Merge remote-tracking branch 'development' into dependency-on-generated-files-dev

Gilles Peskine 2025-07-30 11:16:34 +02:00
commit db99ca95a7
50 changed files with 213 additions and 504 deletions


@ -0,0 +1,5 @@
Removals
* The header <mbedtls/check_config.h> no longer exists. Including it
from a custom config file was no longer needed since Mbed TLS 3.0,
and could lead to spurious errors. The checks that it performed are
now done automatically when building the library.

@ -1 +1 @@
Subproject commit 893ad9e8450a8e7459679d952abd5d6df26c41c4
Subproject commit 87dbfb290fa42ca2ccfb403e8c2fa7334fa4f1dd


@ -85,6 +85,4 @@
*/
#define MBEDTLS_CONFIG_IS_FINALIZED
#include "mbedtls/check_config.h"
#endif /* MBEDTLS_BUILD_INFO_H */


@ -255,7 +255,7 @@
*
* Requires: MBEDTLS_ECDH_C or PSA_WANT_ALG_ECDH
* MBEDTLS_RSA_C
* MBEDTLS_PKCS1_V15
* PSA_WANT_ALG_RSA_PKCS1V15_SIGN
* MBEDTLS_X509_CRT_PARSE_C
*
* This enables the following ciphersuites (if other requisites are
@ -331,7 +331,7 @@
* might still happen. For this reason, this is disabled by default.
*
* Requires: MBEDTLS_ECJPAKE_C or PSA_WANT_ALG_JPAKE
* SHA-256 (via MBEDTLS_SHA256_C or a PSA driver)
* PSA_WANT_ALG_SHA_256
* MBEDTLS_ECP_DP_SECP256R1_ENABLED
*
* This enables the following ciphersuites (if other requisites are
@ -446,7 +446,7 @@
* saved after the handshake to allow for more efficient serialization, so if
* you don't need this feature you'll save RAM by disabling it.
*
* Requires: MBEDTLS_GCM_C or MBEDTLS_CCM_C or MBEDTLS_CHACHAPOLY_C
* Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*
* Comment to disable the context serialization APIs.
*/
@ -824,7 +824,7 @@
* Module: library/ssl_ticket.c
* Caller:
*
* Requires: MBEDTLS_GCM_C || MBEDTLS_CCM_C || MBEDTLS_CHACHAPOLY_C
* Requires: PSA_WANT_ALG_GCM or PSA_WANT_ALG_CCM or PSA_WANT_ALG_CHACHA20_POLY1305
*/
#define MBEDTLS_SSL_TICKET_C
@ -859,7 +859,7 @@
* MBEDTLS_X509_CRT_PARSE_C
* and at least one of:
* MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA
* MBEDTLS_PKCS1_V21
* PSA_WANT_ALG_RSA_PSS
*
* Comment to disable support for the ephemeral key exchange mode in TLS 1.3.
* If MBEDTLS_SSL_PROTO_TLS1_3 is not enabled, this option does not have any
@ -903,7 +903,7 @@
* Caller: library/ssl*_client.c
* library/ssl*_server.c
*
* Requires: MBEDTLS_CIPHER_C, MBEDTLS_MD_C
* Requires: PSA_WANT_ALG_SHA_256 or PSA_WANT_ALG_SHA_384
* and at least one of the MBEDTLS_SSL_PROTO_XXX defines
*
* This module is required for SSL/TLS.
@ -1210,7 +1210,7 @@
* Enable parsing and verification of X.509 certificates, CRLs and CSRS
* signed with RSASSA-PSS (aka PKCS#1 v2.1).
*
* Requires: MBEDTLS_PKCS1_V21
* Requires: PSA_WANT_ALG_RSA_PSS
*
* Comment this macro to disallow using RSASSA-PSS in certificates.
*/
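Review bot: The `Requires:` list in the first hunk still names the legacy option `MBEDTLS_RSA_C` directly above the new `PSA_WANT_ALG_RSA_PKCS1V15_SIGN`, and the TLS 1.3 ephemeral hunk keeps `MBEDTLS_ECDSA_C or PSA_WANT_ALG_ECDSA`, so the documented prerequisites mix two configuration vocabularies. Other parts of this commit stop unsetting `MBEDTLS_RSA_C` in the test components, which suggests (not confirmed from this page) that the legacy macro is no longer something a user sets. If so, the comment should state the requirement in PSA terms only, for example the RSA key-type macro the key exchange needs. Otherwise someone trimming a configuration could leave a ciphersuite enabled on the strength of an option that has no effect.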


@ -11,6 +11,7 @@
#define MBEDTLS_OID_H
#include "mbedtls/build_info.h"
#include "mbedtls/asn1.h"
/*
* Top level OID tuples


@ -60,7 +60,7 @@ void mbedtls_version_get_string_full(char *string);
* support", "Mbed TLS modules" and "Mbed TLS feature
* support" in mbedtls_config.h
*
* \param feature The string for the define to check (e.g. "MBEDTLS_AES_C")
* \param feature The string for the define to check (e.g. "MBEDTLS_SSL_SRV_C")
*
* \return 0 if the feature is present,
* -1 if the feature is not present and


@ -1,5 +1,6 @@
set(src_x509
error.c
mbedtls_config.c
pkcs7.c
x509.c
x509_create.c


@ -121,6 +121,7 @@ LOCAL_CFLAGS+=$(THIRDPARTY_INCLUDES)
OBJS_CRYPTO+=$(THIRDPARTY_CRYPTO_OBJECTS)
OBJS_X509= \
mbedtls_config.o \
x509.o \
x509_create.o \
x509_crl.o \

13
library/mbedtls_config.c Normal file

@ -0,0 +1,13 @@
/*
* Mbed TLS configuration checks
*/
/*
* Copyright The Mbed TLS Contributors
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include <mbedtls/build_info.h>
/* Consistency checks in the configuration: check for incompatible options,
* missing options when at least one of a set needs to be enabled, etc. */
#include "mbedtls_check_config.h"
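Review bot: Nothing in this new file says that it must be part of every library build, yet after this commit it appears to be the only place the configuration consistency checks are compiled (the include of `mbedtls/check_config.h` leaves `build_info.h` in the same commit). The CMake and Makefile source lists are updated here, but a build system that enumerates library sources by hand would drop the checks without any error and could produce a library from an inconsistent configuration. I would extend the comment above the include, e.g. `/* This file must be compiled in every build of the library: it is the only translation unit that runs the configuration checks. */`.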


@ -10,7 +10,7 @@
#ifndef MBEDTLS_SSL_MISC_H
#define MBEDTLS_SSL_MISC_H
#include "common.h"
#include "tf_psa_crypto_common.h"
#include "mbedtls/build_info.h"
#include "mbedtls/error.h"
@ -2376,7 +2376,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
#endif /* PSA_WANT_ALG_SHA_512 && MBEDTLS_ECP_DP_SECP521R1_ENABLED */
#endif /* PSA_HAVE_ALG_SOME_ECDSA */
#if defined(MBEDTLS_PKCS1_V21)
#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
break;
@ -2389,7 +2389,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V21 */
#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return 0;
}
@ -2401,7 +2401,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
const uint16_t sig_alg)
{
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V15)
#if defined(PSA_WANT_ALG_RSA_PKCS1V15_SIGN)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256:
break;
@ -2414,7 +2414,7 @@ static inline int mbedtls_ssl_tls13_sig_alg_is_supported(
case MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512:
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V15 */
#endif /* PSA_WANT_ALG_RSA_PKCS1V15_SIGN */
default:
return mbedtls_ssl_tls13_sig_alg_for_cert_verify_is_supported(
sig_alg);
@ -2455,7 +2455,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
}
switch (sig_alg) {
#if defined(MBEDTLS_PKCS1_V21)
#if defined(PSA_WANT_ALG_RSA_PSS)
#if defined(PSA_WANT_ALG_SHA_256)
case MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256:
*md_alg = MBEDTLS_MD_SHA256;
@ -2474,7 +2474,7 @@ static inline int mbedtls_ssl_get_pk_type_and_md_alg_from_sig_alg(
*pk_type = MBEDTLS_PK_RSASSA_PSS;
break;
#endif /* PSA_WANT_ALG_SHA_512 */
#endif /* MBEDTLS_PKCS1_V21 */
#endif /* PSA_WANT_ALG_RSA_PSS */
default:
return MBEDTLS_ERR_SSL_FEATURE_UNAVAILABLE;
}
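Review bot: The RSA cases in these three switches are now compiled in on `PSA_WANT_ALG_RSA_PSS` or `PSA_WANT_ALG_RSA_PKCS1V15_SIGN` alone, with no check that an RSA public-key type is enabled as well. These helpers decide which TLS 1.3 signature algorithms are treated as supported, so a configuration that wants the algorithm but no RSA key type would presumably accept the signature scheme and then fail at verification; whether the configuration checks already rule that out is not visible here. A short comment above each guard stating the assumption, e.g. `/* PSA_WANT_ALG_RSA_PSS implies RSA public-key support (enforced by the config checks) */`, would make the dependency explicit once confirmed. All three function bodies start or end outside the hunks shown.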


@ -2082,8 +2082,7 @@ start_processing:
#if defined(MBEDTLS_X509_RSASSA_PSS_SUPPORT)
if (pk_alg == MBEDTLS_PK_RSASSA_PSS) {
ret = mbedtls_pk_verify_ext(pk_alg, NULL,
peer_pk,
ret = mbedtls_pk_verify_new(pk_alg, peer_pk,
md_alg, hash, hashlen,
p, sig_len);
} else
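Review bot: The RSASSA-PSS verification here loses its explicit `NULL` options argument in the move to `mbedtls_pk_verify_new`, and nothing at the call site says which PSS parameters (salt length, MGF1 hash) the replacement enforces. The declaration is not on this page, so the policy cannot be checked from here; once confirmed, a one-line comment such as `/* No PSS options are passed: mbedtls_pk_verify_new() applies its documented default salt-length and MGF1 policy. */` would record it where a reader auditing signature checks will look. The same applies to the calls in `ssl_tls13_parse_certificate_verify`, `x509_crt_verifycrl` and `x509_crt_check_signature` further down. The `_new` suffix also reads as a transitional name, so a note on when it will be renamed would help. The enclosing function starts and ends outside this hunk.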


@ -300,13 +300,13 @@ static int ssl_tls13_parse_certificate_verify(mbedtls_ssl_context *ssl,
MBEDTLS_SSL_DEBUG_BUF(3, "verify hash", verify_hash, verify_hash_len);
if ((ret = mbedtls_pk_verify_ext(sig_alg, NULL,
if ((ret = mbedtls_pk_verify_new(sig_alg,
&ssl->session_negotiate->peer_cert->pk,
md_alg, verify_hash, verify_hash_len,
p, signature_len)) == 0) {
return 0;
}
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_ext", ret);
MBEDTLS_SSL_DEBUG_RET(1, "mbedtls_pk_verify_new", ret);
error:
/* RFC 8446 section 4.4.3


@ -24,6 +24,7 @@
#include "mbedtls/oid.h"
#include "x509_oid.h"
#include <limits.h>
#include <stdio.h>
#include <string.h>


@ -14,6 +14,7 @@
#include "mbedtls/oid.h"
#include "x509_oid.h"
#include <limits.h>
#include <string.h>
#include "mbedtls/platform.h"


@ -27,6 +27,7 @@
#include "x509_oid.h"
#include "mbedtls/platform_util.h"
#include <limits.h>
#include <string.h>
#if defined(MBEDTLS_PEM_PARSE_C)
@ -2060,7 +2061,7 @@ static int x509_crt_verifycrl(mbedtls_x509_crt *crt, mbedtls_x509_crt *ca,
flags |= MBEDTLS_X509_BADCERT_BAD_KEY;
}
if (mbedtls_pk_verify_ext(crl_list->sig_pk, NULL, &ca->pk,
if (mbedtls_pk_verify_new(crl_list->sig_pk, &ca->pk,
crl_list->sig_md, hash, hash_length,
crl_list->sig.p, crl_list->sig.len) != 0) {
flags |= MBEDTLS_X509_BADCRL_NOT_TRUSTED;
@ -2134,7 +2135,7 @@ static int x509_crt_check_signature(const mbedtls_x509_crt *child,
(void) rs_ctx;
#endif
return mbedtls_pk_verify_ext(child->sig_pk, NULL, &parent->pk,
return mbedtls_pk_verify_new(child->sig_pk, &parent->pk,
child->sig_md, hash, hash_len,
child->sig.p, child->sig.len);
}


@ -10,7 +10,7 @@
#ifndef MBEDTLS_X509_INTERNAL_H
#define MBEDTLS_X509_INTERNAL_H
#include "common.h"
#include "tf_psa_crypto_common.h"
#include "mbedtls/build_info.h"
#include "mbedtls/private_access.h"


@ -31,18 +31,19 @@ foreach(exe IN LISTS executables_no_common_c executables_with_common_c)
$<TARGET_OBJECTS:mbedtls_test_helpers>
$<TARGET_OBJECTS:mbedtls_test>)
if(NOT FUZZINGENGINE_LIB)
list(APPEND exe_sources onefile.c)
list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_onefile.c)
endif()
# This emulates "if ( ... IN_LIST ... )" which becomes available in CMake 3.3
list(FIND executables_with_common_c ${exe} exe_index)
if(${exe_index} GREATER -1)
list(APPEND exe_sources common.c)
list(APPEND exe_sources ${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/fuzz_common.c)
endif()
add_executable(${exe} ${exe_sources})
set_base_compile_options(${exe})
target_include_directories(${exe} PRIVATE ${CMAKE_CURRENT_SOURCE_DIR}/../../framework/tests/include
${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/
${CMAKE_CURRENT_SOURCE_DIR}/../../tests/include)
if (NOT FUZZINGENGINE_LIB)
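Review bot: The two `list(APPEND exe_sources ...)` lines take the fuzz helper sources from `${MBEDTLS_DIR}/tf-psa-crypto/programs/fuzz/`, while the include directory added a few lines below uses `${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/`. Where `MBEDTLS_DIR` is set is not shown on this page; if it is empty or points at a different checkout in some build, the sources resolve to another path than the headers they are compiled against. Using one root for both, e.g. `list(APPEND exe_sources ${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/programs/fuzz/fuzz_onefile.c)` and the same for `fuzz_common.c`, keeps them in step. The `foreach` block continues past the end of the hunk.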


@ -3,7 +3,7 @@ MBEDTLS_TEST_PATH:=../../tests
MBEDTLS_PATH := ../..
include ../../scripts/common.make
PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/programs/fuzz
PROGRAM_FUZZ_PATH:=$(MBEDTLS_PATH)/tf-psa-crypto/programs/fuzz
DEP=${MBEDLIBS}
@ -15,6 +15,8 @@ LOCAL_CFLAGS += -I$(PROGRAM_FUZZ_PATH)
# A test application is built for each fuzz_*.c file.
APPS = $(basename $(wildcard fuzz_*.c))
APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_privkey.c)
APPS += $(basename $(PROGRAM_FUZZ_PATH)/fuzz_pubkey.c)
# Construct executable name by adding OS specific suffix $(EXEXT).
BINARIES := $(addsuffix $(EXEXT),$(APPS))
@ -32,13 +34,13 @@ C_FILES := $(addsuffix .c,$(APPS))
ifdef FUZZINGENGINE
$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(DEP)
echo " $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CXX) $(PROGRAM_FUZZ_PATH)/common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(DEP)
echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
else
$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $(DEP)
echo " $(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CC) $(PROGRAM_FUZZ_PATH)/common.o $(PROGRAM_FUZZ_PATH)/onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
$(BINARIES): %$(EXEXT): %.o $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $(DEP)
echo " $(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"
$(CC) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $(PROGRAM_FUZZ_PATH)/fuzz_onefile.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@
endif
clean:
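Review bot: In the `ifdef FUZZINGENGINE` rule the new `echo` line prints `$(CC)` but the recipe line under it links with `$(CXX)`, so the build log names the wrong driver; the echo should read `echo " $(CXX) $(PROGRAM_FUZZ_PATH)/fuzz_common.o $< $(LOCAL_LDFLAGS) $(LDFLAGS) -o $@"`. Separately, the two `APPS +=` entries carry the `$(PROGRAM_FUZZ_PATH)/` prefix, so their objects and binaries would be written into the tf-psa-crypto tree rather than this directory. Whether the `clean` target, which starts at the end of the hunk, covers them is not visible.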


@ -1,107 +0,0 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include "common.h"
#include <limits.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include "mbedtls/ctr_drbg.h"
#if defined(MBEDTLS_PLATFORM_TIME_ALT)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time)
{
(void) time;
return 0x5af2a056;
}
#endif
void dummy_init(void)
{
#if defined(MBEDTLS_PLATFORM_TIME_ALT)
mbedtls_platform_set_time(dummy_constant_time);
#else
fprintf(stderr, "Warning: fuzzing without constant time\n");
#endif
}
int dummy_send(void *ctx, const unsigned char *buf, size_t len)
{
//silence warning about unused parameter
(void) ctx;
(void) buf;
//pretends we wrote everything ok
if (len > INT_MAX) {
return -1;
}
return (int) len;
}
int fuzz_recv(void *ctx, unsigned char *buf, size_t len)
{
//reads from the buffer from fuzzer
fuzzBufferOffset_t *biomemfuzz = (fuzzBufferOffset_t *) ctx;
if (biomemfuzz->Offset == biomemfuzz->Size) {
//EOF
return 0;
}
if (len > INT_MAX) {
return -1;
}
if (len + biomemfuzz->Offset > biomemfuzz->Size) {
//do not overflow
len = biomemfuzz->Size - biomemfuzz->Offset;
}
memcpy(buf, biomemfuzz->Data + biomemfuzz->Offset, len);
biomemfuzz->Offset += len;
return (int) len;
}
int dummy_random(void *p_rng, unsigned char *output, size_t output_len)
{
int ret;
size_t i;
#if defined(MBEDTLS_CTR_DRBG_C)
//mbedtls_ctr_drbg_random requires a valid mbedtls_ctr_drbg_context in p_rng
if (p_rng != NULL) {
//use mbedtls_ctr_drbg_random to find bugs in it
ret = mbedtls_ctr_drbg_random(p_rng, output, output_len);
} else {
//fall through to pseudo-random
ret = 0;
}
#else
(void) p_rng;
ret = 0;
#endif
for (i = 0; i < output_len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) rand();
}
return ret;
}
int dummy_entropy(void *data, unsigned char *output, size_t len)
{
size_t i;
(void) data;
//use mbedtls_entropy_func to find bugs in it
//test performance impact of entropy
//ret = mbedtls_entropy_func(data, output, len);
for (i = 0; i < len; i++) {
//replace result with pseudo random
output[i] = (unsigned char) rand();
}
return 0;
}
int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout)
{
(void) timeout;
return fuzz_recv(ctx, buf, len);
}


@ -1,28 +0,0 @@
#include "mbedtls/build_info.h"
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
#include <stddef.h>
#include <stdint.h>
typedef struct fuzzBufferOffset {
const uint8_t *Data;
size_t Size;
size_t Offset;
} fuzzBufferOffset_t;
#if defined(MBEDTLS_HAVE_TIME)
mbedtls_time_t dummy_constant_time(mbedtls_time_t *time);
#endif
void dummy_init(void);
int dummy_send(void *ctx, const unsigned char *buf, size_t len);
int fuzz_recv(void *ctx, unsigned char *buf, size_t len);
int dummy_random(void *p_rng, unsigned char *output, size_t output_len);
int dummy_entropy(void *data, unsigned char *output, size_t len);
int fuzz_recv_timeout(void *ctx, unsigned char *buf, size_t len,
uint32_t timeout);
/* Implemented in the fuzz_*.c sources and required by onefile.c */
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size);


@ -4,7 +4,7 @@
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "test/certs.h"
#include "common.h"
#include "fuzz_common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>


@ -3,7 +3,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include "common.h"
#include "fuzz_common.h"
#include "mbedtls/ssl.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)
#include "mbedtls/entropy.h"


@ -3,7 +3,7 @@
#include <string.h>
#include <stdlib.h>
#include <stdint.h>
#include "common.h"
#include "fuzz_common.h"
#include "mbedtls/ssl.h"
#include "test/certs.h"
#if defined(MBEDTLS_SSL_PROTO_DTLS)


@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/pkcs7.h"
#include "common.h"
#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{


@ -5,7 +5,7 @@
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/ssl_ticket.h"
#include "test/certs.h"
#include "common.h"
#include "fuzz_common.h"
#include <string.h>
#include <stdlib.h>
#include <stdint.h>


@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_crl.h"
#include "common.h"
#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{


@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_crt.h"
#include "common.h"
#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{


@ -2,7 +2,7 @@
#include <stdint.h>
#include "mbedtls/x509_csr.h"
#include "common.h"
#include "fuzz_common.h"
int LLVMFuzzerTestOneInput(const uint8_t *Data, size_t Size)
{


@ -1,70 +0,0 @@
#define MBEDTLS_DECLARE_PRIVATE_IDENTIFIERS
#include <stdint.h>
#include <stdlib.h>
#include <stdio.h>
#include "common.h"
/* This file doesn't use any Mbed TLS function, but grab mbedtls_config.h anyway
* in case it contains platform-specific #defines related to malloc or
* stdio functions. */
#include "mbedtls/build_info.h"
int main(int argc, char **argv)
{
FILE *fp;
uint8_t *Data;
size_t Size;
const char *argv0 = argv[0] == NULL ? "PROGRAM_NAME" : argv[0];
if (argc != 2) {
fprintf(stderr, "Usage: %s REPRODUCER_FILE\n", argv0);
return 1;
}
//opens the file, get its size, and reads it into a buffer
fp = fopen(argv[1], "rb");
if (fp == NULL) {
fprintf(stderr, "%s: Error in fopen\n", argv0);
perror(argv[1]);
return 2;
}
if (fseek(fp, 0L, SEEK_END) != 0) {
fprintf(stderr, "%s: Error in fseek(SEEK_END)\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
Size = ftell(fp);
if (Size == (size_t) -1) {
fprintf(stderr, "%s: Error in ftell\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
if (fseek(fp, 0L, SEEK_SET) != 0) {
fprintf(stderr, "%s: Error in fseek(0)\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
Data = malloc(Size);
if (Data == NULL) {
fprintf(stderr, "%s: Could not allocate memory\n", argv0);
perror(argv[1]);
fclose(fp);
return 2;
}
if (fread(Data, Size, 1, fp) != 1) {
fprintf(stderr, "%s: Error in fread\n", argv0);
perror(argv[1]);
free(Data);
fclose(fp);
return 2;
}
//launch fuzzer
LLVMFuzzerTestOneInput(Data, Size);
free(Data);
fclose(fp);
return 0;
}


@ -293,7 +293,7 @@ int pk_wrap_as_opaque(mbedtls_pk_context *pk, psa_algorithm_t psa_alg, psa_algor
}
mbedtls_pk_free(pk);
mbedtls_pk_init(pk);
ret = mbedtls_pk_setup_opaque(pk, *key_id);
ret = mbedtls_pk_wrap_psa(pk, *key_id);
if (ret != 0) {
return ret;
}

View File

@ -56,6 +56,7 @@ if(GEN_FILES)
${CMAKE_CURRENT_SOURCE_DIR}/../../tf-psa-crypto/include/psa/crypto_config.h
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/data_files/query_config.fmt
${CMAKE_CURRENT_BINARY_DIR}/query_config.c
WORKING_DIRECTORY ${CMAKE_CURRENT_SOURCE_DIR}/../..
DEPENDS
${CMAKE_CURRENT_SOURCE_DIR}/../../scripts/generate_query_config.pl
${CMAKE_CURRENT_SOURCE_DIR}/../../include/mbedtls/mbedtls_config.h


@ -16,6 +16,7 @@
#include "mbedtls/build_info.h"
#include <limits.h>
#if defined(MBEDTLS_PLATFORM_C)
#include "mbedtls/platform.h"
#else


@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#include "tf_psa_crypto_common.h"
#include "mbedtls/error.h"


@ -1,4 +1,4 @@
/*
/* -*-c-*-
* Query Mbed TLS compile time configurations from mbedtls_config.h
*
* Copyright The Mbed TLS Contributors
@ -10,73 +10,17 @@
#include "query_config.h"
#include "mbedtls/platform.h"
/*
* Include all the headers with public APIs in case they define a macro to its
* default value when that configuration is not set in mbedtls_config.h, or
* for PSA_WANT macros, in case they're auto-defined based on mbedtls_config.h
* rather than defined directly in crypto_config.h.
*/
#include "psa/crypto.h"
#include "mbedtls/aes.h"
#include "mbedtls/aria.h"
#include "mbedtls/asn1.h"
#include "mbedtls/asn1write.h"
#include "mbedtls/base64.h"
#include "mbedtls/bignum.h"
#include "mbedtls/camellia.h"
#include "mbedtls/ccm.h"
#include "mbedtls/chacha20.h"
#include "mbedtls/chachapoly.h"
#include "mbedtls/cipher.h"
#include "mbedtls/cmac.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/debug.h"
#include "mbedtls/des.h"
#include "mbedtls/ecdh.h"
#include "mbedtls/ecdsa.h"
#include "mbedtls/ecjpake.h"
#include "mbedtls/ecp.h"
#include "mbedtls/entropy.h"
#include "mbedtls/error.h"
#include "mbedtls/gcm.h"
#include "mbedtls/hmac_drbg.h"
#include "mbedtls/md.h"
#include "mbedtls/md5.h"
#include "mbedtls/memory_buffer_alloc.h"
#include "mbedtls/net_sockets.h"
#include "mbedtls/nist_kw.h"
#include "mbedtls/oid.h"
#include "mbedtls/pem.h"
#include "mbedtls/pk.h"
#include "mbedtls/pkcs12.h"
#include "mbedtls/pkcs5.h"
#if defined(MBEDTLS_HAVE_TIME)
#include "mbedtls/platform_time.h"
#endif
#include "mbedtls/platform_util.h"
#include "mbedtls/poly1305.h"
#include "mbedtls/ripemd160.h"
#include "mbedtls/rsa.h"
#include "mbedtls/sha1.h"
#include "mbedtls/sha256.h"
#include "mbedtls/sha512.h"
#include "mbedtls/ssl.h"
#include "mbedtls/ssl_cache.h"
#include "mbedtls/ssl_ciphersuites.h"
#include "mbedtls/ssl_cookie.h"
#include "mbedtls/ssl_ticket.h"
#include "mbedtls/threading.h"
#include "mbedtls/timing.h"
#include "mbedtls/version.h"
#include "mbedtls/x509.h"
#include "mbedtls/x509_crl.h"
#include "mbedtls/x509_crt.h"
#include "mbedtls/x509_csr.h"
#include <string.h>
/* Work around https://github.com/Mbed-TLS/TF-PSA-Crypto/issues/393 */
#if defined(MBEDTLS_HAVE_TIME)
#include <mbedtls/platform_time.h>
#endif
/* *INDENT-OFF* */
INCLUDE_HEADERS
/* *INDENT-ON* */
/*
* Helper macros to convert a macro or its expansion into a string
* WARNING: This does not work for expanding function-like macros. However,


@ -49,6 +49,8 @@ if( @ARGV ) {
or die "No arguments supplied, must be run from project root or a first-level subdirectory\n";
}
}
-f 'include/mbedtls/build_info.h'
or die "$0: must be run from project root, or from a first-level subdirectory with no arguments\n";
# Excluded macros from the generated query_config.c. For example, macros that
# have commas or function-like macros cannot be transformed into strings easily
@ -100,6 +102,34 @@ EOT
close(CONFIG_FILE);
}
# We need to include all the headers with public APIs in case they
# define a macro to its default value when that configuration is not
# set in a header included by build_info.h (crypto_config.h,
# mbedtls_config.h, *adjust*.h). Some module-specific macros are set
# in that module's header. For simplicity, include all headers, with
# some ad hoc knowledge of headers that are included by other headers
# and should not be included directly. We don't include internal headers
# because those should not define configurable macros.
my @header_files = ();
my @header_roots = qw(
include
tf-psa-crypto/include
tf-psa-crypto/drivers/builtin/include
);
for my $root (@header_roots) {
my @paths = glob "$root/*/*.h $root/*/*/*.h";
map {s!^\Q$root/!!} @paths;
# Exclude some headers that are included by build_info.h and cannot
# be included directly.
push @header_files, grep {!m[
^psa/crypto_(platform|struct)\.h$ | # have alt versions, included by psa/crypto.h anyway
^mbedtls/platform_time\.h$ | # errors without time.h
_config\.h |
[/_]adjust[/_]
]x} @paths;
}
my $include_headers = join('', map {"#include <$_>\n"} @header_files);
# Read the full format file into a string
local $/;
open(FORMAT_FILE, "<", $query_config_format_file) or die "Opening query config format file '$query_config_format_file': $!";
@ -107,6 +137,7 @@ my $query_config_format = <FORMAT_FILE>;
close(FORMAT_FILE);
# Replace the body of the query_config() function with the code we just wrote
$query_config_format =~ s/INCLUDE_HEADERS/$include_headers/g;
$query_config_format =~ s/CHECK_CONFIG/$config_check/g;
$query_config_format =~ s/LIST_CONFIG/$list_config/g;
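Review bot: `map {s!^\Q$root/!!} @paths;` uses `map` in void context purely for its side effect on `@paths`; `s!^\Q$root/!! for @paths;` says the same thing without building a discarded list. The header list also comes from a `glob` over the working tree, so any extra `.h` file lying under the three roots ends up as an `#include` in the generated `query_config.c`, and a header reachable under two roots is emitted twice. A comment above the loop saying that the result depends on the tree contents, and that duplicates rely on include guards, would save the next reader from finding that out in a failed build. In the exclusion pattern `_config\.h` is not anchored with `$`, unlike the two alternatives above it.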


@ -12,13 +12,13 @@
* -I$(MBEDTLS_ROOT_PATH)/tf-psa-crypto/drivers/builtin/include
* None of those cover tf-psa-crypto/core, so we rely on the
* -I$(MBEDTLS_ROOT_PATH)/include entry plus a parent-relative
* include "../tf-psa-crypto/core/common.h" in order to pull in common.h here,
* include "../tf-psa-crypto/core/tf_psa_crypto_common.h" in order to pull in tf_psa_crypto_common.h here,
* which in turn gets MBEDTLS_ATTRIBUTE_UNTERMINATED_STRING (to silence the
* new GCC-15 unterminated-string-initialization warning).
* See GitHub issue #10223 for the proper long-term fix.
* https://github.com/Mbed-TLS/mbedtls/issues/10223
*/
#include "../tf-psa-crypto/core/common.h"
#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>


@ -4,7 +4,7 @@
*/
#include "psa/crypto.h"
#include "../tf-psa-crypto/core/common.h"
#include "../tf-psa-crypto/core/tf_psa_crypto_common.h"
#include <string.h>
#include <stdio.h>
#include <stdlib.h>


@ -327,10 +327,6 @@ class DriverVSReference_cipher_aead_cmac(outcome_analysis.DriverVSReference):
'Low and high error',
'Single low error'
],
# Similar to test_suite_error above.
'test_suite_version': [
'Check for MBEDTLS_AES_C when already present',
],
# The en/decryption part of PKCS#12 is not supported so far.
# The rest of PKCS#12 (key derivation) works though.
'test_suite_pkcs12': [
@ -659,10 +655,6 @@ class DriverVSReference_block_cipher_dispatch(outcome_analysis.DriverVSReference
'Single low error',
'Low and high error',
],
'test_suite_version': [
# Similar to test_suite_error above.
'Check for MBEDTLS_AES_C when already present',
],
'test_suite_platform': [
# Incompatible with sanitizers (e.g. ASan). If the driver
# component uses a sanitizer but the reference component


@ -123,4 +123,7 @@ component_check_test_helpers () {
msg "unit test: translate_ciphers.py"
python3 -m unittest framework/scripts/translate_ciphers.py 2>&1
msg "unit test: generate_config_checks.py"
tests/scripts/test_config_checks.py 2>&1
}
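Review bot: The new `msg` line announces `generate_config_checks.py` but the command on the next line runs `tests/scripts/test_config_checks.py`, so a failure is reported under the name of a different script; `msg "unit test: test_config_checks.py"` would match what is executed. The script is also invoked directly, unlike the `python3 -m unittest ...` line just above, which makes the check depend on the file's executable bit and shebang. `component_check_test_helpers` starts outside the hunk.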


@ -138,7 +138,6 @@ component_test_psa_crypto_without_heap() {
component_test_no_rsa_key_pair_generation () {
msg "build: default config minus PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE"
scripts/config.py unset MBEDTLS_GENPRIME
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE
make
@ -310,7 +309,6 @@ component_test_full_no_cipher () {
msg "build: full no CIPHER"
scripts/config.py full
scripts/config.py unset MBEDTLS_CIPHER_C
# The built-in implementation of the following algs/key-types depends
# on CIPHER_C so we disable them.
@ -329,7 +327,6 @@ component_test_full_no_cipher () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# The following modules directly depends on CIPHER_C
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_NIST_KW_C
make
@ -479,7 +476,6 @@ component_test_crypto_for_psa_service () {
scripts/config.py unset MBEDTLS_VERSION_FEATURES
# Crypto stuff with no PSA interface
scripts/config.py unset MBEDTLS_BASE64_C
# Keep MBEDTLS_CIPHER_C because psa_crypto_cipher, CCM and GCM need it.
scripts/config.py unset MBEDTLS_HKDF_C # PSA's HKDF is independent
# Keep MBEDTLS_MD_C because deterministic ECDSA needs it for HMAC_DRBG.
scripts/config.py unset MBEDTLS_NIST_KW_C
@ -519,11 +515,6 @@ component_test_depends_py_cipher_chaining () {
tests/scripts/depends.py cipher_chaining
}
component_test_depends_py_cipher_padding () {
msg "test/build: depends.py cipher_padding (gcc)"
tests/scripts/depends.py cipher_padding
}
component_test_depends_py_curves () {
msg "test/build: depends.py curves (gcc)"
tests/scripts/depends.py curves
@ -1148,9 +1139,6 @@ config_psa_crypto_config_accel_ecc_ffdh_no_bignum () {
# on BIGNUM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_KEY_TYPE_RSA_[0-9A-Z_a-z]*"
scripts/config.py -f "$CRYPTO_CONFIG_H" unset-all "PSA_WANT_ALG_RSA_[0-9A-Z_a-z]*"
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Also disable key exchanges that depend on RSA
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
@ -1425,12 +1413,6 @@ config_psa_crypto_accel_rsa () {
helper_libtestdriver1_adjust_config "crypto_full"
if [ "$driver_only" -eq 1 ]; then
# Remove RSA support and its dependencies
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_GENPRIME
# We need PEM parsing in the test library as well to support the import
# of PEM encoded RSA keys.
scripts/config.py -c "$CONFIG_TEST_DRIVER_H" set MBEDTLS_PEM_PARSE_C
@ -1494,7 +1476,7 @@ component_test_psa_crypto_config_reference_rsa_crypto () {
# This is a temporary test to verify that full RSA support is present even when
# only one single new symbols (PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC) is defined.
component_test_new_psa_want_key_pair_symbol () {
msg "Build: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
msg "Build: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
# Create a temporary output file unless there is already one set
if [ "$MBEDTLS_TEST_OUTCOME_FILE" ]; then
@ -1509,11 +1491,8 @@ component_test_new_psa_want_key_pair_symbol () {
scripts/config.py crypto
# Remove RSA support and its dependencies
scripts/config.py unset MBEDTLS_PKCS1_V15
scripts/config.py unset MBEDTLS_PKCS1_V21
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED
scripts/config.py unset MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED
scripts/config.py unset MBEDTLS_RSA_C
scripts/config.py unset MBEDTLS_X509_RSASSA_PSS_SUPPORT
# Keep only PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC enabled in order to ensure
@ -1524,7 +1503,7 @@ component_test_new_psa_want_key_pair_symbol () {
make
msg "Test: crypto config - MBEDTLS_RSA_C + PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
msg "Test: crypto config - PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC"
make test
# Parse only 1 relevant line from the outcome file, i.e. a test which is
@ -1550,15 +1529,6 @@ component_test_psa_crypto_config_accel_hash () {
# Start from default config (no USE_PSA)
helper_libtestdriver1_adjust_config "default"
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
# Build
# -----
@ -1588,14 +1558,7 @@ config_psa_crypto_hash_use_psa () {
helper_libtestdriver1_adjust_config "full"
if [ "$driver_only" -eq 1 ]; then
# disable the built-in implementation of hashes
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
scripts/config.py unset MBEDTLS_SHA1_C
scripts/config.py unset MBEDTLS_SHA224_C
scripts/config.py unset MBEDTLS_SHA256_C # see external RNG below
scripts/config.py unset MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT
scripts/config.py unset MBEDTLS_SHA384_C
scripts/config.py unset MBEDTLS_SHA512_C
scripts/config.py unset MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT
fi
}
@ -1676,11 +1639,9 @@ config_psa_crypto_hmac_use_psa () {
# Disable MD_C in order to disable the builtin support for HMAC. MD_LIGHT
# is still enabled though (for ENTROPY_C among others).
scripts/config.py unset MBEDTLS_MD_C
# Disable also the builtin hashes since they are supported by the driver
# and MD module is able to perform PSA dispathing.
# Also disable the configuration options that tune the builtin hashes,
# since those hashes are disabled.
scripts/config.py unset-all MBEDTLS_SHA
scripts/config.py unset MBEDTLS_MD5_C
scripts/config.py unset MBEDTLS_RIPEMD160_C
fi
# Direct dependencies of MD_C. We disable them also in the reference
@ -1747,11 +1708,6 @@ component_test_psa_crypto_config_accel_aead () {
# Start from full config
helper_libtestdriver1_adjust_config "full"
# Disable things that are being accelerated
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
# Disable CCM_STAR_NO_TAG because this re-enables CCM_C.
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CCM_STAR_NO_TAG
@ -1802,32 +1758,10 @@ component_test_psa_crypto_config_accel_cipher_aead_cmac () {
common_psa_crypto_config_accel_cipher_aead_cmac
# Disable the things that are being accelerated
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CIPHER_PADDING_PKCS7
scripts/config.py unset MBEDTLS_CIPHER_MODE_CTR
scripts/config.py unset MBEDTLS_CIPHER_MODE_CFB
scripts/config.py unset MBEDTLS_CIPHER_MODE_OFB
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py unset MBEDTLS_CMAC_C
scripts/config.py unset MBEDTLS_DES_C
scripts/config.py unset MBEDTLS_AES_C
scripts/config.py unset MBEDTLS_ARIA_C
scripts/config.py unset MBEDTLS_CHACHA20_C
scripts/config.py unset MBEDTLS_CAMELLIA_C
scripts/config.py unset MBEDTLS_POLY1305_C
# Disable DES, if it still exists.
# This can be removed once we remove DES from the library.
scripts/config.py unset PSA_WANT_KEY_TYPE_DES
# Disable CIPHER_C entirely as all ciphers/AEADs are accelerated and PSA
# does not depend on it.
scripts/config.py unset MBEDTLS_CIPHER_C
# Build
# -----
@ -1887,14 +1821,6 @@ common_block_cipher_dispatch () {
# Start from the full config
helper_libtestdriver1_adjust_config "full"
if [ "$TEST_WITH_DRIVER" -eq 1 ]; then
# Disable key types that are accelerated (there is no legacy equivalent
# symbol for ECB)
scripts/config.py unset MBEDTLS_AES_C
scripts/config.py unset MBEDTLS_ARIA_C
scripts/config.py unset MBEDTLS_CAMELLIA_C
fi
# Disable cipher's modes that, when not accelerated, cause
# legacy key types to be re-enabled in "config_adjust_legacy_from_psa.h".
# Keep this also in the reference component in order to skip the same tests
@ -1999,7 +1925,6 @@ component_test_full_block_cipher_legacy_dispatch () {
component_test_aead_chachapoly_disabled () {
msg "build: full minus CHACHAPOLY"
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@ -2010,8 +1935,6 @@ component_test_aead_chachapoly_disabled () {
component_test_aead_only_ccm () {
msg "build: full minus CHACHAPOLY and GCM"
scripts/config.py full
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CHACHA20_POLY1305
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_GCM
make CC=$ASAN_CC CFLAGS="$ASAN_CFLAGS" LDFLAGS="$ASAN_CFLAGS"
@ -2137,16 +2060,12 @@ component_build_aes_variations () {
# manually set or unset those configurations to check
# MBEDTLS_BLOCK_CIPHER_NO_DECRYPT with various combinations in aes.o.
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_KEY_TYPE_DES
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_DES_C
build_test_config_combos ${BUILTIN_SRC_PATH}/aes.o validate_aes_config_variations \
"MBEDTLS_AES_ROM_TABLES" \
@ -2167,7 +2086,7 @@ END
#define PSA_WANT_ALG_SHA3_256 1
#define PSA_WANT_ALG_SHA3_384 1
#define PSA_WANT_ALG_SHA3_512 1
#define MBEDTLS_AES_C
#define PSA_WANT_KEY_TYPE_AES 1
#define MBEDTLS_CTR_DRBG_C
#define MBEDTLS_ENTROPY_C
#define MBEDTLS_PSA_CRYPTO_C
@ -2350,7 +2269,6 @@ helper_block_cipher_no_decrypt_build_test () {
# This is a configuration function used in component_test_block_cipher_no_decrypt_xxx:
config_block_cipher_no_decrypt () {
scripts/config.py set MBEDTLS_BLOCK_CIPHER_NO_DECRYPT
scripts/config.py unset MBEDTLS_CIPHER_MODE_XTS
scripts/config.py unset MBEDTLS_NIST_KW_C
# Enable support for cryptographic mechanisms through the PSA API.
@ -2359,9 +2277,6 @@ config_block_cipher_no_decrypt () {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_CBC_PKCS7
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_ECB_NO_PADDING
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_KEY_TYPE_DES
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_DES_C
}
component_test_block_cipher_no_decrypt_aesni () {
@ -2513,7 +2428,6 @@ component_build_psa_config_file () {
# query_compile_time_config.
echo '#undef PSA_WANT_ALG_CMAC' >psa_user_config.h
echo '#undef PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128' >> psa_user_config.h
echo '#undef MBEDTLS_CMAC_C' >> psa_user_config.h
make CFLAGS="-I '$PWD' -DTF_PSA_CRYPTO_CONFIG_FILE='\"psa_test_config.h\"' -DTF_PSA_CRYPTO_USER_CONFIG_FILE='\"psa_user_config.h\"'"
not programs/test/query_compile_time_config PSA_WANT_ALG_CMAC


@ -54,18 +54,11 @@ component_test_tls1_2_default_stream_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Disable CBC. Note: When implemented, PSA_WANT_ALG_CBC_MAC will also need to be unset here to fully disable CBC
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_NO_PADDING
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CBC_PKCS7
# Disable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Note: The unset below is to be removed for 4.0
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
# Enable stream (currently that's just the NULL pseudo-cipher (controlled by MBEDTLS_CIPHER_NULL_CIPHER))
@ -90,13 +83,9 @@ component_test_tls1_2_default_cbc_legacy_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Disable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py unset MBEDTLS_SSL_ENCRYPT_THEN_MAC
@ -123,13 +112,9 @@ component_test_tls1_2_default_cbc_legacy_cbc_etm_cipher_only () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CCM_STAR_NO_TAG
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_GCM
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_CHACHA20_POLY1305
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_GCM_C
scripts/config.py unset MBEDTLS_CCM_C
scripts/config.py unset MBEDTLS_CHACHAPOLY_C
#Disable TLS 1.3 (as no AEAD)
scripts/config.py unset MBEDTLS_SSL_PROTO_TLS1_3
# Enable CBC-legacy (controlled by MBEDTLS_CIPHER_MODE_CBC plus at least one block cipher (AES, ARIA, Camellia))
# Enable CBC-legacy
scripts/config.py -c $CRYPTO_CONFIG_H set PSA_WANT_ALG_CBC_NO_PADDING
# Enable CBC-EtM (controlled by the same as CBC-legacy plus MBEDTLS_SSL_ENCRYPT_THEN_MAC)
scripts/config.py set MBEDTLS_SSL_ENCRYPT_THEN_MAC
@ -399,8 +384,6 @@ component_test_when_no_ciphersuites_have_mac () {
scripts/config.py -f "$CRYPTO_CONFIG_H" unset PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128
scripts/config.py unset MBEDTLS_CIPHER_NULL_CIPHER
scripts/config.py unset MBEDTLS_CIPHER_MODE_CBC
scripts/config.py unset MBEDTLS_CMAC_C
make
@ -472,7 +455,6 @@ component_test_tls13_only_psk () {
# Note: The four unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -536,7 +518,6 @@ component_test_tls13_only_psk_ephemeral () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -566,7 +547,6 @@ component_test_tls13_only_psk_ephemeral_ffdh () {
# Note: The three unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDH_C
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
@ -593,7 +573,6 @@ component_test_tls13_only_psk_all () {
scripts/config.py -c $CRYPTO_CONFIG_H unset PSA_WANT_ALG_RSA_PSS
# Note: The two unsets below are to be removed for Mbed TLS 4.0
scripts/config.py unset MBEDTLS_ECDSA_C
scripts/config.py unset MBEDTLS_PKCS1_V21
make CFLAGS="'-DMBEDTLS_USER_CONFIG_FILE=\"../tests/configs/tls13-only.h\"'"
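Review bot: The "Note: The N unsets below are to be removed for Mbed TLS 4.0" comments in the four component_test_tls13_only_psk* hunks still carry their old counts. The +/- markers are lost on this page, but each of these hunks drops one line by its header counts, presumably the `MBEDTLS_PKCS1_V21` unset. On that reading "four" in component_test_tls13_only_psk is followed by two unsets, and "two" in component_test_tls13_only_psk_ephemeral and component_test_tls13_only_psk_all by one. A wrong count makes a reader checking these PSK-only configurations wonder whether an unset that restricts the key exchange was lost in the merge. I would drop the number, e.g. `# Note: The legacy unsets below are to be removed for Mbed TLS 4.0`. The component bodies start and end outside the hunks.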


@ -30,11 +30,11 @@ The configuration building method can be one of the three following:
direct dependencies, but rather non-trivial results of other configs missing. Then
look for any unset symbols and handle their reverse dependencies.
Examples of EXCLUSIVE_GROUPS usage:
- MBEDTLS_SHA512_C job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
- PSA_WANT_ALG_SHA_512 job turns off all hashes except SHA512. MBEDTLS_SSL_COOKIE_C
requires either SHA256 or SHA384 to work, so it also has to be disabled.
This is not a dependency on SHA512_C, but a result of an exclusive domain
This is not a dependency on SHA512, but a result of an exclusive domain
config building method. Relevant field:
'MBEDTLS_SHA512_C': ['-MBEDTLS_SSL_COOKIE_C'],
'PSA_WANT_ALG_SHA_512': ['-MBEDTLS_SSL_COOKIE_C'],
- DualDomain - combination of the two above - both complementary and exclusive domain
job generation code will be run. Currently only used for hashes.
@ -251,34 +251,11 @@ and subsequent commands are tests that cannot run if the build failed).'''
REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_AES': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
'MBEDTLS_CTR_DRBG_C',
'MBEDTLS_NIST_KW_C',
'MBEDTLS_AES_C'],
'PSA_WANT_KEY_TYPE_ARIA': ['MBEDTLS_ARIA_C'],
'PSA_WANT_KEY_TYPE_CAMELLIA': ['MBEDTLS_CAMELLIA_C'],
'MBEDTLS_NIST_KW_C'],
'PSA_WANT_KEY_TYPE_CHACHA20': ['PSA_WANT_ALG_CHACHA20_POLY1305',
'PSA_WANT_ALG_STREAM_CIPHER',
'MBEDTLS_CHACHA20_C',
'MBEDTLS_CHACHAPOLY_C'],
'PSA_WANT_KEY_TYPE_DES': ['MBEDTLS_DES_C'],
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG',
'MBEDTLS_CCM_C'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128',
'MBEDTLS_CMAC_C'],
'PSA_WANT_ALG_GCM': ['MBEDTLS_GCM_C'],
'PSA_WANT_ALG_CBC_NO_PADDING': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_CBC_PKCS7': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_CFB': ['MBEDTLS_CIPHER_MODE_CFB'],
'PSA_WANT_ALG_CTR': ['MBEDTLS_CIPHER_MODE_CTR'],
'PSA_WANT_ALG_OFB': ['MBEDTLS_CIPHER_MODE_OFB'],
'PSA_WANT_ALG_XTS': ['MBEDTLS_CIPHER_MODE_XTS'],
'MBEDTLS_CIPHER_PADDING_PKCS7': ['MBEDTLS_PKCS5_C',
'MBEDTLS_PKCS12_C',
'PSA_WANT_ALG_CBC_PKCS7'],
'MBEDTLS_CIPHER_PADDING_ONE_AND_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
'MBEDTLS_CIPHER_PADDING_ZEROS': ['MBEDTLS_CIPHER_MODE_CBC'],
'MBEDTLS_CIPHER_PADDING_ZEROS_AND_LEN': ['MBEDTLS_CIPHER_MODE_CBC'],
'PSA_WANT_ALG_STREAM_CIPHER'],
'PSA_WANT_ALG_CCM': ['PSA_WANT_ALG_CCM_STAR_NO_TAG'],
'PSA_WANT_ALG_CMAC': ['PSA_WANT_ALG_PBKDF2_AES_CMAC_PRF_128'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_256': ['MBEDTLS_ECP_DP_BP256R1_ENABLED'],
'PSA_WANT_ECC_BRAINPOOL_P_R1_384': ['MBEDTLS_ECP_DP_BP384R1_ENABLED'],
@ -319,11 +296,9 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_ALG_JPAKE': ['MBEDTLS_ECJPAKE_C',
'MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED'],
'PSA_WANT_ALG_RSA_OAEP': ['PSA_WANT_ALG_RSA_PSS',
'MBEDTLS_X509_RSASSA_PSS_SUPPORT',
'MBEDTLS_PKCS1_V21'],
'MBEDTLS_X509_RSASSA_PSS_SUPPORT'],
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT': ['PSA_WANT_ALG_RSA_PKCS1V15_SIGN',
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED',
'MBEDTLS_PKCS1_V15'],
'MBEDTLS_KEY_EXCHANGE_ECDHE_RSA_ENABLED'],
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_BASIC': [
'PSA_WANT_ALG_RSA_PKCS1V15_CRYPT',
'PSA_WANT_ALG_RSA_OAEP',
@ -331,29 +306,21 @@ REVERSE_DEPENDENCIES = {
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_IMPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_EXPORT',
'PSA_WANT_KEY_TYPE_RSA_KEY_PAIR_GENERATE',
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED',
'MBEDTLS_RSA_C'],
'MBEDTLS_KEY_EXCHANGE_ECDH_RSA_ENABLED'],
'PSA_WANT_ALG_MD5': ['MBEDTLS_MD5_C'],
'PSA_WANT_ALG_RIPEMD160': ['MBEDTLS_RIPEMD160_C'],
'PSA_WANT_ALG_SHA_1': ['MBEDTLS_SHA1_C'],
'PSA_WANT_ALG_SHA_224': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_SHA224_C'],
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY'],
'PSA_WANT_ALG_SHA_256': ['MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED',
'MBEDTLS_ENTROPY_FORCE_SHA256',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA256_USE_ARMV8_A_CRYPTO_ONLY',
'MBEDTLS_LMS_C',
'MBEDTLS_LMS_PRIVATE',
'MBEDTLS_SHA256_C',
'PSA_WANT_ALG_TLS12_ECJPAKE_TO_PMS'],
'PSA_WANT_ALG_SHA_384': ['MBEDTLS_SHA384_C'],
'PSA_WANT_ALG_SHA_512': ['MBEDTLS_SHA512_USE_A64_CRYPTO_IF_PRESENT',
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY',
'MBEDTLS_SHA512_C'],
'MBEDTLS_SHA512_USE_A64_CRYPTO_ONLY'],
'PSA_WANT_ALG_ECB_NO_PADDING' : ['MBEDTLS_NIST_KW_C'],
}
@ -531,9 +498,6 @@ class DomainData:
# Get cipher modes
cipher_chaining_symbols = {algs[cipher_alg] for cipher_alg in cipher_algs}
# Find block padding mode enabling macros by name.
cipher_padding_symbols = self.config_symbols_matching(r'MBEDTLS_CIPHER_PADDING_\w+\Z')
self.domains = {
# Cipher key types
'cipher_id': ExclusiveDomain(cipher_key_types, build_and_test),
@ -544,9 +508,6 @@ class DomainData:
build_and_test,
exclude=r'PSA_WANT_ALG_XTS'),
'cipher_padding': ExclusiveDomain(cipher_padding_symbols,
build_and_test),
# Elliptic curves. Run the test suites.
'curves': ExclusiveDomain(curve_symbols, build_and_test),
@ -639,8 +600,8 @@ def main():
description=
"Test Mbed TLS with a subset of algorithms.\n\n"
"Example usage:\n"
r"./tests/scripts/depends.py \!MBEDTLS_SHA1_C MBEDTLS_SHA256_C""\n"
"./tests/scripts/depends.py MBEDTLS_AES_C hashes\n"
r"./tests/scripts/depends.py \!PSA_WANT_ALG_SHA_1 PSA_WANT_ALG_SHA_256""\n"
"./tests/scripts/depends.py PSA_WANT_KEY_TYPE_AES hashes\n"
"./tests/scripts/depends.py cipher_id cipher_chaining\n")
parser.add_argument('--color', metavar='WHEN',
help='Colorize the output (always/auto/never)',
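Review bot: The two DomainData hunks appear to remove the `cipher_padding` exclusive domain and its `cipher_padding_symbols` lookup, and nothing on the new side says where padding-mode coverage now lives. If PKCS#7 padding is now exercised only through `PSA_WANT_ALG_CBC_PKCS7` in the `cipher_chaining` domain, a comment next to that domain would record it, e.g. `# Padding modes are covered here via PSA_WANT_ALG_CBC_PKCS7; there is no separate cipher_padding domain.` `cipher_algs` is defined outside the hunk, so please confirm that symbol is actually in the set before adding the comment.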


@ -0,0 +1,63 @@
#!/usr/bin/env python3
"""Test the configuration checks generated by generate_config_checks.py.
"""
## Copyright The Mbed TLS Contributors
## SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
import unittest
import scripts_path # pylint: disable=unused-import
from mbedtls_framework import unittest_config_checks
class MbedtlsTestConfigChecks(unittest_config_checks.TestConfigChecks):
"""Mbed TLS unit tests for checks generated by config_checks_generator."""
#pylint: disable=invalid-name # uppercase letters make sense here
PROJECT_CONFIG_C = 'library/mbedtls_config.c'
PROJECT_SPECIFIC_INCLUDE_DIRECTORIES = [
'tf-psa-crypto/include',
'tf-psa-crypto/drivers/builtin/include',
]
@unittest.skip("At this time, mbedtls does not go through crypto's check_config.h.")
def test_crypto_no_fs_io(self) -> None:
"""A sample error expected from crypto's check_config.h."""
self.bad_case('#undef MBEDTLS_FS_IO',
None,
error=('MBEDTLS_PSA_ITS_FILE_C'))
def test_mbedtls_no_session_tickets_for_early_data(self) -> None:
"""An error expected from mbedtls_check_config.h based on the TLS configuration."""
self.bad_case(None,
'''
#define MBEDTLS_SSL_EARLY_DATA
#undef MBEDTLS_SSL_SESSION_TICKETS
''',
error=('MBEDTLS_SSL_EARLY_DATA'))
def test_mbedtls_no_ecdsa(self) -> None:
"""An error expected from mbedtls_check_config.h based on crypto+TLS configuration."""
self.bad_case('''
#undef PSA_WANT_ALG_ECDSA
#undef PSA_WANT_ALG_DETERMINISTIC_ECDSA
#undef MBEDTLS_ECDSA_C
''',
'''
#if defined(PSA_WANT_ALG_ECDSA)
#error PSA_WANT_ALG_ECDSA unexpected
#endif
#if defined(PSA_WANT_ALG_DETERMINSTIC_ECDSA)
#error PSA_WANT_ALG_DETERMINSTIC_ECDSA unexpected
#endif
#if defined(MBEDTLS_ECDSA_C)
#error MBEDTLS_ECDSA_C unexpected
#endif
''',
error=('MBEDTLS_KEY_EXCHANGE_ECDHE_ECDSA_ENABLED'))
if __name__ == '__main__':
unittest.main()
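Review bot: In test_mbedtls_no_ecdsa the second sanity guard misspells the macro as `PSA_WANT_ALG_DETERMINSTIC_ECDSA` (missing "I"), while the first snippet undefines `PSA_WANT_ALG_DETERMINISTIC_ECDSA`. The `#if defined(...)` on the misspelled name can never be true, so the guard does not verify that deterministic ECDSA was really disabled. The test could then pass for the wrong reason if the `#undef` stopped taking effect. The two lines should read `#if defined(PSA_WANT_ALG_DETERMINISTIC_ECDSA)` and `#error PSA_WANT_ALG_DETERMINISTIC_ECDSA unexpected`.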


@ -130,7 +130,7 @@ def run_one(options, args, stem_prefix='', input_file=None):
### config.py stops handling that case correctly.
TEST_SYMBOLS = [
'CUSTOM_SYMBOL', # does not exist
'MBEDTLS_AES_C', # set, no value
'PSA_WANT_KEY_TYPE_AES', # set, no value
'MBEDTLS_MPI_MAX_SIZE', # unset, has a value
'MBEDTLS_NO_UDBL_DIVISION', # unset, in "System support"
'MBEDTLS_PLATFORM_ZEROIZE_ALT', # unset, in "Customisation configuration options"
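Review bot: The replacement entry `'PSA_WANT_KEY_TYPE_AES', # set, no value` keeps the annotation written for `MBEDTLS_AES_C`, but a config fragment elsewhere in this commit defines the symbol as `#define PSA_WANT_KEY_TYPE_AES 1`. If the configuration file under test defines it the same way, TEST_SYMBOLS no longer contains a "set, no value" case, and a regression in how config.py handles valueless defines would go unnoticed. Either correct the annotation to `# set, has a value`, or pick a symbol that is still defined without a value for this slot. The list continues outside the hunk, so another entry may already cover that case.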


@ -5,7 +5,7 @@
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
*/
#include "common.h"
#include "tf_psa_crypto_common.h"
#include <test/certs.h>


@ -11,6 +11,8 @@
#include <test/ssl_helpers.h>
#include "mbedtls/psa_util.h"
#include <limits.h>
#if defined(MBEDTLS_SSL_TLS_C)
int mbedtls_test_random(void *p_rng, unsigned char *output, size_t output_len)
{
@ -772,7 +774,7 @@ int mbedtls_test_ssl_endpoint_certificate_init(mbedtls_test_ssl_endpoint *ep,
TEST_EQUAL(mbedtls_pk_import_into_psa(ep->pkey, &key_attr, &key_slot), 0);
mbedtls_pk_free(ep->pkey);
mbedtls_pk_init(ep->pkey);
TEST_EQUAL(mbedtls_pk_setup_opaque(ep->pkey, key_slot), 0);
TEST_EQUAL(mbedtls_pk_wrap_psa(ep->pkey, key_slot), 0);
}
#else
(void) opaque_alg;


@ -47,7 +47,7 @@ depends_on:PSA_WANT_ALG_SHA_1:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15
x509_csr_check:"../framework/data_files/server1.key":"../framework/data_files/server1.req.ku-ct":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION | MBEDTLS_X509_KU_KEY_ENCIPHERMENT:1:MBEDTLS_X509_NS_CERT_TYPE_SSL_SERVER:1:0
Certificate Request check Server5 ECDSA, key_usage
depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ALG_SHA_1:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_256
x509_csr_check:"../framework/data_files/server5.key":"../framework/data_files/server5.req.ku.sha1":MBEDTLS_MD_SHA1:MBEDTLS_X509_KU_DIGITAL_SIGNATURE | MBEDTLS_X509_KU_NON_REPUDIATION:1:0:0:0
Certificate Request check Server1, set_extension
@ -155,11 +155,11 @@ depends_on:MBEDTLS_RSA_C:MBEDTLS_PKCS1_V15:PSA_WANT_ALG_MD5
x509_crt_check:"../framework/data_files/server1.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca_unenc.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=PolarSSL Test CA":"ffffffffffffffffffffffffffffffff":"20190210144406":"20290210144406":MBEDTLS_MD_SHA1:0:0:"NULL":0:0:1:-1:"../framework/data_files/server1.long_serial_FF.crt":0:0:"../framework/data_files/test-ca.crt":0
Certificate write check Server5 ECDSA
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"../framework/data_files/server5.crt":0:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server5 ECDSA, Opaque
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:MBEDTLS_ECDSA_DETERMINISTIC:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
depends_on:PSA_WANT_ALG_SHA_256:PSA_HAVE_ALG_ECDSA_SIGN:PSA_WANT_ALG_DETERMINISTIC_ECDSA:PSA_WANT_ECC_SECP_R1_384:PSA_WANT_ECC_SECP_R1_256:MBEDTLS_USE_PSA_CRYPTO
x509_crt_check:"../framework/data_files/server5.key":"":"C=NL,O=PolarSSL,CN=PolarSSL Server 1":"../framework/data_files/test-ca2.key":"PolarSSLTest":"C=NL,O=PolarSSL,CN=Polarssl Test EC CA":"01":"20190210144406":"20290210144406":MBEDTLS_MD_SHA256:0:0:"NULL":0:0:1:-1:"":2:0:"../framework/data_files/test-ca2.crt":0
Certificate write check Server1 SHA1, SubjectAltNames
@ -337,4 +337,3 @@ oid_from_numeric_string:"2.4294967215":0:"8FFFFFFF7F"
OID from numeric string - OID with overflowing subidentifier
oid_from_numeric_string:"2.4294967216":MBEDTLS_ERR_ASN1_INVALID_DATA:""


@ -41,7 +41,7 @@ static int x509_crt_verifycsr(const unsigned char *buf, size_t buflen)
goto cleanup;
}
if (mbedtls_pk_verify_ext(csr.sig_pk, NULL, &csr.pk,
if (mbedtls_pk_verify_new(csr.sig_pk, &csr.pk,
csr.sig_md, hash, mbedtls_md_get_size_from_type(csr.sig_md),
csr.sig.p, csr.sig.len) != 0) {
ret = MBEDTLS_ERR_X509_CERT_VERIFY_FAILED;
@ -286,7 +286,7 @@ void x509_csr_check_opaque(char *key_file, int md_type, int key_usage,
TEST_EQUAL(mbedtls_pk_import_into_psa(&key, &key_attr, &key_id), 0);
mbedtls_pk_free(&key);
mbedtls_pk_init(&key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&key, key_id), 0);
TEST_EQUAL(mbedtls_pk_wrap_psa(&key, key_id), 0);
mbedtls_x509write_csr_set_md_alg(&req, md_type);
mbedtls_x509write_csr_set_key(&req, &key);
@ -417,7 +417,7 @@ void x509_crt_check(char *subject_key_file, char *subject_pwd,
TEST_EQUAL(mbedtls_pk_import_into_psa(&issuer_key, &key_attr, &key_id), 0);
mbedtls_pk_free(&issuer_key);
mbedtls_pk_init(&issuer_key);
TEST_EQUAL(mbedtls_pk_setup_opaque(&issuer_key, key_id), 0);
TEST_EQUAL(mbedtls_pk_wrap_psa(&issuer_key, key_id), 0);
}
#endif /* MBEDTLS_USE_PSA_CRYPTO */

@ -1 +1 @@
Subproject commit b1c98ebee82c1056cec0f64e24f1b780a5889a0d
Subproject commit 19edaa785dd71ec8f0c9f72235243314c3d895fa