall(r'\bPSA_WANT_\w+\b', line)) +_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name + +def hack_dependencies_not_implemented(dependencies: List[str]) -> None: + global _implemented_dependencies #pylint: disable=global-statement,invalid-name + if _implemented_dependencies is None: + _implemented_dependencies = \ + read_implemented_dependencies('include/psa/crypto_config.h') + if not all((dep.lstrip('!') in _implemented_dependencies or + not dep.lstrip('!').startswith('PSA_WANT')) + for dep in dependencies): + dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET') + +class Information: + """Gather information about PSA constructors.""" + + def __init__(self) -> None: + self.constructors = self.read_psa_interface() + + @staticmethod + def remove_unwanted_macros( + constructors: macro_collector.PSAMacroEnumerator + ) -> None: + # Mbed TLS doesn't support finite-field DH yet and will not support + # finite-field DSA. Don't attempt to generate any related test case. + constructors.key_types.discard('PSA_KEY_TYPE_DH_KEY_PAIR') + constructors.key_types.discard('PSA_KEY_TYPE_DH_PUBLIC_KEY') + constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR') + constructors.key_types.discard('PSA_KEY_TYPE_DSA_PUBLIC_KEY') + + def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator: + """Return the list of known key types, algorithms, etc.""" + constructors = macro_collector.InputsForTest() + header_file_names = ['include/psa/crypto_values.h', + 'include/psa/crypto_extra.h'] + test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] + for header_file_name in header_file_names: + constructors.parse_header(header_file_name) + for test_cases in test_suites: + constructors.parse_test_cases(test_cases) + self.remove_unwanted_macros(constructors) + constructors.gather_arguments() + return constructors diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index f5b921eff..5f350d83a 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -27,108 +27,13 @@ from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional import scripts_path # pylint: disable=unused-import from mbedtls_dev import crypto_knowledge -from mbedtls_dev import macro_collector +from mbedtls_dev import macro_collector #pylint: disable=unused-import +from mbedtls_dev import psa_information from mbedtls_dev import psa_storage from mbedtls_dev import test_case from mbedtls_dev import test_data_generation -def psa_want_symbol(name: str) -> str: - """Return the PSA_WANT_xxx symbol associated with a PSA crypto feature.""" - if name.startswith('PSA_'): - return name[:4] + 'WANT_' + name[4:] - else: - raise ValueError('Unable to determine the PSA_WANT_ symbol for ' + name) - -def finish_family_dependency(dep: str, bits: int) -> str: - """Finish dep if it's a family dependency symbol prefix. - - A family dependency symbol prefix is a PSA_WANT_ symbol that needs to be - qualified by the key size. If dep is such a symbol, finish it by adjusting - the prefix and appending the key size. Other symbols are left unchanged. - """ - return re.sub(r'_FAMILY_(.*)', r'_\1_' + str(bits), dep) - -def finish_family_dependencies(dependencies: List[str], bits: int) -> List[str]: - """Finish any family dependency symbol prefixes. - - Apply `finish_family_dependency` to each element of `dependencies`. - """ - return [finish_family_dependency(dep, bits) for dep in dependencies] - -SYMBOLS_WITHOUT_DEPENDENCY = frozenset([ - 'PSA_ALG_AEAD_WITH_AT_LEAST_THIS_LENGTH_TAG', # modifier, only in policies - 'PSA_ALG_AEAD_WITH_SHORTENED_TAG', # modifier - 'PSA_ALG_ANY_HASH', # only in policies - 'PSA_ALG_AT_LEAST_THIS_LENGTH_MAC', # modifier, only in policies - 'PSA_ALG_KEY_AGREEMENT', # chaining - 'PSA_ALG_TRUNCATED_MAC', # modifier -]) -def automatic_dependencies(*expressions: str) -> List[str]: - """Infer dependencies of a test case by looking for PSA_xxx symbols. - - The arguments are strings which should be C expressions. Do not use - string literals or comments as this function is not smart enough to - skip them. - """ - used = set() - for expr in expressions: - used.update(re.findall(r'PSA_(?:ALG|ECC_FAMILY|KEY_TYPE)_\w+', expr)) - used.difference_update(SYMBOLS_WITHOUT_DEPENDENCY) - return sorted(psa_want_symbol(name) for name in used) - -# A temporary hack: at the time of writing, not all dependency symbols -# are implemented yet. Skip test cases for which the dependency symbols are -# not available. Once all dependency symbols are available, this hack must -# be removed so that a bug in the dependency symbols properly leads to a test -# failure. -def read_implemented_dependencies(filename: str) -> FrozenSet[str]: - return frozenset(symbol - for line in open(filename) - for symbol in re.findall(r'\bPSA_WANT_\w+\b', line)) -_implemented_dependencies = None #type: Optional[FrozenSet[str]] #pylint: disable=invalid-name -def hack_dependencies_not_implemented(dependencies: List[str]) -> None: - global _implemented_dependencies #pylint: disable=global-statement,invalid-name - if _implemented_dependencies is None: - _implemented_dependencies = \ - read_implemented_dependencies('include/psa/crypto_config.h') - if not all((dep.lstrip('!') in _implemented_dependencies or 'PSA_WANT' not in dep) - for dep in dependencies): - dependencies.append('DEPENDENCY_NOT_IMPLEMENTED_YET') - - -class Information: - """Gather information about PSA constructors.""" - - def __init__(self) -> None: - self.constructors = self.read_psa_interface() - - @staticmethod - def remove_unwanted_macros( - constructors: macro_collector.PSAMacroEnumerator - ) -> None: - # Mbed TLS doesn't support finite-field DH yet and will not support - # finite-field DSA. Don't attempt to generate any related test case. - constructors.key_types.discard('PSA_KEY_TYPE_DH_KEY_PAIR') - constructors.key_types.discard('PSA_KEY_TYPE_DH_PUBLIC_KEY') - constructors.key_types.discard('PSA_KEY_TYPE_DSA_KEY_PAIR') - constructors.key_types.discard('PSA_KEY_TYPE_DSA_PUBLIC_KEY') - - def read_psa_interface(self) -> macro_collector.PSAMacroEnumerator: - """Return the list of known key types, algorithms, etc.""" - constructors = macro_collector.InputsForTest() - header_file_names = ['include/psa/crypto_values.h', - 'include/psa/crypto_extra.h'] - test_suites = ['tests/suites/test_suite_psa_crypto_metadata.data'] - for header_file_name in header_file_names: - constructors.parse_header(header_file_name) - for test_cases in test_suites: - constructors.parse_test_cases(test_cases) - self.remove_unwanted_macros(constructors) - constructors.gather_arguments() - return constructors - - def test_case_for_key_type_not_supported( verb: str, key_type: str, bits: int, dependencies: List[str], @@ -138,7 +43,7 @@ def test_case_for_key_type_not_supported( """Return one test case exercising a key creation method for an unsupported key type or size. """ - hack_dependencies_not_implemented(dependencies) + psa_information.hack_dependencies_not_implemented(dependencies) tc = test_case.TestCase() short_key_type = crypto_knowledge.short_expression(key_type) adverb = 'not' if dependencies else 'never' @@ -154,7 +59,7 @@ def test_case_for_key_type_not_supported( class KeyTypeNotSupported: """Generate test cases for when a key type is not supported.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors ALWAYS_SUPPORTED = frozenset([ @@ -178,10 +83,10 @@ class KeyTypeNotSupported: # They would be skipped in all configurations, which is noise. return import_dependencies = [('!' if param is None else '') + - psa_want_symbol(kt.name)] + psa_information.psa_want_symbol(kt.name)] if kt.params is not None: import_dependencies += [('!' if param == i else '') + - psa_want_symbol(sym) + psa_information.psa_want_symbol(sym) for i, sym in enumerate(kt.params)] if kt.name.endswith('_PUBLIC_KEY'): generate_dependencies = [] @@ -190,7 +95,7 @@ class KeyTypeNotSupported: for bits in kt.sizes_to_test(): yield test_case_for_key_type_not_supported( 'import', kt.expression, bits, - finish_family_dependencies(import_dependencies, bits), + psa_information.finish_family_dependencies(import_dependencies, bits), test_case.hex_string(kt.key_material(bits)), param_descr=param_descr, ) @@ -204,7 +109,7 @@ class KeyTypeNotSupported: if not kt.is_public(): yield test_case_for_key_type_not_supported( 'generate', kt.expression, bits, - finish_family_dependencies(generate_dependencies, bits), + psa_information.finish_family_dependencies(generate_dependencies, bits), str(bits), param_descr=param_descr, ) @@ -236,7 +141,7 @@ def test_case_for_key_generation( ) -> test_case.TestCase: """Return one test case exercising a key generation. """ - hack_dependencies_not_implemented(dependencies) + psa_information.hack_dependencies_not_implemented(dependencies) tc = test_case.TestCase() short_key_type = crypto_knowledge.short_expression(key_type) tc.set_description('PSA {} {}-bit' @@ -250,7 +155,7 @@ def test_case_for_key_generation( class KeyGenerate: """Generate positive and negative (invalid argument) test cases for key generation.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors ECC_KEY_TYPES = ('PSA_KEY_TYPE_ECC_KEY_PAIR', @@ -267,9 +172,9 @@ class KeyGenerate: """ result = 'PSA_SUCCESS' - import_dependencies = [psa_want_symbol(kt.name)] + import_dependencies = [psa_information.psa_want_symbol(kt.name)] if kt.params is not None: - import_dependencies += [psa_want_symbol(sym) + import_dependencies += [psa_information.psa_want_symbol(sym) for i, sym in enumerate(kt.params)] if kt.name.endswith('_PUBLIC_KEY'): # The library checks whether the key type is a public key generically, @@ -284,7 +189,7 @@ class KeyGenerate: for bits in kt.sizes_to_test(): yield test_case_for_key_generation( kt.expression, bits, - finish_family_dependencies(generate_dependencies, bits), + psa_information.finish_family_dependencies(generate_dependencies, bits), str(bits), result ) @@ -311,7 +216,7 @@ class OpFail: INCOMPATIBLE = 2 PUBLIC = 3 - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: self.constructors = info.constructors key_type_expressions = self.constructors.generate_expressions( sorted(self.constructors.key_types) @@ -348,7 +253,7 @@ class OpFail: pretty_alg, pretty_reason, ' with ' + pretty_type if pretty_type else '')) - dependencies = automatic_dependencies(alg.base_expression, key_type) + dependencies = psa_information.automatic_dependencies(alg.base_expression, key_type) for i, dep in enumerate(dependencies): if dep in not_deps: dependencies[i] = '!' + dep @@ -375,7 +280,7 @@ class OpFail: """Generate failure test cases for keyless operations with the specified algorithm.""" if alg.can_do(category): # Compatible operation, unsupported algorithm - for dep in automatic_dependencies(alg.base_expression): + for dep in psa_information.automatic_dependencies(alg.base_expression): yield self.make_test_case(alg, category, self.Reason.NOT_SUPPORTED, not_deps=frozenset([dep])) @@ -393,7 +298,7 @@ class OpFail: key_is_compatible = kt.can_do(alg) if key_is_compatible and alg.can_do(category): # Compatible key and operation, unsupported algorithm - for dep in automatic_dependencies(alg.base_expression): + for dep in psa_information.automatic_dependencies(alg.base_expression): yield self.make_test_case(alg, category, self.Reason.NOT_SUPPORTED, kt=kt, not_deps=frozenset([dep])) @@ -499,10 +404,10 @@ class StorageTestData(StorageKey): class StorageFormat: """Storage format stability test cases.""" - def __init__(self, info: Information, version: int, forward: bool) -> None: + def __init__(self, info: psa_information.Information, version: int, forward: bool) -> None: """Prepare to generate test cases for storage format stability. - * `info`: information about the API. See the `Information` class. + * `info`: information about the API. See the `psa_information.Information` class. * `version`: the storage format version to generate test cases for. * `forward`: if true, generate forward compatibility test cases which save a key and check that its representation is as intended. Otherwise @@ -569,11 +474,11 @@ class StorageFormat: verb = 'save' if self.forward else 'read' tc = test_case.TestCase() tc.set_description(verb + ' ' + key.description) - dependencies = automatic_dependencies( + dependencies = psa_information.automatic_dependencies( key.lifetime.string, key.type.string, key.alg.string, key.alg2.string, ) - dependencies = finish_family_dependencies(dependencies, key.bits) + dependencies = psa_information.finish_family_dependencies(dependencies, key.bits) tc.set_dependencies(dependencies) tc.set_function('key_storage_' + verb) if self.forward: @@ -778,13 +683,13 @@ class StorageFormat: class StorageFormatForward(StorageFormat): """Storage format stability test cases for forward compatibility.""" - def __init__(self, info: Information, version: int) -> None: + def __init__(self, info: psa_information.Information, version: int) -> None: super().__init__(info, version, True) class StorageFormatV0(StorageFormat): """Storage format stability test cases for version 0 compatibility.""" - def __init__(self, info: Information) -> None: + def __init__(self, info: psa_information.Information) -> None: super().__init__(info, 0, False) def all_keys_for_usage_flags(self) -> Iterator[StorageTestData]: @@ -894,6 +799,7 @@ class StorageFormatV0(StorageFormat): yield from super().generate_all_keys() yield from self.all_keys_for_implicit_usage() + class PSATestGenerator(test_data_generation.TestGenerator): """Test generator subclass including PSA targets and info.""" # Note that targets whose names contain 'test_format' have their content @@ -909,14 +815,15 @@ class PSATestGenerator(test_data_generation.TestGenerator): lambda info: StorageFormatForward(info, 0).all_test_cases(), 'test_suite_psa_crypto_storage_format.v0': lambda info: StorageFormatV0(info).all_test_cases(), - } #type: Dict[str, Callable[[Information], Iterable[test_case.TestCase]]] + } #type: Dict[str, Callable[[psa_information.Information], Iterable[test_case.TestCase]]] def __init__(self, options): super().__init__(options) - self.info = Information() + self.info = psa_information.Information() def generate_target(self, name: str, *target_args) -> None: super().generate_target(name, self.info) + if __name__ == '__main__': test_data_generation.main(sys.argv[1:], __doc__, PSATestGenerator) From 2bff1bfd472c103ca4809daa5283e05d6748a7c2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Mon, 30 Oct 2023 15:29:23 +0000 Subject: [PATCH 02/15] New test suite for the low-level hash interface MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Some basic test coverage for now: * Nominal operation. * Larger output buffer. * Clone an operation and use it after the original operation stops. Generate test data automatically. For the time being, only do that for hashes that Python supports natively. Supporting all algorithms is future work. Signed-off-by: Gilles Peskine Signed-off-by: Tomás González --- scripts/mbedtls_dev/crypto_data_tests.py | 123 ++++++++++ tests/scripts/generate_psa_tests.py | 3 + .../test_suite_psa_crypto_low_hash.function | 226 ++++++++++++++++++ ...t_suite_psa_crypto_low_hash.generated.data | 171 +++++++++++++ 4 files changed, 523 insertions(+) create mode 100644 scripts/mbedtls_dev/crypto_data_tests.py create mode 100644 tests/suites/test_suite_psa_crypto_low_hash.function create mode 100644 tests/suites/test_suite_psa_crypto_low_hash.generated.data diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py new file mode 100644 index 000000000..99c4e3db3 --- /dev/null +++ b/scripts/mbedtls_dev/crypto_data_tests.py @@ -0,0 +1,123 @@ +"""Generate test data for cryptographic mechanisms. +This module is a work in progress, only implementing a few cases for now. +""" + +# Copyright The Mbed TLS Contributors +# SPDX-License-Identifier: Apache-2.0 +# +# Licensed under the Apache License, Version 2.0 (the "License"); you may +# not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT +# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +import hashlib +from typing import Callable, Dict, Iterator, List, Optional #pylint: disable=unused-import + +from . import crypto_knowledge +from . import psa_information +from . import test_case + + +def psa_low_level_dependencies(*expressions: str) -> List[str]: + """Infer dependencies of a PSA low-level test case by looking for PSA_xxx symbols. + This function generates MBEDTLS_PSA_BUILTIN_xxx symbols. + """ + high_level = psa_information.automatic_dependencies(*expressions) + for dep in high_level: + assert dep.startswith('PSA_WANT_') + return ['MBEDTLS_PSA_BUILTIN_' + dep[9:] for dep in high_level] + + +class HashPSALowLevel: + """Generate test cases for the PSA low-level hash interface.""" + + def __init__(self, info: psa_information.Information) -> None: + self.info = info + base_algorithms = sorted(info.constructors.algorithms) + all_algorithms = \ + [crypto_knowledge.Algorithm(expr) + for expr in info.constructors.generate_expressions(base_algorithms)] + self.algorithms = \ + [alg + for alg in all_algorithms + if (not alg.is_wildcard and + alg.can_do(crypto_knowledge.AlgorithmCategory.HASH))] + + # CALCULATE[alg] = function to return the hash of its argument in hex + # TO-DO: implement the None entries with a third-party library, because + # hashlib might not have everything, depending on the Python version and + # the underlying OpenSSL. On Ubuntu 16.04, truncated sha512 and sha3/shake + # are not available. On Ubuntu 22.04, md2, md4 and ripemd160 are not + # available. + CALCULATE = { + 'PSA_ALG_MD2': None, + 'PSA_ALG_MD4': None, + 'PSA_ALG_MD5': lambda data: hashlib.md5(data).hexdigest(), + 'PSA_ALG_RIPEMD160': None, #lambda data: hashlib.new('ripdemd160').hexdigest() + 'PSA_ALG_SHA_1': lambda data: hashlib.sha1(data).hexdigest(), + 'PSA_ALG_SHA_224': lambda data: hashlib.sha224(data).hexdigest(), + 'PSA_ALG_SHA_256': lambda data: hashlib.sha256(data).hexdigest(), + 'PSA_ALG_SHA_384': lambda data: hashlib.sha384(data).hexdigest(), + 'PSA_ALG_SHA_512': lambda data: hashlib.sha512(data).hexdigest(), + 'PSA_ALG_SHA_512_224': None, #lambda data: hashlib.new('sha512_224').hexdigest() + 'PSA_ALG_SHA_512_256': None, #lambda data: hashlib.new('sha512_256').hexdigest() + 'PSA_ALG_SHA3_224': None, #lambda data: hashlib.sha3_224(data).hexdigest(), + 'PSA_ALG_SHA3_256': None, #lambda data: hashlib.sha3_256(data).hexdigest(), + 'PSA_ALG_SHA3_384': None, #lambda data: hashlib.sha3_384(data).hexdigest(), + 'PSA_ALG_SHA3_512': None, #lambda data: hashlib.sha3_512(data).hexdigest(), + 'PSA_ALG_SHAKE256_512': None, #lambda data: hashlib.shake_256(data).hexdigest(64), + } #typing: Optional[Dict[str, Callable[[bytes], str]]] + + @staticmethod + def one_test_case(alg: crypto_knowledge.Algorithm, + function: str, note: str, + arguments: List[str]) -> test_case.TestCase: + """Construct one test case involving a hash.""" + tc = test_case.TestCase() + tc.set_description('{}{} {}' + .format(function, + ' ' + note if note else '', + alg.short_expression())) + tc.set_dependencies(psa_low_level_dependencies(alg.expression)) + tc.set_function(function) + tc.set_arguments([alg.expression] + + ['"{}"'.format(arg) for arg in arguments]) + return tc + + def test_cases_for_hash(self, + alg: crypto_knowledge.Algorithm + ) -> Iterator[test_case.TestCase]: + """Enumerate all test cases for one hash algorithm.""" + calc = self.CALCULATE[alg.expression] + if calc is None: + return # not implemented yet + + short = b'abc' + hash_short = calc(short) + long = (b'Hello, world. Here are 16 unprintable bytes: [' + b'\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a' + b'\x80\x81\x82\x83\xfe\xff]. ' + b' This message was brought to you by a natural intelligence. ' + b' If you can read this, good luck with your debugging!') + hash_long = calc(long) + + yield self.one_test_case(alg, 'hash_empty', '', [calc(b'')]) + yield self.one_test_case(alg, 'hash_valid_one_shot', '', + [short.hex(), hash_short]) + for n in [0, 1, 64, len(long) - 1, len(long)]: + yield self.one_test_case(alg, 'hash_valid_multipart', + '{} + {}'.format(n, len(long) - n), + [long[:n].hex(), calc(long[:n]), + long[n:].hex(), hash_long]) + + def all_test_cases(self) -> Iterator[test_case.TestCase]: + """Enumerate all test cases for all hash algorithms.""" + for alg in self.algorithms: + yield from self.test_cases_for_hash(alg) diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 5f350d83a..872d21472 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -26,6 +26,7 @@ import sys from typing import Callable, Dict, FrozenSet, Iterable, Iterator, List, Optional import scripts_path # pylint: disable=unused-import +from mbedtls_dev import crypto_data_tests from mbedtls_dev import crypto_knowledge from mbedtls_dev import macro_collector #pylint: disable=unused-import from mbedtls_dev import psa_information @@ -809,6 +810,8 @@ class PSATestGenerator(test_data_generation.TestGenerator): lambda info: KeyGenerate(info).test_cases_for_key_generation(), 'test_suite_psa_crypto_not_supported.generated': lambda info: KeyTypeNotSupported(info).test_cases_for_not_supported(), + 'test_suite_psa_crypto_low_hash.generated': + lambda info: crypto_data_tests.HashPSALowLevel(info).all_test_cases(), 'test_suite_psa_crypto_op_fail.generated': lambda info: OpFail(info).all_test_cases(), 'test_suite_psa_crypto_storage_format.current': diff --git a/tests/suites/test_suite_psa_crypto_low_hash.function b/tests/suites/test_suite_psa_crypto_low_hash.function new file mode 100644 index 000000000..6bdbefa1e --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_low_hash.function @@ -0,0 +1,226 @@ +/* BEGIN_HEADER */ +/* + * Test suite for the PSA hash built-in driver + * + * This test suite exercises some aspects of the built-in PSA driver for + * hash algorithms (psa_crypto_hash.c). This code is mostly tested via + * the application interface (above the PSA API layer) and via tests of + * individual hash modules. The goal of this test suite is to ensure that + * the driver dispatch layer behaves correctly even when not invoked via + * the API layer, but directly from another driver. + * + * This test suite is currently incomplete. It focuses on non-regression + * tests for past bugs or near misses. + */ + +#include + +/* END_HEADER */ + +/* BEGIN_DEPENDENCIES + * depends_on:MBEDTLS_PSA_BUILTIN_HASH + * END_DEPENDENCIES + */ + +/* BEGIN_CASE */ +void hash_valid_one_shot(int alg_arg, data_t *input, + data_t *expected) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected->len; + size_t length = SIZE_MAX; + + /* Nominal case */ + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + mbedtls_free(output); + output = NULL; + + /* Larger output buffer */ + output_size = expected->len + 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + mbedtls_free(output); + output = NULL; + +#if 0 + + /* Smaller output buffer (does not have to work!) */ + output_size = expected->len - 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, + output, output_size, &length), + PSA_ERROR_BUFFER_TOO_SMALL); + mbedtls_free(output); + output = NULL; +#endif + +exit: + mbedtls_free(output); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void hash_valid_multipart(int alg_arg, + data_t *input1, data_t *expected1, + data_t *input2, data_t *expected2) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected1->len; + size_t length = SIZE_MAX; + mbedtls_psa_hash_operation_t operation0; // original + memset(&operation0, 0, sizeof(operation0)); + mbedtls_psa_hash_operation_t clone_start; // cloned after setup + memset(&clone_start, 0, sizeof(clone_start)); + mbedtls_psa_hash_operation_t clone_middle; // cloned between updates + memset(&clone_middle, 0, sizeof(clone_middle)); + mbedtls_psa_hash_operation_t clone_end; // cloned before finish + memset(&clone_end, 0, sizeof(clone_end)); + mbedtls_psa_hash_operation_t clone_more; // cloned before finish + memset(&clone_more, 0, sizeof(clone_more)); + + /* Nominal case with two update calls */ + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation0, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_start), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation0, input1->x, input1->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_middle), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation0, input2->x, input2->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_clone(&operation0, &clone_end), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&operation0, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + + /* Nominal case with an operation cloned after setup */ + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_update(&clone_start, input1->x, input1->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_start, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected1->x, expected1->len, output, length); + + /* Nominal case with an operation cloned between updates */ + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_update(&clone_middle, input2->x, input2->len), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_middle, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + + /* Nominal case with an operation cloned before finish */ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_end, &clone_more), + PSA_SUCCESS); + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + + /* Larger output buffer */ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), + PSA_SUCCESS); + output_size = expected2->len + 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + +#if 0 + /* Smaller output buffer (does not have to work!) */ + TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), + PSA_SUCCESS); + output_size = expected2->len - 1; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, + output, output_size, &length), + PSA_ERROR_BUFFER_TOO_SMALL); + mbedtls_free(output); + output = NULL; +#endif + + /* Nominal case again after an error in a cloned operation */ + output_size = expected2->len; + ASSERT_ALLOC(output, output_size); + TEST_EQUAL(mbedtls_psa_hash_finish(&clone_more, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected2->x, expected2->len, output, length); + mbedtls_free(output); + output = NULL; + +exit: + mbedtls_free(output); + mbedtls_psa_hash_abort(&operation0); + mbedtls_psa_hash_abort(&clone_start); + mbedtls_psa_hash_abort(&clone_middle); + mbedtls_psa_hash_abort(&clone_end); + mbedtls_psa_hash_abort(&clone_more); +} +/* END_CASE */ + +/* BEGIN_CASE */ +void hash_empty(int alg_arg, data_t *expected) +{ + psa_algorithm_t alg = alg_arg; + uint8_t *output = NULL; + size_t output_size = expected->len; + size_t length = SIZE_MAX; + mbedtls_psa_hash_operation_t operation; + memset(&operation, 0, sizeof(operation)); + + ASSERT_ALLOC(output, output_size); + + /* One-shot */ + TEST_EQUAL(mbedtls_psa_hash_compute(alg, NULL, 0, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + + /* Multipart, no update */ + memset(output, 0, output_size); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&operation, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + + /* Multipart, one update */ + memset(output, 0, output_size); + memset(&operation, 0, sizeof(operation)); + TEST_EQUAL(mbedtls_psa_hash_setup(&operation, alg), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_update(&operation, NULL, 0), + PSA_SUCCESS); + TEST_EQUAL(mbedtls_psa_hash_finish(&operation, + output, output_size, &length), + PSA_SUCCESS); + ASSERT_COMPARE(expected->x, expected->len, output, length); + +exit: + mbedtls_free(output); + mbedtls_psa_hash_abort(&operation); +} +/* END_CASE */ diff --git a/tests/suites/test_suite_psa_crypto_low_hash.generated.data b/tests/suites/test_suite_psa_crypto_low_hash.generated.data new file mode 100644 index 000000000..30cc9cfce --- /dev/null +++ b/tests/suites/test_suite_psa_crypto_low_hash.generated.data @@ -0,0 +1,171 @@ +# Automatically generated by generate_psa_tests.py. Do not edit! + +hash_empty MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_empty:PSA_ALG_MD5:"d41d8cd98f00b204e9800998ecf8427e" + +hash_valid_one_shot MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_one_shot:PSA_ALG_MD5:"616263":"900150983cd24fb0d6963f7d28e17f72" + +hash_valid_multipart 0 + 179 MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_multipart:PSA_ALG_MD5:"":"d41d8cd98f00b204e9800998ecf8427e":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"581d07c1c1cf41c302d587ca06659166" + +hash_valid_multipart 1 + 178 MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_multipart:PSA_ALG_MD5:"48":"c1d9f50f86825a1a2302ec2449c17196":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"581d07c1c1cf41c302d587ca06659166" + +hash_valid_multipart 64 + 115 MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_multipart:PSA_ALG_MD5:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"f643f3cdd664a99674b060a871e5cdf6":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"581d07c1c1cf41c302d587ca06659166" + +hash_valid_multipart 178 + 1 MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_multipart:PSA_ALG_MD5:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"484d9ce483e5d65fa93622e5e0502163":"21":"581d07c1c1cf41c302d587ca06659166" + +hash_valid_multipart 179 + 0 MD5 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_MD5 +hash_valid_multipart:PSA_ALG_MD5:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"581d07c1c1cf41c302d587ca06659166":"":"581d07c1c1cf41c302d587ca06659166" + +hash_empty SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_empty:PSA_ALG_SHA_1:"da39a3ee5e6b4b0d3255bfef95601890afd80709" + +hash_valid_one_shot SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_one_shot:PSA_ALG_SHA_1:"616263":"a9993e364706816aba3e25717850c26c9cd0d89d" + +hash_valid_multipart 0 + 179 SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_multipart:PSA_ALG_SHA_1:"":"da39a3ee5e6b4b0d3255bfef95601890afd80709":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"68e3b2a18096d66916a64b84085772c1ee2b7e72" + +hash_valid_multipart 1 + 178 SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_multipart:PSA_ALG_SHA_1:"48":"7cf184f4c67ad58283ecb19349720b0cae756829":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"68e3b2a18096d66916a64b84085772c1ee2b7e72" + +hash_valid_multipart 64 + 115 SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_multipart:PSA_ALG_SHA_1:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"750ba870591b392b0a82a93715018733809d6d60":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"68e3b2a18096d66916a64b84085772c1ee2b7e72" + +hash_valid_multipart 178 + 1 SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_multipart:PSA_ALG_SHA_1:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"95147c023be4f648064a8003d856901dd4cae0aa":"21":"68e3b2a18096d66916a64b84085772c1ee2b7e72" + +hash_valid_multipart 179 + 0 SHA_1 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_1 +hash_valid_multipart:PSA_ALG_SHA_1:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"68e3b2a18096d66916a64b84085772c1ee2b7e72":"":"68e3b2a18096d66916a64b84085772c1ee2b7e72" + +hash_empty SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_empty:PSA_ALG_SHA_224:"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f" + +hash_valid_one_shot SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_one_shot:PSA_ALG_SHA_224:"616263":"23097d223405d8228642a477bda255b32aadbce4bda0b3f7e36c9da7" + +hash_valid_multipart 0 + 179 SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_multipart:PSA_ALG_SHA_224:"":"d14a028c2a3a2bc9476102bb288234c415a2b01f828ea62ac5b3e42f":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444" + +hash_valid_multipart 1 + 178 SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_multipart:PSA_ALG_SHA_224:"48":"7e27c59a202f5e2b2b3b5458300140ef7aa7edc3a97a605b788546a1":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444" + +hash_valid_multipart 64 + 115 SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_multipart:PSA_ALG_SHA_224:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"ee50241ec35c16da236ed1d98a67635ec684dcaa205d59ef91a0bc95":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444" + +hash_valid_multipart 178 + 1 SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_multipart:PSA_ALG_SHA_224:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"b28b9b1080f8ba1f274c41ad40823dca0d6e575abaa42c5b01588cd2":"21":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444" + +hash_valid_multipart 179 + 0 SHA_224 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_224 +hash_valid_multipart:PSA_ALG_SHA_224:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444":"":"6e2ca0f9c283b6c8759e761d8bd1dd5dba0a49af1dff64f9beb2e444" + +hash_empty SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_empty:PSA_ALG_SHA_256:"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855" + +hash_valid_one_shot SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_one_shot:PSA_ALG_SHA_256:"616263":"ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad" + +hash_valid_multipart 0 + 179 SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_multipart:PSA_ALG_SHA_256:"":"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc" + +hash_valid_multipart 1 + 178 SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_multipart:PSA_ALG_SHA_256:"48":"44bd7ae60f478fae1061e11a7739f4b94d1daf917982d33b6fc8a01a63f89c21":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc" + +hash_valid_multipart 64 + 115 SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_multipart:PSA_ALG_SHA_256:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"ac068007f505c49f58818543ba0566528b54caffe65494da3515a8295ca986ad":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc" + +hash_valid_multipart 178 + 1 SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_multipart:PSA_ALG_SHA_256:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"82effb9677d08d1ef33f578433cfcfb96355fe19372808e0711d72337671f152":"21":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc" + +hash_valid_multipart 179 + 0 SHA_256 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_256 +hash_valid_multipart:PSA_ALG_SHA_256:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc":"":"4d30d19911e5974d669fa735cbd7a5b03dbea5754fc1d52f8c2a5d08ae7110dc" + +hash_empty SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_empty:PSA_ALG_SHA_384:"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b" + +hash_valid_one_shot SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_one_shot:PSA_ALG_SHA_384:"616263":"cb00753f45a35e8bb5a03d699ac65007272c32ab0eded1631a8b605a43ff5bed8086072ba1e7cc2358baeca134c825a7" + +hash_valid_multipart 0 + 179 SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_multipart:PSA_ALG_SHA_384:"":"38b060a751ac96384cd9327eb1b1e36a21fdb71114be07434c0cc7bf63f6e1da274edebfe76f65fbd51ad2f14898b95b":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd" + +hash_valid_multipart 1 + 178 SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_multipart:PSA_ALG_SHA_384:"48":"72df8089b04fd6038238731b218a64da29bd83a34bced02a29f3139833671028584a653f74f1afecfac51064a0e6416c":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd" + +hash_valid_multipart 64 + 115 SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_multipart:PSA_ALG_SHA_384:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"fced26dd21bb61dbb69f704e8aa6cd6e00da4ceecfc55dc94fe48458bc72fb603c23186150923578e4a7237af0e6105c":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd" + +hash_valid_multipart 178 + 1 SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_multipart:PSA_ALG_SHA_384:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"30d426688d31277644b0aa8c32435a36c17f2b8ef20c17e2069405951d01d0e66983e4f98ae1103f85b5e94862ea8b59":"21":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd" + +hash_valid_multipart 179 + 0 SHA_384 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_384 +hash_valid_multipart:PSA_ALG_SHA_384:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd":"":"23d654bbaa58d813adce62c4a6e94a5589d9104b0c908173c583eb1aefe08f884b2c90e945e9c27ac3cdfa80fb8e1efd" + +hash_empty SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_empty:PSA_ALG_SHA_512:"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e" + +hash_valid_one_shot SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_one_shot:PSA_ALG_SHA_512:"616263":"ddaf35a193617abacc417349ae20413112e6fa4e89a97ea20a9eeee64b55d39a2192992a274fc1a836ba3c23a3feebbd454d4423643ce80e2a9ac94fa54ca49f" + +hash_valid_multipart 0 + 179 SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_multipart:PSA_ALG_SHA_512:"":"cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e":"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0" + +hash_valid_multipart 1 + 178 SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_multipart:PSA_ALG_SHA_512:"48":"9032fb94055d4d14e42185bdff59642b98fe6073f68f29d394620c4e698a86fb2e51351ca6997e6a164aae0b871cf789fbc6e0d863733d05903b4eb11be58d9c":"656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0" + +hash_valid_multipart 64 + 115 SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_multipart:PSA_ALG_SHA_512:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d":"98cde721bfa735807497358c48c5e5d4302410f30c3afc3b08f40da267d23a28a88ecdd9d52711189fa2ddca54343e37a14d401aee3ac47df3b469c15906bce1":"2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0" + +hash_valid_multipart 178 + 1 SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_multipart:PSA_ALG_SHA_512:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e67":"0d86ca214f7634d86c13f95068b226d16bd1e65337da4983ce88e82fa2515957495fc6c50b2afb677bea54de9e1b8e7c694591605c514abed7fdc18f181fe01c":"21":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0" + +hash_valid_multipart 179 + 0 SHA_512 +depends_on:MBEDTLS_PSA_BUILTIN_ALG_SHA_512 +hash_valid_multipart:PSA_ALG_SHA_512:"48656c6c6f2c20776f726c642e20486572652061726520313620756e7072696e7461626c652062797465733a205b000102030405060708090a80818283feff5d2e202054686973206d657373616765207761732062726f7567687420746f20796f752062792061206e61747572616c20696e74656c6c6967656e63652e2020496620796f752063616e207265616420746869732c20676f6f64206c75636b207769746820796f757220646562756767696e6721":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0":"":"f01271da8ba8505cc60393b497939b10a7e8c9e4fb4e636bac3ca92d5bec0d6d3d9f19ee9229173e40840e14740214fe454893a044d1da5aca4ef9b830d0dab0" + +# End of automatically generated file. From e25a6198245aa2385d3693fbe34a87ea9cf3e0be Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Mon, 7 Aug 2023 21:21:21 +0200 Subject: [PATCH 03/15] Remove dead code MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Do explain why we don't test a smaller buffer in addition to testing the nominal size and a larger buffer. Signed-off-by: Gilles Peskine Signed-off-by: Tomás González --- .../test_suite_psa_crypto_low_hash.function | 29 ++++--------------- 1 file changed, 6 insertions(+), 23 deletions(-) diff --git a/tests/suites/test_suite_psa_crypto_low_hash.function b/tests/suites/test_suite_psa_crypto_low_hash.function index 6bdbefa1e..6dabceff9 100644 --- a/tests/suites/test_suite_psa_crypto_low_hash.function +++ b/tests/suites/test_suite_psa_crypto_low_hash.function @@ -50,17 +50,9 @@ void hash_valid_one_shot(int alg_arg, data_t *input, mbedtls_free(output); output = NULL; -#if 0 - - /* Smaller output buffer (does not have to work!) */ - output_size = expected->len - 1; - ASSERT_ALLOC(output, output_size); - TEST_EQUAL(mbedtls_psa_hash_compute(alg, input->x, input->len, - output, output_size, &length), - PSA_ERROR_BUFFER_TOO_SMALL); - mbedtls_free(output); - output = NULL; -#endif + /* We don't test with a smaller output buffer because this isn't + * guaranteed to work: the core must pass a sufficiently large + * output buffer to the driver. */ exit: mbedtls_free(output); @@ -147,18 +139,9 @@ void hash_valid_multipart(int alg_arg, mbedtls_free(output); output = NULL; -#if 0 - /* Smaller output buffer (does not have to work!) */ - TEST_EQUAL(mbedtls_psa_hash_clone(&clone_more, &clone_end), - PSA_SUCCESS); - output_size = expected2->len - 1; - ASSERT_ALLOC(output, output_size); - TEST_EQUAL(mbedtls_psa_hash_finish(&clone_end, - output, output_size, &length), - PSA_ERROR_BUFFER_TOO_SMALL); - mbedtls_free(output); - output = NULL; -#endif + /* We don't test with a smaller output buffer because this isn't + * guaranteed to work: the core must pass a sufficiently large + * output buffer to the driver. */ /* Nominal case again after an error in a cloned operation */ output_size = expected2->len; From 9043a2fc0b4188e738fe35807474c3a71f5a83a8 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 9 Aug 2023 10:50:58 +0200 Subject: [PATCH 04/15] Fix type annotation Signed-off-by: Gilles Peskine --- scripts/mbedtls_dev/crypto_data_tests.py | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py index 99c4e3db3..2036ea3ea 100644 --- a/scripts/mbedtls_dev/crypto_data_tests.py +++ b/scripts/mbedtls_dev/crypto_data_tests.py @@ -73,7 +73,7 @@ class HashPSALowLevel: 'PSA_ALG_SHA3_384': None, #lambda data: hashlib.sha3_384(data).hexdigest(), 'PSA_ALG_SHA3_512': None, #lambda data: hashlib.sha3_512(data).hexdigest(), 'PSA_ALG_SHAKE256_512': None, #lambda data: hashlib.shake_256(data).hexdigest(64), - } #typing: Optional[Dict[str, Callable[[bytes], str]]] + } #type: Dict[str, Optional[Callable[[bytes], str]]] @staticmethod def one_test_case(alg: crypto_knowledge.Algorithm, From 5240ab0c9896bec20556bcdbfd6ef37ad71d0230 Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Tue, 7 Nov 2023 16:21:49 +0100 Subject: [PATCH 05/15] Backported test cases from https://github.com/Mbed-TLS/mbedtls/pull/8378 Signed-off-by: Matthias Schulz --- tests/suites/test_suite_x509parse.data | 12 ++++++++++++ 1 file changed, 12 insertions(+) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 406a06385..2c6d9e32a 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2781,6 +2781,18 @@ X509 CSR ASN.1 (OK) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 +X509 CSR ASN.1 (Unsupported critical extension, critical=true) +depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +mbedtls_x509_csr_parse:"308201233081cb02010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d03010703420004c11ebb9951848a436ca2c8a73382f24bbb6c28a92e401d4889b0c361f377b92a8b0497ff2f5a5f6057ae85f704ab1850bef075914f68ed3aeb15a1ff1ebc0dc6a028302606092a864886f70d01090e311930173015060b2b0601040183890c8622020101ff0403010101300a06082a8648ce3d040302034700304402200c4108fd098525993d3fd5b113f0a1ead8750852baf55a2f8e670a22cabc0ba1022034db93a0fcb993912adcf2ea8cb4b66389af30e264d43c0daea03255e45d2ccc":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG + +X509 CSR ASN.1 (Unsupported non-critical extension, critical=false) +depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +mbedtls_x509_csr_parse:"308201243081cb02010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d03010703420004b5e718a7df6b21912733e77c42f266b8283e6cae7adf8afd56b990c1c6232ea0a2a46097c218353bc948444aea3d00423e84802e28c48099641fe9977cdfb505a028302606092a864886f70d01090e311930173015060b2b0601040183890c8622020101000403010101300a06082a8648ce3d0403020348003045022100f0ba9a0846ad0a7cefd0a61d5fc92194dc06037a44158de2d0c569912c058d430220421f27a9f249c1687e2fa34db3f543c8512fd925dfe5ae00867f13963ffd4f8d":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0 + +X509 CSR ASN.1 (Unsupported non-critical extension, critical undefined) +depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C +mbedtls_x509_csr_parse:"308201223081c802010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d030107034200045f94b28d133418833bf10c442d91306459d3925e7cea06ebb9220932e7de116fb671c5d2d6c0a3784a12897217aef8432e7228fcea0ab016bdb67b67ced4c612a025302306092a864886f70d01090e311630143012060b2b0601040183890c8622020403010101300a06082a8648ce3d04030203490030460221009b1e8b25775c18525e96753e1ed55875f8d62f026c5b7f70eb5037ad27dc92de022100ba1dfe14de6af6a603f763563fd046b1cd3714b54d6daf5d8a72076497f11014":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0 + X509 CSR ASN.1 (bad first tag) mbedtls_x509_csr_parse:"3100":"":MBEDTLS_ERR_X509_INVALID_FORMAT From 9a0ad5c42797d34f88864108ad2a3ce48f8d0dcc Mon Sep 17 00:00:00 2001 From: Matthias Schulz Date: Tue, 7 Nov 2023 16:40:22 +0100 Subject: [PATCH 06/15] Changed the test to reflect mbedTLS's current behavior. Signed-off-by: Matthias Schulz --- tests/suites/test_suite_x509parse.data | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tests/suites/test_suite_x509parse.data b/tests/suites/test_suite_x509parse.data index 2c6d9e32a..6ffba8460 100644 --- a/tests/suites/test_suite_x509parse.data +++ b/tests/suites/test_suite_x509parse.data @@ -2781,9 +2781,9 @@ X509 CSR ASN.1 (OK) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA1_C mbedtls_x509_csr_parse:"308201183081bf0201003034310b3009060355040613024e4c3111300f060355040a1308506f6c617253534c31123010060355040313096c6f63616c686f73743059301306072a8648ce3d020106082a8648ce3d0301070342000437cc56d976091e5a723ec7592dff206eee7cf9069174d0ad14b5f768225962924ee500d82311ffea2fd2345d5d16bd8a88c26b770d55cd8a2a0efa01c8b4edffa029302706092a864886f70d01090e311a301830090603551d1304023000300b0603551d0f0404030205e0300906072a8648ce3d04010349003046022100b49fd8c8f77abfa871908dfbe684a08a793d0f490a43d86fcf2086e4f24bb0c2022100f829d5ccd3742369299e6294394717c4b723a0f68b44e831b6e6c3bcabf97243":"CSR version \: 1\nsubject name \: C=NL, O=PolarSSL, CN=localhost\nsigned using \: ECDSA with SHA1\nEC key size \: 256 bits\n":0 -X509 CSR ASN.1 (Unsupported critical extension, critical=true) +X509 CSR ASN.1 (Unsupported critical extension, critical=true, ignore for backwards compatibility) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C -mbedtls_x509_csr_parse:"308201233081cb02010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d03010703420004c11ebb9951848a436ca2c8a73382f24bbb6c28a92e401d4889b0c361f377b92a8b0497ff2f5a5f6057ae85f704ab1850bef075914f68ed3aeb15a1ff1ebc0dc6a028302606092a864886f70d01090e311930173015060b2b0601040183890c8622020101ff0403010101300a06082a8648ce3d040302034700304402200c4108fd098525993d3fd5b113f0a1ead8750852baf55a2f8e670a22cabc0ba1022034db93a0fcb993912adcf2ea8cb4b66389af30e264d43c0daea03255e45d2ccc":"":MBEDTLS_ERR_X509_INVALID_EXTENSIONS+MBEDTLS_ERR_ASN1_UNEXPECTED_TAG +mbedtls_x509_csr_parse:"308201233081cb02010030413119301706035504030c1053656c66207369676e65642074657374310b300906035504061302444531173015060355040a0c0e41757468437274444220546573743059301306072a8648ce3d020106082a8648ce3d03010703420004c11ebb9951848a436ca2c8a73382f24bbb6c28a92e401d4889b0c361f377b92a8b0497ff2f5a5f6057ae85f704ab1850bef075914f68ed3aeb15a1ff1ebc0dc6a028302606092a864886f70d01090e311930173015060b2b0601040183890c8622020101ff0403010101300a06082a8648ce3d040302034700304402200c4108fd098525993d3fd5b113f0a1ead8750852baf55a2f8e670a22cabc0ba1022034db93a0fcb993912adcf2ea8cb4b66389af30e264d43c0daea03255e45d2ccc":"CSR version \: 1\nsubject name \: CN=Self signed test, C=DE, O=AuthCrtDB Test\nsigned using \: ECDSA with SHA256\nEC key size \: 256 bits\n":0 X509 CSR ASN.1 (Unsupported non-critical extension, critical=false) depends_on:MBEDTLS_ECDSA_C:MBEDTLS_ECP_DP_SECP256R1_ENABLED:MBEDTLS_SHA256_C From eb8f498ef1d69e375e2cb882e7af682619b968ff Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Wed, 8 Nov 2023 10:08:09 +0100 Subject: [PATCH 07/15] Remove unused *.cocci files Signed-off-by: Ronald Cron --- scripts/find-mem-leak.cocci | 20 -------------------- scripts/rm-calloc-cast.cocci | 7 ------- 2 files changed, 27 deletions(-) delete mode 100644 scripts/find-mem-leak.cocci delete mode 100644 scripts/rm-calloc-cast.cocci diff --git a/scripts/find-mem-leak.cocci b/scripts/find-mem-leak.cocci deleted file mode 100644 index 8179e2b3e..000000000 --- a/scripts/find-mem-leak.cocci +++ /dev/null @@ -1,20 +0,0 @@ -@@ -expression x, y; -statement S; -@@ - x = mbedtls_calloc(...); - y = mbedtls_calloc(...); - ... -* if (x == NULL || y == NULL) - S - -@@ -expression x, y; -statement S; -@@ - if ( -* (x = mbedtls_calloc(...)) == NULL - || -* (y = mbedtls_calloc(...)) == NULL - ) - S diff --git a/scripts/rm-calloc-cast.cocci b/scripts/rm-calloc-cast.cocci deleted file mode 100644 index 89481c01a..000000000 --- a/scripts/rm-calloc-cast.cocci +++ /dev/null @@ -1,7 +0,0 @@ -@rm_calloc_cast@ -expression x, n, m; -type T; -@@ - x = -- (T *) - mbedtls_calloc(n, m) From 5fae560b4a054a69587a8574a60eb5c6f54af5f2 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Tom=C3=A1s=20Gonz=C3=A1lez?= Date: Mon, 13 Nov 2023 11:45:12 +0000 Subject: [PATCH 08/15] Update new license headers MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Signed-off-by: Tomás González --- scripts/mbedtls_dev/crypto_data_tests.py | 15 ++------------- scripts/mbedtls_dev/psa_information.py | 15 ++------------- tests/scripts/generate_psa_tests.py | 14 +------------- 3 files changed, 5 insertions(+), 39 deletions(-) diff --git a/scripts/mbedtls_dev/crypto_data_tests.py b/scripts/mbedtls_dev/crypto_data_tests.py index 2036ea3ea..bad26fdd7 100644 --- a/scripts/mbedtls_dev/crypto_data_tests.py +++ b/scripts/mbedtls_dev/crypto_data_tests.py @@ -3,19 +3,8 @@ This module is a work in progress, only implementing a few cases for now. """ # Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + import hashlib from typing import Callable, Dict, Iterator, List, Optional #pylint: disable=unused-import diff --git a/scripts/mbedtls_dev/psa_information.py b/scripts/mbedtls_dev/psa_information.py index 0d3b246ee..a3a84f6db 100644 --- a/scripts/mbedtls_dev/psa_information.py +++ b/scripts/mbedtls_dev/psa_information.py @@ -2,19 +2,8 @@ """ # Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later + import re from typing import Dict, FrozenSet, List, Optional diff --git a/tests/scripts/generate_psa_tests.py b/tests/scripts/generate_psa_tests.py index 872d21472..faebe510c 100755 --- a/tests/scripts/generate_psa_tests.py +++ b/tests/scripts/generate_psa_tests.py @@ -6,19 +6,7 @@ generate only the specified files. """ # Copyright The Mbed TLS Contributors -# SPDX-License-Identifier: Apache-2.0 -# -# Licensed under the Apache License, Version 2.0 (the "License"); you may -# not use this file except in compliance with the License. -# You may obtain a copy of the License at -# -# http://www.apache.org/licenses/LICENSE-2.0 -# -# Unless required by applicable law or agreed to in writing, software -# distributed under the License is distributed on an "AS IS" BASIS, WITHOUT -# WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -# See the License for the specific language governing permissions and -# limitations under the License. +# SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later import enum import re From e9616fdbc940d885a6de1a2b7719f85d77379966 Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Tue, 21 Nov 2023 13:42:40 +0100 Subject: [PATCH 09/15] Fix the build with gcc-12 -Wuse-after-free Signed-off-by: Gilles Peskine --- programs/test/metatest.c | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/programs/test/metatest.c b/programs/test/metatest.c index 2973cce3f..b8dffa9bb 100644 --- a/programs/test/metatest.c +++ b/programs/test/metatest.c @@ -46,6 +46,12 @@ */ volatile int false_but_the_compiler_does_not_know = 0; +/* Hide calls to calloc/free from static checkers such as + * `gcc-12 -Wuse-after-free`, to avoid compile-time complaints about + * code where we do mean to cause a runtime error. */ +void * (* volatile calloc_but_the_compiler_does_not_know)(size_t, size_t) = mbedtls_calloc; +void(*volatile free_but_the_compiler_does_not_know)(void *) = mbedtls_free; + /* Set n bytes at the address p to all-bits-zero, in such a way that * the compiler should not know that p is all-bits-zero. */ static void set_to_zero_but_the_compiler_does_not_know(volatile void *p, size_t n) @@ -98,9 +104,9 @@ void null_pointer_call(const char *name) void read_after_free(const char *name) { (void) name; - volatile char *p = mbedtls_calloc(1, 1); + volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); *p = 'a'; - mbedtls_free((void *) p); + free_but_the_compiler_does_not_know((void *) p); /* Undefined behavior (read after free) */ mbedtls_printf("%u\n", (unsigned) *p); } @@ -108,11 +114,11 @@ void read_after_free(const char *name) void double_free(const char *name) { (void) name; - volatile char *p = mbedtls_calloc(1, 1); + volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); *p = 'a'; - mbedtls_free((void *) p); + free_but_the_compiler_does_not_know((void *) p); /* Undefined behavior (double free) */ - mbedtls_free((void *) p); + free_but_the_compiler_does_not_know((void *) p); } void read_uninitialized_stack(const char *name) @@ -132,7 +138,7 @@ void read_uninitialized_stack(const char *name) void memory_leak(const char *name) { (void) name; - volatile char *p = mbedtls_calloc(1, 1); + volatile char *p = calloc_but_the_compiler_does_not_know(1, 1); mbedtls_printf("%u\n", (unsigned) *p); /* Leak of a heap object */ } From c3a9bdb2b5b8370c92cba7e1b44c1fe5dc4d8e0b Mon Sep 17 00:00:00 2001 From: Gilles Peskine Date: Wed, 22 Nov 2023 17:55:43 +0100 Subject: [PATCH 10/15] Detect enabled GCC/Clang sanitizers Occasionally we want tests to take advantage of sanitizers, or work around them. Signed-off-by: Gilles Peskine --- tests/include/test/helpers.h | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/tests/include/test/helpers.h b/tests/include/test/helpers.h index fde8cc5c2..17153b7d6 100644 --- a/tests/include/test/helpers.h +++ b/tests/include/test/helpers.h @@ -19,6 +19,21 @@ #include MBEDTLS_CONFIG_FILE #endif +#if defined(__SANITIZE_ADDRESS__) /* gcc -fsanitize=address */ +# define MBEDTLS_TEST_HAVE_ASAN +#endif +#if defined(__has_feature) +# if __has_feature(address_sanitizer) /* clang -fsanitize=address */ +# define MBEDTLS_TEST_HAVE_ASAN +# endif +# if __has_feature(memory_sanitizer) /* clang -fsanitize=memory */ +# define MBEDTLS_TEST_HAVE_MSAN +# endif +# if __has_feature(thread_sanitizer) /* clang -fsanitize=thread */ +# define MBEDTLS_TEST_HAVE_TSAN +# endif +#endif + #if defined(MBEDTLS_THREADING_C) && defined(MBEDTLS_THREADING_PTHREAD) && \ defined(MBEDTLS_TEST_HOOKS) #define MBEDTLS_TEST_MUTEX_USAGE From 46a660a2c5768cb65b12733115dc3fefbe8808f3 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Thu, 23 Nov 2023 17:20:19 +0100 Subject: [PATCH 11/15] ssl-opt.sh: Fix getting the list of supported ciphersuites. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 401b89dbb..55e465ad0 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -279,7 +279,7 @@ requires_protocol_version() { # Space-separated list of ciphersuites supported by this build of # Mbed TLS. -P_CIPHERSUITES=" $($P_CLI --help 2>/dev/null | +P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null | grep TLS- | tr -s ' \n' ' ')" requires_ciphersuite_enabled() { From a8b474f42f30f932adc709f1629b98bb181c5017 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Nov 2023 15:49:25 +0100 Subject: [PATCH 12/15] ssl-opt.sh: Add a check of the list of supported ciphersuites Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 15 ++++++++++++--- 1 file changed, 12 insertions(+), 3 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 55e465ad0..81c6c6033 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -279,9 +279,18 @@ requires_protocol_version() { # Space-separated list of ciphersuites supported by this build of # Mbed TLS. -P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null | - grep TLS- | - tr -s ' \n' ' ')" +P_CIPHERSUITES="" +if [ "$LIST_TESTS" -eq 0 ]; then + P_CIPHERSUITES=" $($P_CLI help_ciphersuites 2>/dev/null | + grep 'TLS-' | + tr -s ' \n' ' ')" + + if [ -z "${P_CIPHERSUITES# }" ]; then + echo >&2 "$0: fatal error: no cipher suites found!" + exit 125 + fi +fi + requires_ciphersuite_enabled() { case $P_CIPHERSUITES in *" $1 "*) :;; From 237e3f8e5311f91db745c06931342489e385b4ad Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Nov 2023 15:03:57 +0100 Subject: [PATCH 13/15] ssl-opt.sh: Fix some symmetric crypto dependencies Fix some dependencies on symmetric crypto that were not correct in case of driver but not builtin support. Revealed by "Analyze driver test_psa_crypto_config_accel_cipher_aead vs reference test_psa_crypto_config_reference_cipher_aead" in analyze_outcomes.py. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 14 +++++--------- 1 file changed, 5 insertions(+), 9 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 81c6c6033..dca13a136 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9006,7 +9006,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled MBEDTLS_CHACHAPOLY_C +requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ @@ -9038,8 +9038,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_GCM_C +requires_config_enabled PSA_WANT_ALG_GCM requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ @@ -9071,8 +9070,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_CCM_C +requires_config_enabled PSA_WANT_ALG_CCM requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ @@ -9104,8 +9102,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC +requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ @@ -9138,8 +9135,7 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled MBEDTLS_AES_C -requires_config_enabled MBEDTLS_CIPHER_MODE_CBC +requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ From 6f2183f7568b732ced98d6797dd48fb2f96e8cc5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Nov 2023 17:43:49 +0100 Subject: [PATCH 14/15] ssl-opt.sh: Remove unnecessary symmetric crypto dependencies Same test cases as in the previous commit. Remove the redundant symmetric crypto dependency. The dependency is ensured by the fact that: 1) the test case forces a cipher suite 2) ssl-opt.sh enforces automatically that the forced ciphersuite is available. 3) The fact that the forced ciphersuite is available implies that the symmetric cipher algorithm it uses is available as well. Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 5 ----- 1 file changed, 5 deletions(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index dca13a136..05978cd70 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9006,7 +9006,6 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled PSA_WANT_ALG_CHACHA20_POLY1305 requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ -p "$P_PXY mtu=512" \ @@ -9038,7 +9037,6 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled PSA_WANT_ALG_GCM requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-GCM renego" \ -p "$P_PXY mtu=512" \ @@ -9070,7 +9068,6 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled PSA_WANT_ALG_CCM requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CCM renego" \ -p "$P_PXY mtu=1024" \ @@ -9102,7 +9099,6 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING requires_config_enabled MBEDTLS_SSL_ENCRYPT_THEN_MAC requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC EtM renego" \ @@ -9135,7 +9131,6 @@ requires_config_enabled MBEDTLS_ECDSA_C requires_config_enabled MBEDTLS_SHA256_C requires_config_enabled MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED requires_config_enabled MBEDTLS_SSL_RENEGOTIATION -requires_config_enabled PSA_WANT_ALG_CBC_NO_PADDING requires_max_content_len 2048 run_test "DTLS fragmenting: proxy MTU, AES-CBC non-EtM renego" \ -p "$P_PXY mtu=1024" \ From ba77a66475fef2dfcb0028fd16870ba19fca27c5 Mon Sep 17 00:00:00 2001 From: Ronald Cron Date: Tue, 28 Nov 2023 17:52:42 +0100 Subject: [PATCH 15/15] Align forced ciphersuite with test description Signed-off-by: Ronald Cron --- tests/ssl-opt.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/tests/ssl-opt.sh b/tests/ssl-opt.sh index 05978cd70..0edb62655 100755 --- a/tests/ssl-opt.sh +++ b/tests/ssl-opt.sh @@ -9019,7 +9019,7 @@ run_test "DTLS fragmenting: proxy MTU, ChachaPoly renego" \ crt_file=data_files/server8_int-ca2.crt \ key_file=data_files/server8.key \ exchanges=2 renegotiation=1 renegotiate=1 \ - force_ciphersuite=TLS-ECDHE-ECDSA-WITH-AES-128-GCM-SHA256 \ + force_ciphersuite=TLS-ECDHE-ECDSA-WITH-CHACHA20-POLY1305-SHA256 \ hs_timeout=10000-60000 \ mtu=512" \ 0 \