cuberite/polarssl
1
0
Fork 0
mirror of https://github.com/cuberite/polarssl.git synced 2025-09-23 20:48:33 -04:00
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #10209 from bjwtaylor/remove-MBEDTLS_USE_PSA_CRYPTO-code

Browse Source 
Remove mbedtls use psa crypto code
This commit is contained in:
Gilles Peskine 2025-07-30 11:46:09 +00:00 committed by GitHub
commit 40486a404d
No known key found for this signature in database
GPG Key ID: B5690EEEBB952194
32 changed files with 83 additions and 511 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
programs/fuzz/fuzz_client.c
View File

@ -78,12 +78,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@ -179,9 +177,7 @@ exit:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;

4
programs/fuzz/fuzz_dtlsclient.c
View File

@ -61,12 +61,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@ -124,9 +122,7 @@ exit:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;

4
programs/fuzz/fuzz_dtlsserver.c
View File

@ -58,12 +58,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
mbedtls_ssl_config_init(&conf);
mbedtls_ssl_cookie_init(&cookie_ctx);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@ -166,9 +164,7 @@ exit:
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else
(void) Data;

10
programs/fuzz/fuzz_server.c
View File

@ -67,12 +67,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_init(&ticket_ctx);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (mbedtls_ctr_drbg_seed(&ctr_drbg, dummy_entropy, &entropy,
(const unsigned char *) pers, strlen(pers)) != 0) {
@ -194,19 +192,17 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
exit:
#if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
mbedtls_ssl_ticket_free(&ticket_ctx);
#endif
#endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
mbedtls_entropy_free(&entropy);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_ssl_config_free(&conf);
#if defined(MBEDTLS_X509_CRT_PARSE_C) && defined(MBEDTLS_PEM_PARSE_C)
mbedtls_x509_crt_free(&srvcert);
mbedtls_pk_free(&pkey);
#endif
#endif /* MBEDTLS_X509_CRT_PARSE_C && MBEDTLS_PEM_PARSE_C */
mbedtls_ssl_free(&ssl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif
#else
#else /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */
(void) Data;
(void) Size;
#endif /* MBEDTLS_SSL_SRV_C && MBEDTLS_ENTROPY_C && MBEDTLS_CTR_DRBG_C */

10
programs/fuzz/fuzz_x509crl.c
View File

@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
unsigned char buf[4096];
mbedtls_x509_crl_init(&crl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crl_parse(&crl, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
ret = mbedtls_x509_crl_info((char *) buf, sizeof(buf) - 1, " ", &crl);
}
#else
#else /* !MBEDTLS_X509_REMOVE_INFO */
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crl_free(&crl);
#else
#else /* MBEDTLS_X509_CRL_PARSE_C */
(void) Data;
(void) Size;
#endif
#endif /* MBEDTLS_X509_CRL_PARSE_C */
return 0;
}

8
programs/fuzz/fuzz_x509crt.c
View File

@ -12,12 +12,10 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
unsigned char buf[4096];
mbedtls_x509_crt_init(&crt);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_crt_parse(&crt, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
@ -28,15 +26,13 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_crt_free(&crt);
#else
#else /* MBEDTLS_X509_CRT_PARSE_C */
(void) Data;
(void) Size;
#endif
#endif /* MBEDTLS_X509_CRT_PARSE_C */
return 0;
}

10
programs/fuzz/fuzz_x509csr.c
View File

@ -12,31 +12,27 @@ int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
unsigned char buf[4096];
mbedtls_x509_csr_init(&csr);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
ret = mbedtls_x509_csr_parse(&csr, Data, Size);
#if !defined(MBEDTLS_X509_REMOVE_INFO)
if (ret == 0) {
ret = mbedtls_x509_csr_info((char *) buf, sizeof(buf) - 1, " ", &csr);
}
#else
#else /* !MBEDTLS_X509_REMOVE_INFO */
((void) ret);
((void) buf);
#endif /* !MBEDTLS_X509_REMOVE_INFO */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
exit:
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_x509_csr_free(&csr);
#else
#else /* MBEDTLS_X509_CSR_PARSE_C */
(void) Data;
(void) Size;
#endif
#endif /* MBEDTLS_X509_CSR_PARSE_C */
return 0;
}

4
programs/pkey/gen_key.c
View File

@ -257,14 +257,12 @@ int main(int argc, char *argv[])
mbedtls_ctr_drbg_init(&ctr_drbg);
memset(buf, 0, sizeof(buf));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -473,9 +471,7 @@ exit:
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

4
programs/pkey/pk_sign.c
View File

@ -55,14 +55,12 @@ int main(int argc, char *argv[])
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_sign <key_file> <filename>\n");
@ -139,9 +137,7 @@ exit:
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {

4
programs/pkey/pk_verify.c
View File

@ -47,14 +47,12 @@ int main(int argc, char *argv[])
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: mbedtls_pk_verify <key_file> <filename>\n");
@ -115,9 +113,7 @@ int main(int argc, char *argv[])
exit:
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_ERROR_C)
if (exit_code != MBEDTLS_EXIT_SUCCESS) {

4
programs/pkey/rsa_sign_pss.c
View File

@ -57,14 +57,12 @@ int main(int argc, char *argv[])
mbedtls_pk_init(&pk);
mbedtls_ctr_drbg_init(&ctr_drbg);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: rsa_sign_pss <key_file> <filename>\n");
@ -153,9 +151,7 @@ exit:
mbedtls_pk_free(&pk);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

4
programs/pkey/rsa_verify_pss.c
View File

@ -51,14 +51,12 @@ int main(int argc, char *argv[])
mbedtls_pk_init(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc != 3) {
mbedtls_printf("usage: rsa_verify_pss <key_file> <filename>\n");
@ -131,9 +129,7 @@ int main(int argc, char *argv[])
exit:
mbedtls_pk_free(&pk);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

80
programs/ssl/ssl_client2.c
View File

@ -9,9 +9,7 @@
#include "ssl_test_lib.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "test/psa_crypto_helpers.h"
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
int main(void)
@ -145,7 +143,7 @@ int main(void)
#else /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#define USAGE_IO ""
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#define USAGE_KEY_OPAQUE \
" key_opaque=%%d Handle your private key as if it were opaque\n" \
" default: 0 (disabled)\n"
@ -172,7 +170,6 @@ int main(void)
" psk=%%s default: \"\" (disabled)\n" \
" The PSK values are in hex, without 0x.\n" \
" psk_identity=%%s default: \"Client_identity\"\n"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USAGE_PSK_SLOT \
" psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \
" Enable this to store the PSK configured through command line\n" \
@ -183,9 +180,6 @@ int main(void)
" Note: This is to test integration of PSA-based opaque PSKs with\n" \
" Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \
" with prepopulated key slots instead of importing raw key material.\n"
#else
#define USAGE_PSK_SLOT ""
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
#else
#define USAGE_PSK ""
@ -309,14 +303,9 @@ int main(void)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USAGE_ECJPAKE \
" ecjpake_pw=%%s default: none (disabled)\n" \
" ecjpake_pw_opaque=%%d default: 0 (disabled)\n"
#else /* MBEDTLS_USE_PSA_CRYPTO */
#define USAGE_ECJPAKE \
" ecjpake_pw=%%s default: none (disabled)\n"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#define USAGE_ECJPAKE ""
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@ -488,9 +477,7 @@ struct options {
const char *crt_file; /* the file with the client certificate */
const char *key_file; /* the file with the client key */
int key_opaque; /* handle private key as if it were opaque */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback; /* Use callback for trusted certificate list */
#endif
@ -498,9 +485,7 @@ struct options {
const char *psk; /* the pre-shared key */
const char *psk_identity; /* the pre-shared key identity */
const char *ecjpake_pw; /* the EC J-PAKE password */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */
#endif
int ec_max_ops; /* EC consecutive operations limit */
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -824,16 +809,12 @@ int main(int argc, char *argv[])
const char *pers = "ssl_client2";
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
mbedtls_svc_key_id_t slot = MBEDTLS_SVC_KEY_ID_INIT;
psa_algorithm_t alg = 0;
psa_key_attributes_t key_attributes;
#endif
psa_status_t status;
#elif defined(MBEDTLS_SSL_PROTO_TLS1_3)
psa_status_t status;
#endif
rng_context_t rng;
mbedtls_ssl_context ssl;
@ -850,9 +831,7 @@ int main(int argc, char *argv[])
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
#endif
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
char *p, *q;
const int *list;
@ -877,10 +856,9 @@ int main(int argc, char *argv[])
MBEDTLS_TLS_SRTP_UNSET
};
#endif /* MBEDTLS_SSL_DTLS_SRTP */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
@ -907,7 +885,6 @@ int main(int argc, char *argv[])
memset((void *) alpn_list, 0, sizeof(alpn_list));
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@ -915,7 +892,6 @@ int main(int argc, char *argv[])
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
mbedtls_test_enable_insecure_external_rng();
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
@ -942,17 +918,13 @@ int main(int argc, char *argv[])
opt.key_opaque = DFL_KEY_OPAQUE;
opt.key_pwd = DFL_KEY_PWD;
opt.psk = DFL_PSK;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif
opt.psk_identity = DFL_PSK_IDENTITY;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE;
#endif
opt.ec_max_ops = DFL_EC_MAX_OPS;
opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
@ -1127,7 +1099,7 @@ usage:
} else if (strcmp(p, "key_pwd") == 0) {
opt.key_pwd = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
else if (strcmp(p, "key_opaque") == 0) {
opt.key_opaque = atoi(q);
}
@ -1151,12 +1123,9 @@ usage:
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
else if (strcmp(p, "psk") == 0) {
opt.psk = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
else if (strcmp(p, "psk_opaque") == 0) {
} else if (strcmp(p, "psk_opaque") == 0) {
opt.psk_opaque = atoi(q);
}
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if (strcmp(p, "ca_callback") == 0) {
opt.ca_callback = atoi(q);
@ -1166,13 +1135,9 @@ usage:
opt.psk_identity = q;
} else if (strcmp(p, "ecjpake_pw") == 0) {
opt.ecjpake_pw = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
} else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
opt.ecjpake_pw_opaque = atoi(q);
}
#endif
else if (strcmp(p, "ec_max_ops") == 0) {
} else if (strcmp(p, "ec_max_ops") == 0) {
opt.ec_max_ops = atoi(q);
} else if (strcmp(p, "force_ciphersuite") == 0) {
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);
@ -1500,7 +1465,6 @@ usage:
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.psk_opaque != 0) {
if (opt.psk == NULL) {
mbedtls_printf("psk_opaque set but no psk to be imported specified.\n");
@ -1515,7 +1479,6 @@ usage:
goto usage;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (opt.force_ciphersuite[0] > 0) {
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@ -1550,7 +1513,6 @@ usage:
}
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0) {
/* Determine KDF algorithm the opaque PSK will be used in. */
@ -1562,7 +1524,6 @@ usage:
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -1786,7 +1747,6 @@ usage:
goto exit;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.key_opaque != 0) {
psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE;
psa_key_usage_t usage = 0;
@ -1805,7 +1765,6 @@ usage:
}
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf(" ok (key type: %s)\n",
strlen(opt.key_file) || strlen(opt.key_opaque_alg1) ?
@ -2006,7 +1965,6 @@ usage:
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.psk_opaque != 0) {
key_attributes = psa_key_attributes_init();
psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
@ -2027,7 +1985,6 @@ usage:
goto exit;
}
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (psk_len > 0) {
ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len,
(const unsigned char *) opt.psk_identity,
@ -2098,7 +2055,6 @@ usage:
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (opt.ecjpake_pw != DFL_ECJPAKE_PW) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -2123,9 +2079,7 @@ usage:
goto exit;
}
mbedtls_printf("using opaque password\n");
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
} else {
if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl,
(const unsigned char *) opt.ecjpake_pw,
strlen(opt.ecjpake_pw))) != 0) {
@ -3206,13 +3160,10 @@ exit:
mbedtls_x509_crt_free(&clicert);
mbedtls_x509_crt_free(&cacert);
mbedtls_pk_free(&pkey);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(key_slot);
#endif
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0) {
/* This is ok even if the slot hasn't been
* initialized (we might have jumed here
@ -3229,11 +3180,9 @@ exit:
}
}
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
* In case opaque keys it's the user responsibility to keep the key valid
* for the duration of the handshake and destroy it at the end
@ -3252,9 +3201,8 @@ exit:
psa_destroy_key(ecjpake_pw_slot);
}
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
const char *message = mbedtls_test_helper_is_psa_leaking();
if (message) {
if (ret == 0) {
@ -3262,12 +3210,10 @@ exit:
}
mbedtls_printf("PSA memory leak detected: %s\n", message);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO || MBEDTLS_SSL_PROTO_TLS1_3 */
/* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
* resources are freed by rng_free(). */
#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) && \
!defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
mbedtls_psa_crypto_free();
#endif

95
programs/ssl/ssl_server2.c
View File

@ -53,9 +53,7 @@ int main(void)
#include <windows.h>
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
#include "test/psa_crypto_helpers.h"
#endif
#include "mbedtls/pk.h"
#if defined(MBEDTLS_PK_HAVE_PRIVATE_HEADER)
@ -205,7 +203,7 @@ int main(void)
#else
#define USAGE_IO ""
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#define USAGE_KEY_OPAQUE \
" key_opaque=%%d Handle your private keys as if they were opaque\n" \
" default: 0 (disabled)\n"
@ -248,7 +246,6 @@ int main(void)
" The PSK values are in hex, without 0x.\n" \
" id1,psk1[,id2,psk2[,...]]\n" \
" psk_identity=%%s default: \"Client_identity\"\n"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USAGE_PSK_SLOT \
" psk_opaque=%%d default: 0 (don't use opaque static PSK)\n" \
" Enable this to store the PSK configured through command line\n" \
@ -268,9 +265,6 @@ int main(void)
" Note: This is to test integration of PSA-based opaque PSKs with\n" \
" Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \
" with prepopulated key slots instead of importing raw key material.\n"
#else
#define USAGE_PSK_SLOT ""
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
#else
#define USAGE_PSK ""
@ -419,14 +413,9 @@ int main(void)
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define USAGE_ECJPAKE \
" ecjpake_pw=%%s default: none (disabled)\n" \
" ecjpake_pw_opaque=%%d default: 0 (disabled)\n"
#else /* MBEDTLS_USE_PSA_CRYPTO */
#define USAGE_ECJPAKE \
" ecjpake_pw=%%s default: none (disabled)\n"
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#define USAGE_ECJPAKE ""
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
@ -641,10 +630,8 @@ struct options {
int async_private_delay1; /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
int async_private_delay2; /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
int async_private_error; /* inject error in async private callback */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int psk_opaque;
int psk_list_opaque;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback; /* Use callback for trusted certificate list */
#endif
@ -652,9 +639,7 @@ struct options {
const char *psk_identity; /* the pre-shared key identity */
char *psk_list; /* list of PSK id/key pairs for callback */
const char *ecjpake_pw; /* the EC J-PAKE password */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int ecjpake_pw_opaque; /* set to 1 to use the opaque method for setting the password */
#endif
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
int tls13_kex_modes; /* supported TLS 1.3 key exchange modes */
@ -962,9 +947,7 @@ struct _psk_entry {
const char *name;
size_t key_len;
unsigned char key[MBEDTLS_PSK_MAX_LEN];
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t slot;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
psk_entry *next;
};
@ -976,7 +959,6 @@ static int psk_free(psk_entry *head)
psk_entry *next;
while (head != NULL) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status;
mbedtls_svc_key_id_t const slot = head->slot;
@ -986,7 +968,6 @@ static int psk_free(psk_entry *head)
return status;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
next = head->next;
mbedtls_free(head);
@ -1052,12 +1033,11 @@ static int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
while (cur != NULL) {
if (name_len == strlen(cur->name) &&
memcmp(name, cur->name, name_len) == 0) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) {
return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot);
} else
#endif
return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len);
} else {
return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len);
}
}
cur = cur->next;
@ -1302,7 +1282,6 @@ static void ssl_async_cancel(mbedtls_ssl_context *ssl)
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
psa_algorithm_t alg,
@ -1326,7 +1305,6 @@ static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
return PSA_SUCCESS;
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
static int report_cid_usage(mbedtls_ssl_context *ssl,
@ -1543,10 +1521,8 @@ int main(int argc, char *argv[])
io_ctx_t io_ctx;
unsigned char *buf = 0;
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t alg = 0;
mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char psk[MBEDTLS_PSK_MAX_LEN];
size_t psk_len = 0;
psk_entry *psk_info = NULL;
@ -1574,10 +1550,8 @@ int main(int argc, char *argv[])
mbedtls_x509_crt srvcert2;
mbedtls_pk_context pkey2;
mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
#endif
int key_cert_init = 0, key_cert_init2 = 0;
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
@ -1609,10 +1583,9 @@ int main(int argc, char *argv[])
unsigned char *context_buf = NULL;
size_t context_buf_len = 0;
#endif
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
@ -1621,9 +1594,7 @@ int main(int argc, char *argv[])
int i;
char *p, *q;
const int *list;
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
psa_status_t status;
#endif
unsigned char eap_tls_keymaterial[16];
unsigned char eap_tls_iv[8];
const char *eap_tls_label = "client EAP encryption";
@ -1684,7 +1655,6 @@ int main(int argc, char *argv[])
mbedtls_ssl_cookie_init(&cookie_ctx);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
@ -1692,7 +1662,6 @@ int main(int argc, char *argv[])
ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
mbedtls_test_enable_insecure_external_rng();
#endif /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
@ -1731,19 +1700,15 @@ int main(int argc, char *argv[])
opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
opt.psk = DFL_PSK;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.psk_opaque = DFL_PSK_OPAQUE;
opt.psk_list_opaque = DFL_PSK_LIST_OPAQUE;
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
opt.ca_callback = DFL_CA_CALLBACK;
#endif
opt.psk_identity = DFL_PSK_IDENTITY;
opt.psk_list = DFL_PSK_LIST;
opt.ecjpake_pw = DFL_ECJPAKE_PW;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
opt.ecjpake_pw_opaque = DFL_ECJPAKE_PW_OPAQUE;
#endif
opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
opt.tls13_kex_modes = DFL_TLS1_3_KEX_MODES;
@ -1924,7 +1889,7 @@ usage:
} else if (strcmp(p, "key_pwd") == 0) {
opt.key_pwd = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
else if (strcmp(p, "key_opaque") == 0) {
opt.key_opaque = atoi(q);
}
@ -1972,14 +1937,11 @@ usage:
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
else if (strcmp(p, "psk") == 0) {
opt.psk = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
else if (strcmp(p, "psk_opaque") == 0) {
} else if (strcmp(p, "psk_opaque") == 0) {
opt.psk_opaque = atoi(q);
} else if (strcmp(p, "psk_list_opaque") == 0) {
opt.psk_list_opaque = atoi(q);
}
#endif
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
else if (strcmp(p, "ca_callback") == 0) {
opt.ca_callback = atoi(q);
@ -1991,13 +1953,9 @@ usage:
opt.psk_list = q;
} else if (strcmp(p, "ecjpake_pw") == 0) {
opt.ecjpake_pw = q;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
} else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
opt.ecjpake_pw_opaque = atoi(q);
}
#endif
else if (strcmp(p, "force_ciphersuite") == 0) {
} else if (strcmp(p, "force_ciphersuite") == 0) {
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);
if (opt.force_ciphersuite[0] == 0) {
@ -2367,7 +2325,6 @@ usage:
goto exit;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.psk_opaque != 0) {
if (strlen(opt.psk) == 0) {
mbedtls_printf("psk_opaque set but no psk to be imported specified.\n");
@ -2397,7 +2354,6 @@ usage:
goto usage;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (opt.force_ciphersuite[0] > 0) {
const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
@ -2427,7 +2383,6 @@ usage:
opt.min_version = ciphersuite_info->min_tls_version;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) {
/* Determine KDF algorithm the opaque PSK will be used in. */
@ -2439,7 +2394,6 @@ usage:
alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
@ -2732,7 +2686,6 @@ usage:
#endif /* PSA_HAVE_ALG_SOME_ECDSA && PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.key_opaque != 0) {
psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE;
psa_key_usage_t psa_usage = 0;
@ -2768,7 +2721,6 @@ usage:
}
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_printf(" ok (key types: %s, %s)\n",
key_cert_init ? mbedtls_pk_get_name(&pkey) : "none",
@ -3182,7 +3134,6 @@ usage:
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.psk_opaque != 0) {
/* The algorithm has already been determined earlier. */
status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len);
@ -3199,7 +3150,6 @@ usage:
goto exit;
}
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (psk_len > 0) {
ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len,
(const unsigned char *) opt.psk_identity,
@ -3213,7 +3163,6 @@ usage:
}
if (opt.psk_list != NULL) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.psk_list_opaque != 0) {
psk_entry *cur_psk;
for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) {
@ -3227,7 +3176,6 @@ usage:
}
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info);
}
@ -3384,7 +3332,6 @@ reset:
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
if (opt.ecjpake_pw != DFL_ECJPAKE_PW) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -3409,9 +3356,7 @@ reset:
goto exit;
}
mbedtls_printf("using opaque password\n");
} else
#endif /* MBEDTLS_USE_PSA_CRYPTO */
{
} else {
if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl,
(const unsigned char *) opt.ecjpake_pw,
strlen(opt.ecjpake_pw))) != 0) {
@ -4253,11 +4198,9 @@ exit:
mbedtls_pk_free(&pkey);
mbedtls_x509_crt_free(&srvcert2);
mbedtls_pk_free(&pkey2);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(key_slot);
psa_destroy_key(key_slot2);
#endif
#endif
#if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) {
@ -4269,8 +4212,7 @@ exit:
}
#endif
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
if (opt.psk_opaque != 0) {
/* This is ok even if the slot hasn't been
* initialized (we might have jumed here
@ -4284,11 +4226,9 @@ exit:
(int) status);
}
}
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
defined(MBEDTLS_USE_PSA_CRYPTO)
#if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
/*
* In case opaque keys it's the user responsibility to keep the key valid
* for the duration of the handshake and destroy it at the end
@ -4307,9 +4247,8 @@ exit:
psa_destroy_key(ecjpake_pw_slot);
}
}
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
#endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
const char *message = mbedtls_test_helper_is_psa_leaking();
if (message) {
if (ret == 0) {
@ -4317,12 +4256,10 @@ exit:
}
mbedtls_printf("PSA memory leak detected: %s\n", message);
}
#endif
/* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
* resources are freed by rng_free(). */
#if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \
&& !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
#if !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
mbedtls_psa_crypto_free();
#endif

6
programs/ssl/ssl_test_lib.c
View File

@ -83,13 +83,11 @@ void rng_init(rng_context_t *rng)
int rng_seed(rng_context_t *rng, int reproducible, const char *pers)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (reproducible) {
mbedtls_fprintf(stderr,
"MBEDTLS_USE_PSA_CRYPTO does not support reproducible mode.\n");
"reproducible mode is not supported.\n");
return -1;
}
#endif
#if defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
/* The PSA crypto RNG does its own seeding. */
(void) rng;
@ -217,7 +215,6 @@ int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2)
return 0;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
psa_algorithm_t *psa_alg1,
psa_algorithm_t *psa_alg2,
@ -301,7 +298,6 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor
return 0;
}
#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
int ca_callback(void *data, mbedtls_x509_crt const *child,

33
programs/ssl/ssl_test_lib.h
View File

@ -14,9 +14,7 @@
#include "mbedtls/md.h"
#undef HAVE_RNG
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG) && \
(defined(MBEDTLS_USE_PSA_CRYPTO) || \
defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG))
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
#define HAVE_RNG
#elif defined(MBEDTLS_ENTROPY_C) && defined(MBEDTLS_CTR_DRBG_C)
#define HAVE_RNG
@ -55,10 +53,8 @@
#include "mbedtls/base64.h"
#include "test/certs.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
#include "psa/crypto.h"
#include "mbedtls/psa_util.h"
#endif
#if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
#include "mbedtls/memory_buffer_alloc.h"
@ -108,30 +104,7 @@ void my_debug(void *ctx, int level,
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO) && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
/* If MBEDTLS_TEST_USE_PSA_CRYPTO_RNG is defined, the SSL test programs will use
* mbedtls_psa_get_random() rather than entropy+DRBG as a random generator.
*
* The constraints are:
* - Without the entropy module, the PSA RNG is the only option.
* - Without at least one of the DRBG modules, the PSA RNG is the only option.
* - The PSA RNG does not support explicit seeding, so it is incompatible with
* the reproducible mode used by test programs.
* - For good overall test coverage, there should be at least one configuration
* where the test programs use the PSA RNG while the PSA RNG is itself based
* on entropy+DRBG, and at least one configuration where the test programs
* do not use the PSA RNG even though it's there.
*
* A simple choice that meets the constraints is to use the PSA RNG whenever
* MBEDTLS_USE_PSA_CRYPTO is enabled. There's no real technical reason the
* choice to use the PSA RNG in the test programs and the choice to use
* PSA crypto when TLS code needs crypto have to be tied together, but it
* happens to be a good match. It's also a good match from an application
* perspective: either PSA is preferred for TLS (both for crypto and for
* random generation) or it isn't.
*/
#define MBEDTLS_TEST_USE_PSA_CRYPTO_RNG
#endif
/** A context for random number generation (RNG).
*/
@ -213,7 +186,6 @@ int rng_get(void *p_rng, unsigned char *output, size_t output_len);
*/
int key_opaque_alg_parse(const char *arg, const char **alg1, const char **alg2);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/** Parse given opaque key algorithms to obtain psa algs and usage
* that will be passed to mbedtls_pk_wrap_as_opaque().
*
@ -259,9 +231,8 @@ int key_opaque_set_alg_usage(const char *alg1, const char *alg2,
int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algorithm_t psa_alg2,
psa_key_usage_t psa_usage, mbedtls_svc_key_id_t *key_id);
#endif /* MBEDTLS_PK_C */
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
#if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
/* The test implementation of the PSA external RNG is insecure. When
* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG is enabled, before using any PSA crypto
* function that makes use of an RNG, you must call

4
programs/x509/cert_app.c
View File

@ -152,14 +152,12 @@ int main(int argc, char *argv[])
memset(&cacrl, 0, sizeof(mbedtls_x509_crl));
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -446,9 +444,7 @@ exit:
#endif
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

4
programs/x509/cert_req.c
View File

@ -162,14 +162,12 @@ int main(int argc, char *argv[])
memset(buf, 0, sizeof(buf));
mbedtls_entropy_init(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -502,9 +500,7 @@ exit:
mbedtls_pk_free(&key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
cur = opt.san_list;
while (cur != NULL) {

4
programs/x509/cert_write.c
View File

@ -326,14 +326,12 @@ int main(int argc, char *argv[])
memset(buf, 0, sizeof(buf));
memset(serial, 0, sizeof(serial));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -1026,9 +1024,7 @@ exit:
mbedtls_pk_free(&loaded_issuer_key);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

4
programs/x509/crl_app.c
View File

@ -60,14 +60,12 @@ int main(int argc, char *argv[])
*/
mbedtls_x509_crl_init(&crl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -124,9 +122,7 @@ usage:
exit:
mbedtls_x509_crl_free(&crl);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

4
programs/x509/load_roots.c
View File

@ -86,14 +86,12 @@ int main(int argc, char *argv[])
struct mbedtls_timing_hr_time timer;
unsigned long ms;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc <= 1) {
mbedtls_printf(USAGE);
@ -159,9 +157,7 @@ int main(int argc, char *argv[])
exit_code = MBEDTLS_EXIT_SUCCESS;
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}
#endif /* necessary configuration */

4
programs/x509/req_app.c
View File

@ -60,14 +60,12 @@ int main(int argc, char *argv[])
*/
mbedtls_x509_csr_init(&csr);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = psa_crypto_init();
if (status != PSA_SUCCESS) {
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
(int) status);
goto exit;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (argc < 2) {
usage:
@ -124,9 +122,7 @@ usage:
exit:
mbedtls_x509_csr_free(&csr);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_psa_crypto_free();
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_exit(exit_code);
}

9
tests/include/test/ssl_helpers.h
View File

@ -31,11 +31,9 @@
#include "mbedtls/ssl_cache.h"
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define PSA_TO_MBEDTLS_ERR(status) PSA_TO_MBEDTLS_ERR_LIST(status, \
psa_to_ssl_errors, \
psa_generic_status_to_mbedtls)
#endif
#if defined(MBEDTLS_SSL_PROTO_TLS1_3)
#if defined(PSA_WANT_KEY_TYPE_AES)
@ -751,18 +749,11 @@ int mbedtls_test_get_tls13_ticket(
#define ECJPAKE_TEST_PWD "bla"
#if defined(MBEDTLS_USE_PSA_CRYPTO)
#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \
ret = (use_opaque_arg) ? \
mbedtls_ssl_set_hs_ecjpake_password_opaque(&ssl, pwd_slot) : \
mbedtls_ssl_set_hs_ecjpake_password(&ssl, pwd_string, pwd_len); \
TEST_EQUAL(ret, exp_ret_val)
#else
#define ECJPAKE_TEST_SET_PASSWORD(exp_ret_val) \
ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl, \
pwd_string, pwd_len); \
TEST_EQUAL(ret, exp_ret_val)
#endif /* MBEDTLS_USE_PSA_CRYPTO */
#define TEST_AVAILABLE_ECC(tls_id_, group_id_, psa_family_, psa_bits_) \
TEST_EQUAL(mbedtls_ssl_get_ecp_group_id_from_tls_id(tls_id_), \

8
tests/scripts/components-sanitizers.sh
View File

@ -66,7 +66,7 @@ component_release_test_valgrind_constant_flow_no_asm () {
# - or alternatively, build with debug info and manually run the offending
# test suite with valgrind --track-origins=yes, then check if the origin
# was TEST_CF_SECRET() or something else.
msg "build: cmake release GCC, full config minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM with constant flow testing"
msg "build: cmake release GCC, full config minus MBEDTLS_HAVE_ASM with constant flow testing"
scripts/config.py full
scripts/config.py set MBEDTLS_TEST_CONSTANT_FLOW_VALGRIND
scripts/config.py unset MBEDTLS_AESNI_C
@ -77,7 +77,7 @@ component_release_test_valgrind_constant_flow_no_asm () {
# this only shows a summary of the results (how many of each type)
# details are left in Testing/<date>/DynamicAnalysis.xml
msg "test: some suites (full minus MBEDTLS_USE_PSA_CRYPTO, minus MBEDTLS_HAVE_ASM, valgrind + constant flow)"
msg "test: some suites (full minus MBEDTLS_HAVE_ASM, valgrind + constant flow)"
make memcheck
}
@ -150,7 +150,7 @@ component_test_memsan () {
component_release_test_valgrind () {
msg "build: Release (clang)"
# default config, in particular without MBEDTLS_USE_PSA_CRYPTO
# default config
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make
@ -178,7 +178,7 @@ component_release_test_valgrind () {
component_release_test_valgrind_psa () {
msg "build: Release, full (clang)"
# full config, in particular with MBEDTLS_USE_PSA_CRYPTO
# full config
scripts/config.py full
CC=clang cmake -D CMAKE_BUILD_TYPE:String=Release .
make

108
tests/src/test_helpers/ssl_helpers.c
View File

@ -644,11 +644,9 @@ static void test_ssl_endpoint_certificate_free(mbedtls_test_ssl_endpoint *ep)
ep->cert = NULL;
}
if (ep->pkey != NULL) {
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (mbedtls_pk_get_type(ep->pkey) == MBEDTLS_PK_OPAQUE) {
psa_destroy_key(ep->pkey->priv_id);
}
#endif
mbedtls_pk_free(ep->pkey);
mbedtls_free(ep->pkey);
ep->pkey = NULL;
@ -725,9 +723,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
int i = 0;
int ret = -1;
int ok = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT;
#endif
if (ep == NULL) {
return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
@ -759,7 +755,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
TEST_EQUAL(load_endpoint_ecc(ep), 0);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (opaque_alg != 0) {
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
/* Use a fake key usage to get a successful initial guess for the PSA attributes. */
@ -776,11 +771,6 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
mbedtls_pk_init(ep->pkey);
TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0);
}
#else
(void) opaque_alg;
(void) opaque_alg2;
(void) opaque_usage;
#endif
mbedtls_ssl_conf_ca_chain(&(ep->conf), ep->ca_chain, NULL);
@ -1212,7 +1202,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
unsigned char *output,
size_t *olen)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
psa_cipher_operation_t cipher_op = PSA_CIPHER_OPERATION_INIT;
size_t part_len;
@ -1246,10 +1235,6 @@ int mbedtls_test_psa_cipher_encrypt_helper(mbedtls_ssl_transform *transform,
*olen += part_len;
return 0;
#else
return mbedtls_cipher_crypt(&transform->cipher_ctx_enc,
iv, iv_len, input, ilen, output, olen);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
#endif /* MBEDTLS_SSL_PROTO_TLS1_2 && PSA_WANT_ALG_CBC_NO_PADDING &&
PSA_WANT_KEY_TYPE_AES */
@ -1383,14 +1368,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
size_t key_bits = 0;
int ret = 0;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_key_type_t key_type;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_status_t status = PSA_ERROR_CORRUPTION_DETECTED;
#else
mbedtls_cipher_info_t const *cipher_info;
#endif
size_t keylen, maclen, ivlen = 0;
unsigned char *key0 = NULL, *key1 = NULL;
@ -1422,58 +1403,10 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(key0, 0x1, keylen);
memset(key1, 0x2, keylen);
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
/* Pick cipher */
cipher_info = mbedtls_cipher_info_from_type((mbedtls_cipher_type_t) cipher_type);
CHK(cipher_info != NULL);
CHK(mbedtls_cipher_info_get_iv_size(cipher_info) <= 16);
CHK(mbedtls_cipher_info_get_key_bitlen(cipher_info) % 8 == 0);
/* Setup cipher contexts */
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_enc, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_in->cipher_ctx_dec, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_enc, cipher_info) == 0);
CHK(mbedtls_cipher_setup(&t_out->cipher_ctx_dec, cipher_info) == 0);
#if defined(MBEDTLS_CIPHER_MODE_CBC)
if (cipher_mode == MBEDTLS_MODE_CBC) {
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_enc,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_in->cipher_ctx_dec,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_enc,
MBEDTLS_PADDING_NONE) == 0);
CHK(mbedtls_cipher_set_padding_mode(&t_out->cipher_ctx_dec,
MBEDTLS_PADDING_NONE) == 0);
}
#endif /* MBEDTLS_CIPHER_MODE_CBC */
CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_enc, key0,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_ENCRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_in->cipher_ctx_dec, key1,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_DECRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_enc, key1,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_ENCRYPT)
== 0);
CHK(mbedtls_cipher_setkey(&t_out->cipher_ctx_dec, key0,
(keylen << 3 > INT_MAX) ? INT_MAX : (int) keylen << 3,
MBEDTLS_DECRYPT)
== 0);
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
/* Setup MAC contexts */
#if defined(MBEDTLS_SSL_SOME_SUITES_USE_MAC)
if (cipher_mode == MBEDTLS_MODE_CBC ||
cipher_mode == MBEDTLS_MODE_STREAM) {
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_md_info_t const *md_info = mbedtls_md_info_from_type((mbedtls_md_type_t) hash_id);
CHK(md_info != NULL);
#endif
maclen = mbedtls_md_get_size_from_type((mbedtls_md_type_t) hash_id);
CHK(maclen != 0);
/* Pick hash keys */
@ -1482,7 +1415,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
memset(md0, 0x5, maclen);
memset(md1, 0x6, maclen);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = mbedtls_md_psa_alg_from_type(hash_id);
CHK(alg != 0);
@ -1523,21 +1455,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
CHK(psa_import_key(&attributes,
md0, maclen,
&t_out->psa_mac_dec) == PSA_SUCCESS);
#else
CHK(mbedtls_md_setup(&t_out->md_ctx_enc, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_out->md_ctx_dec, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_in->md_ctx_enc, md_info, 1) == 0);
CHK(mbedtls_md_setup(&t_in->md_ctx_dec, md_info, 1) == 0);
CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_enc,
md0, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_in->md_ctx_dec,
md1, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_enc,
md1, maclen) == 0);
CHK(mbedtls_md_hmac_starts(&t_out->md_ctx_dec,
md0, maclen) == 0);
#endif
}
#else
((void) hash_id);
@ -1657,7 +1574,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
t_out->out_cid_len = (uint8_t) cid0_len;
#endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
status = mbedtls_ssl_cipher_to_psa(cipher_type,
t_in->taglen,
&alg,
@ -1720,7 +1636,6 @@ int mbedtls_test_ssl_build_transforms(mbedtls_ssl_transform *t_in,
goto cleanup;
}
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
cleanup:
@ -1737,9 +1652,7 @@ cleanup:
int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
mbedtls_ssl_transform *transform_out)
{
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#endif
/* Serialized version of record header for MAC purposes */
unsigned char add_data[13];
@ -1751,7 +1664,6 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
add_data[12] = (record->data_len >> 0) & 0xff;
/* MAC with additional data */
#if defined(MBEDTLS_USE_PSA_CRYPTO)
size_t sign_mac_length = 0;
TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_setup(&operation,
transform_out->psa_mac_enc,
@ -1767,26 +1679,13 @@ int mbedtls_test_ssl_prepare_record_mac(mbedtls_record *record,
TEST_EQUAL(PSA_SUCCESS, psa_mac_sign_finish(&operation,
mac, sizeof(mac),
&sign_mac_length));
#else
TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc, add_data, 13));
TEST_EQUAL(0, mbedtls_md_hmac_update(&transform_out->md_ctx_enc,
record->buf + record->data_offset,
record->data_len));
/* Use a temporary buffer for the MAC, because with the truncated HMAC
* extension, there might not be enough room in the record for the
* full-length MAC. */
unsigned char mac[MBEDTLS_MD_MAX_SIZE];
TEST_EQUAL(0, mbedtls_md_hmac_finish(&transform_out->md_ctx_enc, mac));
#endif
memcpy(record->buf + record->data_offset + record->data_len, mac, transform_out->maclen);
record->data_len += transform_out->maclen;
return 0;
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_abort(&operation);
#endif
return -1;
}
#endif /* MBEDTLS_SSL_SOME_SUITES_USE_MAC */
@ -1840,7 +1739,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
return -1;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_algorithm_t psa_alg = mbedtls_md_psa_alg_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE);
size_t hash_size = 0;
@ -1851,12 +1749,6 @@ int mbedtls_test_ssl_tls12_populate_session(mbedtls_ssl_session *session,
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_LEN,
&hash_size);
ret = PSA_TO_MBEDTLS_ERR(status);
#else
ret = mbedtls_md(mbedtls_md_info_from_type(
MBEDTLS_SSL_PEER_CERT_DIGEST_DFL_TYPE),
tmp_crt.raw.p, tmp_crt.raw.len,
session->peer_cert_digest);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (ret != 0) {
return ret;
}

4
tests/ssl-opt.sh
View File

@ -9445,12 +9445,12 @@ run_test "EC restart: TLS, max_ops=65535" \
# The following test cases for restartable ECDH come in two variants:
# * The "(USE_PSA)" variant expects the current behavior, which is the behavior
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled. This tests
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled. This tests
# the partial implementation where ECDH in TLS is not actually restartable.
# * The "(no USE_PSA)" variant expects the desired behavior. These test
# cases cannot currently pass because the implementation of restartable ECC
# in TLS is partial: ECDH is not actually restartable. This is the behavior
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is enabled.
# from Mbed TLS 3.x when MBEDTLS_USE_PSA_CRYPTO is disabled.
#
# As part of resolving https://github.com/Mbed-TLS/mbedtls/issues/7294,
# we will remove the "(USE_PSA)" test cases and run the "(no USE_PSA)" test

51
tests/suites/test_suite_constant_time_hmac.function
View File

@ -16,15 +16,10 @@ void ssl_cf_hmac(int hash)
* Test the function mbedtls_ct_hmac() against a reference
* implementation.
*/
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_algorithm_t alg;
psa_mac_operation_t operation = PSA_MAC_OPERATION_INIT;
#else
mbedtls_md_context_t ctx, ref_ctx;
const mbedtls_md_info_t *md_info;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
size_t out_len, block_size;
size_t min_in_len, in_len, max_in_len, i;
/* TLS additional data is 13 bytes (hence the "lucky 13" name) */
@ -36,7 +31,6 @@ void ssl_cf_hmac(int hash)
USE_PSA_INIT();
#if defined(MBEDTLS_USE_PSA_CRYPTO)
alg = PSA_ALG_HMAC(mbedtls_md_psa_alg_from_type(hash));
out_len = PSA_HASH_LENGTH(alg);
@ -47,36 +41,15 @@ void ssl_cf_hmac(int hash)
PSA_KEY_USAGE_VERIFY_HASH);
psa_set_key_algorithm(&attributes, PSA_ALG_HMAC(alg));
psa_set_key_type(&attributes, PSA_KEY_TYPE_HMAC);
#else
mbedtls_md_init(&ctx);
mbedtls_md_init(&ref_ctx);
md_info = mbedtls_md_info_from_type(hash);
TEST_ASSERT(md_info != NULL);
out_len = mbedtls_md_get_size(md_info);
TEST_ASSERT(out_len != 0);
block_size = hash == MBEDTLS_MD_SHA384 ? 128 : 64;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* Use allocated out buffer to catch overwrites */
TEST_CALLOC(out, out_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Set up dummy key */
memset(ref_out, 42, sizeof(ref_out));
TEST_EQUAL(PSA_SUCCESS, psa_import_key(&attributes,
ref_out, out_len,
&key));
#else
/* Set up contexts with the given hash and a dummy key */
TEST_EQUAL(0, mbedtls_md_setup(&ctx, md_info, 1));
TEST_EQUAL(0, mbedtls_md_setup(&ref_ctx, md_info, 1));
memset(ref_out, 42, sizeof(ref_out));
TEST_EQUAL(0, mbedtls_md_hmac_starts(&ctx, ref_out, out_len));
TEST_EQUAL(0, mbedtls_md_hmac_starts(&ref_ctx, ref_out, out_len));
memset(ref_out, 0, sizeof(ref_out));
#endif
/*
* Test all possible lengths up to a point. The difference between
* max_in_len and min_in_len is at most 255, and make sure they both vary
@ -101,22 +74,14 @@ void ssl_cf_hmac(int hash)
/* Get the function's result */
TEST_CF_SECRET(&in_len, sizeof(in_len));
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL(0, mbedtls_ct_hmac(key, PSA_ALG_HMAC(alg),
add_data, sizeof(add_data),
data, in_len,
min_in_len, max_in_len,
out));
#else
TEST_EQUAL(0, mbedtls_ct_hmac(&ctx, add_data, sizeof(add_data),
data, in_len,
min_in_len, max_in_len,
out));
#endif /* MBEDTLS_USE_PSA_CRYPTO */
TEST_CF_PUBLIC(&in_len, sizeof(in_len));
TEST_CF_PUBLIC(out, out_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_setup(&operation,
key, alg));
TEST_EQUAL(PSA_SUCCESS, psa_mac_update(&operation, add_data,
@ -125,17 +90,6 @@ void ssl_cf_hmac(int hash)
data, in_len));
TEST_EQUAL(PSA_SUCCESS, psa_mac_verify_finish(&operation,
out, out_len));
#else
/* Compute the reference result */
TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, add_data,
sizeof(add_data)));
TEST_EQUAL(0, mbedtls_md_hmac_update(&ref_ctx, data, in_len));
TEST_EQUAL(0, mbedtls_md_hmac_finish(&ref_ctx, ref_out));
TEST_EQUAL(0, mbedtls_md_hmac_reset(&ref_ctx));
/* Compare */
TEST_MEMORY_COMPARE(out, out_len, ref_out, out_len);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
}
mbedtls_free(data);
@ -143,13 +97,8 @@ void ssl_cf_hmac(int hash)
}
exit:
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_mac_abort(&operation);
psa_destroy_key(key);
#else
mbedtls_md_free(&ref_ctx);
mbedtls_md_free(&ctx);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_free(data);
mbedtls_free(out);

34
tests/suites/test_suite_ssl.data
View File

@ -440,23 +440,23 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_R
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, PSA_ALG_SHA_384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_384):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, invalid alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PSS(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-RSA-WITH-AES-256-GCM-SHA384, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_GCM:MBEDTLS_RSA_C:PSA_WANT_KEY_TYPE_ECC_PUBLIC_KEY:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-RSA-WITH-AES-256-GCM-SHA384":MBEDTLS_PK_RSA:"":PSA_ALG_RSA_PKCS1V15_SIGN(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, non-opaque
@ -464,19 +464,19 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, PSA_ALG_SHA_256
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_256):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:0:MBEDTLS_TLS_ECDHE_ECDSA_WITH_AES_256_CCM
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDHE-ECDSA-WITH-AES-256-CCM, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_256:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CCM:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDHE-ECDSA-WITH-AES-256-CCM":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, non-opaque
@ -484,15 +484,15 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDIN
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-RSA-WITH-AES-256-CBC-SHA384, opaque, bad usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_AES:PSA_WANT_ALG_CBC_NO_PADDING:MBEDTLS_RSA_C:PSA_HAVE_ALG_ECDSA_VERIFY:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED:!MBEDTLS_AES_ONLY_128_BIT_KEY_LENGTH
handshake_ciphersuite_select:"TLS-ECDH-RSA-WITH-AES-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDH:PSA_ALG_NONE:PSA_KEY_USAGE_DECRYPT:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, non-opaque
@ -500,19 +500,19 @@ depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_P
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_NONE:PSA_ALG_NONE:0:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_ANY_HASH
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, PSA_ALG_SHA_384
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PSA_CRYPTO_C
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_PSA_CRYPTO_C
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_SHA_384):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:0:MBEDTLS_TLS_ECDH_ECDSA_WITH_CAMELLIA_256_CBC_SHA384
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing alg
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_NONE:PSA_KEY_USAGE_SIGN_HASH|PSA_KEY_USAGE_DERIVE:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Handshake, select ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384, opaque, missing usage
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED:MBEDTLS_USE_PSA_CRYPTO
depends_on:PSA_WANT_ALG_SHA_384:PSA_WANT_KEY_TYPE_CAMELLIA:PSA_WANT_ALG_CBC_NO_PADDING:PSA_WANT_ECC_SECP_R1_256:PSA_WANT_ECC_SECP_R1_384:MBEDTLS_KEY_EXCHANGE_ECDH_ECDSA_ENABLED
handshake_ciphersuite_select:"TLS-ECDH-ECDSA-WITH-CAMELLIA-256-CBC-SHA384":MBEDTLS_PK_ECDSA:"":PSA_ALG_ECDSA(PSA_ALG_ANY_HASH):PSA_ALG_ECDH:PSA_KEY_USAGE_SIGN_HASH:MBEDTLS_ERR_SSL_HANDSHAKE_FAILURE:0
Sending app data via TLS, MFL=512 without fragmentation
@ -3236,7 +3236,7 @@ depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
ssl_ecjpake_set_password:0
EC-JPAKE set opaque password
depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED
ssl_ecjpake_set_password:1
Test Elliptic curves' info parsing

12
tests/suites/test_suite_ssl.function
View File

@ -3422,7 +3422,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED:MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
void test_multiple_psks_opaque(int mode)
{
/*
@ -3768,7 +3768,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_USE_PSA_CRYPTO:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
/* BEGIN_CASE depends_on:MBEDTLS_PSA_CRYPTO_C:MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED:MBEDTLS_PKCS1_V15:MBEDTLS_SSL_PROTO_TLS1_2:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_RSA_C:PSA_WANT_ECC_SECP_R1_384:PSA_HAVE_ALG_SOME_ECDSA:PSA_WANT_KEY_TYPE_ECC_KEY_PAIR_IMPORT */
void raw_key_agreement_fail(int bad_server_ecdhe_key)
{
enum { BUFFSIZE = 17000 };
@ -3941,11 +3941,7 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
{
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t pwd_slot = MBEDTLS_SVC_KEY_ID_INIT;
#else /* MBEDTLS_USE_PSA_CRYPTO */
(void) use_opaque_arg;
#endif /* MBEDTLS_USE_PSA_CRYPTO */
unsigned char pwd_string[sizeof(ECJPAKE_TEST_PWD)] = "";
size_t pwd_len = 0;
int ret;
@ -3971,7 +3967,6 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
pwd_len = strlen(ECJPAKE_TEST_PWD);
memcpy(pwd_string, ECJPAKE_TEST_PWD, pwd_len);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (use_opaque_arg) {
psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
@ -3998,16 +3993,13 @@ void ssl_ecjpake_set_password(int use_opaque_arg)
PSA_ASSERT(psa_import_key(&attributes, pwd_string,
pwd_len, &pwd_slot));
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
/* final check which should work without errors */
ECJPAKE_TEST_SET_PASSWORD(0);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
if (use_opaque_arg) {
psa_destroy_key(pwd_slot);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);

2
tests/suites/test_suite_x509parse.data
View File

@ -900,7 +900,7 @@ depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_
x509_verify:"../framework/data_files/server9-defaults.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #68 (RSASSA-PSS, wrong salt_len, USE_PSA)
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_PEM_PARSE_C:MBEDTLS_X509_RSASSA_PSS_SUPPORT:PSA_WANT_ALG_SHA_256:PSA_WANT_ALG_SHA_1
x509_verify:"../framework/data_files/server9-bad-saltlen.crt":"../framework/data_files/test-ca.crt":"../framework/data_files/crl-rsa-pss-sha1.pem":"NULL":0:0:"compat":"NULL"
X509 CRT verification #70 (v1 trusted CA)

12
tests/suites/test_suite_x509write.data
View File

@ -123,23 +123,23 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:0:-1:"../framework/data_files/server1.ca_noauthid.crt":1:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, key_usage
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:"NULL":0:0:1:-1:"../framework/data_files/server1.key_usage.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, ns_cert_type
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:1:-1:"../framework/data_files/server1.cert_type.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, version 1
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:MBEDTLS_X509_CRT_VERSION_1:"../framework/data_files/server1.v1.crt":2:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Opaque, CA
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5:MBEDTLS_USE_PSA_CRYPTO
depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.ca.crt":2:1:"../framework/data_files/test-ca.crt":0
Certificate write check Server1 SHA1, Full length serial
@ -159,7 +159,7 @@ depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINIST
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server1 SHA1, SubjectAltNames

46
tests/suites/test_suite_x509write.function
View File

@ -15,8 +15,7 @@
#endif /* MBEDTLS_PK_HAVE_PRIVATE_HEADER */
#include "mbedtls/psa_util.h"
#if defined(MBEDTLS_USE_PSA_CRYPTO) && \
defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
#if defined(MBEDTLS_PEM_WRITE_C) && defined(MBEDTLS_X509_CSR_WRITE_C)
static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
{
unsigned char hash[PSA_HASH_MAX_SIZE];
@ -53,7 +52,7 @@ cleanup:
mbedtls_x509_csr_free(&csr);
return ret;
}
#endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
#endif /* MBEDTLS_PEM_WRITE_C && MBEDTLS_X509_CSR_WRITE_C */
#if defined(MBEDTLS_X509_CSR_WRITE_C)
@ -131,11 +130,9 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
mbedtls_x509write_csr req;
unsigned char buf[4096];
int ret;
#if !defined(MBEDTLS_USE_PSA_CRYPTO)
unsigned char check_buf[4000];
FILE *f;
size_t olen = 0;
#endif /* !MBEDTLS_USE_PSA_CRYPTO */
size_t pem_len = 0, buf_index;
int der_len = -1;
const char *subject_name = "C=NL,O=PolarSSL,CN=PolarSSL Server 1";
@ -215,20 +212,14 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
TEST_ASSERT(buf[buf_index] == 0);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, so cert_req_check_file can't be used
(void) cert_req_check_file;
buf[pem_len] = '\0';
TEST_ASSERT(x509_crt_verifycsr(buf, pem_len + 1) == 0);
#else
f = fopen(cert_req_check_file, "r");
TEST_ASSERT(f != NULL);
olen = fread(check_buf, 1, sizeof(check_buf), f);
fclose(f);
f = fopen(cert_req_check_file, "r"); //open the file
TEST_ASSERT(f != NULL); //check the file has been opened.
olen = fread(check_buf, 1, sizeof(check_buf), f); // read the file
fclose(f); // close the file
TEST_ASSERT(olen >= pem_len - 1);
TEST_ASSERT(memcmp(buf, check_buf, pem_len - 1) == 0);
#endif /* MBEDTLS_USE_PSA_CRYPTO */
der_len = mbedtls_x509write_csr_der(&req, buf, sizeof(buf));
TEST_ASSERT(der_len >= 0);
@ -237,14 +228,7 @@ void x509_csr_check(char *key_file, char *cert_req_check_file, int md_type,
goto exit;
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
// go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
der_len /= 2;
#else
der_len -= 1;
#endif
ret = mbedtls_x509write_csr_der(&req, buf, (size_t) (der_len));
TEST_ASSERT(ret == MBEDTLS_ERR_ASN1_BUF_TOO_SMALL);
@ -256,7 +240,7 @@ exit:
}
/* END_CASE */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C:MBEDTLS_USE_PSA_CRYPTO */
/* BEGIN_CASE depends_on:MBEDTLS_PEM_WRITE_C:MBEDTLS_X509_CSR_WRITE_C */
void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
int cert_type)
{
@ -342,10 +326,8 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
int der_len = -1;
FILE *f;
mbedtls_test_rnd_pseudo_info rnd_info;
#if defined(MBEDTLS_USE_PSA_CRYPTO)
mbedtls_svc_key_id_t key_id = MBEDTLS_SVC_KEY_ID_INIT;
psa_key_attributes_t key_attr = PSA_KEY_ATTRIBUTES_INIT;
#endif
mbedtls_pk_type_t issuer_key_type;
mbedtls_x509_san_list san_ip;
mbedtls_x509_san_list san_dns;
@ -409,7 +391,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
issuer_key_type = mbedtls_pk_get_type(&issuer_key);
#if defined(MBEDTLS_USE_PSA_CRYPTO)
/* Turn the issuer PK context into an opaque one. */
if (pk_wrap == 2) {
TEST_EQUAL(mbedtls_pk_get_psa_attributes(&issuer_key, PSA_KEY_USAGE_SIGN_HASH,
@ -419,7 +400,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
mbedtls_pk_init(&issuer_key);
TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */
if (pk_wrap == 2) {
TEST_ASSERT(mbedtls_pk_get_type(&issuer_key) == MBEDTLS_PK_OPAQUE);
@ -570,14 +550,6 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
TEST_ASSERT(p < end);
}
#if defined(MBEDTLS_USE_PSA_CRYPTO)
// When using PSA crypto, RNG isn't controllable, result length isn't
// deterministic over multiple runs, removing a single byte isn't enough to
// go into the MBEDTLS_ERR_ASN1_BUF_TOO_SMALL error case
if (issuer_key_type != MBEDTLS_PK_RSA) {
der_len /= 2;
} else
#endif
der_len -= 1;
ret = mbedtls_x509write_crt_der(&crt, buf, (size_t) (der_len));
@ -592,9 +564,7 @@ exit:
#if defined(MBEDTLS_TEST_DEPRECATED) && defined(MBEDTLS_BIGNUM_C)
mbedtls_mpi_free(&serial_mpi);
#endif
#if defined(MBEDTLS_USE_PSA_CRYPTO)
psa_destroy_key(key_id);
#endif
MD_OR_USE_PSA_DONE();
}
/* END_CASE */